F5 Networks
F5 BIG-IP test
Application Delivery Controller & WAF · Category 6. ADC/Network Security · Tier 1
CL Listed — Visible
Methodology v3.5 · OLIR Schema
April 2026
Evaluation Tier: Visible (Listed) → Verified (CAE) → Enterprise (EEE)
Layer 1-2 only · Documentary assessment · All capabilities vendor-claimed
⚡ Executive Summary (30 seconds)
What it is
Enterprise-grade Application Delivery Controller (ADC) platform combining advanced Web Application Firewall (WAF), intelligent load balancing, SSL/TLS offloading, and DDoS protection. BIG-IP secures and optimizes application delivery across on-premises, cloud, and hybrid environments with full-proxy architecture.
Best for
PCI DSS Req. 6.4 (public-facing web app protection), DORA Art. 11 (ICT resilience & availability), NIS2 Art. 21(2)(c) (business continuity & disaster recovery). Ideal for large enterprises requiring high-availability application delivery with integrated Layer 7 security.
What it does NOT do
No source code analysis (SAST), no vulnerability scanning, no endpoint protection, no SIEM, no IAM, no email security, no data classification. Not an AppSec testing tool — focuses on runtime application delivery, protection, and availability.
CL Recommendation
F5 BIG-IP is the industry reference for enterprise ADC and advanced WAF. Unmatched in high-availability application delivery with integrated security. Critical for PCI DSS 6.4 (WAF requirement), DORA Art. 11 (resilience), and NIS2 Art. 21 (network security). Combine with SAST/DAST (Cat. 9), SIEM (Cat. 12), and IAM (Cat. 1) for defense-in-depth. Gartner MQ Leader for WAF and ADC for 15+ years.
⚖ Regulatory Fit (per-regulation verdict)
PCI DSS v4.0
~20% of requirements
✔ Strong — Req. 6.4 (WAF), Req. 1.2 (network controls), Req. 4.1 (encryption)
DORA
~18% of obligations
✔ Strong — Art. 11 (resilience), Art. 9(2) (network protection)
NIS2
~20% of Art. 21
✔ Strong — Art. 21(2)(c) business continuity, Art. 21(2)(d) network security
GDPR
~7% of articles
△ Supporting only — Art. 32 (encryption in transit, availability)
HIPAA
~10% of provisions
● Moderate — §164.312(e) transmission security, §164.308(a)(7) contingency
CCPA/CPRA
~8% of provisions
△ Supporting only — §1798.150 data security via encryption & WAF
Detailed regulatory mapping (OLIR format)
PCI DSS v4.0 (PROPRIETARY)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Req. 6.4.1 | WAF for public-facing web apps | Direct | SC-7 / PR.DS-02 | Functional |
| Req. 1.2.1 | Network security controls | Direct | SC-7 / PR.DS-02 | Functional |
| Req. 4.2.1 | Strong cryptography for transmission | Direct | SC-8 / PR.DS-02 | Functional |
| Req. 11.6.1 | Change detection on payment pages | Contributing | SI-7 / DE.CM-09 | Semantic |
DORA (OPEN_GOV)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Art. 11(1) | ICT business continuity policy | Direct | CP-2 / PR.PO-02 | Functional |
| Art. 9(2) | Network security management | Direct | SC-7 / PR.DS-02 | Functional |
| Art. 9(4)(c) | Encryption of data in transit | Direct | SC-8 / PR.DS-02 | Functional |
| Art. 10(1) | Anomaly detection | Contributing | SI-4 / DE.AE-02 | Semantic |
NIS2 (OPEN_GOV)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Art. 21(2)(c) | Business continuity & disaster recovery | Direct | CP-2 / PR.PO-02 | Functional |
| Art. 21(2)(d) | Supply chain & network security | Direct | SC-7 / PR.DS-02 | Functional |
| Art. 21(2)(j) | Encryption and cryptography | Direct | SC-13 / PR.DS-02 | Functional |
HIPAA (OPEN_GOV)
| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| §164.312(e)(1) | Transmission security | Direct | SC-8 / PR.DS-02 | Functional |
| §164.312(e)(2)(ii) | Encryption of ePHI in transit | Direct | SC-8 / PR.DS-02 | Functional |
| §164.308(a)(7) | Contingency plan | Contributing | CP-2 / PR.PO-02 | Semantic |
Articles without contribution omitted. Full OLIR mapping available in Audit Pack export.
