Forum Discussion

sm18_366599
Jul 10, 2018

First time setup

Hi Team-

Need your advice/assistance as I'm new to F5 and have very limited knowledge of setting up the appliance. We recently purchased licenses for F5BIG-VE BT 200 and were able to set it up on VMware 6.5. I have yet to configure network adapters and other cool stuff so that I can protect web servers. My setup scenario is:

Clients --> Internet --> Cisco ASA firewall --> F5 LTM (in DMZ) --> Web server (LAN)

Since we cannot afford multiple F5s, we will use a single F5 instance in the DMZ (no failover pair). My question: is it possible to set up F5 LTM as in the topology above? Is it possible to offload SSL traffic and use the F5 device as a proxy server? I don't want to put anything in the DMZ except the F5 appliance, and certainly not the web server; that is my goal here.

F5 licenses: Carrier Grade NAT, LTM, ASM, Global Traffic (DNS), Access Policy (APM), Application Visibility and Reporting (AVR), Advanced Firewall (AFM), iRules Language Extensions (iRulesLX)

Your inputs are much appreciated.

Sincerely, sm

2 Replies

  • Hi,

    Your approach is correct regarding your architecture.

    My question is the following: is the web app that you will expose to the internet public? If not, you can use APM to implement a security policy (authentication, endpoint inspection, ...).

    Second point: if your site is public and you don't set up APM (authentication), you can increase security by implementing an ASM security policy to avoid attacks, ...

    Regarding SSL offload, I advise you to set these settings. It will allow you to secure the SSL/TLS part (HSTS, disable renegotiation, use secure ciphers, ...).

    Let me know if I can help you on some points.

    Regards

  • Hi SM18

    Setting up multiple network adapters is fairly straightforward on your VE appliance. You first need to decide your deployment architecture; the diagram you have is a good start. Whether you want to go the one-arm route or external -> internal interfaces will determine how many network adapters you need. I think by default the OVA template comes with 3 adapters, one for HA, one for external and for internal and additional management. If you go one-arm, you can get away with one interface for your load balancing using SNAT. If you require documentation on how to set up the adapters or even the SSL offloading, the F5 VE LAB package that is available from the F5 downloads is a perfect place to start.
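
Once SSL offload is in place on the virtual server, the TLS settings named in the first reply (HSTS, secure ciphers) can be checked from the client side. The sketch below is an added example, not part of the thread or F5 code: the thresholds, function names and both sample observations are assumptions constructed for illustration.

```python
# Policy thresholds below are assumptions for this example, not F5 defaults.
MIN_HSTS_MAX_AGE = 15552000  # 180 days, in seconds
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            digits = arg.strip().strip('"')
            if digits.isdigit():
                max_age = int(digits)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_front_end(headers, protocol, cipher):
    """Return a list of findings for one HTTPS response from the virtual server."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        max_age, _ = parse_hsts(hsts)
        if max_age is None:
            findings.append("HSTS max-age missing or invalid")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short: {max_age}")
    if protocol not in ALLOWED_PROTOCOLS:
        findings.append(f"legacy protocol negotiated: {protocol}")
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher negotiated: {cipher}")
    return findings


# Constructed sample observations (not captured from a real BIG-IP).
HARDENED = ({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
            "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")
WEAK = ({"Server": "example"}, "TLSv1", "DES-CBC3-SHA")

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_front_end(*sample))
```

Against a live listener, the protocol and cipher arguments can come from Python's `ssl.SSLSocket.version()` and `ssl.SSLSocket.cipher()`, and the headers from any HTTPS response served through the virtual server.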