https://community.checkpoint.com/t5/WAF/Blueprint-design-for-inbound-webtraffic-in-onpremise-datacenter/m-p/130842#M49 <P>My guess is that it would probably be similar to that in public cloud except you're using on-prem load balancers.<BR />AppSec can also do IPS:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/13847i7BE673894522CEC3/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Fri, 01 Oct 2021 18:23:50 GMT PhoneBoy 2021-10-01T18:23:50Z https://community.checkpoint.com/t5/WAF/Blueprint-design-for-inbound-webtraffic-in-onpremise-datacenter/m-p/130820#M48 <P>We are looking for a design concept or best practice setups for onpremise datacenter environment where 90% of traffic is inbound https.</P><P>We are already using R80.40 clusters and Citrix netscalers (for loadbalancing and ssl offloading) but we also want to use the Appsec.</P><P>Upgrade to R81 is planned.</P><P>Does Checkpoint has some kind of document or blueprint in order to create the best setup for doing security on this incoming https traffic.</P><P>One question for example is which component can or should do IPS. The gateway or the appsec.. or both ?</P><P>Please let me know which thoughts about those kind of setups are the in community&nbsp;</P><P>&nbsp;</P> Fri, 01 Oct 2021 12:23:18 GMT https://community.checkpoint.com/t5/WAF/Blueprint-design-for-inbound-webtraffic-in-onpremise-datacenter/m-p/130820#M48 Mischa_Meekes 2021-10-01T12:23:18Z https://community.checkpoint.com/t5/WAF/Blueprint-design-for-inbound-webtraffic-in-onpremise-datacenter/m-p/130842#M49 <P>My guess is that it would probably be similar to that in public cloud except you're using on-prem load balancers.<BR />AppSec can also do IPS:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/13847i7BE673894522CEC3/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Fri, 01 Oct 2021 18:23:50 GMT https://community.checkpoint.com/t5/WAF/Blueprint-design-for-inbound-webtraffic-in-onpremise-datacenter/m-p/130842#M49 PhoneBoy 2021-10-01T18:23:50Z https://community.checkpoint.com/t5/WAF/Blueprint-design-for-inbound-webtraffic-in-onpremise-datacenter/m-p/130873#M50 <P>Hi,</P> <P>if you want to use AppSec then it also has IPS capabilities specifically for WEB traffic. So it you activate it on AppSec you don't need to do double inspection and activate it on the Gateways also.</P> <P>you might just activate it for other protocols passing through your Gateways using the Threat Prevention policy.</P> Sun, 03 Oct 2021 08:04:53 GMT https://community.checkpoint.com/t5/WAF/Blueprint-design-for-inbound-webtraffic-in-onpremise-datacenter/m-p/130873#M50 Nir_Shamir 2021-10-03T08:04:53Z