Forum Discussion
BIG-IP ASM connectivity (with different ways) and traffic flow
Hi All,
Just wanted to ask about the physical connectivity of BIG-IP ASM in case of a POC at a customer location. What would be the pros and cons of each connectivity mode? I prefer two ways: one is one-arm mode, where the BIG-IP is connected via the core switch and SNAT takes care of the traffic. The second is: if the customer asks for the original source IP at the server side, two-arm mode suffices, where the server's gateway would be the BIG-IP. If there are only these two ways then it's OK, and if we can connect it in bridge mode, transparent mode, inline, etc., please advise. Thanks...
3 Replies
- Harry1
Nimbostratus
Can anybody help me out here?
- Alex_104543
Cirrus
- Hannes_Rapp
Nimbostratus
Now the main question for your use-case is if all traffic flows are HTTP-only (likely to hold true in case of WAF deployment). When true, a one-arm SNAT implementation can be somewhat tolerable because IP-visibility for all traversing traffic flows can be managed in L7.
Leaving the somewhat tolerable aside, in any given scenario, a SNATless in-line WAF implementation is always cleaner and more professional than a filthy one-arm SNAT implementation. That's not even debatable.
As a consulting firm, it's very easy to ask "how it's easier for us to set it up?" instead of asking "how can we build the most manageable solution for our client?". That's easier said than done in a world where profit is the main driver. As a non-independent consultant you often have no choice but to deliver the "minimum viable product" instead of something you would want to manage, if you were employed by the client and not the consulting firm. Good luck with the POC!
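
One way a backend behind the one-arm SNAT design could recover the client address in L7, as an added example that is not part of the original thread. It assumes the BIG-IP is configured to insert the client address into an X-Forwarded-For header and SNATs from the constructed range 10.10.20.0/28; the function and constant names are hypothetical.

```python
import ipaddress

# Assumption: the one-arm BIG-IP SNATs from this range (constructed value).
TRUSTED_SNAT = [ipaddress.ip_network("10.10.20.0/28")]


def _trusted(addr):
    """True when addr is one of our own SNAT/proxy addresses."""
    return any(addr in net for net in TRUSTED_SNAT)


def client_ip(peer, xff_header):
    """Return the address to log and apply access rules to for one request.

    peer       -- TCP source address the server actually saw
    xff_header -- raw X-Forwarded-For value, or None when absent
    """
    peer_addr = ipaddress.ip_address(peer)
    # A request that did not arrive through the WAF carries a header the
    # sender fully controls, so the header is ignored.
    if not _trusted(peer_addr) or not xff_header:
        return str(peer_addr)
    # Walk right to left: the rightmost entries were added by our own
    # proxies; anything further left came from the client and may be forged.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            hop_addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the chain
        if not _trusted(hop_addr):
            return str(hop_addr)
    # Only trusted hops (or garbage) in the header: fall back to the peer.
    return str(peer_addr)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For value)
    for peer, xff in [
        ("10.10.20.5", "203.0.113.7"),           # normal flow through the WAF
        ("10.10.20.5", "1.2.3.4, 203.0.113.7"),  # client sent its own header
        ("198.51.100.9", "127.0.0.1"),           # bypassed the WAF
    ]:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```

With SNAT in place, any server-side logging or IP-based rule that reads the header without the peer check treats a client-supplied value as fact.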