How to bypass server-to-server communication from NGFW?

I'm working, as a vendor, on a deployment model for a Cisco NGFW with the following interests:

• east-west traffic inside the server farm, to stop lateral movement of malware
• user (access layer) to server farm traffic, for policy control, e.g. AV, IPS, etc.

Constraints / Concerns:
• Currently there is no L4 policy control or firewall in place; the network topology is flat.
• We don't want to buy a layer 3 switch for inter-VLAN routing.
• Internet traffic is managed by another segment and is not to be passed through the proposed NGFW.

Concerns from the vendor/integrator perspective:

• Application-to-application or app-to-DB server traffic can best be addressed with an ACL; there is no botnet, malware exploit or spread from server to server per se. The use of IPS and AV inspection will be counterproductive.
• Further, the connection between app and DB is heavy traffic; the firewall will keep looking at those connections for a long time, holding down memory and CPU and affecting throughput as well.
• Terminate access to the server farm ONLY on the layer 3 device (NGFW) for policy control and NGFW compliance features (IPS, AV).

I'm looking for your assistance on whether there exists a Cisco validated design either for or against the above solution. Thanks.
asad ali asked:
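As an added illustration of the split the question proposes (a plain layer-4 ACL for app-to-DB traffic, IPS/AV inspection only for user-to-server traffic), here is an ASA-style configuration fragment. It is not from the question, from any reply, or from a Cisco validated design; the interface names (users, app, db), the subnets and the TCP ports are constructed placeholders, and it assumes an ASA with a FirePOWER (SFR) service module, so that `sfr fail-open` redirects only the matched class to the IPS/AV engine while everything else is handled by the stateful ACL alone.

```text
! Constructed example, not a validated design. Interfaces "users", "app", "db";
! subnets 10.10.100.0/24 (users), 10.10.20.0/24 (app tier), 10.10.30.0/24 (db tier).

! 1. App tier -> DB tier: layer-4 ACL only, no redirection to the SFR module.
!    Denied flows are logged, which is the detection signal for unexpected
!    server-to-server traffic (the lateral-movement case in the question).
object-group network APP_TIER
 network-object 10.10.20.0 255.255.255.0
object-group network DB_TIER
 network-object 10.10.30.0 255.255.255.0
access-list APP_IN extended permit tcp object-group APP_TIER object-group DB_TIER eq 1433
access-list APP_IN extended deny ip any any log
access-group APP_IN in interface app

! 2. User access layer -> server farm: permitted on a narrow ACL, and the
!    matched class is additionally sent to the FirePOWER module for IPS/AV.
access-list USERS_IN extended permit tcp 10.10.100.0 255.255.255.0 object-group APP_TIER eq 443
access-list USERS_IN extended deny ip any any log
access-group USERS_IN in interface users

access-list USER_TO_SERVER extended permit ip 10.10.100.0 255.255.255.0 object-group APP_TIER
class-map USER_TO_SERVER_CLASS
 match access-list USER_TO_SERVER
policy-map USERS_POLICY
 class USER_TO_SERVER_CLASS
  sfr fail-open
service-policy USERS_POLICY interface users
```

With this layout the app-to-DB connections still consume a connection-table entry on the ASA (any stateful firewall does that), but they are never redirected to the inspection engine, so the heavy, long-lived database sessions the question worries about cost no IPS/AV CPU. Whether `fail-open` or `fail-close` is the right choice for the user-to-server class is a risk decision: `fail-open` keeps users working if the module goes down, `fail-close` keeps the inspection guarantee.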

Joseph Hornsey (President and Janitor) commented:
It seems like your requirements are mutually exclusive. You have the NGFW, but you can't use IPS/AV inspection because of performance issues.

As far as terminating access on the NGFW, that's doable via a remote access VPN.  Keep in mind, though, the tunnel terminates on the inside interface.  Since it's considered internal traffic - you have to configure NAT exclusions, etc. - I don't know if the ASA is going to inspect that.

Out of curiosity, do the servers have AV software installed on them?

Joseph Hornsey (President and Janitor) commented:
Question answered as stated... double VPN, etc.