Forum Discussion
Design with AFM in the DMZ-Environment
Hi
Has anybody some experience with the AFM-Module?
We have some discussions about the placement of the bigip when we would use the Advanced Firewall Module.
In this case, bigip would have enabled: LTM, APM, ASM, AFM.
Do we need an additional stateful firewall in front of the bigip or can we place it directly in the internet, in front of the application servers?
What would make more sense?
Thanks
3 Replies
- What_Lies_Bene1
Cirrostratus
Any answer to this will be very dependent on your business, your existing infrastructure, security policy and so on. Can you provide some background please?
- chamindak_11539
Nimbostratus
Hey, Basically a different vendor firewall sits in front of the F5s, just doing a cutover from a different vendor firewall onto AFM. Obviously upstream FW doesn't have contexts while the F5s have route-domains.
I've done some testing now and the conclusion is I need to use %[RD] syntax with source/destination IPs. Makes sense given they are essentially different VRFs.
Does anyone know where AFM logs locally? I'm after a session/debug log that I can tail.
Thanks, Ck
- I would create a new question for your little unrelated to the original question.