Forum Discussion
adam_gibs
Feb 03, 2024 (Nimbostratus)
F5 Client IP Address
Dears, I'm setting up F5 LTM and AWAF, and they are two separate boxes. I would like to know the below: Should the traffic be received by LTM first or AWAF? If AWAF, then how will AWAF inspect t...
Feb 04, 2024
Hi,
I will reply to your points according to each point in the query:
- You should put AWAF first, not the LTM.
- You don't need SSLO; on the client side you can use the same certificate that you will use on the LTM. You can do the SSL offloading on AWAF exactly the same as on LTM.
- No. For optimal use, you should use AWAF, then LTM behind it.
- The traffic flow should be:
  1. You will create a virtual server for each application on AWAF, then use the client SSL profile, HTTP profile and AWAF policy.
  2. You should go to the LTM device, then create another virtual server for the same application, and behind it the pool of servers.
  3. As the last step, you will create the LTM virtual server (from step 2) as a pool member in a pool; this is all done on AWAF.
- The last point, preserving the client public IP:
- You can do that by disabling the SNAT options (Auto Map or SNAT pool), but in this case you will create only one route, as a default route, to send any traffic to the LTM (as a next hop, I mean the self IP of the LTM [floating self IP if HA, or non-floating self IP if standalone]).
- Do you have a firewall between AWAF and LTM or not? Because this will be the main issue, as in this case I don't see that it has a benefit in this design.
- It's okay to place it before the servers (between LTM and servers), but you will need to use the Auto Map option or a SNAT pool.
- You can depend on the XFF header to preserve the public IP.
Let me know if you have further concerns :)
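Added example, not part of the reply above: if the servers rely on the XFF header while AWAF and LTM SNAT toward them, the header should only be believed for hops the server can attribute to its own proxies, because a client can send its own X-Forwarded-For value. The sketch below resolves the client address on the server side; the subnets, the function names and the assumption that both boxes insert X-Forwarded-For are constructed for illustration.

```python
import ipaddress

# Constructed, hypothetical subnets holding the AWAF and LTM self IPs
# that appear as source addresses when SNAT (Auto Map or SNAT pool) is on.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("10.10.1.0/24", "10.10.2.0/24")]


def is_trusted(addr):
    """True if addr belongs to one of our own proxy subnets."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_values):
    """Resolve the real client address for one request.

    peer_addr  -- TCP source address the server sees (the LTM when SNAT is on)
    xff_values -- every X-Forwarded-For header line, in the order received
    """
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer):
        # Connection did not come through our proxies: any XFF value is
        # client-supplied, so the TCP peer is the only usable address.
        return str(peer)

    # Flatten repeated header lines and comma-separated lists into one chain.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]

    candidate = peer
    # Walk right to left: each entry was added by the hop to its right.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = addr
        if not is_trusted(addr):
            break  # first non-proxy address is the client; the rest is unverified
    return str(candidate)


if __name__ == "__main__":
    # Constructed request: client sent a forged "1.2.3.4", AWAF recorded the
    # real client, LTM recorded the AWAF self IP.
    print(client_ip("10.10.2.5", ["1.2.3.4", "203.0.113.7", "10.10.1.4"]))
```

Taking the leftmost XFF entry instead would return the forged `1.2.3.4` in the sample request.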