A10-DG-Palo Alto Networks SSL Intercept and Firewall Load Balancing Guide
DG_PA-SSL_Intercept_2012.12.1
Table of Contents
1 Overview
2 Deployment Prerequisites
3 Architecture Overview
3.1 SSL Intercept
3.2 Firewall Load Balancing (FWLB)
4 Configuration Overview
4.1 Access Credentials
4.2 AX Series Load Balancer Configuration
4.2.1 Layer 2/3 and High Availability
4.2.2 SSL Intercept
4.2.3 Firewall Load Balancing (FWLB)
4.3 Palo Alto Networks Firewall Configuration
5 SSL Intercept Configuration on the AX Series Load Balancer
5.1 Layer 2/3 and High Availability Configuration
5.2 SSL Intercept Configuration
5.2.1 Internal AX Series Load Balancer
5.2.2 External AX Series Load Balancer
5.3 FWLB Configuration
5.3.1 Internal AX Series Load Balancer
5.3.2 External AX Series Load Balancer
6 Palo Alto Networks Firewall Configuration
6.1 Zone Configuration
6.2
6.3 Policy Configuration
Summary
Appendix A. Internal AX Series Load Balancer Configuration
Appendix B. SSL Intercept Handshake Flow
Appendix C. Alternative Topology with Firewall / IPS Devices
Appendix D. DMZ Design
1 Overview
Firewall and IPS/IDS (Intrusion Prevention System / Intrusion Detection System) devices usually have
difficulty inspecting SSL traffic because the content is encrypted. Some devices offer built-in SSL
decryption and re-encryption, but their performance is usually not sufficient. To alleviate this
problem, A10 Networks has introduced the SSL Forward Proxy feature, also known as SSL Intercept.
When configured for SSL Intercept, the AX Series Application Delivery Controller (ADC/Load Balancer)
intercepts SSL encrypted traffic, decrypts it and forwards it through a firewall or Intrusion Prevention
System (IPS). A second AX Series Load Balancer then takes this traffic, encrypts it again, and sends it
to the remote destination.
2 Deployment Prerequisites
Here are the deployment requirements for SSL Intercept and Firewall Load Balancing (FWLB):
3 Architecture Overview
This section illustrates a joint solution of A10 Networks AX Series Application Delivery Controllers/Load
Balancers and Palo Alto Networks PA Series firewalls providing SSL Intercept and FWLB capabilities.
The solution is highly available: VRRP-A provides failover for the AX Series Load Balancer pairs, and
multiple redundant paths are provided through the Palo Alto PA Series firewalls. The SSL Intercept
services are provided by the A10 Load Balancers, while traffic inspection and monitoring are provided
by the Palo Alto PA Series firewalls.
Notes:
The firewalls are set up in Layer 2 (L2) mode. The solution also works with firewalls in vWire mode;
a sample for such a design is given in Appendix B. Be aware that the number of ports required
on the AX device increases significantly when the firewalls are in vWire mode.
VRRP-A is an AX Series high availability protocol optimized for Server Load Balancing (SLB), and
differs significantly from the industry-standard implementation of the Virtual Router Redundancy Protocol
(VRRP). For operational familiarity, VRRP-A borrows concepts from VRRP, but it is not VRRP and will
not inter-operate with VRRP.
The SSL Intercept feature is supported only on AX devices that have hardware-based SSL cards; it is
not supported on SoftAX with software-based SSL. An AX-V with the standard hardware SSL card can
support up to 5 SoftAX instances, each capable of supporting the SSL Intercept feature.
Figure 1. Solution topology (diagram; labels recovered): Clients; internal AX Series ADC pair
(vrid-default toward the clients, eth20 uplink, eth1/eth2 toward the firewalls, eth18 VRRP-A sync link);
two firewalls, each in its own VLAN (vlan-15 with vrid-15 on the internal side and vrid-5 on the
external side; vlan-16 with vrid-16 on the internal side and VRID-6 (Red) on the external side);
external AX Series ADC pair (vlan-20 vrid-default toward the Internet); Remote Server. The figure
uses 10.1.x.x and 20.1.1.x addresses, whereas the configuration sections use 203.0.113.0/24,
198.51.100.0/24 and 192.0.2.0/24.
3.1 SSL Intercept
Figure 2. SSL Intercept traffic flow (diagram): Clients --SSL encrypted connection--> AX Series ADC
--unencrypted traffic--> Firewall appliance --unencrypted traffic--> AX Series ADC --SSL encrypted
connection--> Server.
3.2 Firewall Load Balancing (FWLB)
The FWLB feature allows load sharing between multiple firewalls. The typical deployment is in a
sandwich style design where the AX device load balances the external and internal zones of the firewalls.
The number of firewalls in the solution can be extended as required. The A10 FWLB solution can work
with HTTP, HTTPS, Generic TCP, Generic UDP, DNS, SIP and FTP.
This design can scale up to 15 firewall paths.
Figure 3. FWLB traffic flow (diagram): traffic originated by a client is sent to its default gateway,
the AX Series ADC; the AX intercepts it, selects a path through one of the PA firewalls (this is where
load balancing happens) and forwards it over that firewall's VLAN (vlan-1 or vlan-2 in the figure) to
the second AX Series ADC and on to the server; the response is sent back over the same firewall path
to the client.
4 Configuration Overview
The configuration for the SSL Intercept solution can be divided into the following portions:
1. Layer 2/3 (L2/L3) and High Availability on the AX Series Load Balancer
2. SSL Intercept configuration on the AX Series Load Balancer
3. FWLB configuration on the AX Series Load Balancer
4. Firewall rules and policy configuration on the PA firewalls
4.1 Access Credentials
The access credentials listed below are the default settings on the AX Series and Palo Alto Networks
appliances. Change them before either appliance is placed into service.
A10 Networks AX Series access defaults:
Note: Both the AX Series and PA Series appliances support a Graphical User Interface (GUI) and a
Command Line Interface (CLI). To access the CLI on either appliance, use an SSH client such as PuTTY.
4.2 AX Series Load Balancer Configuration
The following sections provide more information about the AX configuration items listed above.
4.2.1 Layer 2/3 and High Availability
The solution has a pair of AX Series Load Balancers in the external zone of the firewalls and another pair
in the internal zone of the firewalls. Each pair runs VRRP-A to provide redundancy.
A key requirement of this solution is that each firewall sits in a separate VLAN. The topology shown in
Figure 1 has a Red VLAN and a Green VLAN, with one firewall in each. Each firewall is tied to one
VRRP-A instance on the external load balancer pair and one VRRP-A instance on the internal load
balancer pair. The VRIDs must be unique on either side of the firewall: since the virtual MAC address is
derived from the VRID, and the firewalls are in L2 mode, the same VRID on both sides would put the same
virtual MAC on both sides of the firewall.
Each VRRP-A instance is attached to a single VLAN and tracks the member interface and the upstream
interface that connects to the gateway. This ensures that a failover occurs under any of the following
circumstances:
A cable is disconnected
4.2.2 SSL Intercept
The SSL Intercept configuration is slightly different on the external AX Series Load Balancer compared to
the internal AX Series Load Balancer. Additionally, the configuration is identical on both devices of the
same high availability pair, except for the VRRP-A priority. This guide discusses the configuration of only
one external AX Series Load Balancer and one internal AX Series Load Balancer.
SSL Intercept Configuration on Internal AX Load Balancer
A prerequisite for configuring the SSL Intercept feature is a CA certificate with a known private key. This
CA certificate must be pushed to all client machines on the internal network. If the CA certificate is not
pushed, the internal hosts get an SSL untrusted root error whenever they connect to a site with
SSL enabled.
The following two commands generate a 2048-bit CA private key and a self-signed CA certificate valid for
ten years on a Linux system with the OpenSSL package installed. Once generated, the certificate and key
can be imported onto the AX device using FTP or SCP.
openssl genrsa -out ca.key 2048
openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.crt
Treat ca.key with the same care as the private keys of the sites it can impersonate: whoever holds it can
forge a trusted certificate for any HTTPS site for every client that trusts ca.crt. Keep it off shared
systems, restrict its file permissions, and use a dedicated CA rather than the enterprise root CA.
The root certificate must be imported onto the client machines. This can be done manually, or using an
automated service such as Microsoft Group Policy Manager. Automated login scripts can achieve the
same result for organizations that use Linux or Unix clients.
Note: Further details for Group Policy Manager can be found at: http://technet.microsoft.com/en-us/library/cc772491.aspx
The configuration of SSL Intercept on the internal AX Series Load Balancer has the following key
elements:
The SSL server certificate is captured during the SSL handshake with the real server; all X.509 DN
attributes are duplicated into a dynamically forged certificate, except for the issuer and the public key.
A client-SSL template is used for this. The client-SSL template includes the required command
forward-proxy-enable, along with the local CA certificate and its private key used for
signing the dynamically forged certificates.
The incoming SSL traffic is intercepted and decrypted, and is then forwarded in clear text over HTTP
through the firewall.
Along with the protocol (HTTPS to HTTP), the destination port is changed from 443 to 8080.
The destination IP remains unchanged (the server on the Internet).
The remote VRRP-A floating address of each firewall VLAN is added as an SLB server (slb server)
with port 8080. Each firewall is associated with a single VLAN, so traffic from the internal AX can
traverse either firewall.
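The CA generation above and the certificate forging described in the first two elements are carried out end to end in the following POSIX shell script, added here as an example; it is not code from the A10 guide and does not run on the AX. Using only the openssl CLI (1.1.1 or later), it builds the signing CA with explicit CA:TRUE and keyCertSign extensions, constructs a stand-in for a real site's certificate so the script runs offline (in production the AX captures that certificate from the upstream handshake), forges the leaf a client would be shown, and checks that only the issuer and the public key changed. The directory layout, the Example Corp subject and the verify_forge check are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the A10 guide. Builds the forward-proxy signing
# CA of section 4.2.2 with explicit CA extensions, then does by hand what the
# AX client-SSL template does on an intercepted handshake: copies the upstream
# server certificate's subject and SAN into a new leaf signed by the local CA,
# so only the issuer and the public key change. Needs the openssl CLI (1.1.1+).
# Paths, names and the stand-in "upstream" certificate are constructed here.
set -eu

# Minimal req config so `openssl req` does not depend on a system openssl.cnf.
write_req_cnf() { printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1"; }

# Intercept CA: key readable only by its owner; CA:TRUE with pathlen:0 (signs
# leaves only) and keyCertSign so strict clients accept the forged chain.
make_intercept_ca() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $cn
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  (umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null)
  openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca.key" \
    -config "$dir/ca.cnf" -out "$dir/ca.crt" 2>/dev/null
}

# Stand-in for the real site's certificate (self-signed here; in production the
# AX captures it from the upstream handshake). Only its subject and SAN are read.
make_upstream_cert() {
  dir="$1"
  mkdir -p "$dir"; write_req_cnf "$dir/req.cnf"
  openssl req -new -x509 -sha256 -days 90 -newkey rsa:2048 -nodes \
    -config "$dir/req.cnf" -keyout "$dir/upstream.key" -out "$dir/upstream.crt" \
    -subj "/C=US/O=Example Corp/CN=www.example.com" \
    -addext "subjectAltName=DNS:www.example.com,DNS:example.com" 2>/dev/null
}

# Subject of a certificate as an openssl -subj string ("/C=US/O=.../CN=...").
cert_subj() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline |
    awk 'NR > 1 { sub(/^ +/, ""); sub(/ *= */, "="); printf "/%s", $0 }'
}
# SAN of a certificate as a comma-separated list ("DNS:a,DNS:b").
cert_san() { openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2p' | tr -d ' '; }
# Subject or issuer in RFC 2253 form, without the "subject="/"issuer=" prefix.
cert_name() { openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed 's/^[a-z]*=//'; }

# Forge the leaf the client will be shown: copied subject and SAN, fresh key,
# issuer = intercept CA, short lifetime, server-auth usage only.
forge_leaf() {
  cadir="$1"; upstream="$2"; out="$3"
  mkdir -p "$out"; write_req_cnf "$out/req.cnf"
  {
    printf '[leaf]\nbasicConstraints = critical, CA:FALSE\n'
    printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = %s\n' "$(cert_san "$upstream")"
  } > "$out/ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$out/req.cnf" \
    -subj "$(cert_subj "$upstream")" -keyout "$out/leaf.key" -out "$out/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 7 -in "$out/leaf.csr" -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" \
    -CAcreateserial -extfile "$out/ext.cnf" -extensions leaf -out "$out/leaf.crt" 2>/dev/null
}

# What an inspecting client observes. Prints "ok" when the forged leaf keeps the
# upstream subject and SAN, is issued by the intercept CA, carries a different
# public key, and validates against the intercept CA but not against the real
# site's own certificate; otherwise "bad".
verify_forge() {
  cadir="$1"; upstream="$2"; leaf="$3/leaf.crt"
  [ "$(cert_name "$leaf" -subject)" = "$(cert_name "$upstream" -subject)" ] || { echo bad; return; }
  [ "$(cert_san "$leaf")" = "$(cert_san "$upstream")" ] || { echo bad; return; }
  [ "$(cert_name "$leaf" -issuer)" = "$(cert_name "$cadir/ca.crt" -subject)" ] || { echo bad; return; }
  [ "$(openssl x509 -in "$leaf" -noout -pubkey)" != "$(openssl x509 -in "$upstream" -noout -pubkey)" ] \
    || { echo bad; return; }
  openssl verify -CAfile "$cadir/ca.crt" "$leaf" >/dev/null 2>&1 || { echo bad; return; }
  if openssl verify -CAfile "$upstream" "$leaf" >/dev/null 2>&1; then echo bad; return; fi
  echo ok
}

# Stand-alone demo: sh intercept_ca_demo.sh demo
if [ "${1:-}" = "demo" ]; then
  w=$(mktemp -d)
  make_intercept_ca "$w/ca" "Example Corp SSL Intercept CA"
  make_upstream_cert "$w/up"
  forge_leaf "$w/ca" "$w/up/upstream.crt" "$w/leaf"
  echo "forged leaf check: $(verify_forge "$w/ca" "$w/up/upstream.crt" "$w/leaf")"
  openssl x509 -in "$w/leaf/leaf.crt" -noout -subject -issuer -nameopt RFC2253
fi
```

Run the four functions in order on a scratch directory (the demo branch does this). The last check in verify_forge, that the forged leaf does not validate against the site's own trust anchor, is exactly the property clients give up once the intercept CA is installed: from then on they trust whatever the AX signs, which is why the CA private key must be protected as strictly as the sites it can impersonate, and why the external AX should be given a CA store so that upstream certificate errors are not silently replaced by a locally signed, trusted certificate.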
SSL Intercept Configuration on External AX Load Balancer
Incoming clear-text HTTP traffic on port 8080 is converted back into SSL traffic and sent out on port 443.
A service group is defined with port 443 and bound to the virtual port.
A server-SSL template is defined and applied to the VIP port. The template includes the
command forward-proxy-enable. The next-hop IP address of the default router is defined as
an SLB server. Optionally, a root CA certificate store file may also be applied to the server-SSL
template; it is needed if the AX is to validate the real server's certificate, since without it a site
presenting an untrusted or expired certificate is still re-signed by the local CA and appears trusted
to the client.
Along with the protocol (HTTP to HTTPS), the destination port is changed from 8080 back to 443.
The source MAC of the incoming traffic is preserved so that the response traffic can be sent back to the
same address.
4.2.3 Firewall Load Balancing (FWLB)
The FWLB configuration has many similarities to the SSL Intercept configuration. The primary difference
is that no client-SSL or server-SSL templates are required on the client side or server side, respectively.
Additionally, instead of intercepting traffic on a single port, all TCP and UDP traffic is intercepted.
Just as with SSL Intercept, the configuration on the two devices in each pair is identical, except for the
VRRP-A priorities. This guide discusses the configuration of one external AX and one internal AX.
FWLB Configuration on Internal AX Series Load Balancer
TCP port 0, UDP port 0 and others port 0 are defined on the wildcard VIP; the commands port 0 tcp
and port 0 udp achieve this.
The command slb server is used to define the next-hop gateways. These are the VRRP-A floating
addresses on the remote side, one VRRP-A address per VLAN.
Once traffic is intercepted, it is routed to one of the firewalls based on the configured load-balancing
algorithm (in this case, round-robin). Destination NAT is disabled for this traffic, so the original
destination IP address and port are preserved.
FWLB Configuration on External AX Series Load Balancer
TCP port 0, UDP port 0 and others port 0 are defined on the wildcard VIP.
The command slb server is used to define the next-hop gateway. The default router address
is the next hop in this case.
The port 0 wildcard ports carry no SSL templates. The port 443 virtual port configured for SSL
Intercept on the same wildcard VIP keeps its server-SSL template with forward-proxy-enable and its
port 443 service group, so that HTTP arriving on port 8080 is still converted to HTTPS on port 443
while all other TCP and UDP traffic is passed through unchanged.
The source MAC address of the incoming traffic is preserved so that the response traffic can be sent
back to the same address.
4.3 Palo Alto Networks Firewall Configuration
The firewall should be configured according to the institutional security policy. The key
requirements for this solution to work are:
ARP must be passed through the firewalls so that the VRRP-A floating addresses on the internal and
external AX Series Load Balancers can resolve each other.
Health-check packets must be allowed from the internal AX Series Load Balancers to the VRRP-A
addresses on the external AX Series Load Balancers, since those addresses are configured as SLB
servers (with the port-level checks disabled, the default ICMP server health check still runs).
5 SSL Intercept Configuration on the AX Series Load Balancer
This section provides detailed steps for configuring the AX Series Load Balancer for SSL Intercept.
5.1 Layer 2/3 and High Availability Configuration
Configure the following VLANs, each with a Virtual Ethernet (VE) interface (the IP address assigned to
the VLAN's router interface):
VLAN-10: This is the uplink to the internal network. Add router-interface ve 10 along with the
Ethernet interface.
VLAN-15: This is the path to the external AX Series Load Balancers through firewall-1. Add
router-interface ve 15 along with the Ethernet interface.
VLAN-16: This is the path to the external AX Series Load Balancers through firewall-2. Add
router-interface ve 16 along with the Ethernet interface.
VLAN-99: This is the VLAN for VRRP-A sync messages. Add router-interface ve 99 along with the
Ethernet interface.
Figure 4. VLAN configuration
The VLAN configuration should be similar to the following after all four VLANs have been added.
Figure 5. VLAN settings
Figure 6.
VRID-Default: This VRID will be used for the enterprise switch, floating IP 203.0.113.1.
VRID-15: This VRID will be used for the path through firewall-1 on VLAN-15, floating IP 198.51.100.1
(see Appendix A).
VRID-16: This VRID will be used for the path through firewall-2 on VLAN-16, floating IP 192.0.2.1
(see Appendix A).
Repeat on the external AX Series Load Balancer pair. Make sure to use unique IP addresses.
Using the GUI:
1. Navigate to Config Mode > VRRP-A > Setting > VRRP-A Global.
2. Select the Device ID. Each device in the VRRP-A set must have a unique VRRP-A device ID.
3. In the Set ID field, enter 1.
Figure 7.
Click Add.
Figure 8.
Click Add.
Figure 9.
d. Click OK.
Figure 10.
7. Repeat the steps above on the external AX Series Load Balancer pair. Make sure to use unique
IP addresses.
5.2 SSL Intercept Configuration
5.2.1 Internal AX Series Load Balancer
Use the following steps to configure SSL Intercept parameters on the internal AX Series Load Balancer.
Configure Servers for VLAN-15 and VLAN-16
These steps configure a remote server with port 8080, using the VRRP-A floating address of the first
firewall VLAN. Then a second server is configured with the VRRP-A floating address of the second VLAN.
The no health-check command disables only the port-level TCP 8080 check; the default server-level
ICMP health check still probes each address, which is why the firewalls must pass it (see 4.3).
Using the CLI:
AX(config)#slb server FW1_Path 198.51.100.11
AX(config-real server)#port 8080 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server FW2_Path 192.0.2.11
AX(config-real server)#port 8080 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
Name: FW1_Path
IP Address: 198.51.100.11
Port: "8080"
Protocol: "TCP"
Click Add.
5. Click OK.
6. Repeat for the second VLAN, using a unique IP address.
Figure 11.
Figure 12.
Create a Service Group for the Firewall Paths
These steps create a TCP service group containing both firewall-path servers on port 8080, the port
defined on the servers above.
Name: "SSLfp"
Type: "TCP"
4. Click on Server.
5. Select the Server, "FW1_Path", from the drop-down list.
6. Select the Port, "8080".
7. Click Add.
8. Repeat for the second server, "FW2_Path".
9. Click OK.
Figure 13.
Figure 14.
Servers (internal)
Configure an ACL to intercept incoming traffic on VLAN-10 for the wildcard VIP
These steps configure an extended ACL that matches traffic arriving on VLAN-10 (the client side). The
ACL is used as part of the wildcard VIP configuration below. The CLI equivalent,
access-list 100 permit ip any any vlan 10, appears in Appendix A.
ID: "100"
Action: "Permit"
Protocol: "IP"
4. Click OK.
Figure 15.
Figure 16.
Configure the wildcard VIP for SSL Intercept
Name: outbound_wildcard
Type: "HTTPS"
Port: "443"
Direct Server Return: Select Enabled (no destination NAT, so the destination IP address is preserved),
and select the Port Translation checkbox so the destination port is translated from 443 to 8080.
Bind the client-SSL template (forward-proxy-enable with the CA certificate and key) to this port.
Figure 17.
Figure 18.
5.2.2 External AX Series Load Balancer
Use the following steps to configure SSL Intercept parameters in the external AX Series Load Balancer.
Create an SLB Server Configuration for the Default Gateway
These steps create a server configuration for the default gateway, for HTTPS traffic (port 443).
Using the CLI:
AX(config)#slb server server-gateway 192.0.2.253
AX(config-real server)#port 443 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
Name: server-gateway
IP Address: 192.0.2.253
Protocol: "TCP"
Click Add.
5. Click OK.
Figure 19.
Figure 20.
Name: "SG_443"
Type: "TCP"
4. Click on Server.
5. Select the Server, "server-gateway", from the drop-down list.
6. Select the Port, " 443".
7. Click Add.
8. Click OK.
Figure 21.
Figure 22.
Servers (external)
Configure an ACL to intercept incoming traffic on VLAN-15 and VLAN-16 for the wildcard VIP
These steps configure an extended ACL to intercept traffic on VLAN-15 and VLAN-16. This ACL will be
used as part of the wildcard VIP configuration, below.
Using the CLI:
AX(config)#access-list 100 permit ip any any vlan 15
AX(config)#access-list 100 permit ip any any vlan 16
ID: "100"
Action: "Permit"
Protocol: "IP"
4. Click OK.
5. Repeat to create a similar ACL rule for VLAN-16.
Figure 23.
Figure 24.
Configure the wildcard VIP for SSL Intercept
Name: outbound_wildcard
Type: "HTTP"
Port: "8080" (the virtual port receives the clear-text HTTP traffic on port 8080 that the internal AX
sends; see 4.2.2)
Direct Server Return: Select Enabled (no destination NAT), and select the Port Translation checkbox so
the destination port is translated from 8080 back to 443 on the SG_443 service group. Bind the
server-SSL template with forward-proxy-enable to this port.
Figure 25.
Figure 26.
5.3 FWLB Configuration
FWLB configuration is very similar to SSL Intercept configuration, with the following difference: FWLB
intercepts traffic on TCP port 0 and UDP port 0 (all ports) and sends the traffic out on the same ports to
the remote hosts, without SSL templates.
The same ACLs and wildcard VIPs used for SSL Intercept can be reused for FWLB.
Note: For brevity, only the CLI commands are shown in this section.
5.3.1 Internal AX Series Load Balancer
The steps in this section configure FWLB parameters on the internal AX Series Load Balancer.
Add TCP Port 0 and UDP Port 0 to the Firewall Paths
AX(config)#slb server FW1_Path 198.51.100.11
AX(config-real server)#port 0 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#port 0 udp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server FW2_Path 192.0.2.11
AX(config-real server)#port 0 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#port 0 udp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
Add UDP Port 0, TCP Port 0 and Others Port 0 to the Wildcard VIP
These commands add the service groups to the TCP, UDP and others wildcard ports. The no-dest-nat
command preserves the destination IP address and port; port translation applies only to the port 443
SSL Intercept virtual port, where the destination port changes from 443 to 8080.
Where response traffic must return along the path on which the request arrived, use-rcv-hop-for-resp
is also added to the virtual port (shown in the external configuration in 5.3.2). The others wildcard
port accepts an already defined TCP or UDP service group; in this example, the TCP service group is used.
AX(config)#slb virtual-server outbound_wildcard 0.0.0.0 acl 100
AX(config-slb vserver)#port 0 tcp
AX(config-slb vserver-vport)#name internal1_in_to_out
AX(config-slb vserver-vport)#service-group LB_Paths_TCP
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#port 0 udp
AX(config-slb vserver-vport)#name internal1_in_to_out_UDP
AX(config-slb vserver-vport)#service-group LB_Paths_UDP
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#port 0 others
AX(config-slb vserver-vport)#name internal1_in_to_out_Others
AX(config-slb vserver-vport)#service-group LB_Paths_TCP
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#exit
5.3.2 External AX Series Load Balancer
The steps in this section configure FWLB parameters on the external AX Series Load Balancer.
Add TCP Port 0 and UDP Port 0 to the Gateway Path
AX(config)#slb server server-gateway 192.0.2.253
AX(config-real server)#port 0 udp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#port 0 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
Add the TCP and UDP Gateway Paths to the Service Groups
AX(config)#slb service-group SG_TCP tcp
AX(config-slb svc group)#member server-gateway:0
AX(config-slb svc group)#exit
AX(config)#slb service-group SG_UDP udp
AX(config-slb svc group)#member server-gateway:0
AX(config-slb svc group)#exit
Add UDP Port 0, TCP Port 0 and Others Port 0 to the Wildcard VIP
These commands add the service groups to the TCP, UDP and others wildcard ports. The no-dest-nat
command preserves the destination IP address and port.
The command use-rcv-hop-for-resp is used so that response traffic goes back through the same path
(the same firewall) through which the request traffic arrived.
AX(config)#slb virtual-server external_in_to_out 0.0.0.0 acl 100
AX(config-slb vserver)#port 0 tcp
AX(config-slb vserver-vport)#name _wildcard_v4_TCP_65535
AX(config-slb vserver-vport)#service-group SG_TCP
AX(config-slb vserver-vport)#use-rcv-hop-for-resp
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#port 0 udp
AX(config-slb vserver-vport)#name _wildcard_v4_UDP_65535
AX(config-slb vserver-vport)#service-group SG_UDP
AX(config-slb vserver-vport)#use-rcv-hop-for-resp
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#port 0 others
AX(config-slb vserver-vport)#service-group SG_TCP
AX(config-slb vserver-vport)#use-rcv-hop-for-resp
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#exit
6 Palo Alto Networks Firewall Configuration
This section provides detailed steps for configuring the Palo Alto Networks firewall for SSL Intercept.
6.1 Zone Configuration
Figure 27. Trusted and untrusted zone requirements for the Palo Alto Networks appliance
Note: The "Trusted" network segment is located in the internal section of the network topology. The
"Untrusted" network segment of the topology is in the external section of the network topology. (See
Figure 1.)
A vsys is equivalent to an AX Series Application Delivery Partition (ADP). On the Palo Alto Networks
Appliance, partitions such as vsys1 or vsys2 from the example above can be created dynamically.
6.2
6.3 Policy Configuration
Security policy rules are defined with the following tabs: General, Source, User, Destination,
Application, Service/URL Category, Actions.
Note: Every network will have its own policy so the configuration within the Palo Alto Networks appliance
will be used as a reference configuration.
Summary
The sections above show how to deploy the AX device with the Palo Alto Networks device for SSL
Intercept. By using the AX device for SSL Intercept, the following key advantages are achieved:
SSL traffic inspection: AX Series ADC/Load Balancer decrypts incoming packets before they pass to
the firewall, then re-encrypts them before sending them to the destination/target server.
Real-time traffic validation, dynamic traffic flow regulation and enhanced security checks.
Seamless distribution of client traffic across multiple firewalls for site scalability.
http://www.a10networks.com/products/axseries.php
http://www.a10networks.com/resources/solutionsheets.php
http://www.a10networks.com/resources/casestudies.php
Appendix A. Internal AX Series Load Balancer Configuration
Internal - Primary
!
VRRP-A device-id 1
VRRP-A set-id 1
hostname 3000-11.80
!
vlan 10
untagged ethernet 20
router-interface ve 10
!
vlan 15
untagged ethernet 1
router-interface ve 15
!
vlan 16
untagged ethernet 2
router-interface ve 16
!
vlan 99
tagged ethernet 18
router-interface ve 99
!
access-list 100 permit ip any any vlan 10
!
interface management
ip address 192.168.223.80 255.255.255.192
ip default-gateway 192.168.223.65
!
interface ve 10
ip address 203.0.113.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 198.51.100.2 255.255.255.0
!
interface ve 16
ip address 192.0.2.2 255.255.255.0
!
interface ve 99
ip address 55.1.1.1 255.255.255.0
!
ip route 192.0.2.0 /24 198.51.100.11
!
VRRP-A enable
VRRP-A vrid default
floating-ip 203.0.113.1
priority 200
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A vrid 15
floating-ip 198.51.100.1
priority 200
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A vrid 16
floating-ip 192.0.2.1
priority 200
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A interface ethernet 18 vlan 99
!
tftp blksize 32768
!
slb server FW1_Path 198.51.100.11
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb server FW2_Path 192.0.2.11
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb service-group LB_Paths_UDP udp
member FW1_Path:0
member FW2_Path:0
!
slb service-group LB_Paths_TCP tcp
member FW1_Path:0
member FW2_Path:0
!
Internal - Standby
!
VRRP-A device-id 2
VRRP-A set-id 1
hostname 3000-11.81
!
vlan 10
untagged ethernet 20
router-interface ve 10
!
vlan 15
untagged ethernet 1
router-interface ve 15
!
vlan 16
untagged ethernet 2
router-interface ve 16
!
vlan 99
tagged ethernet 18
router-interface ve 99
!
access-list 100 permit ip any any vlan 10
!
interface management
ip address 192.168.223.81 255.255.255.192
ip default-gateway 192.168.223.65
!
interface ve 10
ip address 203.0.113.3 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 198.51.100.3 255.255.255.0
!
interface ve 16
ip address 192.0.2.3 255.255.255.0
!
interface ve 99
ip address 55.1.1.2 255.255.255.0
!
ip route 192.0.2.0 /24 198.51.100.11
!
VRRP-A enable
VRRP-A vrid default
floating-ip 203.0.113.1
priority 180
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A vrid 15
floating-ip 198.51.100.1
priority 180
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A vrid 16
floating-ip 192.0.2.1
priority 180
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A interface ethernet 18 vlan 99
!
tftp blksize 32768
!
slb server FW1_Path 198.51.100.11
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb server FW2_Path 192.0.2.11
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb service-group LB_Paths_UDP udp
member FW1_Path:0
member FW2_Path:0
!
slb service-group LB_Paths_TCP tcp
member FW1_Path:0
member FW2_Path:0
!
Appendix B. SSL Intercept Handshake Flow
Figure: message sequence between the Clients, the internal AX, the Firewall, the external AX and the
Server (the client side and the server side are encrypted zones; traffic between the two AX devices is
clear text):
1. Client to internal AX: SYN, SYN/ACK, ACK, Client-Hello.
2. Internal AX through the firewall and external AX to the server: SYN, SYN/ACK, ACK, Client-Hello;
Server-Hello (server certificate, public key signed by a well-known CA); SSL handshake messages +
Finished; RST. This exchange is what captures the server certificate.
3. Internal AX to client: Server-Hello (server certificate with the local public key, signed by the local
CA); SSL handshake messages + Finished.
4. Client to internal AX: encrypted application data (3), forwarded through the firewall as clear text
application data (4).
5. External AX to server (SSL reverse proxy: new SSL session initiated with the remote server): SYN,
SYN/ACK, ACK, Client-Hello, SSL handshake messages + Finished; the data is encrypted and sent to the
remote server (5).
6. Server to external AX: encrypted application response; clear text application response through the
firewall; encrypted application response from the internal AX to the client.
Appendix C. Alternative Topology with Firewall / IPS Devices
Figure (diagram; labels recovered): two Firewall / IPS devices, the VRID-5 (Green) path and the VRID-6
(Red) path, between the internal AX Series ADC pair (203.0.113.1/.2/.3 toward the Clients; 198.51.100.2/.3
and 192.0.2.2/.3 toward the firewalls, floating 198.51.100.1 and 192.0.2.1) and the external AX Series
ADC pair (198.51.100.11/.13 and 192.0.3.11/.12/.13, floating 192.0.3.1); firewall interfaces eth1 to eth8.
Appendix D. DMZ Design
A DMZ can be added to the main design. The basic concepts are the same, except that a new wildcard
VIP is configured on the external and internal AX Series Load Balancers. This new wildcard VIP
intercepts incoming traffic from the external network and sends it either to the DMZ or to the internal
network.
The configuration on the DMZ AX Series Load Balancers generally will be similar to what was configured
on the external AX Series Load Balancers. In essence, there will be one wildcard VIP listening for traffic
entering from the firewalls on both VLANs with the required command use-rcv-hop-for-resp. An
additional wildcard VIP, optionally, can be configured to intercept traffic moving from the DMZ to either
the external or internal networks.
Attention should be paid to the ACL definitions, as traffic now must be classified based on the destination.
In particular, the ACL on the internal AX Series Load Balancer is modified and the AX device chooses the
appropriate next-hop address.
Firewall policies should be updated in accordance with enterprise security policies.
Figure: DMZ design topology (diagram; labels recovered): Clients; internal AX Series ADC pair (vlan-10
vrid-default, 203.0.113.1/.2/.3; vlan-15 vrid-15, 198.51.100.1/.2/.3; vlan-16 vrid-16, 192.0.2.1/.2/.3;
vlan-99 VRRP-A sync on eth18); firewalls on vlan-15 (vrid-5) and vlan-16 (vrid-6, VRID-6 (Red)); DMZ AX
Series ADC pair (vlan-15 vrid-25, vlan-16 vrid-26; 198.51.100.21/.22/.23, 192.0.3.21/.22/.23) and DMZ
Server; external AX Series ADC pair (vlan-20 vrid-default toward the Outside (Untrust) Zone;
198.51.100.11/.13, 192.0.3.1/.2/.11/.12/.13; gateway 192.0.2.253); Remote Server.
Internal - Primary
Internal - Standby
!
VRRP-A device-id 1
VRRP-A set-id 1
hostname 3000-11.80
!
clock timezone America/New_York
!
vlan 10
untagged ethernet 20
router-interface ve 10
!
vlan 15
untagged ethernet 1
router-interface ve 15
!
vlan 16
untagged ethernet 2
router-interface ve 16
!
vlan 99
tagged ethernet 18
router-interface ve 99
!
access-list 100 deny ip any 15.1.0.0 0.0.255.255 vlan 10
access-list 100 permit ip any any vlan 10
access-list 105 permit ip any 15.1.0.0 0.0.255.255 vlan 10
access-list 106 permit ip any any vlan 15
access-list 106 permit ip any any vlan 16
!
interface management
ip address 192.168.223.80 255.255.255.192
ip default-gateway 192.168.223.65
!
!
!
interface ve 10
ip address 203.0.113.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 198.51.100.2 255.255.255.0
!
interface ve 16
ip address 192.0.2.2 255.255.255.0
!
interface ve 99
ip address 55.1.1.1 255.255.255.0
!
ip route 192.0.2.0 /24 198.51.100.11
ip route 15.1.0.0 /16 198.51.100.21
!
!
VRRP-A enable
VRRP-A vrid default
floating-ip 203.0.113.1
priority 200
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A vrid 15
!
VRRP-A device-id 2
VRRP-A set-id 1
hostname 3000-11.81
!
clock timezone America/New_York
!
vlan 10
untagged ethernet 20
router-interface ve 10
!
vlan 15
untagged ethernet 1
router-interface ve 15
!
vlan 16
untagged ethernet 2
router-interface ve 16
!
vlan 99
tagged ethernet 18
router-interface ve 99
!
access-list 100 deny ip any 15.1.0.0 0.0.255.255 vlan 10
access-list 100 permit ip any any vlan 10
access-list 105 permit ip any 15.1.0.0 0.0.255.255 vlan 10
access-list 106 permit ip any any vlan 15
access-list 106 permit ip any any vlan 16
!
interface management
ip address 192.168.223.81 255.255.255.192
ip default-gateway 192.168.223.65
!
!
!
interface ve 10
ip address 203.0.113.3 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 198.51.100.3 255.255.255.0
!
interface ve 16
ip address 192.0.2.3 255.255.255.0
!
interface ve 99
ip address 55.1.1.2 255.255.255.0
!
ip route 192.0.2.0 /24 198.51.100.11
ip route 15.1.0.0 /16 198.51.100.21
!
!
VRRP-A enable
VRRP-A vrid default
floating-ip 203.0.113.1
priority 180
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A vrid 15
floating-ip 198.51.100.1
priority 180
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A vrid 16
floating-ip 192.0.2.1
priority 180
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A interface ethernet 18 vlan 99
!
!
slb server FW1_Path 198.51.100.11
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb server FW2_Path 192.0.2.11
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb server FW1_Path_ToDMZ 198.51.100.21
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb server FW2_Path_ToDMZ 192.0.2.21
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb server internal_GW 203.0.113.253
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb service-group LB_Paths_UDP udp
member FW1_Path:0
member FW2_Path:0
!
Internal - Primary (continued from the previous page)
floating-ip 198.51.100.1
priority 200
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A vrid 16
floating-ip 192.0.2.1
priority 200
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A interface ethernet 18 vlan 99
!
!
slb server FW1_Path 198.51.100.11
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb server FW2_Path 192.0.2.11
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb server FW1_Path_ToDMZ 198.51.100.21
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb server FW2_Path_ToDMZ 192.0.2.21
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb server internal_GW 203.0.113.253
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
!
slb service-group LB_Paths_UDP udp
member FW1_Path:0
member FW2_Path:0
!
External - Primary
!
VRRP-A device-id 3
VRRP-A set-id 2
hostname 3000-11.78
!
clock timezone America/Los_Angeles
!
vlan 15
untagged ethernet 1
router-interface ve 15
!
vlan 16
untagged ethernet 2
router-interface ve 16
!
vlan 20
untagged ethernet 20
router-interface ve 20
!
vlan 99
tagged ethernet 18
router-interface ve 99
!
access-list 100 deny ip any 198.51.100.0 /24
access-list 100 deny ip any 192.0.2.0 /24
access-list 100 permit ip any any vlan 15
access-list 100 permit ip any any vlan 16
access-list 105 permit ip any 15.1.0.0 0.0.255.255 vlan 20
access-list 106 deny ip any 15.1.0.0 0.0.255.255 vlan 20
access-list 106 permit ip any any vlan 20
!
interface management
ip address 192.168.223.78 255.255.255.192
ip default-gateway 192.168.223.65
!
!
interface ve 15
ip address 198.51.100.12 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 16
ip address 192.0.2.12 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 20
ip address 192.0.2.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 99
ip address 99.1.1.1 255.255.255.0
!
ip route 203.0.113.0 /24 198.51.100.1
ip route 15.1.0.0 /16 198.51.100.21
!
!
VRRP-A enable
VRRP-A vrid default
floating-ip 192.0.2.1
priority 200
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A vrid 5
floating-ip 198.51.100.11
priority 200
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A vrid 6
floating-ip 192.0.2.11
priority 200
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A interface ethernet 18 vlan 99
!
slb template server-ssl external-intercept
forward-proxy-enable
!
!
slb server server-gateway 192.0.2.253
port 0 udp
no health-check
port 0 tcp
no health-check
port 443 tcp
no health-check
!
slb server FW1_Path_Tointernal 198.51.100.1
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb server FW2_Path_Tointernal 192.0.2.1
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb server FW1_Path_ToDMZ 198.51.100.21
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb server FW2_Path_ToDMZ 192.0.2.21
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb service-group SG_TCP tcp
member server-gateway:0
!
slb service-group SG_UDP udp
member server-gateway:0
!
slb service-group SG_443 tcp
member server-gateway:443
!
slb service-group LB_Paths_Tointernal_UDP udp
member FW1_Path_Tointernal:0
member FW2_Path_Tointernal:0
!
slb service-group LB_Paths_Tointernal_TCP tcp
member FW1_Path_Tointernal:0
member FW2_Path_Tointernal:0
!
slb service-group LB_Paths_ToDMZ_UDP udp
member FW1_Path_ToDMZ:0
member FW2_Path_ToDMZ:0
!
slb service-group LB_Paths_ToDMZ_TCP tcp
member FW1_Path_ToDMZ:0
member FW2_Path_ToDMZ:0
!
!
slb virtual-server external_in_to_out 0.0.0.0 acl 100
port 0 tcp
name _wildcard_v4_TCP_65535
service-group SG_TCP
use-rcv-hop-for-resp
no-dest-nat
port 0 udp
name _wildcard_v4_UDP_65535
service-group SG_UDP
use-rcv-hop-for-resp
no-dest-nat
port 0 others
name _wildcard_v4_UDP_65535
service-group SG_UDP
use-rcv-hop-for-resp
no-dest-nat
port 8080 http
name ReverseProxy_Wildcard
service-group SG_443
use-rcv-hop-for-resp
template server-ssl external-intercept
no-dest-nat port-translation
!
slb virtual-server Inbound_ToDMZ_Wildcard 0.0.0.0 acl 105
port 0 tcp
name _wildcard_v4_106_TCP_0
service-group LB_Paths_ToDMZ_TCP
no-dest-nat
port 0 udp
name _wildcard_v4_106_UDP_0
service-group LB_Paths_ToDMZ_UDP
no-dest-nat
!
slb virtual-server Inbound_Tointernal_Wildcard 0.0.0.0 acl 106
port 0 tcp
name external1_out_to_in
service-group LB_Paths_Tointernal_TCP
no-dest-nat
port 0 udp
name internal1_out_to_in
service-group LB_Paths_Tointernal_UDP
no-dest-nat
!
end
External - Standby
!
VRRP-A device-id 4
VRRP-A set-id 2
hostname 3000-11.79
!
clock timezone America/Los_Angeles
!
vlan 15
untagged ethernet 1
router-interface ve 15
!
vlan 16
untagged ethernet 2
router-interface ve 16
!
vlan 20
untagged ethernet 20
router-interface ve 20
!
vlan 99
tagged ethernet 18
router-interface ve 99
!
access-list 100 deny ip any 198.51.100.0 /24
access-list 100 deny ip any 192.0.2.0 /24
access-list 100 permit ip any any vlan 15
access-list 100 permit ip any any vlan 16
access-list 105 permit ip any 15.1.0.0 0.0.255.255 vlan 20
access-list 106 deny ip any 15.1.0.0 0.0.255.255 vlan 20
access-list 106 permit ip any any vlan 20
!
interface management
ip address 192.168.223.79 255.255.255.192
ip default-gateway 192.168.223.65
!
interface ve 15
ip address 198.51.100.13 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 16
ip address 192.0.2.13 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 20
ip address 192.0.2.3 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 99
ip address 99.1.1.2 255.255.255.0
!
ip route 203.0.113.0 /24 198.51.100.1
ip route 15.1.0.0 /16 198.51.100.21
!
!
VRRP-A enable
VRRP-A vrid default
floating-ip 192.0.2.1
priority 180
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A vrid 5
floating-ip 198.51.100.11
priority 180
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A vrid 6
floating-ip 192.0.2.11
priority 180
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 20 priority-cost 60
!
VRRP-A interface ethernet 18 vlan 99
!
slb template server-ssl external-intercept
forward-proxy-enable
!
!
slb server server-gateway 192.0.2.253
port 0 udp
no health-check
port 0 tcp
no health-check
port 443 tcp
no health-check
!
slb server FW1_Path_Tointernal 198.51.100.1
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb server FW2_Path_Tointernal 192.0.2.1
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb server FW1_Path_ToDMZ 198.51.100.21
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb server FW2_Path_ToDMZ 192.0.2.21
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb service-group SG_TCP tcp
member server-gateway:0
!
slb service-group SG_UDP udp
member server-gateway:0
!
slb service-group SG_443 tcp
member server-gateway:443
!
slb service-group LB_Paths_Tointernal_UDP udp
member FW1_Path_Tointernal:0
member FW2_Path_Tointernal:0
!
slb service-group LB_Paths_Tointernal_TCP tcp
member FW1_Path_Tointernal:0
member FW2_Path_Tointernal:0
!
slb service-group LB_Paths_ToDMZ_UDP udp
member FW1_Path_ToDMZ:0
member FW2_Path_ToDMZ:0
!
slb service-group LB_Paths_ToDMZ_TCP tcp
member FW1_Path_ToDMZ:0
member FW2_Path_ToDMZ:0
!
!
slb virtual-server external_in_to_out 0.0.0.0 acl 100
port 0 tcp
name _wildcard_v4_TCP_65535
service-group SG_TCP
use-rcv-hop-for-resp
no-dest-nat
port 0 udp
name _wildcard_v4_UDP_65535
service-group SG_UDP
use-rcv-hop-for-resp
no-dest-nat
port 0 others
name _wildcard_v4_UDP_65535
service-group SG_UDP
use-rcv-hop-for-resp
no-dest-nat
port 8080 http
name ReverseProxy_Wildcard
service-group SG_443
use-rcv-hop-for-resp
template server-ssl external-intercept
no-dest-nat port-translation
!
slb virtual-server Inbound_Tointernal_Wildcard 0.0.0.0 acl 106
port 0 tcp
name external1_out_to_in
service-group LB_Paths_Tointernal_TCP
no-dest-nat
port 0 udp
name internal1_out_to_in
service-group LB_Paths_Tointernal_UDP
no-dest-nat
!
slb virtual-server Inbound_ToDMZ_Wildcard 0.0.0.0 acl 105
port 0 tcp
name _wildcard_v4_106_TCP_0
service-group LB_Paths_ToDMZ_TCP
no-dest-nat
port 0 udp
name _wildcard_v4_106_UDP_0
service-group LB_Paths_ToDMZ_UDP
no-dest-nat
!
end
DMZ - Primary
!
VRRP-A device-id 5
VRRP-A set-id 3
hostname 3000-11.88
!
clock timezone Europe/Dublin
!
vlan 15
untagged ethernet 1
router-interface ve 15
!
vlan 16
untagged ethernet 2
router-interface ve 16
!
vlan 20
untagged ethernet 3 ethernet 7
router-interface ve 20
!
vlan 99
untagged ethernet 8
router-interface ve 99
!
access-list 100 deny ip any 198.51.100.0 /24
access-list 100 deny ip any 192.0.2.0 /24
access-list 100 permit ip any any vlan 15
access-list 100 permit ip any any vlan 16
access-list 105 permit ip any 10.1.0.0 0.0.255.255 vlan 20
access-list 106 deny ip any 10.1.0.0 0.0.255.255 vlan 20
access-list 106 permit ip any any vlan 20
!
!
interface management
ip address 192.168.223.88 255.255.255.0
ip default-gateway 192.168.223.1
!
!
interface ve 15
ip address 198.51.100.22 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 16
ip address 192.0.2.22 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 20
ip address 15.1.250.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 99
ip address 99.1.1.1 255.255.255.0
!
ip route 192.0.2.0 /24 198.51.100.11
ip route 203.0.113.0 /24 198.51.100.1
!
!
VRRP-A enable
VRRP-A vrid default
floating-ip 15.1.250.21
priority 200
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 3 priority-cost 60
!
VRRP-A vrid 25
floating-ip 198.51.100.21
priority 200
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 3 priority-cost 60
!
VRRP-A vrid 26
floating-ip 192.0.2.21
priority 200
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 3 priority-cost 60
!
VRRP-A interface ethernet 8 vlan 99
!
!
slb server DMZ-gateway 15.1.250.10
port 0 udp
no health-check
port 0 tcp
no health-check
!
slb server FW1_Path_Tointernal 198.51.100.1
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb server FW2_Path_Tointernal 192.0.2.1
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb server FW1_Path_Toexternal 198.51.100.11
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb server FW2_Path_Toexternal 192.0.2.11
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb service-group DMZ_SG_TCP tcp
member DMZ-gateway:0
!
slb service-group DMZ_SG_UDP udp
member DMZ-gateway:0
!
slb service-group LB_Paths_Tointernal_UDP udp
member FW1_Path_Tointernal:0
member FW2_Path_Tointernal:0
!
slb service-group LB_Paths_Tointernal_TCP tcp
member FW1_Path_Tointernal:0
member FW2_Path_Tointernal:0
!
slb service-group LB_Paths_Toexternal_UDP udp
member FW1_Path_Toexternal:0
member FW2_Path_Toexternal:0
!
slb service-group LB_Paths_Toexternal_TCP tcp
member FW1_Path_Toexternal:0
member FW2_Path_Toexternal:0
!
!
slb virtual-server Inbound_ToDMZ 0.0.0.0 acl 100
port 0 tcp
name DMZ_Wildcard_TCP
service-group DMZ_SG_TCP
use-rcv-hop-for-resp
no-dest-nat
port 0 udp
name DMZ_Wildcard_UDP
service-group DMZ_SG_UDP
use-rcv-hop-for-resp
no-dest-nat
!
slb virtual-server DMZ_To_internal 0.0.0.0 acl 105
port 0 tcp
name Inbound
service-group LB_Paths_Tointernal_TCP
no-dest-nat
port 0 udp
name internal1_out_to_in
service-group LB_Paths_Tointernal_UDP
no-dest-nat
!
slb virtual-server DMZ_To_external 0.0.0.0 acl 106
port 0 tcp
name _wildcard_v4_106_TCP_0
service-group LB_Paths_Toexternal_TCP
no-dest-nat
port 0 udp
name _wildcard_v4_106_UDP_0
service-group LB_Paths_Toexternal_UDP
no-dest-nat
!
end
DMZ - Standby
!
VRRP-A device-id 6
VRRP-A set-id 3
hostname 3000-11.89
!
clock timezone Europe/Dublin
!
vlan 15
untagged ethernet 1
router-interface ve 15
!
vlan 16
untagged ethernet 2
router-interface ve 16
!
vlan 20
untagged ethernet 3 ethernet 7
router-interface ve 20
!
vlan 99
untagged ethernet 8
router-interface ve 99
!
access-list 100 deny ip any 198.51.100.0 /24
access-list 100 deny ip any 192.0.2.0 /24
access-list 100 permit ip any any vlan 15
access-list 100 permit ip any any vlan 16
access-list 105 permit ip any 10.1.0.0 0.0.255.255 vlan 20
access-list 106 deny ip any 10.1.0.0 0.0.255.255 vlan 20
access-list 106 permit ip any any vlan 20
!
interface management
ip address 192.168.223.89 255.255.255.0
ip default-gateway 192.168.223.1
!
!
interface ve 15
ip address 198.51.100.23 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 16
ip address 192.0.2.23 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 20
ip address 15.1.250.3 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 99
ip address 9.1.1.2 255.255.255.0
!
ip route 192.0.2.0 /24 198.51.100.11
ip route 203.0.113.0 /24 198.51.100.1
!
!
VRRP-A enable
VRRP-A vrid default
floating-ip 15.1.250.21
priority 180
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 3 priority-cost 60
!
VRRP-A vrid 25
floating-ip 198.51.100.21
priority 180
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 3 priority-cost 60
!
VRRP-A vrid 26
floating-ip 192.0.2.21
priority 180
tracking-options
interface ethernet 1 priority-cost 60
interface ethernet 2 priority-cost 60
interface ethernet 3 priority-cost 60
!
VRRP-A interface ethernet 8 vlan 99
!
!
slb server DMZ-gateway 15.1.250.10
port 0 udp
no health-check
port 0 tcp
no health-check
!
slb server FW1_Path_Tointernal 198.51.100.1
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb server FW2_Path_Tointernal 192.0.2.1
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb server FW1_Path_Toexternal 198.51.100.11
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb server FW2_Path_Toexternal 192.0.2.11
port 0 tcp
no health-check
port 0 udp
no health-check
!
slb service-group DMZ_SG_TCP tcp
member DMZ-gateway:0
!
slb service-group DMZ_SG_UDP udp
member DMZ-gateway:0
!
slb service-group LB_Paths_Tointernal_UDP udp
member FW1_Path_Tointernal:0
member FW2_Path_Tointernal:0
!
slb service-group LB_Paths_Tointernal_TCP tcp
member FW1_Path_Tointernal:0
member FW2_Path_Tointernal:0
!
slb service-group LB_Paths_Toexternal_UDP udp
member FW1_Path_Toexternal:0
member FW2_Path_Toexternal:0
!
slb service-group LB_Paths_Toexternal_TCP tcp
member FW1_Path_Toexternal:0
member FW2_Path_Toexternal:0
!
!
slb virtual-server Inbound_ToDMZ 0.0.0.0 acl 100
port 0 tcp
name DMZ_Wildcard_TCP
service-group DMZ_SG_TCP
use-rcv-hop-for-resp
no-dest-nat
port 0 udp
name DMZ_Wildcard_UDP
service-group DMZ_SG_UDP
use-rcv-hop-for-resp
no-dest-nat
!
slb virtual-server DMZ_To_internal 0.0.0.0 acl 105
port 0 tcp
name Inbound
service-group LB_Paths_Tointernal_TCP
no-dest-nat
port 0 udp
name internal1_out_to_in
service-group LB_Paths_Tointernal_UDP
no-dest-nat
!
slb virtual-server DMZ_To_external 0.0.0.0 acl 106
port 0 tcp
name _wildcard_v4_106_TCP_0
service-group LB_Paths_Toexternal_TCP
no-dest-nat
port 0 udp
name _wildcard_v4_106_UDP_0
service-group LB_Paths_Toexternal_UDP
no-dest-nat
!
end
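The wildcard virtual-servers in these configurations (0.0.0.0 with "acl 100", "acl 105", "acl 106") rely on the access-lists to decide which traffic each VIP owns, and on the "deny ... 15.1.0.0 0.0.255.255" line in ACL 106 to keep the DMZ-bound and internal-bound VIPs from overlapping. The following Python model is an added example written for this appendix; it is not A10 code and not part of the deployment guide. It reads the access-list lines of the External AX configuration exactly as they appear above and assumes Cisco-style ACL semantics (first matching entry wins, an ACL with no matching entry denies, "W.W.W.W" masks are inverse wildcard masks, "/N" is a prefix length, and "vlan N" restricts an entry to traffic that arrived on that VLAN). It also assumes that a "permit" result means the bound VIP takes the flow; the packet tuples are constructed for illustration, with 100.64.0.10 standing in for an Internet host.

```python
"""ACL / wildcard-VIP matcher for the External AX configuration in this appendix (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Access-list lines copied from the "External - Primary" configuration above.
EXTERNAL_ACL_TEXT = """
access-list 100 deny ip any 198.51.100.0 /24
access-list 100 deny ip any 192.0.2.0 /24
access-list 100 permit ip any any vlan 15
access-list 100 permit ip any any vlan 16
access-list 105 permit ip any 15.1.0.0 0.0.255.255 vlan 20
access-list 106 deny ip any 15.1.0.0 0.0.255.255 vlan 20
access-list 106 permit ip any any vlan 20
"""

# Wildcard virtual-servers and the ACL each one is bound to, from the same configuration.
EXTERNAL_VIPS = {
    "external_in_to_out": 100,
    "Inbound_ToDMZ_Wildcard": 105,
    "Inbound_Tointernal_Wildcard": 106,
}


@dataclass(frozen=True)
class AclEntry:
    acl_id: int
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    vlan: Optional[int]           # None: entry applies on every ingress VLAN (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    vlan: int                     # VLAN the packet arrived on


def _parse_addr(tokens: List[str], i: int):
    """Parse one address spec at tokens[i]: 'any', 'A.B.C.D /N' or 'A.B.C.D W.W.W.W'.

    W.W.W.W is treated as an inverse (wildcard) mask, so 0.0.255.255 means /16.
    Only contiguous masks are supported. Returns (network, index of the next token).
    """
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    addr, mask = tokens[i], tokens[i + 1]
    if mask.startswith("/"):
        return ipaddress.IPv4Network(f"{addr}{mask}", strict=False), i + 2
    wildcard = int(ipaddress.IPv4Address(mask))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acls(text: str) -> List[AclEntry]:
    """Turn 'access-list <id> <action> ip <src> <dst> [vlan <n>]' lines into entries, in order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        vlan = int(t[i + 1]) if i < len(t) and t[i] == "vlan" else None
        entries.append(AclEntry(int(t[1]), t[2], src, dst, vlan))
    return entries


def evaluate(entries: List[AclEntry], acl_id: int, pkt: Packet) -> str:
    """First matching entry wins; no matching entry means implicit deny (assumed semantics)."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for e in entries:
        if e.acl_id != acl_id:
            continue
        if e.vlan is not None and e.vlan != pkt.vlan:
            continue
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


ENTRIES = parse_acls(EXTERNAL_ACL_TEXT)


def classify(pkt: Packet, entries=ENTRIES, vips=EXTERNAL_VIPS) -> List[str]:
    """Names of the wildcard VIPs whose ACL permits this packet; a sound design yields at most one."""
    return [name for name, acl in vips.items() if evaluate(entries, acl, pkt) == "permit"]


if __name__ == "__main__":
    # Constructed sample flows (not from the guide); 100.64.0.10 stands in for an Internet host.
    samples = [
        Packet("203.0.113.50", "100.64.0.10", 15),    # internal client going out via FW path 1
        Packet("203.0.113.50", "198.51.100.12", 15),  # internal client addressing the AX itself
        Packet("100.64.0.10", "15.1.250.10", 20),     # Internet -> DMZ server
        Packet("100.64.0.10", "203.0.113.80", 20),    # Internet -> internal host
    ]
    for p in samples:
        print(p, "->", classify(p) or ["(no wildcard VIP matched)"])
```

The second sample shows why ACL 100 opens with two deny lines: traffic aimed at the firewall-path subnets is kept out of the outbound intercept VIP. The third and fourth samples show the DMZ deny in ACL 106 doing its job, so that no packet arriving on VLAN 20 is claimed by both inbound VIPs. When adapting these ACLs to other address plans, re-run the same kind of check after every change: an overlap between the VIP ACLs is silent in the configuration and only shows up as traffic taking the wrong firewall path.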