F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

RecontuerSG_258's avatar
RecontuerSG_258
Historic F5 Account
Aug 07, 2017

If F5 LTM/AFM is tier-1 DDoS Protection, what about upstream non-F5 Firewalls?

I understand F5 can do network-related DDoS protection at Layer 3 and 4. What I am curious is what about the edge router or firewall upstream?   Example: Internet->Edge Router->Firewall(Inter-VLAN...
AFM
antiddos
firewall
LTM
security
nathe's avatar
nathe
Icon for Cirrocumulus rankCirrocumulus
Aug 08, 2017

ReconteurSG,

 

You make a good point on where to have your security mitigations. F5 would give you two options here. First option is to replace your existing perimeter firewall and replace it with a BIG-IP device with AFM and, optionally ASM for L7 protections. See the following datasheet: f5-ddos-protection-reference-architecture. The BIG-IP hardware is, most likely, going to be better at handling DDoS attack vectors, when compared to commodity hardware/NGFWs. So this gets around a situation where the NGFW falls over before the next layer BIG-IP has a chance to assist.

 

The 2nd scenario is to deploy the latest Herculon Hybrid DDoS defender external to your existing firewall, see herculon-ddos-hybrid-defender-datasheet and ddos-hybrid-defender. This will be the first line in defence from DDoS attacks and take the pressure off your existing NGFW. It can also signal back to Silverline, when under attack, to perform Cloud Scrubbing too. Herculon DDoS can protect against L3/4 and L7 DDoS attacks. It can also monitor bandwidth and mitigate attacks based on a percentage of bandwidth in use - this will help ease pressure on your Edge Router.

 

Hope this helps,

 

N