It depends on your environment and requirements.
Application scenarios for the different deployment modes:
Route Mode: If there is no router as a gateway in the existing environment, AF needs to be used for routing.
Transparent Mode and Virtual Wire Mode: Support all security protection functions (such as IPS, WEB application protection, botnet, etc.), and are suitable for scenarios that do not require changing the original environment and only need to use the security protection functions of AF (no VPN, routing, NAT, etc. required).
Mixed Mode: It mainly refers to the situation where each network port of AF has both a layer 2 port and a layer 3 port. Especially when the server cluster in the DMZ area needs to be configured with a public IP address, the corresponding security functions are supported in mixed mode deployment, such as IPS, WEB application protection, botnet, application control, content security, real-time vulnerability analysis, etc.
Bypass Mode: The device can be mounted on the internal network switch or router to implement the protection functions without needing to change the user's existing environment at all, avoiding all possible risk of interruption caused by the device to the user's network.
Single-arm Mode: The single-arm port is a routing port that supports routing functions and is required to be directly connected to network devices to implement policy routing and divert data through AF.
The difference between the deployment modes:
Route Mode: All service ports are Layer 3 routing ports, and IP addresses must be configured to forward data according to the routing table and ARP table.
Transparent Mode: All service ports are Layer 2 transparent ports, which are divided into access and trunk attributes.
Virtual Wire Mode: All service ports are virtual network ports. They directly forward or intercept data without checking the routing and forwarding rules, and can be described as the two ends of a network cable.
Mixed Mode: All service ports have Layer 2 transparent ports and Layer 3 routing ports.
Bypass Mode: The interfaces deployed in bypass mode are mirrored ports, which do not support routing and forwarding functions and need to be used in conjunction with the mirroring configuration on the physical switch.
Single-arm Mode: The single-arm interface is a routing port that supports routing functions. The policy configuration is similar to the route mode configuration.
1. All security protection functions of the NGAF can be used in transparent mode, virtual wire mode, route mode and mixed mode.
2. The bypass mode only supports the WAF (web application protection), IPS (intrusion prevention system), APT (botnet), Real-Time Vulnerability Analysis, DLP (data leak protection), and website anti-tampering functions.
3. The functions of NGAF depend on the deployment mode and are not directly related to the AF deployment location.