Deflate DDoS attacks.

Stop volumetric attacks.

DDoS attacks saturate bandwidth, consume network resources, and disrupt application services. Can your infrastructure successfully fend them off?

With deep threat intelligence services and flexible mitigation options, BIG-IP Advanced Firewall Manager (AFM) defends against threats to network layers 3–4, stopping them before they reach your data center.

Specifically, BIG-IP AFM scales to shut down high-capacity DDoS attacks that can overwhelm load balancers, firewalls, and even networks. It automatically invokes mitigation, alerts security admins, and configures or adjusts DDoS thresholds as traffic patterns change and without affecting legitimate traffic.

If you can see and understand it, you can stop it.

BIG-IP AFM gives you deep attack visibility and intelligence, so you can expose and quickly act on threats.

It enforces blacklisting, stopping bad actors at the earliest point of access, at the network edge, or upstream—before feed lists are updated. By automatically signaling upstream edge routers or ISPs to drop or reroute blacklisted traffic, BIG-IP AFM keeps bad traffic away from specific network addresses and protects the data center against not only DDoS, but also other network or application attacks—before they materialize.

It also brings visibility and control to SSH and SSL connections, protecting against backdoor threats that use the SSH channel for data breaches and app attacks. And it inspects SSL sessions and terminates connections to identify attacks that are masked by encryption.

Gain deep attack visibility.

BIG-IP AFM helps you respond to threats quickly and with a
full understanding of your security status in real time.

Works with other security solutions.

BIG-IP AFM combines with other BIG-IP solutions to strengthen and unify security capabilities. It eliminates the need for single-point products that support application delivery, application security, client-side protections, user access, and DNS security. That means increased efficiency and lower total costs.

Better together.

F5 products, technologies, and solutions work together to make sure your applications are always protected and work the way they should. Extend the effectiveness of BIG-IP AFM by combining it with the following products.

Extend security via open programmability.

You can extend the capabilities of BIG-IP AFM to expand its functionality and deploy custom rules that protect against complex, multi-level attacks.

  • Use F5 iRules scripting language for extensibility and customization of rules that mitigate sophisticated, uncommon zero-day threats.
  • Gain reporting visibility and understand your security status with customizable reports and charts that provide insight into user types and enable effective forensic analysis.

Deploy however you want.


HARDWARE

Both the BIG-IP family of devices and the VIPRION chassis are purpose-built, powerful hardware that F5 software runs on.

Learn more >

SOFTWARE (Virtual Editions)

BIG-IP virtual editions have the same features as those that run on F5 purpose-built hardware—and you can deploy them on any leading hypervisor or select cloud providers.

Learn more >

CLOUD

F5 application services work exactly the same way in the public and private cloud as they do in the data center.

Learn more >

Features

Secure your apps>

Unifies the application configuration with security parameters for tighter policy enforcement.

Layer 3–7 app protection>

Terminates all connections and transparently runs checks to identify and mitigate network, protocol, and DNS threats, including those that hide behind SSL encryption—before they reach the data center.

High-volume logging controls>

Supports SNMP, SIP, DNS, and IPFIX collectors, and provides controls that prevent log servers from becoming overwhelmed.

Block known bad actors>

Automatically guards against known bad actors at the earliest point in the traffic flow, while accelerating blacklisting based on intelligent reputation feeds from third-party services and F5 security solutions.

SSH channel protection>

Delivers granular control over SSH channel in the data center, with policy-based protections, regular key management, and session time-out enforcement.

Features

Secure your apps

Unifies the application configuration with security parameters for tighter policy enforcement.

Layer 3–7 app protection

Terminates all connections and transparently runs checks to identify and mitigate network, protocol, and DNS threats, including those that hide behind SSL encryption—before they reach the data center.

High-volume logging controls

Supports SNMP, SIP, DNS, and IPFIX collectors, and provides controls that prevent log servers from becoming overwhelmed.

Block known bad actors

Automatically guards against known bad actors at the earliest point in the traffic flow, while accelerating blacklisting based on intelligent reputation feeds from third-party services and F5 security solutions.

SSH channel protection

Delivers granular control over SSH channel in the data center, with policy-based protections, regular key management, and session time-out enforcement.