Applies To:

Show Versions Show Versions

Manual Chapter: Introduction to the BIG-IP Data Center Firewall
Manual Chapter
Table of Contents   |   Next Chapter >>


The BIG-IP system offers native, high-performance firewall services to protect the entire network infrastructure, and operates as a purpose-built, high-performance application delivery controller (ADC) designed to protect data centers. In many cases, the BIG-IP system can replace an existing firewall while also offering scale, performance, and persistence.

The BIG-IP system provides a unified view of Layer 3 through Layer 7, as well as integration with Security Incident and Event Manager (SIEM) vendors.

Features and benefits

The BIG-IP system includes these firewall features:

Protocol security
The BIG-IP system natively decodes IPv4, IPv6, TCP, HTTP, SIP, DNS, SMTP, FTP, Diameter, and RADIUS. Organizations can control almost every element of the protocols they deploy.
DDoS prevention capabilities
An integrated architecture enables organizations to combine traditional firewall Layers 3 and 4 with application Layers 5 through 7.
DDoS mitigations
The BIG-IP system protects UDP, TCP, SIP, DNS, HTTP, SSL, and other network attack targets while delivering uninterrupted service for legitimate connections.
SSL termination
You can offload computationally-intensive SSL functions to the BIG-IP system, and gain visibility into potentially harmful encrypted payloads.
Dynamic threat mitigation
iRules provide a flexible way to enforce protocol functions on both standard, and emerging or custom protocols. With iRules, organizations can create a zero-day dynamic security context to react to vulnerabilities for which an associated patch has not yet been released.
Resource cloaking and content security
You can prevent leaks of error codes and sensitive content.

BIG-IP data center firewall packet handling

A BIG-IP data center firewall includes three basic mechanisms for controlling packet flow: Packet filters, traffic listeners, and iRules assigned to virtual servers.

Basic packet flow through a BIG-IP data center firewall

To effectively configure a BIG-IP system as a data center firewall, you must decide the way that you want the BIG-IP system to process any network traffic that the system receives. A BIG-IP system evaluates and acts on network traffic using the following order of operations.

Packet Filters

The BIG-IP system evaluates network traffic against any packet filters that you have configured, in the explicit order you define. Once accepted, a packet is not evaluated against additional filters, but is processed by any SNATs, virtual servers or iRules that apply. If a packet is discarded or rejected, a BIG-IP system does not perform any further evaluation of that packet.

Traffic listeners

When you create local traffic objects (such as virtual servers, NATs, and SNATs) that process network traffic on the BIG-IP system, the BIG-IP system creates appropriate listeners for the objects that you define. A local traffic object with a destination listener processes requests matching a destination host or network IP address defined on the BIG-IP system. A local traffic object with a source listener processes requests originating from a host or group of hosts defined on the BIG-IP system. For example, a virtual server with a destination address and a netmask of, takes precedence over a virtual server with a destination address and a netmask of If the traffic does not match a virtual server and there is a SNAT in place, processing follows a specific order. For example, a SNAT with an origin address of takes precedence over a SNAT with an origin of default. Additionally, a SNAT with an origin address of takes precedence over a NAT with an origin address of

Virtual server-specific ACL using iRules

Any iRules associated with the matched virtual server are processed. iRules are event-driven, so that the order of events ultimately controls the order in which code blocks are processed. Additionally, you can use priority statements within iRules to assign execution orders for like events. Lastly, for like events of identical priority, iRules are triggered in the order that they are assigned to the virtual server. For each of these BIG-IP features, consult the BIG-IP product documentation and other online resources, such as F5 Networks' DevCentral Wiki, for complete details.
Table of Contents   |   Next Chapter >>

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Additional Comments (optional)