| Deployment Model | X6510 | ||||
|---|---|---|---|---|---|
| Performance | Peak web traffic <= 2G | ||||
| Deployment Mode | Transparent Bridge | Reverse Proxy | |||
| Deployment Position (see diagram) | Inline, behind the firewall | Parallel with F5 on the same switch | |||
| Cabling Mode | Dual-line (bridge, multi-in multi-out) | Dual-line (multiple physical interfaces, multi-arm) | |||
| Network Layer | Layer 2 | Layer 3 | |||
| Deployment Requirements | Centralized network access point | F5 needs extra config to load-balance across WAF instances | |||
| Traffic must not exceed the single-device performance cap | Need to catalog every app's access domain list first | ||||
| Topology Diagram | ![]() | ![]() | |||
| Pros | No changes to existing network topology No need to know what apps sit behind it Lower latency | Easy to scale performance horizontally | |||
| Cons | Hard to scale out | Adds latency Requires network topology changes | |||
| Scenarios | Maintenance cost (security + ops) | WAF config is simple and easy to maintain | WAF config is more complex; automation via API helps a lot | ||
| Non-Layer-7 traffic | Passed through directly to backend without inspection | All traffic passing through gets inspected, no exceptions | |||
| Device failure / power loss | Fail-open on power loss — backend services stay up | No transparent failover; traffic shifts to other WAFs in the wafpool | |||
| Firewall NAT to backend servers | No impact; selective mapping works fine | No impact; selective mapping works fine | |||
| SSL offload | WAF needs the app's SSL cert to decrypt HTTPS (hits performance; may need an SSL accelerator card) | SSL is offloaded at F5; WAF only inspects plaintext HTTP traffic | |||
| Conclusion | Transparent bridge mode is the first pick; reverse proxy is the fallback. If you do go reverse proxy, dual-arm KRP + LoadBalance + dual-line single BL is the preferred setup. | ||||
For reverse proxy mode alone, just the cabling options give you 3–4 different deployment variations. But I’ll leave that rabbit hole for another time.
Spent a whole day organizing stuff I’ve been learning at work lately. Still have a bunch left to sort through, but it suddenly started raining tonight. Wu Bai’s “Bèi Dòng” is playing in the background — forget the tech for now. Time to chill. Dropping a flag here though.
Flag & ToDo:
- Lessons from the job and wisdom from the veterans
- Data security architecture reading notes
- Revisiting security architecture
- What does data security actually need?
- A quick take on KMS and HSM architecture

