Forum Discussion
BIG-IP AND NG FIREWALLS POSITIONING BEST PRACTICES
Hi everyone,
I'm new here at DevCentral, but I have seen a lot of DevCentral BIG-IP Lightboard Lessons videos on YouTube with Jason, John and Peter.
I have both searched there and here for any discussion or articles talking about the best practices related to the BIG-IP and Firewalls positioning. My objective is to gather information to set our environment (one BIG-IP VE and one Palo Alto Firewall) mainly with two main factors in mind:
- The best approach - BIG-IP facing the Internet in front of the Firewall or the reverse situation with it behind the firewall.
- BIG-IP or my firewall as the default gateway.
Any references, articles or information would be very welcome :)
Thank you.
- Islam_Nadim1
Cirrus
Hello WAMARANTE,
Well, answering your question, there is no right or wrong deployment method. It all depends on how you see your network ..
For me for example, I prefer to have a router as a gateway, behind it is a Firewall.
After the firewall is where everything comes .. But still depends on how you want to use them. If I'm using the F5 as a Forward Proxy, I will keep it close to the users as much as possible .. If it is a Reverse Proxy, I will try keeping it right after the Firewall, if there is WAF applied, will try to keep it near the servers ..
So, as you see .. It all depends in the end on how you want to use them, and how you design your network.
totally agree with above answer, it depends.
you need to look at the total picture. what is happening on the inside and outside of the network?
in general i would expect a big-ip to handle heavy traffic a bit better than a firewall. but with a virtual edition that changes things. on the other side if you have a smaller internet connection that becomes less relevant.
with virtual edition you expose your hypervisor in a certain form to the internet, something to think about.
so yeah, there is no best, you have to think about pros and cons.
- WAMARANTE
Nimbostratus
Well, thanks Islam and Boneyard (also to Corrado). In some way I knew I would see the "depends", because its use is quite appropriate for broad questions like mine. My goal is to gather experiences and different POVs to bring those insights to my team so that we may evaluate our infra and look for gaps and points that need improvement.
Today, the majority of our traffic is outbound (Internet access). We have around 3,000 internal users.
The two main objectives underlying the BIG-IP purchase were 1. open SSL traffic to be analyzed by the FW and 2. internal app load balancing.
Recently, we have been asked to deliver apps to Internet clients.
So, as I said, I'm gathering experiences to redraw our network.
Thanks again.
with the extra information my primary feeling is to place the BIG-IP between the firewall and the users. for SSL offloading you will need to sandwich the firewall anyway, but for internal apps it makes sense to have the BIG-IP closer to the users.