Sunday 24 May 2020


Can you please let me know what are the deployment types in F5?
Answer:

Routed mode
In routed mode, the BIG-IP ASM system is in the routing path of the web servers, and all traffic to the servers flows through the system.

Servers detect the actual client IP address in the IP header for security and logging purposes.
Since all communication traverses the BIG-IP system, there are no alternate, unprotected routes to the protected applications.
The BIG-IP system must be configured to allow administrative and non-application traffic.
Response traffic must be routed through the BIG-IP system. You usually accomplish this by setting the default gateway of the web server to the floating self-IP of the BIG-IP system.
One-armed mode
In one-armed mode, only application traffic flows through the BIG-IP ASM system, and the server-side connection uses a SNAT. The BIG-IP ASM appliance is logically in line with the web application traffic flow, but not physically in line with all traffic to and from the web servers.
Note: Requests and responses must go through the BIG-IP system. This means that if you do not use NAT on the source IP address of the client, the default gateway of the server needs to be the BIG-IP system. If you do use SNAT for all traffic from the client to an IP address of the BIG-IP system, all responses are sent back to that IP address. To keep track of the original client IP address, you can enable the X-Forwarded-For feature of the HTTP profile. This adds the client IP address to an HTTP header that is sent to the web server.


No changes to routing are required on the servers.
Only application traffic is sent through the BIG-IP system, which reduces traffic traversing the device.
Servers detect the IP address of the BIG-IP system in the TCP/IP header, which may complicate logging.
There is more than one path to the protected application. You need additional security controls such as firewalls to ensure that malicious users do not access the application.
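The last two points interact: in one-armed mode the server sees the BIG-IP address at the TCP/IP level, and a request that arrives over an alternate path can carry any X-Forwarded-For value it likes. The following is an added example, not part of the original post or F5 code, of how a web server's logging code could resolve the client IP. The SNAT addresses, function names and sample values are constructed, and it assumes the BIG-IP's entry is the last X-Forwarded-For value the server receives.

```python
import ipaddress

# Assumption: server-side SNAT / self-IP addresses of the BIG-IP (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32"),
                   ipaddress.ip_network("10.0.0.6/32")]

def is_trusted_proxy(peer_ip):
    """True if the TCP peer is one of the BIG-IP addresses."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)

def resolve_client(peer_ip, xff_values):
    """Return (client_ip, via_bigip, note) for the access log.

    peer_ip    -- source address of the TCP connection
    xff_values -- list of X-Forwarded-For header values, in received order
    """
    if not is_trusted_proxy(peer_ip):
        # The request reached the server over a path that bypasses the
        # BIG-IP, so the header is client-controlled: log the peer address.
        note = "direct-xff-ignored" if xff_values else "direct"
        return peer_ip, False, note
    # Flatten repeated headers and comma-separated lists into one sequence.
    entries = [p.strip() for v in xff_values for p in v.split(",") if p.strip()]
    if not entries:
        return peer_ip, True, "xff-missing"   # X-Forwarded-For not enabled?
    candidate = entries[-1]  # assumption: the proxy's own entry comes last
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip, True, "xff-invalid"
    return candidate, True, "ok"

if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For values).
    samples = [
        ("10.0.0.5", ["203.0.113.9"]),             # normal path via BIG-IP
        ("10.0.0.5", ["127.0.0.1", "203.0.113.9"]),  # client sent its own header
        ("198.51.100.7", ["127.0.0.1"]),           # bypassed the BIG-IP
        ("10.0.0.6", []),                          # header not inserted
    ]
    for peer, xff in samples:
        print(peer, xff, "->", resolve_client(peer, xff))
```

Entries logged with `via_bigip` set to False show requests that reached the application without passing through ASM, which is the condition the additional firewall controls are meant to prevent.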