🎯 Buyer Guidance (decision support)
✔ Consider When
- PCI DSS Req. 6.4 WAF mandate for public-facing web applications
- High-availability application delivery with 99.999% uptime requirement
- Enterprise-scale load balancing across data centers and clouds
- DORA Art. 11 ICT resilience and business continuity compliance
- Need DDoS protection at application and network layers
- Complex SSL/TLS management with hardware acceleration
❌ Avoid When
- Small web application with minimal traffic: overkill and expensive
- Need source code security testing (SAST/DAST)
- Pure cloud-native microservices using service mesh (consider lighter solutions)
- Budget-constrained startup: enterprise licensing model
- Need API-first developer experience (consider API gateways instead)
- Looking for managed CDN/WAF service (consider Cloudflare or Akamai)
⚙ Capabilities 23 claimed · 4 groups · DR-2 Quality Tiers + Config Modifiers
WAF & App Protection (6 ✓ · 0 ● · 0 ✗)
| Capability | Description | Quality Tier | Config Modifier |
|---|---|---|---|
| ✓ OWASP Top 10 protection | Signature and behavioral detection for all OWASP categories | Specific Obl. | Out-of-Box |
| ✓ Bot protection | ML-based bot detection and mitigation | Specific Obl. | Config Change |
| ✓ API security gateway | REST, GraphQL, gRPC API protection | Control Family | Config Change |
| ✓ Behavioral analytics (WAF) | ML-driven anomaly detection for zero-day attacks | Specific Obl. | Config Change |
| ✓ IP intelligence & geofencing | Threat feed integration and geo-based blocking | Control Family | Out-of-Box |
| ✓ Credential stuffing protection | Leaked credential database matching | Specific Obl. | Config Change |
Load Balancing & ADC (6 ✓ · 0 ● · 0 ✗)
| Capability | Description | Quality Tier | Config Modifier |
|---|---|---|---|
| ✓ L4/L7 load balancing | TCP, HTTP, HTTPS, UDP intelligent distribution | Specific Obl. | Out-of-Box |
| ✓ Global server load balancing (GSLB) | DNS-based multi-site distribution | Specific Obl. | Config Change |
| ✓ Health monitoring | Active/passive application health checks | Control Family | Out-of-Box |
| ✓ Connection multiplexing | TCP connection optimization and pooling | Generic Control | Out-of-Box |
| ✓ Content-based routing | URL, header, cookie-based traffic steering | Control Family | Config Change |
| ✓ Session persistence | Cookie, source IP, and custom persistence profiles | Control Family | Out-of-Box |
DDoS Mitigation (5 ✓ · 0 ● · 0 ✗)
| Capability | Description | Quality Tier | Config Modifier |
|---|---|---|---|
| ✓ L3/L4 DDoS protection | SYN flood, UDP flood, ICMP flood mitigation | Specific Obl. | Out-of-Box |
| ✓ L7 DDoS protection | HTTP flood, slowloris, application-layer attacks | Specific Obl. | Config Change |
| ✓ Rate limiting | Configurable request rate thresholds per source | Control Family | Config Change |
| ✓ DNS DDoS protection | DNS query flood and amplification mitigation | Specific Obl. | Config Change |
| ✓ Behavioral DDoS detection | ML-based traffic anomaly identification | Control Family | Config Change |
SSL/TLS & Network Security (6 ✓ · 0 ● · 0 ✗)
| Capability | Description | Quality Tier | Config Modifier |
|---|---|---|---|
| ✓ SSL/TLS offloading | Hardware-accelerated encryption termination | Specific Obl. | Out-of-Box |
| ✓ SSL forward proxy (visibility) | Decrypt-inspect-re-encrypt for east-west traffic | Specific Obl. | Config Change |
| ✓ Certificate management | Automated cert lifecycle and renewal | Control Family | Config Change |
| ✓ Network firewall (AFM) | Stateful L3/L4 firewall with DDoS vectors | Specific Obl. | Config Change |
| ✓ Access policy management (APM) | VPN, SSO, identity-aware proxy | Control Family | Config Change |
| ✓ iRules programmability | Custom TCL-based traffic manipulation scripting | Generic Control | Config Change |
🛡 MITRE ATT&CK Mapping Layer 4 — Derived via SP 800-53
| Mitigation | Name | Coverage |
|---|---|---|
| M1050 | Exploit Protection | Full (claimed) |
| M1037 | Filter Network Traffic | Full (claimed) |
| M1035 | Limit Access to Resource Over Network | Full (claimed) |
| M1020 | SSL/TLS Inspection | Full (claimed) |
| M1031 | Network Intrusion Prevention | Partial (claimed) |
Score: 4.2 / 5.0 (84%) — All vendor-claimed. Techniques addressed: T1190, T1498, T1499, T1557, T1071 (network exploitation & denial-of-service family).
