AFM Foundations and Provisioning
Everyone uses network firewalls to protect their critical business assets…and rightfully so. But not every network firewall is the same. Some are fast, some are slow, some are full of rich features, some are not. It’s probably no surprise that, in this article, you will read about how awesome the BIG-IP Advanced Firewall Manager (AFM) is. The AFM is a high-performance, stateful, full-proxy network firewall designed to guard against incoming threats that enter the network on the most widely deployed protocols. It’s an industry leader in network protection, and one of its most impressive features is the scalability it can handle. It leverages the high performance and flexibility of F5's TMOS architecture in order to provide large data center scalability features that take second place to no one.
As for speed, network firewalls are notorious for introducing latency into a network. And, if the firewall takes care of SSL offload, then latency becomes an even bigger issue. Latency can cause problems like excessive concurrent TCP connections, excessive response times for HTTP transactions, or connection timeouts. So, it’s important to deploy a fast and capable network firewall. The speed of the AFM was recently put to the test, and the dudes doing the testing said this about firewalls in general: "Connection capacity is important because a single user request can involve many TCP connections...and connection rate matters because web sites may be hit with huge bursts of traffic."
With this in mind, NetworkWorld pushed the AFM to its limits with many iterations of complex tests. They pushed SSL and non-SSL traffic through the device to see what kind of latency they would find. They concluded that the AFM actually moved SSL traffic faster than non-SSL! That’s unheard of.
The experts said that “…the most plausible explanation for the [increase in SSL traffic speed] is that the BIG-IP AFM is a load balancer. By performing web server health checks and distributing requests accordingly, the F5 firewall is able to distribute workloads more efficiently than clients and servers can do on their own.” So, the AFM is a network firewall built on the foundation of a network load balancer…this allows it to make significantly more intelligent decisions about network traffic than any other network firewall you can deploy.
We are about to release a series of AFM-specific articles here on DevCentral and we will discuss in depth many of these cool features. You can learn more about them and how to use them to protect your network with the AFM.
Now that you know a little bit about the AFM speed and features, it’s time to learn how to turn it on and get it protecting your network.
Let’s Provision This Thing…
In order to provision the AFM on your BIG-IP system, navigate to System >> Resource Provisioning and check the Advanced Firewall (AFM) box, then hit the “Submit” button at the bottom of the page. After you hit the Submit button, the BIG-IP will need to restart in order to apply the changes and activate the AFM module. See the screenshot below:
See, that wasn’t hard! Now that you have it provisioned, it’s time to start configuring this thing and make it sing just the way you like it. Stay tuned for our upcoming articles on the AFM so you can learn all about this powerful module!