Q&A: Best practice/Silverline recommendation for deploying WAF with a CDN?

Question

• I am curious as to whether there is a best practice / Silverline recommendation for deploying the WAF service when leveraging a CDN as well?
• Are there any nuances or issues I need to keep in mind for this implementation?

Environment

• Silverline WAF
• Policy / Policies
• Proxy / Proxies

Answer

• The recommended setup is to run F5 Silverline WAF behind your CDN service. This deployment lets you get the most out of your CDN service.
• You can then configure the CDN to inject the source client IP address in a typical "X-Forwarded-For" header or any header of your choosing, like Akamai for example that uses "True-Client-IP" headers.
  • For more information about setting up "Alternative Trusted Source Header" see 
    Proxy / Application Configuration Option: Advanced
• Once Silverline knows which header contains the source client IP, we'll use that header to extract the source IP information. 
• As for the rest of the process, the Silverline proxy will act as any other proxy would, where when traffic comes in, we forward traffic to the backend origin.

Related Content

• WAF Setup: Onboarding and Implementation Plan
• Proxy Set-up Guide: Proxy / App Configuration in Silverline Portal