ATT&CK techniques detail
| Technique | Name | How Addressed | Provenance |
|---|---|---|---|
| T1190 | Exploit Public-Facing Application | WAF blocks OWASP Top 10 attacks against web applications | DERIVED via M1050 |
| T1498 | Network Denial of Service | L3/L4/L7 DDoS mitigation with behavioral detection | DERIVED via M1037 |
| T1499 | Endpoint Denial of Service | Application-layer DDoS protection and rate limiting | DERIVED via M1037 |
| T1557 | Adversary-in-the-Middle | SSL/TLS enforcement and certificate pinning prevent MITM attacks | DERIVED via M1020 |
| T1071 | Application Layer Protocol | Deep packet inspection of HTTP/S, DNS, and custom protocols | DERIVED via M1031 |
📄 Evidence Pack DR-2 §5.1 — Proof of value
| Status | Evidence | Notes |
|---|---|---|
| ✔ | WAF event logs & reports | Detailed blocked request logs with OWASP categorization. SIEM-exportable. |
| ✔ | DDoS mitigation reports | Attack vector analysis, traffic volume, and mitigation effectiveness. |
| ✔ | SSL/TLS compliance reports | Cipher suite inventory, certificate expiry, protocol compliance. |
| ✔ | Uptime & availability reports | SLA compliance, failover events, health check history. |
| ⚠ | Third-party penetration test | F5 undergoes annual third-party security assessments. |
| ✔ | SOC 2 Type II / ISO 27001 | F5 Cloud Services certified. On-prem depends on customer deployment. |
Evidence level: Documentary review only (CL Listed). For verified evidence, upgrade to CAE (Examine + Interview) or EEE (+ Test).
⏱ Operational Metrics & Anti-Hype DR-2 §5.1 + §9.2
| Metric | BIG-IP Virtual Edition (VE) | BIG-IP Hardware Appliance | Enterprise Multi-Site (HA) |
|---|---|---|---|
| Implementation | 1-2 weeks | 4-8 weeks | 8-16 weeks |
| FTE Required | 0.5 FTE | 1 FTE | 1.5-2 FTE |
| Time to first value | Day 1-3 (basic load balancing and WAF policy active) | Day 1-3 (basic load balancing and WAF policy active) | Day 1-3 (basic load balancing and WAF policy active) |
| Time to production | Month 2-4 (full WAF tuning, DDoS profiles, GSLB, and HA configured) | Month 2-4 (full WAF tuning, DDoS profiles, GSLB, and HA configured) | Month 2-4 (full WAF tuning, DDoS profiles, GSLB, and HA configured) |
Anti-Hype: Marketing vs. Reality
| Marketing claim | Reality | Verdict |
|---|---|---|
| 99.999% application availability | Achievable with properly configured HA pairs and GSLB. Requires skilled F5 administrators and redundant infrastructure. | Verified |
| Zero-day attack protection | Behavioral WAF catches some zero-days but signature updates lag. Not a replacement for proactive vulnerability management. | Partial |
| Simple cloud migration | BIG-IP VE available on AWS/Azure/GCP but configuration complexity remains. Cloud-native alternatives (NGINX+) may be simpler. | Partial |
| Industry-leading WAF | Gartner MQ Leader for WAF. Most deployed enterprise WAF globally. | Verified |
| AI-powered security | ML features exist for bot detection and behavioral analysis but require training data and tuning. Not fully autonomous. | Partial |
⚖ Strengths & Cautions
✔ Strengths
- Most deployed enterprise ADC/WAF globally, proven at massive scale
- Full-proxy architecture with L4-L7 inspection and control
- Advanced WAF with bot protection, credential stuffing, and behavioral analytics
