Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

npaulo_213434's avatar
npaulo_213434
Icon for Nimbostratus rankNimbostratus
Nov 05, 2015

AFM perimeter firewall?

Hi everyone,   For what I can see, AFM at least starting on version 12 can act and be configured as a network firewall with rules permitting or denying traffic with a source and destination, in sp...
advanced firewall manager
design
security
TMOS
stan_piron's avatar
stan_piron
Icon for Cumulonimbus rankCumulonimbus
Dec 01, 2015

F5 AFM is a really good Datacenter firewall with LTM / ASM / APM and Checkpoint, Juniper, Palo Alto and Cisco can't compete with it...

 

I agree that AFM does not provide easy to configure Application control, Antivirus, Antispam, URL Filtering, DLP, modules. you can do some of these features but not as good as Checkpoint or Palo Alto.

 

As AFM is applied on Listeners (Virtual servers, Self IPs, ...), it allow to create generic policies with source address only filter and enable it on virtual servers.

 

  • When a virtual server is not used anymore, removing it will also disable the associated incoming policies.
  • TMOS drop any traffic not handled by a configured listener.
  • TMOS include TCP
  • ASM will enable a better server protection than standard firewall IPS solution.
  • TMOS will allow you to unencrypt SSL connections to inspect it as clear traffic.

So do not propose AFM to replace perimeter firewall with UTM or Next Generation Firewall features but replace those protecting servers.

 

Related Content