The BIG-IP® Network Firewall provides policy-based access control to and from address and port pairs inside and outside of your network. By default, the network firewall is configured in ADC mode, which is a default allow configuration, in which all traffic is allowed through the firewall, and any traffic you want to block must be explicitly specified.
To understand this firewall scenario, imagine that your prerequisite system load-balances all traffic from the Internet to several internal servers. The internal servers are:
|Device and location||IP address||Traffic type|
|Externally accessible FTP server||188.8.131.52||FTP|
|Application virtual server||192.168.15.101||HTTP, FTP|
|Server on internal network||10.10.1.10||HTTP, HTTPS|
|Server on internal network||10.10.1.11||HTTP, HTTPS|
The system does not have a separate route domain configured, however you can use Route Domain 0, which is essentially the same as a global rule.
In order for traffic from the internal application virtual server to reach the external network virtual server, you must create a VLAN and enable both internal and external virtual servers on it. In this scenario, these VLANs are specified:
|net_ext||Enabled on 184.108.40.206/24, 192.168.15.101|
|net_int||Includes pool members 10.10.1.10, 10.10.1.11|
In addition, in this firewall configuration, there are three external networks that must be firewalled:
|220.127.116.11/24||Allow all access|
|18.104.22.168/24||Deny all access|
|22.214.171.124/24||Allow FTP, deny HTTP and HTTPS|
Firewall in ADC mode configuration scenario
Such a rule allows ICMPv6 pools to function, when a rule that denies all traffic is added at the end of the rule list in an ADC mode configuration.