- Hardware-accelerated SSL/TLS for high-throughput environments
- Comprehensive DDoS protection at network and application layers
- iRules programmability for custom traffic management logic
- Mature HA and GSLB for multi-site disaster recovery
⚠ Cautions
- Complex configuration requiring certified F5 administrators
- Enterprise pricing: significant hardware and licensing costs
- Legacy TCL-based iRules can become technical debt
- Cloud-native transition ongoing, competing with lighter-weight solutions
- WAF false positive tuning requires ongoing operational effort
- No application security testing (SAST/DAST) capabilities
- All capabilities VENDOR-CLAIMED (no CL independent testing)
📈 Competitive Positioning Category 6 — ADC/Network Security
| Capability | F5 BIG-IP test | Cloudflare | Akamai | Citrix ADC |
|---|---|---|---|---|
| Advanced WAF | ✔ | ✔ | ✔ | ✔ |
| L4/L7 load balancing | ✔ | ● | ✔ | ✔ |
| DDoS protection | ✔ | ✔ | ✔ | ● |
| On-prem hardware | ✔ | ✗ | ✗ | ✔ |
| Bot management | ✔ | ✔ | ✔ | ● |
| Global CDN | ✗ | ✔ | ✔ | ✗ |
| Pricing model | CapEx/OpEx | Usage-based | Enterprise | CapEx/OpEx |
Competitive data based on public information. CL has not evaluated these alternatives — for detailed assessment, see individual CL Listings.
📑 Framework Views Hub: CSF 2.0 + 800-53r5 + ISO 27001
NIST SP 800-53, CSF 2.0 and ISO 27001 mapping tables
NIST SP 800-53 Rev 5
| Control | Name | Contribution | Provenance |
|---|---|---|---|
| SC-7 | Boundary Protection | direct | DERIVED via PCI DSS 1.2 |
| SC-8 | Transmission Confidentiality & Integrity | direct | DERIVED via PCI DSS 4.2 |
| SC-5 | Denial-of-Service Protection | direct | DERIVED via DORA Art. 11 |
| CP-2 | Contingency Plan | direct | DERIVED via NIS2 Art. 21(2)(c) |
| SI-4 | System Monitoring | contributing | CL-ORIGINAL |
| AC-4 | Information Flow Enforcement | contributing | CL-ORIGINAL |
NIST CSF 2.0
| Control | Name | Contribution | Provenance |
|---|---|---|---|
| PROTECT | PR.DS-02 Data-in-transit protection | direct | DERIVED via SC-8 |
| PROTECT | PR.PO-02 Infrastructure resilience | direct | DERIVED via CP-2 |
| DETECT | DE.AE-02 Anomalous activity analysis | direct | DERIVED via SI-4 |
| DETECT | DE.CM-01 Network monitoring | direct | DERIVED via SC-7 |
| RESPOND | RS.MI-01 Incident containment | contributing | CL-ORIGINAL |
ISO 27001:2022 Annex A
| Control | Name | Contribution | Provenance |
|---|---|---|---|
| A.8.20 | Networks security | direct | DERIVED via NIS2-ISO |
| A.8.21 | Security of network services | direct | DERIVED via NIS2-ISO |
| A.8.24 | Use of cryptography | direct | DERIVED via PCI-ISO |
| A.8.14 | Redundancy of information processing facilities | direct | DERIVED via DORA-ISO |
| A.8.22 | Segregation of networks | contributing | CL-ORIGINAL |
Vendor Security Practices (SSDF / CRA)
| SSDF ID | Practice | Status |
|---|---|---|
| PW.1 | Risk-based secure design | Claimed |
| RV.2 | Timely vulnerability remediation | Claimed |
| PO.5 | Secure development environment | Claimed |
| PS.3 | SBOM available | Not stated |
| RV.1 | Vulnerability disclosure program | Claimed |
| PS.2 | Code signing | Claimed |
Compliance Labs · Software Listing v3.5 · OLIR Schema
Hub: CSF 2.0 ↔ 800-53r5 ↔ ISO 27001 · April 2026