Hi I would always suggest to put the external port of the SA behind a firewall. Solely for the purpose of protecting the device from DoS and DDoS attacks. There are some mechanisms onboard to prevent the success of such attacks but it is always better to get this job done by a device that really is designed for it, a firewall. With regards to the internal port, you are really free to place it on an firewall port or directly to your internal network. This depends on how much configuration work you want to do on the firewall (need all the ports open for AAA, logging, applications, etc..) and on the other hand how high are your demands in terms of security/visibility/control. Regards T.
... View more