Forum Discussion
AFM NAT vs LTM NAT
This feature seems to have crept up somewhere in the 12.x release for AFM? Or maybe it's been there but I've never seen it...
Anyway, are there any documents or articles that discuss what happens if there are conflicting AFM NAT rules vs. the LTM NAT rules? Or even with SNAT? If I were using my F5 as a gateway to the internet, would I still be creating a wildcard VS with SNAT on it to translate private addresses to public, or would I use an AFM NAT rule now? Does the order these are applied in reflect the order in which a packet hits each module on the BIG-IP?
9 Replies
- JWhitesPro_1928
Cirrostratus
Also, what makes more sense? Having a virtual server on the external interface with a public address, or having a virtual server on a DMZ/internal interface and using AFM (or something) to translate the address to a public address?
- Vijay_E
Cirrus
I will answer the 2nd part of the question. Having worked with both Public IP VS and Private IP VS, there really isn't a big difference from a Network/ADC perspective. Some applications may not work well with NAT and hence, may require Public IP VS. Most applications are compatible with NAT and you shouldn't see any difference in performance or functionality in both cases.
- Peter_Mills_697
Historic F5 Account
AFM NAT rules are applied after AFM Firewall rules. The functionality of the CGNAT module has been ported to AFM (dynamic-pat) and extended using 1:1 mapping features like static-nat and static-pat, because a rule construct is more flexible. An AFM NAT Policy cannot be configured in tandem with other forms of address translation, like SNAT, an LSN pool or Automap, since the two workflows are mutually exclusive.
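Since the answer above says an AFM NAT policy cannot coexist with SNAT, an LSN pool or Automap on the same virtual server, a quick audit of the configuration is a useful check. The following is an added example, not code from this thread or from F5: a small Python script that walks a bigip.conf excerpt and flags virtual servers that carry both. The stanza names `source-address-translation` and `security-nat-policy` and the sample config contents are assumptions, constructed for the example.

```python
# Added example: flag virtual servers that mix LTM source-address-translation
# (SNAT pool or automap) with an attached AFM NAT policy. Stanza names are
# assumed; the config excerpt below is constructed, not a real device's.
SAMPLE_CONF = """\
ltm virtual /Common/vs_outbound {
    destination /Common/0.0.0.0:0
    source-address-translation {
        type automap
    }
    security-nat-policy {
        policy /Common/outbound_nat
    }
}
ltm virtual /Common/vs_web {
    destination /Common/203.0.113.10:443
    source-address-translation {
        type snat
        pool /Common/snat_pool
    }
}
ltm virtual /Common/vs_nat_only {
    security-nat-policy {
        policy /Common/outbound_nat
    }
}
"""

def parse_virtuals(conf_text):
    """Return {vs_name: {"snat": type or None, "afm_nat_policy": name or None}}."""
    virtuals, stack, current = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):                      # open a nested block
            name = line[:-1].strip()
            if not stack and name.startswith("ltm virtual "):
                current = name.split()[2]
                virtuals[current] = {"snat": None, "afm_nat_policy": None}
            stack.append(name)
        elif line == "}":                           # close the innermost block
            stack.pop()
            current = current if stack else None
        elif current and len(stack) >= 2:           # attribute inside a sub-block
            key, _, value = line.partition(" ")
            if stack[-1] == "source-address-translation" and key == "type":
                virtuals[current]["snat"] = value
            elif stack[-1] == "security-nat-policy" and key == "policy":
                virtuals[current]["afm_nat_policy"] = value
    return virtuals

def find_conflicts(conf_text):
    """Names of virtuals that combine LTM SNAT/automap with an AFM NAT policy."""
    return sorted(n for n, v in parse_virtuals(conf_text).items()
                  if v["afm_nat_policy"] and v["snat"] not in (None, "none"))
```

Running `find_conflicts(SAMPLE_CONF)` on the constructed excerpt reports only `/Common/vs_outbound`, the one virtual that has both automap and a NAT policy attached.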
- bassam_gohar_26
Nimbostratus
Hi Peter,
So what is the difference between the standalone CGNAT module and the CGNAT module that is integrated in AFM NAT?
- Peter_Mills_697
Historic F5 Account
Nothing actually. The same code is used for both. It is a repackaging exercise, since AFM users prefer to use ACLs. It also reduces the number of virtual servers required, since you can set up a wildcard VIP and use ACL rules to filter the traffic. AFM is also gradually leapfrogging the CGNAT module in other respects, e.g. by adding support for proxy ARP (both source and destination) and adding other forms of 1:1 static NAT.
dynamic-pat == CGNAT
- Peter_Mills_697
Historic F5 Account
CGNAT ALGs are still provisioned as they are today by attaching a profile to the Virtual Server but they interoperate with AFM dynamic-pat.
CGNAT LSN pools and dynamic-pat are mutually exclusive.
- bassam_gohar_26
Nimbostratus
Thanks a lot Peter :), so in dynamic-pat should we take care of the CMP hash on the inbound and outbound VLANs like with the CGNAT module?