Forum Discussion
F5 Client IP Address
You can use AWAF only with SSL offloaded, as F5 AWAF comes with the built-in LTM functionality that is necessary for HTTP applications. Check the link below for the LTM features available within the AWAF license:
https://my.f5.com/manage/s/article/K14231234
If you have a policy to use LTM at the edge with SSL offload and AWAF with plain HTTP traffic, and want to keep public IP visibility in the WAF and on the server, then you have to rely on the XFF (X-Forwarded-For) header value.
(LTM inserts the client IP in the X-Forwarded-For header; in AWAF, the HTTP profile should have Accept XFF enabled and the WAF policy should have Trust XFF enabled.)
But the XFF value can be spoofed, AWAF will not be very effective at blocking if multiple IP addresses are present in the XFF header, and L7 DoS protection will also not be effective.
As suggested by Mohamed_Ahmed_Kansoh, it is better to use AWAF at the edge (so AWAF takes action on the L3 IP address value) and LTM to load balance your servers. You can either use full SSL, i.e. SSL on AWAF and SSL offload on LTM, or SSL only on AWAF and plain HTTP on LTM and the backend servers.
One more advantage of using AWAF at the edge is that you can use the Priority Group option to fail over to the servers directly in case LTM fails or is down: a pool with both the LTM VIP and the backend server IPs as members, the LTM VIP member with the higher priority and the priority group value set to less than 1. If the LTM VIP/device is down, the traffic will be load balanced to the backend servers while keeping the WAF capability.
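The spoofing concern raised in the reply above can be made concrete. The following is an added example, not F5 code and not the thread author's; it does not model how AWAF implements its Trust XFF setting, only the general rule a WAF behind an LTM has to follow: walk X-Forwarded-For from the right, discard the hops that belong to your own proxies, and take the first address you did not insert yourself. All addresses are constructed: 10.1.1.0/24 stands in for the LTM self-IP range that appends the header, 203.0.113.9 for the real client, and 1.2.3.4 for an entry the client forged.

```python
"""Selecting a client address from X-Forwarded-For without trusting spoofed entries.

Added example for the thread above; it is not F5 code and does not model how
AWAF's "Trust XFF" setting is implemented internally. All addresses are
constructed: 10.1.1.0/24 stands in for the LTM self-IP range that inserts the
header, 203.0.113.9 for the real client, 1.2.3.4 for a client-forged entry.
"""
import ipaddress
from typing import Iterable, List, Optional


def _parse(entry: str):
    """Return an IP address object for one comma-separated XFF entry, or None if malformed."""
    try:
        return ipaddress.ip_address(entry.strip())
    except ValueError:
        return None


def naive_client_ip(xff: str) -> Optional[str]:
    """Take the leftmost XFF entry at face value (assumed naive behaviour, not AWAF's).

    The leftmost entry is whatever the client chose to send, so a forged
    header fully controls the result and any IP-based blocking or L7 DoS
    bucketing keyed on it.
    """
    if not xff:
        return None
    ip = _parse(xff.split(",")[0])
    return str(ip) if ip is not None else None


def client_ip_from_xff(xff: str, peer_ip: str, trusted_proxies: Iterable[str]) -> str:
    """Return the client address as observed by the nearest proxy we control.

    Walk the chain right-to-left and discard hops inside trusted_proxies (our
    own LTM/WAF self-IPs). The first untrusted hop is the address a trusted
    proxy actually saw on the wire; everything left of it is unverifiable and
    may have been injected by the client.
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(ip) -> bool:
        # ip_network.__contains__ returns False across IPv4/IPv6, so mixing is safe.
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        # Direct connection from an untrusted peer: nothing upstream of us
        # added the header, so only the L3 peer address can be believed.
        return str(peer)

    hops: List = []
    if xff:
        hops = [h for h in (_parse(e) for e in xff.split(",")) if h is not None]

    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop)

    # Header empty, malformed, or containing only our own proxies.
    return str(peer)


if __name__ == "__main__":
    # Constructed scenario: the client sends a forged XFF, the LTM (10.1.1.5)
    # appends the address it really saw, and AWAF receives the request from the LTM.
    forged = "1.2.3.4, 203.0.113.9"
    print("naive  :", naive_client_ip(forged))                                  # 1.2.3.4 (spoofed)
    print("trusted:", client_ip_from_xff(forged, "10.1.1.5", ["10.1.1.0/24"]))  # 203.0.113.9
```

The trusted list must contain exactly the proxies that insert or append the header (here the LTM self-IPs); if it also contains the Internet-facing firewall or any address a client can reach directly, the walk stops too late and a forged entry wins again. With AWAF at the edge, as the reply recommends, this problem disappears because the L3 source address is the client's own.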
Dears,
Thanks for the replies. Please confirm whether the thoughts below will work in my design.
Please find the attached diagram.
- WAF DG (default gateway) is the firewall
- Nexus DG is the firewall
- Nexus has routes to reach the internal networks
- Load balancer DG is the Nexus
Here is the traffic flow. Incoming traffic to the server:
- An Internet client tries to access the web server
- Traffic reaches the FW
- FW NATs to the private-address VIP towards the WAF
- The WAF's destination is the load balancer VIP, so it forwards the traffic to the Nexus switch (1/6) via its internal interface (keeping the source IP as received from the Internet, i.e. the public IP)
- The Nexus switch sends it to the load balancer
- The load balancer looks up the server IP, forwards with source NAT and sends it to the Nexus switch
- The Nexus switch sends the traffic downwards to the DC FW and then to the servers
Return traffic from the server:
- The servers send the packet to the DC FW and then to the Nexus switch
- The Nexus switch sees that the destination is the load balancer IP, so it forwards to the load balancer
- For the load balancer the destination is the public IP, so it sends to its default route, the Nexus switch
- The Nexus switch, according to its default route, sends the traffic to the perimeter firewall and not to the AWAF; this becomes a problem and asymmetric routing occurs
Solution:
- I will keep the F5 in one-arm mode and the DG will be the Nexus switch
- I will configure interface VLAN 10 on the switch with IP address 10.1.1.1 and assign 2 ports on the switch (1/7, 1/6) to VLAN 10
- For the AWAF to reach the LTM VIP, the AWAF will send an ARP request for the LTM VIP, and to reach the servers directly it will have a route pointing to the VLAN 10 interface IP (10.1.1.1) on the switch.
- For the return traffic I will enable Auto Last Hop on the virtual server or VLAN. That will help bypass the local routing table of the LTM, which would send packets towards the switch interface VLAN 10 IP address because the LTM default gateway is interface VLAN 10 on the switch; by enabling Auto Last Hop on the virtual server or VLAN it will send the return traffic to the AWAF MAC address from which it received the connection. https://my.f5.com/manage/s/article/K13876
Please confirm whether this traffic flow will work.