11-21-2013 01:39 PM - edited 03-07-2019 04:43 PM
Hi All,
I have attached a very high-level drawing representing the Infrastructure I support. I am having trouble understanding "One-Off Deployments."
As my drawing depicts, traffic from clients goes over the internet via DMVPN and terminates on the Cisco ASA 5520 in my data center. The ASA then performs firewalling functions and forwards traffic onwards to the data server. Here's the kicker: The traffic also must be filtered by a Web Application Firewall (WAF) per company policy, but our WAF is a one-off deployment.
I've always been taught and understood that "in order for a device to affect traffic (emulate, filter, firewall, etc.), traffic must flow through it." If that's the case, and if both the data server and the WAF are connected to a common core switch, how is the WAF filtering traffic BEFORE it goes to the data server without being directly in between the switch and the server?
11-21-2013 02:05 PM
Dean
No direct experience of them but WAFs can act as reverse proxies so it may be that the clients are configured to send the traffic to that server and it then proxies the connection to the back end server. If the clients are not explicitly configured to do so then something must intercept that traffic and send it to the WAF.
This could be the firewall itself or it could be the switch using WCCP to redirect traffic to the WAF.
Jon
11-22-2013 06:09 AM
A-HA! Thank you Jon, you actually led me to my answer. The WAF is NATing/Proxying to web servers in the back end, so not all traffic flows to it, only company websites. So if a user tries to go to a company website, the DNS resolves to the VIP on the WAF for the back-end web server. So no traffic passes through it unless it is destined for a web server. In that case, it IS the destination.
Love that moment when it clicks, lol.
Thanks again.
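To make the reverse-proxy model from Jon's reply and Dean's conclusion concrete, here is an added example (written for this thread, not Cisco's code or any vendor's WAF) of a minimal HTTP reverse proxy that stands in for the WAF. It runs a stand-in back-end web server and a proxy on loopback, and shows the two points the thread settles on: the proxy only inspects requests whose Host is one of the names that DNS would resolve to the WAF VIP (the constructed FRONTED_HOSTS set), and for those it is the actual TCP destination and opens a second connection to the back end. Requests for any other host are refused here to model the fact that, in the real deployment, such traffic never arrives at the WAF at all. The hostnames, the path-fragment rule list and the 403 handling are all assumptions made for illustration.

```python
"""Toy reverse-proxy WAF: only traffic addressed to the proxy (the 'VIP') passes through it."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed policy for the example: hostnames that DNS would point at the WAF VIP,
# and a tiny deny-list of request-path fragments. Hypothetical, not a vendor rule set.
FRONTED_HOSTS = {"www.example.test"}
BLOCKED_PATH_FRAGMENTS = ("..",)


def inspect_request(host, path):
    """Return (allowed, reason). Hosts not fronted by the VIP are not proxied at all."""
    if host not in FRONTED_HOSTS:
        return False, "not a fronted host"
    for frag in BLOCKED_PATH_FRAGMENTS:
        if frag in path:
            return False, f"blocked fragment {frag!r}"
    return True, "ok"


class BackendHandler(BaseHTTPRequestHandler):
    """Stand-in for the back-end web server; echoes the X-Forwarded-For it received."""

    def do_GET(self):
        body = f"backend saw {self.path} from {self.headers.get('X-Forwarded-For')}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_proxy_handler(backend_port):
    """Build a handler class bound to the back-end port (the proxy's 'real server')."""

    class ProxyHandler(BaseHTTPRequestHandler):
        def _reply(self, status, body):
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_GET(self):
            host = self.headers.get("Host", "").split(":")[0]
            allowed, reason = inspect_request(host, self.path)
            if not allowed:
                self._reply(403, f"blocked: {reason}".encode())
                return
            # The client connection terminates here; the proxy opens its own connection
            # to the back end, so the back end only ever sees the proxy as its peer.
            conn = http.client.HTTPConnection("127.0.0.1", backend_port, timeout=5)
            conn.request("GET", self.path,
                         headers={"Host": host, "X-Forwarded-For": self.client_address[0]})
            resp = conn.getresponse()
            data = resp.read()
            conn.close()
            self._reply(resp.status, data)

        def log_message(self, *args):
            pass

    return ProxyHandler


def start_server(handler):
    """Bind an ephemeral loopback port and serve in a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo():
    """Send one allowed, one blocked and one non-fronted request through the proxy.
    Returns {(host, path): (status, body)} so the outcome can be checked."""
    backend = start_server(BackendHandler)
    proxy = start_server(make_proxy_handler(backend.server_address[1]))
    results = {}
    try:
        for host, path in (("www.example.test", "/index.html"),
                           ("www.example.test", "/../etc"),
                           ("data.example.test", "/")):
            conn = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            results[(host, path)] = (resp.status, resp.read().decode())
            conn.close()
    finally:
        proxy.shutdown(); proxy.server_close()
        backend.shutdown(); backend.server_close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The X-Forwarded-For header is the usual way a proxying WAF preserves the original client address for the back end, since the back end's own logs will otherwise only show the WAF as the source.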