𝛑
𝛑

A Quick Look at Imperva WAF Deployment Options

Deployment ModelX6510
PerformancePeak web traffic <= 2G
Deployment ModeTransparent BridgeReverse Proxy
Deployment Position (see diagram)Inline, behind the firewallParallel with F5 on the same switch
Cabling ModeDual-line (bridge, multi-in multi-out)Dual-line (multiple physical interfaces, multi-arm)
Network LayerLayer 2Layer 3
Deployment RequirementsCentralized network access pointF5 needs extra config to load-balance across WAF instances
Traffic must not exceed the single-device performance capNeed to catalog every app's access domain list first
Topology DiagramImage
ProsNo changes to existing network topology
No need to know what apps sit behind it
Lower latency
Easy to scale performance horizontally
ConsHard to scale outAdds latency
Requires network topology changes
ScenariosMaintenance cost (security + ops)WAF config is simple and easy to maintainWAF config is more complex; automation via API helps a lot
Non-Layer-7 trafficPassed through directly to backend without inspectionAll traffic passing through gets inspected, no exceptions
Device failure / power lossFail-open on power loss — backend services stay upNo transparent failover; traffic shifts to other WAFs in the wafpool
Firewall NAT to backend serversNo impact; selective mapping works fineNo impact; selective mapping works fine
SSL offloadWAF needs the app's SSL cert to decrypt HTTPS (hits performance; may need an SSL accelerator card)SSL is offloaded at F5; WAF only inspects plaintext HTTP traffic
ConclusionTransparent bridge mode is the first pick; reverse proxy is the fallback. If you do go reverse proxy, dual-arm KRP + LoadBalance + dual-line single BL is the preferred setup.

For reverse proxy mode alone, just the cabling options give you 3–4 different deployment variations. But I’ll leave that rabbit hole for another time.

Spent a whole day organizing stuff I’ve been learning at work lately. Still have a bunch left to sort through, but it suddenly started raining tonight. Wu Bai’s “Bèi Dòng” is playing in the background — forget the tech for now. Time to chill. Dropping a flag here though.

Flag & ToDo:

  • Lessons from the job and wisdom from the veterans
  • Data security architecture reading notes
  • Revisiting security architecture
  • What does data security actually need?
  • A quick take on KMS and HSM architecture