WAF Placement


Frajo Kizhuvara

Currently we have an Imperva WAF (bridge mode) in front of the LB, and now we would like to place it behind the NetScaler load balancer. On the LB we have a SNIP configured for every VLAN, and the traffic to the service group is sent through it.

Looking for recommendations on how to configure it to make sure the traffic passes through the Imperva WAF.

 


1 minute ago, Frajo Kizhuvara said:

The problem is we have multiple VLAN SNIPs, e.g. VLAN 38, VLAN 54, etc., and the WAF can have only IP address.

 

So, you will probably need to have only one VLAN for the LAN, so that all traffic goes through that VLAN to your WAF, and afterwards define all required VLANs (38, 54, etc.) on the WAF.


12 minutes ago, Arnaud Pain said:

 

So, you will probably need to have only one VLAN for the LAN, so that all traffic goes through that VLAN to your WAF, and afterwards define all required VLANs (38, 54, etc.) on the WAF.

But if we do that, will the load balancing feature work, since the WAF will be taking the decision on forwarding the traffic to the servers?


9 minutes ago, Frajo Kizhuvara said:

But if we do that, will the load balancing feature work, since the WAF will be taking the decision on forwarding the traffic to the servers?

 

The Load Balance feature will forward the request to one of the defined resources; the WAF should just intercept and forward traffic to this resource.


  • 2 weeks later...

Sorry, got sidetracked. Got the below article https://docs.citrix.com/en-us/citrix-adc/13/content-inspection/integration-with-ips-or-ngfw-as-inline-devices.html and this is what we want.

Am I reading this right? Below is what I got from this.

NS 1/2 - WAF Ingress

NS 1/3 - WAF Egress

NS 1/4 - Web Servers trunk

Since content inspection is enabled globally, all traffic coming in will be sent to the WAF through NS 1/2 and returned from the WAF to NS 1/3; then the NS forwards the traffic to the web servers.
