F5 ASM Summary

The F5 AFM module enables the network firewall available on the F5 BigIP load balancer. Without AFM, your only options for firewalling on the F5 are to set up packet filters or to use iRules. I would not recommend using packet filters due to the performance issues they cause, and the iRule option can get really messy quickly.

The F5 AFM module offers a superior solution with multiple features, including a stateful network firewall, Denial of Service visibility and protection, IP reputation-based access control, and impressive logging capabilities.

A common data center web hosting deployment consists of a network firewall, a load balancer, and servers. The firewall and load balancer can be among the most expensive pieces of hardware in your data center, and for good reason. The firewall is particularly important since most data center network traffic will route through it.

Surprisingly, the performance of these platforms is not always what we expect and can create a significant bottleneck in the network. I have seen this numerous times working with Cisco ASA firewalls.


AFM Can Replace your Data Center Firewall

The F5 BigIP load balancer offers superior data center firewall performance when compared to many other platforms. For example, even the legacy entry-level model (2000s) would outperform some of the Cisco ASAx models in a number of situations.

Many would argue that you cannot terminate L2L VPN tunnels on the F5 or use a remote-access VPN like you could on an ASA, but they are wrong as well. The F5 supports IPsec and GRE tunneling by default without the AFM module, and it also supports remote-access VPN using the APM module.

The F5 load balancer supports almost any feature that your traditional network firewall supports. In my opinion, it is a great option for a web hosting data center deployment.


When would you deploy AFM?

To start, I recommend using AFM and LTM for any BigIP that is the default gateway for multiple networks. It can be used alongside a network firewall or on its own, acting as the primary network firewall.

Deploying AFM with a Network Firewall

In some cases, you may want to place your web and database VLANs behind your load balancer for performance. This is especially true when you are trying to reduce load on your network firewall and have a web application that generates large amounts of database traffic.

Database servers typically contain sensitive information, and you want to restrict access to them. Using the AFM module is the best way to do this if you plan on moving the VLAN behind the F5, and it does not impact performance. Below is a network diagram of a common deployment.

AFM Deployed Behind Network Edge Firewall

Deploying AFM as The Edge Firewall

Alternatively, you can simply replace your existing web hosting firewall with AFM. This means the F5 would be the internet gateway for your hosted servers. Additionally, you will need to account for any site-to-site VPN connections or remote-access VPN.

The F5 supports both route-based and policy-based IPsec VPNs, along with GRE. The BigIP can also support dynamic routing and supports BGPv4, OSPFv2/3, IS-IS, and RIP.

Finally, you would need to account for any NAT and perform it on the F5 BigIP. The F5 supports PAT, static NAT using LTM and AFM (AFM is better), policy NAT, port forwarding, and any other NAT configuration you can think of.

Remote-access VPN requires another module, but you could use something like OpenVPN on a Linux server within your environment and it would be significantly cheaper. Below is a diagram of an example deployment.

Edge AFM Diagram

Downsides of AFM

AFM gives you a ton of flexibility in how you can deploy it, but that isn’t necessarily a good thing. You can do the same configuration multiple ways and accomplish the same goal.

This is a big problem if you have many different engineers working on the platform. It’s critical that you develop configuration standards and stick with them, or your configuration can turn into a nightmare to support. However, this isn’t just an AFM problem.

I’ve seen the same issues with other F5 modules and iRules in particular. I plan on writing a number of articles going over deployment options and the advantages and disadvantages of each method based on my experience.


Conclusion

AFM is a great product from F5 and gives you very granular control over what traffic is allowed in your network.