Can you please let me know what are the deployment types in F5?
Ans:
Routed mode
In routed mode, the BIG-IP ASM system is in the routing path of the web servers, and all traffic to the server flows through the system.
• Servers detect the actual client IP address in the IP header for security and logging purposes. Since all communication traverses the BIG-IP system, there are no alternate, unprotected routes to the protected applications.
• The BIG-IP system must be configured to allow administrative and non-application traffic.
• Response traffic must be routed through the BIG-IP system. You usually accomplish this by setting the default gateway of the web server to the floating self-IP of the BIG-IP system.
One-armed mode
In one-armed mode, only application traffic flows through the BIG-IP ASM system, and the server-side connection uses a SNAT. The BIG-IP ASM appliance is logically in line with the web application traffic flow, but not physically in line with all traffic to and from the web servers.
Note: Requests and responses must both go through the BIG-IP system. This means that if you do not use NAT on the source IP address of the client, the default gateway of the server needs to be the BIG-IP system. If you do use SNAT for all traffic from the client to an IP address of the BIG-IP system, all responses are sent back to that IP address. To keep track of the original client IP address, you can enable the X-Forwarded-For feature of the HTTP profile. This adds the client IP address to an HTTP header in the request that is sent to the web server.
• No changes to routing are required on the servers.
• Only application traffic is sent through the BIG-IP system, which reduces traffic traversing the device.
• Servers detect the IP address of the BIG-IP system in the TCP/IP header, which may complicate logging.
• There is more than one path to the protected application. You need additional security controls such as firewalls to ensure that malicious users do not access the application.
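The last two points combine on the web server: X-Forwarded-For is only meaningful when the TCP peer is the BIG-IP, and a request arriving from any other peer has bypassed ASM. The sketch below is an added example, not F5 code; the SNAT addresses, function names and sample requests are constructed, and it assumes the BIG-IP's entry is the last value in the header.

```python
import ipaddress

# Assumption: addresses the BIG-IP uses for SNAT toward the servers (constructed).
BIGIP_SNAT_NETS = [ipaddress.ip_network("10.1.20.5/32"),
                   ipaddress.ip_network("10.1.20.6/32")]

def resolve_client_ip(peer_ip, xff_header, trusted=BIGIP_SNAT_NETS):
    """Return (ip_to_log, source) for one request seen by the web server."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        # Did not come through the BIG-IP: the header is client-controlled, ignore it.
        return str(peer), "direct-untrusted-path"
    if not xff_header:
        return str(peer), "bigip-no-xff"
    # Values left of the last comma may have been supplied by the client itself.
    candidate = xff_header.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate)), "xff"
    except ValueError:
        return str(peer), "bigip-xff-invalid"

def bypass_alerts(requests):
    """List the requests that reached the server without passing the BIG-IP."""
    alerts = []
    for peer_ip, xff, path in requests:
        ip, source = resolve_client_ip(peer_ip, xff)
        if source == "direct-untrusted-path":
            alerts.append((ip, path))
    return alerts

# Constructed sample: (TCP peer address, X-Forwarded-For value, request path)
SAMPLE_REQUESTS = [
    ("10.1.20.5", "203.0.113.7", "/login"),
    ("10.1.20.6", "198.51.100.9, 203.0.113.8", "/cart"),  # first value sent by client
    ("192.0.2.50", "10.1.20.5", "/admin"),                # bypassed the BIG-IP
]

if __name__ == "__main__":
    for peer_ip, xff, path in SAMPLE_REQUESTS:
        print(path, resolve_client_ip(peer_ip, xff))
    print("bypass:", bypass_alerts(SAMPLE_REQUESTS))
```

Entries returned by bypass_alerts point at a route to the application that the additional firewall controls should be closing.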