F5 BIG-IP Advanced Firewall Manager (AFM) Review

Offers good IP geolocation, IP intelligence, and DDoS features and good scaling options

What is our primary use case?

We use three main features. The first one is access control. Access control would mainly use the IP geolocation feature. This feature in AFM lets you limit access to some countries and allow other countries. Some countries can access your service while others cannot access it. This is one feature which is called IP geolocation. 

The second feature we use is called IP intelligence. It's another feature of F5. It's like a straight feed for all blacklisted IP addresses in the world. They make categories for the blacklisted IP addresses, such as blacklists to a channel, blacklisted proxies, blacklisted malicious malware, and blacklisted spammers. If anyone of these IPs is trying to hurt your service, we are able to just block it with the AFM firewall, which is a separate license in essence. We utilize this license as well. 

Finally, we have a DDoS safety feature. AFM provides protection for the network from a DDoS attack. We use this feature at times too. These are the only three features we utilize: IP geolocation, IP intelligence, and DDoS.

What needs improvement?

Firstly, geolocation currently relies on manual updates. It has to move to automatic updates. There are no automatic updates for this feature. If some IPs, countries, or service providers move to another country, now we will allow IPs that were previously denied. This is because you depend on the database, which doesn't update automatically. This is really a very important area that they need to improve.

I also want to see something like application inspection. If they can add application inspection like a DC firewall, it would be a good added feature for them.

For how long have I used the solution?

We've been using this solution for four years now.

What do I think about the stability of the solution?

I would say it's a good, stable solution. We haven't had a major issue with the AFM.

What do I think about the scalability of the solution?

They have many options to scale. They have a very stable, versatile FM, but we rely on the physical units. I can see that it's very scalable. Whatever you want to add, you can add to the same cluster.

How are customer service and technical support?

Sometimes technical support is good and sometimes they are bad, so I can evaluate them around 80%.

What other advice do I have?

It's a good solution only for a published service. If you are publishing services outside the company, it's very good for us, but the biggest lesson is that it cannot be applied internally to replace a data center firewall. Sometimes, a company will introduce F5 to the place as a data center firewall. It's not a replacement for the DC firewall. It cannot replace the data center firewall but can be added to the service.

I would rate this as eight out of ten.

Which deployment model are you using for this solution?


Which version of this solution are you currently using?

**Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
More F5 BIG-IP Advanced Firewall Manager (AFM) reviews from users
...who compared it with Imperva Incapsula
Learn what your peers think about F5 BIG-IP Advanced Firewall Manager (AFM). Get advice and tips from experienced pros sharing their opinions. Updated: July 2021.
522,281 professionals have used our research since 2012.
Add a Comment
ITCS user