Design with AFM in the DMZ-Environment

Question

Hi&nbsp;
Has anybody some experience with the AFM-Module?&nbsp;
We have some discussions about the placement of the bigip when we would use the Advanced Firewall Modul.&nbsp;
In this case, bigip would have enabled: LTM, APM, ASM, AFM.&nbsp;
Do we need an additional stateful firewall in front of the bigip or can we place it directly in the internet, in front of the application servers?&nbsp;
What would make more sense?&nbsp;
Thanks&nbsp;

what_lies_bene1 · Answer

Any answer to this will be very dependent on your business, your existing infrastructure, security policy and so on. Can you provide some background please?

chamindak_11539 · Answer

Hey,
Basically a different vendor firewall sits in front of the F5s,  just doing a cutover from a different vendor firewall onto AFM. Obviously upstream FW doesn't have contexts while the F5s have route-domains. &nbsp;
I've done some testing now and the conclusion is I need to use %[RD] syntax with source/destination IPs. Makes sense given they are essentially different VRFs.&nbsp;
Does any one know where AFM logs locally? I'm after a session/debug log that I can tail.&nbsp;
Thanks,
Ck&nbsp;

boneyard · Answer

i would create a new question for your little unrelated to the originial question.

Forum Discussion

Design with AFM in the DMZ-Environment

3 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Design Options

Mitigating OWASP Web Application Risk: Insecure Design using F5 XC platform

Verified Design: SSL Orchestrator with Palo Alto NGFW Virtual Edition-Part 1

Verified Design: SSL Orchestrator with McAfee Web Gateway-Part 1

Decision box design using js