PRA/RS Network Traffic Filtering /Inspection

Hello!

I am curious to know what type of filtering and packet inspection controls are typically recommended/used for on-prem PRA/RS appliances. As typical use cases (e.g. remote users, vendor access etc.) require the appliance to be external network facing , it is not feasible to restrict access to IP ranges. Based on KB articles SSL Offloading is not supported for client to appliance communication.
Question: What typical network security controls are recommended apart from restricting the outbound from appliance, blocking known-bad source IPs, and segmentation.
Anyone using Web App Firewalls , NGFWs or IDPS effectively ? Are there any resources available that can help identifying know benign traffic vs malicious traffic ?