If your WAF is terminating TLS, can't it also initiate outgoing TLS connections? In this case the ephemeral Diffie-Hellman secrets would be created on the WAF, so it would have full ability to inspect traffic.
It won't work for devices/websites that do certificate pinning; the device won't accept MitM'd certificates, only the original non-intercepted certs are accepted.
Right, you pin the cert deployed on your WAF and you should still be able to terminate TLS at it.
I see no issues here - your WAF itself is initiating and terminating outgoing and incoming TLS connections. DHE keys are generated on the WAF. The WAF's cert could be the authoritative one.
The WAF could then re-establish a new connection to applications behind it.
There does not seem to be any technical boundary here.
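To make the point in this thread concrete, here is a client-side check that pins the key deployed on the WAF, so the WAF can terminate TLS while the client still refuses any other certificate. This is an added Go example, not code from anyone in the thread; the self-signed certificates it generates are constructed stand-ins for the WAF's cert (and, for contrast, for an origin cert behind it).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSignedDER makes a throwaway self-signed cert (DER): a constructed stand-in for the WAF's cert.
func NewSelfSignedDER() ([]byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
}

// SPKIPin is the base64 SHA-256 of the cert's SubjectPublicKeyInfo, the usual key-pin format.
// Pinning the key rather than the whole cert lets the WAF cert be re-issued as long as its key pair is kept.
func SPKIPin(der []byte) (string, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// PinnedClientConfig returns a client tls.Config that trusts exactly one key, the WAF's: CA-chain and
// hostname checks are switched off and the pin comparison below is the whole trust decision.
func PinnedClientConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // chain validation off; VerifyPeerCertificate still runs
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if got, err := SPKIPin(rawCerts[0]); err != nil || got != pin {
				return fmt.Errorf("leaf key %q rejected: not the pinned WAF key", got)
			}
			return nil
		},
	}
}
```

With this config a `tls.Dial` to the WAF succeeds only while the WAF presents the pinned key; a certificate for the origin behind it, or any other MitM'd certificate, is rejected in the handshake.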