Bigip ASM connectivity(with different ways) and traffic flow

Now the main question for your use-case is if all traffic flows are HTTP-only (likely to hold true in case of WAF deployment). When true, a one-arm SNAT implementation can be somewhat tolerable because IP-visiblity for all traversing traffic flows can be managed in L7.

• Leaving the somewhat tolerable aside, in any given scenario, a SNATless in-line WAF implementation is always cleaner and more professional than a filthy one-arm SNAT implementation. That's not even debatable.

As a consulting firm, it's very easy to ask "how it's easier for us to set it up?" instead of asking "how can we build the most manageable solution for our client?". That's easier said than done in a world where profit is the main driver. As a non-independent consultant you often have no choice but to deliver the "minimum viable product" instead of something you would want to manage, if you were employed by the client and not the consulting firm. Good luck with the POC!