F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Preetham_73405's avatar
Preetham_73405
Icon for Nimbostratus rankNimbostratus
Dec 31, 2010

F5 behind a router instead of a firewall, are there any risks??

Most practices refer to installing a F5 LTM with ASM behind a firewall               Internet --> Router --> FireWall --> LTM with ASM --> Web Servers       ...
security
svs's avatar
svs
Icon for Cirrostratus rankCirrostratus
Nov 11, 2015

Just to make sure: These are not the most recent recommendations by F5. As there are many firewalls on the market, that cannot handle as much sessions as the BIG-IP is able to do (when the sizing of firewall and BIG-IP is almost the same), today F5 recommends to place the BIG-IP directly to the outside, so beside the firewall. In combination with the AFM module the BIG-IP does nearly the same job as the firewall would do (no NG-Firewall).

 

In addition the most amount of traffic already is or will be in the future TLS. So also NG-Firewalls would have to terminate the TLS session. This doesn't make sense at all, because the firewalls I know do not have the capabilities in handling TLS traffic as the BIG-IP have - i.e. Cipher Suite Support, Protocol Support, Session Handling configuration, SNI and so on.

 

I know this article is from 2011, but if there are people out there, asking Google questions like this, they might be leeded to the wrong direction, because of a very old recommendation.

 

Greets, svs