I’ve worked with lots of Network Firewalls. Mainly, I’ve worked with Fortinet FortiGate firewalls. However, I also have to know about Checkpoint or Palo Alto firewalls from time to time, or even about pfSense or iptables firewalls. I’ve also installed Web Application Firewalls (WAF). Mainly, I’ve installed F5 BIG-IP ASM. However, I’ve also installed FortiGate WAF from time to time. Therefore, I would like to write about F5 BIG-IP AFM today, which is the Network Firewall of F5 Networks.

F5 BIG-IP AFM offers four core areas of functionality. Network Firewall provides layer 3 to layer 4 security by applying policy-based firewall rules to network traffic arriving at the BIG-IP device. Denial of Service is where AFM checks, either system-wide or per virtual server, for potential attacks and can then drop or rate limit that traffic according to the thresholds you configure. IP Intelligence can be used to block traffic from known unreliable or questionable IP addresses reported by several sources. Finally, AFM Reporting and Logging provides historical and analytical data for the security administrator.

AFM Functionality

Creating a firewall policy in AFM is done in four steps. Firstly, create a schedule that identifies the date ranges, days of the week and time ranges during which client traffic will be accepted. Secondly, the schedule, address lists and port lists can be consolidated together into a firewall policy. Thirdly, create an address list and a port list that identify the source IP addresses and destination ports that will be accepted. Finally, apply the policy to the virtual server context that provides access to the website.

Creating a Scheduled Network Firewall Policy
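The four steps above expressed as tmsh commands on the BIG-IP CLI, as an added example that is not part of the original post. The object names (sched_business_hours, al_office_clients, pl_web, fw_pol_web, vs_www) and the client addresses are constructed for illustration, and the property names follow the AFM tmsh objects as I know them; check them against the reference for your BIG-IP version.

```tmsh
# Step 1: schedule - accept client traffic on weekdays during office hours only
tmsh create security firewall schedule sched_business_hours \
    daily-hour-start 08:00 daily-hour-end 18:00 \
    days-of-week { monday tuesday wednesday thursday friday }

# Step 3: address list (allowed sources, constructed documentation ranges)
#         and port list (allowed destination ports)
tmsh create security firewall address-list al_office_clients \
    addresses add { 203.0.113.0/24 198.51.100.10 }
tmsh create security firewall port-list pl_web ports add { 80 443 }

# Step 2: consolidate schedule, address list and port list into a policy.
# The first rule accepts matching traffic inside the schedule; the final
# rule drops everything else, so the policy is default-deny and logs both.
tmsh create security firewall policy fw_pol_web rules add { \
    allow_office_web { \
        action accept \
        ip-protocol tcp \
        schedule sched_business_hours \
        source { address-lists add { al_office_clients } } \
        destination { port-lists add { pl_web } } \
        log yes \
    } \
    deny_all { action drop log yes } \
}

# Step 4: apply to the virtual server that fronts the website.
# Stage it first: a staged policy only logs what it would have dropped,
# so you can review the firewall logs before anything is actually blocked.
tmsh modify ltm virtual vs_www fw-staged-policy fw_pol_web

# Once the logs show no legitimate traffic being matched by deny_all,
# switch the policy to enforced and persist the configuration.
tmsh modify ltm virtual vs_www fw-staged-policy none fw-enforced-policy fw_pol_web
tmsh save sys config
```

Traffic from 203.0.113.0/24 to port 443 at 10:00 on a Tuesday matches allow_office_web; the same connection at 22:00 or on a Saturday falls outside the schedule and is dropped by deny_all.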
AFM plays a significant role in the F5 application delivery firewall solution. Together with other modules such as LTM, DNS and Advanced WAF, the BIG-IP system provides protection across the entire OSI stack. AFM detects and mitigates network attacks such as SYN or connection floods. This is accomplished by rate limiting and dropping traffic according to the thresholds you set for the BIG-IP AFM system as a whole.

DDoS Detection and Mitigation
Modern cyber criminals use numerous techniques to hide their identities and activities. However, every packet that traverses the Internet has a source IP address, so blocking inbound communication from known malicious IP addresses is highly effective. IP Intelligence provides this functionality. With IP Intelligence, AFM can be configured to block or allow traffic entering the system based on the reputation of the source IP address.

IP Intelligence
F5 Networks is a company with good products. From my point of view, LTM, ASM and APM are the best modules for load balancing, WAF and VPN. However, AFM and the Network Firewall are a little bit basic for network protection. It’s really useful for virtual server protection, but it’s not made for user protection. Therefore, if you want to protect users, you’ll have to install an NGFW appliance.

Regards my friends! Drop me a line with the first thing you are thinking.