BIG-IP AFM and Flowmon DDoS protection Part I - Configuration

F5’s dedicated security portfolio is impressive - with WAF, DDoS Hybrid Defender and cloud-based Silverline, it provides solid Network and App protection for many customers around the world. In today’s market every Service Provider and Enterprise is trying to implement a comprehensive DDoS detection and mitigation systems to protect customers, network infrastructure and critical applications. With DDoS threat risks rising daily, new vectors and bot-initiated coordinated attacks, it is crucial for every company to have an automatic and dependable DDoS protection framework in place.

There are various deployment scenarios for DDoS protection solutions

  • On-premise or cloud-based In-line or "Always-ON"
  • Hybrid of “Always-ON” and “Always-available” i.e. F5 DDoS Hybrid Defender
  • Out-of-path using port mirroring (SPAN) for unidirectional traffic analysis and DDoS detection
  • "Always-available” with 3rd party DDoS detection 


For most, in-line “Always-ON”  option, combined with “Always Available” Cloud-based scrubbing center, works best, as it allows for quick threat detection, can protect from Layer 7 attacks and usually have good capabilities to deal with large volumetric attacks. Some companies (ISPs in particular) though decide not to deploy in-line systems, opting for an out-of-band solutions that provide on-premise “Always Available” option. 

Through close partnership with Flowmon, F5 has created fully automated DDoS protection system, and today we will focus on deployment aspects and a configuration example in this solution.





Bill of Materials

  • F5 BIG-IP AFM (appliance or VE)

Flowmon has been tested with BIG-IP v13.1 ( and

  • Flowmon Collector (appliance or VE)
  • Flowmon DDoS Defender module

Flowmon v8 and DDoS Defender v3.01.00 minimum is required

*Flowmon v9.x has fully integrated BIG-IP AFM interface. If installing Flowmon v9.x with DDoS Defender v4.x some configuration steps will be skipped


BIG-IP platform should be licensed, provisioned and configured with necessary VLANs, trunks, and Self-IPs. For more information on initial configuration See

Application configuration i.e. Virtual Server, DDoS profile are configured dynamically by Flowmon via iControl REST. Details of this integration will be covered in Part II of the series.

Flowmon appliance (or VE) requires data sources and can utilize NetFlow/sFlow/IPFIX or Flowmon Probes (wiretaps) to collect, analyze and store network traffic data. Integrated L4 DDoS protection requires one of those source types to be connected to Flowmon.

Flowmon DDoS Defender needs to be configured to detect a DDoS attack and perform corresponding action(s). In integrated F5/Flowmon solution it means traffic is redirected to F5 AFM and valid configuration is created in AFM so it can perform traffic scrubbing effectively:

 - F5 Client for Flowmon DDoS Defender has to be installed. For download and installation instructions refer to Flowmon Support portal

*F5 Client installation step should be skipped if installing Flowmon v9.x with DDoS Defender v4.x

 - Create a new Scrubbing Center, selecting “F5 BIG-IP/VIPRION” as OSCI and providing IP address and Credentials for F5 iControlREST interface





Figure 3: Scrubbing Center details

 - Add IP router(s) Flowmon will use to redirect network traffic. Various options available, including eBGP, iBGP, ACL and BGP Flowspec






Figure 4: Router details

 - Create a new alert of type “Run Script” and upload “”






Figure 5: Alert definition

* Alert should be configured according to requirements without custom script, if installing Flowmon v9.x with DDoS Defender v4.x

 - Create new Rule for DDoS detection. Input values for minimal traffic and baseline learning period, according to the environment









Figure 6: Rule definition

 - Finally, Create new segment which would list protected subnets and corresponding actions










Figure 7: Protected object definition

What’s next?

In Part II of the series we will see how Flowmon triggers traffic rerouting and what it provisions on BIG-IP AFM platform to enforce DDoS attack scrubbing. 

Published Feb 27, 2018
Version 1.0

Was this article helpful?

No CommentsBe the first to comment