Hi Kevin,
Great series, it's exactly what I was looking for :-) Have some questions (as usual):
- "The NGFW is connected to the DMZ switching network in such a manner that traffic traverses it when the BIG-IP SSL Orchestrator is configured to push traffic for inspection." - could you elaborate a bit on what you mean by that?
- "All routing configuration is static routing – no dynamic routing protocols is implemented in this design." - will the design/setup change a lot when, for example, BGP is used, apart of course from adding routers and enabling BGP on the BIG-IPs/SSLO?
- "The design allows for the administrator to gradually forward services to the BIG-IP SSL Orchestrator using source-based routing rules." - that is very interesting; any hints on how it should be implemented? Looking at the network diagram, it looks like all traffic has to pass via SSLO, and that requires network reconfiguration. I wonder if you meant SSLO policies that will initially catch only selected traffic (even if all of it passes via SSLO), or maybe policies on external devices that will either direct traffic to SSLO or send it via the "old" path?
- "AutoMap is a secure network address translation (SNAT) described in Knowledge article K7336. AutoMap should not be used where possible in BIG-IP SSL Orchestrator deployments." - I've seen this suggestion, but I am not really sure why it's recommended - could you give some examples of when it should be used and when not?
- "note that NGFW is configured with vWire and performs its inspection as a transparent L2 device." - do you mean the BIG-IP configured with vWire, or the device marked as PAN PA3220 (I guess a Palo Alto NGFW)?
Sorry for so many questions. If you covered those in other parts (I have not yet been able to read them all), just ignore my questions.
Piotr