DoS protections: load balancers vs. firewalls

We currently have a route through a router, Checkpoint external firewall, F5 load balancer, Checkpoint internal FW to (DMZ role) web servers.

Now it looks like the single external firewall easily works as a "fuse" and becomes a failing bottleneck when we test for a high-volume DoS attack (we have a gigabit line to the ISP side, with smaller but upgradeable guaranteed bandwidth). So, to strengthen the availability and DoS resilience, we are thinking: why not get rid of the external firewall totally? We could configure the F5 with all the security features and use it also in an external firewall role...

Note that the external Cisco router anyway limits incoming traffic, with a simple ACL, to a few virtual IP addresses and ports 80 and 443. Do we really need a separate external firewall? Anyway, I can't find any references to this kind of setup with the F5 interfacing the Internet. Maybe I'd better ask F5, but I would like to have an independent opinion/experience...
