LTM-WAF Integration query

Question

Hello All,&nbsp;
We are planning to integrate WAF (Radware) in our network setup for the web servers.&nbsp;
We are thinking of 2 options for WAF implementation:&nbsp;
Option 1 :  Client IP --&gt; Ext FW (NAT for F5 VIP)-L3-&gt; ACI --L3-&gt; (VIP)F5--(SNAT on F5)L3--&gt; WAF (SNAT on WAF) --&gt; (VIP)F5 --L3--&gt;ACI--&gt; F5--L3--&gt; Webserver.&nbsp;
Option2 : Client IP --&gt; Ext FW (NAT for F5 VIP)-L3-&gt; ACI --L3-&gt; (VIP)F5--&gt; WAF(WAF as L2) ---&gt; Webserver.&nbsp;
Please confirm what is the right approach to integrate WAF into this setup.
Note : Every endpoint (Webserver, LTM Internal/External Leg , WAF ) has a gateway on ACI Fabric.&nbsp;
Role of F5 : To do the load balancing across Web servers, SSL offloading etc.&nbsp;
Role of WAF : to perform L4-L7 functions.&nbsp;
Thanks.&nbsp;
Dayesh&nbsp;

petewhite · Answer

The benefit to going with option 1 is that you can easily scale the WAFs by adding more. Add source and destination persistence to the first and last F5 respectively and they will loadbalance across the WAFs.
If you don't think you'll ever have to scale the WAFs then you can put it in front of the F5 for simplicity.&nbsp;

payal_s · Answer

The F5 and Cisco APIC integration based on the device package and iWorkflow is End Of Life.

The latest integration is based on the Cisco AppCenter named ‘F5 ACI ServiceCenter’.

Click here to view the Cisco ACI and F5 BIG-IP design guide which discusses the following topics:

SNAT or no SNAT
BIG-IP redundancy
Multi-tenancy
Tighter integration using F5 ACI ServiceCenter

Visit https://devcentral.f5.com/s/articles/F5-and-Cisco-ACI-Essentials-Design-guide-for-a-single-POD-APIC-cluster to learn how to access a lab for hands on experience using the F5 ACI ServiceCenter

https://f5.com/cisco for updated information on the integration.

Forum Discussion

LTM-WAF Integration query

2 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

Making Mobile SDK Integration Ridiculously Easy with F5 XC Mobile SDK Integrator

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

Ensuring Security in Continuous Integration and Continuous Deployment (CI/CD) Pipelines

Integrating SSL Orchestrator with Fortinet FortiGate Virtual Edition as a Virtual Wire

Integrating SSL Orchestrator with CheckPoint Firewall VM-Explicit Proxy