Forum Discussion
LTM-WAF Integration query
Hello All,
We are planning to integrate WAF (Radware) in our network setup for the web servers.
We are thinking of 2 options for WAF implementation:
Option 1: Client IP --> Ext FW (NAT for F5 VIP)-L3-> ACI --L3-> (VIP)F5--(SNAT on F5)L3--> WAF (SNAT on WAF) --> (VIP)F5 --L3-->ACI--> F5--L3--> Webserver.
Option 2: Client IP --> Ext FW (NAT for F5 VIP)-L3-> ACI --L3-> (VIP)F5--> WAF(WAF as L2) ---> Webserver.
Please confirm what is the right approach to integrate WAF into this setup. Note: Every endpoint (Webserver, LTM Internal/External Leg, WAF) has a gateway on ACI Fabric.
Role of F5: To do the load balancing across Web servers, SSL offloading etc.
Role of WAF: To perform L4-L7 functions.
Thanks.
Dayesh
- PeteWhite
Employee
The benefit to going with option 1 is that you can easily scale the WAFs by adding more. Add source and destination persistence to the first and last F5 respectively and they will load balance across the WAFs. If you don't think you'll ever have to scale the WAFs then you can put it in front of the F5 for simplicity.
- Payal_S
Ret. Employee
The F5 and Cisco APIC integration based on the device package and iWorkflow is End Of Life.
The latest integration is based on the Cisco AppCenter named ‘F5 ACI ServiceCenter’.
Click here to view the Cisco ACI and F5 BIG-IP design guide which discusses the following topics:
- SNAT or no SNAT
- BIG-IP redundancy
- Multi-tenancy
- Tighter integration using F5 ACI ServiceCenter
Visit https://devcentral.f5.com/s/articles/F5-and-Cisco-ACI-Essentials-Design-guide-for-a-single-POD-APIC-cluster to learn how to access a lab for hands-on experience using the F5 ACI ServiceCenter.
https://f5.com/cisco for updated information on the integration.