Forum Discussion
Greg_Labelle
Nov 02, 2016 (Nimbostratus)
If you only have the single F5 (or a single HA pair), then the best way to do this will be to set up two partitions, each with a unique routing group set as the default for the partition.
One partition will be for "Internal", and the other "External". Using strict isolation, you can prevent the routing groups from passing traffic between each other, thus forcing traffic to pass through the firewall.
As an example, traffic hitting an external VIP would be proxied by a self IP in the external routing group. This IP, not having a direct route to the internal IP (VIP or otherwise), will be forced through the default gateway of that routing group (or a static route), which could be your firewall, or a router employing a firewall IPhelper.
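
The layout described in the post above, written as tmsh commands. This is an added example, not part of the original post or of F5's documentation. It assumes the post's "routing groups" correspond to BIG-IP route domains; every object name, interface, route domain ID and address is a constructed placeholder, and 203.0.113.1 and 10.10.0.1 stand for the firewall's two interfaces.

```tmsh
# Constructed example: all names, interfaces, IDs and addresses are placeholders.

# 1. One administrative partition per security zone.
create auth partition External
create auth partition Internal

# 2. One VLAN per zone (interfaces 1.1 and 1.2 are assumptions).
create net vlan /External/vlan_ext interfaces add { 1.1 { untagged } }
create net vlan /Internal/vlan_int interfaces add { 1.2 { untagged } }

# 3. One route domain per zone, each owning only its own VLAN.
#    "strict enabled" stops a connection from crossing into another
#    route domain, so the two zones cannot reach each other inside the BIG-IP.
create net route-domain /External/rd_ext id 1 strict enabled vlans add { /External/vlan_ext }
create net route-domain /Internal/rd_int id 2 strict enabled vlans add { /Internal/vlan_int }

# 4. Make each route domain the default for its partition, so objects
#    created there land in the right domain without an explicit %ID.
modify auth partition External default-route-domain 1
modify auth partition Internal default-route-domain 2

# 5. Self IPs, one per zone. allow-service none keeps management
#    services off the data-plane addresses.
create net self /External/self_ext address 203.0.113.10%1/24 vlan /External/vlan_ext allow-service none
create net self /Internal/self_int address 10.10.0.10%2/24 vlan /Internal/vlan_int allow-service none

# 6. Default route of each domain points at the firewall interface on
#    that side. The external domain has no connected route to 10.10.0.0/24,
#    so traffic proxied from an external VIP toward an internal address
#    leaves via 203.0.113.1 and is inspected by the firewall.
create net route /External/default_ext network 0.0.0.0%1/0 gw 203.0.113.1%1
create net route /Internal/default_int network 0.0.0.0%2/0 gw 10.10.0.1%2

# 7. Check: each domain should list only its own VLAN and show strict enabled.
list net route-domain /External/rd_ext
list net route-domain /Internal/rd_int
```

A useful check after applying this is to confirm that neither route domain lists the other's VLAN and that no static route in the external domain points directly at the internal subnet, since either would bypass the firewall hop.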