Forum Discussion

npaulo_213434
Nov 05, 2015

AFM perimeter firewall?

Hi everyone,

 

From what I can see, AFM, at least starting with version 12, can act and be configured as a network firewall, with rules permitting or denying traffic by source and destination, on specific ports, creating groups, etc.

 

So I believe we can present this firewall to a client as a perimeter firewall, competing with Fortinet, Check Point, Sophos, etc.?

 

6 Replies

  • You don't even need 12.0 for this; AFM has been able to do this through 11 fine. And even before AFM you were able to build something with virtual servers and packet filters, but AFM is a nice step forward.

     

    F5 positions it as a data centre firewall, so it is meant for clearly defined incoming connections, usually your VIPs and perhaps a little more. For outgoing connections, i.e. clients going to the internet, a next-generation firewall still makes more sense, as there is no application control / IPS (except for HTTP with ASM) and such.

     

  • Hi,

     

    Personally I don't recommend AFM as a perimeter firewall because it lacks a lot of features as a firewall. It can't compete with Cisco/Check Point/Juniper/Palo Alto etc. Management is really a big pain.

     

    -Jinshu

     

  • The new BIG-IQ Security management in v4.6 is better and provides a useful interface for managing AFM, F5 have been positioning it as a Gi firewall to SPs, especially useful where it allows you to collapse firewall and ADC into a single platform. With the Good, Better, Best licensing it becomes a viable option and scales well compared to other vendors.

     

  • Thanks Pete for your comments.

     

    I have come across many customers facing issues with F5 AFM management. If we have a single route domain, we need to depend purely on VIPs and VLANs to segregate the traffic. As a solution for the end customers, we don't want to put customers in a position to blame us (solution architects) in future.

     

    Sorry, I'm not bullying you, but it's a fact. I am continuously writing RFIs to F5 to improve the AFM, but I know that is not a solution for at least the next one year.

     

    -Jinshu

     

  • F5 AFM is a really good datacenter firewall with LTM / ASM / APM, and Check Point, Juniper, Palo Alto and Cisco can't compete with it...

     

    I agree that AFM does not provide easy-to-configure application control, antivirus, antispam, URL filtering or DLP modules. You can do some of these features, but not as well as Check Point or Palo Alto.

     

    As AFM is applied on listeners (virtual servers, self IPs, ...), it allows you to create generic policies with a source-address-only filter and enable them on virtual servers.

     

    • When a virtual server is not used anymore, removing it will also disable the associated incoming policies.
    • TMOS drops any traffic not handled by a configured listener.
    • TMOS includes TCP
    • ASM will enable better server protection than a standard firewall IPS solution.
    • TMOS will allow you to decrypt SSL connections and inspect them as clear traffic.

    So do not propose AFM to replace a perimeter firewall with UTM or next-generation firewall features, but to replace those protecting servers.
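One way to build the listener-scoped, source-address-only policy Stanislas describes, as an added tmsh example that is not part of the thread or of F5's documentation. The object names, the 10.0.0.0/8 and 192.168.0.0/16 prefixes, and the exact option spellings are assumptions to check against your TMOS version.

```tmsh
# Added example, not from the thread. Names (corp_nets, web_policy, vs_web)
# and prefixes are constructed; option spellings are assumed and should be
# checked with "help security firewall policy" on your own box.

# Reusable address list, so the same generic policy can be attached to
# several listeners without repeating the prefixes.
create security firewall address-list corp_nets addresses add { 10.0.0.0/8 192.168.0.0/16 }

# Generic policy: accept from the allowed sources only, drop everything else.
# No destination or port filter, because the listener (the virtual server)
# already defines the destination address and port.
create security firewall policy web_policy rules add {
    allow_corp {
        action accept
        source { address-lists add { corp_nets } }
    }
    drop_rest {
        action drop
    }
}

# Stage first: staged policies only log what they would have done, so the
# rule set can be checked against real traffic before anything is dropped.
modify ltm virtual vs_web fw-staged-policy web_policy

# Then enforce. Enforcement is tied to the virtual server, so deleting vs_web
# later removes this enforcement point with it; traffic to an address with no
# listener at all is dropped by TMOS anyway.
modify ltm virtual vs_web fw-enforced-policy web_policy fw-staged-policy none

# Verify what is attached to the listener and what the policy contains.
list ltm virtual vs_web fw-enforced-policy fw-staged-policy
list security firewall policy web_policy
```

The staged/enforced split is the check a defender wants before cutting over: run staged for a while, read the AFM logs, and only then enforce.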

     

  • Thank you all for your comments, especially you, Stanislas; now I understand AFM.