Forum Discussion

Edouard
Sep 06, 2019

F5 AFM vs NG FW

Gents,

I have a question for you.

We have an F5 AFM/LTM facing the internet, and a new FW NG will be provisioned soon for end users.

There is a question whether or not the F5 should be next to or beside it.

What would be the right setup?

1) Having them next to each other (F5 AFM/LTM beside the FW NG)

2) Having F5 LTM behind the FW NG. In that case AFM module is no longer needed.

Please let me know,

Thanks,

Edouard.

2 Replies

  • It kind of depends what kind of Next-Gen FW you are going to be using and what you are trying to achieve. What's your business case? I'm working a lot with both F5 and Check Point. In most cases I would position the F5 ADC behind the Check Point, because the Check Point comes with superb management capabilities (detailed logging etc.).

    You could also check out SSL Orchestrator to create a decrypted zone to put the Next-Gen FW into. This way you can save resources on your Next-Gen FW, because it will only need to inspect already decrypted traffic.

  • I am provisioning a NG FW in an environment that has F5 LTM+AFM facing the internet. I have considered an internal NG FW and another external NG FW.

    The point is, if I already have an external NG FW, I would not need the F5 AFM module because the NG FW will do that work, provided that the F5 LTM is behind the NG firewalls.

    Let me know what you think.

    Thanks,

    Edouard.