Forum Discussion
Attack signatures, security policies and NAT vs Virtual Servers
The main traffic-carrying element on a BIG-IP is a Virtual Server. The name may be a little misleading, as it is simply a traffic listener, usually consisting of an IP and port, to which you attach all sorts of properties - like the real server(s) you wish to send traffic to, the SSL cert clients that access that virtual server will see, NAT rules, HTTP caching options and more, including a Web Application policy.
As you grow more familiar with BIG-IP concepts, all will be made very clear.
You should try http://university.f5.com for some of the "essentials" courses there (free of charge, and publicly accessible) - which will get you through all that.
Good luck!
- bsm1970 (Mar 02, 2016, Nimbostratus): I went through a couple of them and thought I had it, then found myself confused again. So basically to do anything you need to set up a virtual server? Even if you just have a handful of individual web sites/servers to point traffic to?
- Tzoori_Tamam_95 (Mar 02, 2016, Historic F5 Account): That would be the easiest way to start manipulating incoming traffic, yes. Keep translating "Virtual Servers" to "Listeners" in your head until it makes sense :)
- bsm1970 (Mar 02, 2016, Nimbostratus): So in my scenario, if I'm reading this correctly, since I don't need load balancing among a pool of redundant servers for each of these sites, I should set up a Forwarding (IP) Virtual Server for that purpose. Is that correct? Also, if you have a Virtual Server that is listening for external clients wishing to connect, where does NAT come into play? Isn't the IP of the Virtual Server essentially doing NAT in and of itself? Thanks for your patience in answering this stuff.
- Tzoori_Tamam_95 (Mar 02, 2016, Historic F5 Account): Choosing the Virtual Server type is really all about what you are trying to do... Forwarding IP VSs just route traffic, allowing some L3 manipulations (NAT, PBR, etc.). For more advanced stuff, like an ASM policy, you would need a "Standard" VS type, allowing you to fully proxy the incoming traffic and pass it to ASM for inspection. There's more to it than just choosing the correct VS type, though... It would probably be better if you go through some more training, or have a professional guide you through the initial phases and concepts. You are entering a world of fun, I assure you.
- bsm1970 (Mar 02, 2016, Nimbostratus): So let's say I have 3 public-facing websites I want to direct traffic to and inspect using ASM, etc. None of them will get enough traffic to require redundancy and load balancing. We'll call them: www.website1.com, www.website2.com, www.website3.com. They all are in the same /24 subnet internally (private IP space), but they each have different public IPs. That would necessitate 3 distinct pools and virtual servers, correct? Or could it be done a bit more efficiently than that? I'm more familiar with the Palo Alto NGFW and trying to 'translate' the way things worked there, with the BIG-IP way of handling that.
- bsm1970 (Mar 03, 2016, Nimbostratus): Just as an update, I've been trying some things in the F5 to see how this might look. Even though it's just one node (let's say its private IP is 10.10.10.2), I created a node with that IP address. Then I created a pool and added that node as a member. Since all the traffic to it will be HTTPS, I added https and https_443 as active health monitors. All other default settings were left intact. Then I created a VS. This is where it gets tricky for me. I have it set up right now as a Standard VS with a network address that covers our entire subnet of web content servers (for example, 10.10.10.0/26). Service port is 443 (https). For SSL Profile I used serverssl. All other settings stayed at default. So at this point I'm just trying to figure out how best to do this. Does that setup look like I'm on the right track? And if I'm going to have other single web servers in that same /26 subnet that are totally different sites, should I make my VS just point directly to the node (destination address 10.10.10.2 in the above example) and create a new VS for each other web server, or perhaps have this one network address VS cover them all and just create different pools for the different web servers? Forgive me for all the questions. I do need to get more formal training, but the time frame for this won't allow that right away.
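The following is an added tmsh example, not configuration from the thread or from F5, showing what the "Standard VS with ASM" setup described above looks like for one of the three sites. The names, the public IP 203.0.113.10, the internal server 10.10.10.2, the certificate files and the ASM policy name website1_waf are all assumptions; the ASM policy itself is assumed to already exist, and ASM must be provisioned on the box. Two points the example makes explicit: the virtual server's destination is the public address (the listener), not the internal /26, so the VS is what performs the destination translation toward the pool member and no separate NAT object is needed; and ASM can only inspect plaintext, so the VS needs an http profile and a client-ssl profile (the cert clients see) to decrypt on the client side, with serverssl used only to re-encrypt toward the node. Websites 2 and 3 repeat the same block with their own node, pool, client-ssl profile, policy and public IP. The LTM policy syntax shown is the 11.x/12.0 form; 12.1 and later create LTM policies under Drafts and publish them.

```tmsh
# Added example (not from the thread or F5): one public HTTPS site fronted by a
# Standard virtual server with an ASM policy attached. All names, IPs, cert
# files and the ASM policy name "website1_waf" are assumptions.

# 1. Node and single-member pool. A one-member pool is normal on BIG-IP; the
#    pool is just where the VS sends traffic. The built-in https monitor marks
#    the member down if TLS + HTTP on 443 stops answering.
create ltm node web1 address 10.10.10.2
create ltm pool web1_pool members add { web1:443 } monitor https

# 2. Client-side SSL profile: this holds the certificate and key that external
#    clients see. Without it the BIG-IP never decrypts client traffic and ASM
#    has nothing to inspect.
create ltm profile client-ssl website1_clientssl defaults-from clientssl cert website1.crt key website1.key

# 3. LTM policy that hands every HTTP request on the VS to the ASM policy.
create ltm policy website1_asm_ltm controls add { asm } requires add { http } strategy first-match rules add { default { ordinal 1 actions add { 0 { asm enable policy /Common/website1_waf } } } }

# 4. The Standard VS. Destination is the PUBLIC IP (this is the "listener");
#    the VS itself maps it to the pool member, so no separate NAT object is
#    needed. SNAT automap rewrites the source so the server's replies come back
#    through the BIG-IP instead of routing straight to the client.
create ltm virtual website1_vs destination 203.0.113.10:443 ip-protocol tcp profiles add { tcp http website1_clientssl serverssl } policies add { website1_asm_ltm } pool web1_pool source-address-translation { type automap }

# 5. Optional: send ASM request logs somewhere you will actually look.
#    "Log all requests" is a built-in ASM logging profile.
modify ltm virtual website1_vs security-log-profiles add { "Log all requests" }

# 6. Verify the attachment and the pool member health before pointing DNS at it.
list ltm virtual website1_vs
show ltm pool web1_pool members

save sys config
```

Since each site has a different public IP, three separate virtual servers are the natural shape: one listener per public address, each with its own pool and its own client-ssl profile carrying that site's certificate. A single network VS covering 10.10.10.0/26 would listen on the internal server subnet rather than on the public addresses, which is the opposite direction from what external clients hit.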