Sold by: F5, Inc.Â
Deployed on AWS
Protects against API attacks, web attacks (such as XML external entity attacks) and server side request forgery. The rule set includes support for XML and JSON payloads, and common web API frameworks.
4
Overview
F5's Managed Rules for AWS WAF offer an additional layer of protection that can be easily applied to your AWS WAF. F5's API Security rules protect against API-level attacks as well as XML external entity attacks and server-side request forgery (SSRF); offering support for both XML and JSON payloads and other common web API frameworks. All rules are written, managed and regularly updated by F5's security specialists to ensure protection against evolving threats without the need for intervention on your part. The rules are licensed on a pay-as-you-go basis so you will only pay for what you use. Deployment guidance can be found at https://pages.awscloud.com/rs/112-TZM-766/images/F5_OWASP_Getting%20Started%20Guide.pdf .
Alternatively, if you require more sophisticated protection then F5's Advanced WAF may be a more appropriate solution. Leveraging behavioral analytics, machine learning and deep app expertise to thwart complex attacks such as L7 DoS, simple automated bot threats and API protocol attacks, F5 Advanced WAF affords apps and data unrivaled protection. Learn more about F5 Advanced WAF here (https://aws.amazon.com/marketplace/pp/prodview-cs4qijwjf3ijs?sr=0-1&ref_=beagle&applicationId=AWSMPContessa ) or contact our sales organization https://www.f5.com/products/get-f5?ls=meta#contactsalesÂ
Highlights
- Easily Enhance Security - No security expertise needed, simply attach rules to your AWS WAF instances to immediately bolster protection
- Continuously Updated - Rulesets are monitored, maintained and update by F5's security experts to ensure protection against evolving threats
- Fast and Simple Deployment - Attach F5's WAF rules to your AWS WAF instance in a matter of minutes following three simple deployment steps
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Cost/unit |
|---|---|
Charge per month in each available region (pro-rated by the hour) | $20.00 |
Charge per million requests in each available region | $1.20 |
Dimensions summary
F5 Rules for AWS WAF follows a two-part pricing model on AWS Marketplace. The monthly regional charge covers the base subscription for maintaining and updating the WAF rules in each AWS region you deploy, with the flexibility of hourly prorating. The per-million requests pricing applies to the actual traffic processed through the WAF rules in each region, ensuring you only pay for the protection you use. This straightforward model combines fixed and variable costs to align with your security needs and usage patterns.
Top-of-mind questions for buyers like you
How does the monthly regional charge work for F5 Rules for AWS WAF?
The monthly regional charge is a base fee applied for each AWS region where you deploy F5's WAF rules. This charge covers continuous rule updates, maintenance, and access to F5's security expertise, while being prorated hourly to provide deployment flexibility and cost optimization.
What defines a billable request in the per-million requests pricing?
A billable request is any web traffic that passes through your AWS WAF using F5's rule sets. This includes API calls, web page requests, and any other HTTP/HTTPS traffic that is evaluated against the F5 security rules, with charges calculated based on the total volume of requests processed in each region.
Are there any prerequisites or additional AWS costs to consider?
While F5's pricing covers the rules and updates, you need an active AWS WAF deployment which incurs separate AWS charges. The AWS WAF costs include web ACL capacity units (WCU) and per-request charges that are billed directly by AWS, independent of F5's pricing.
Vendor refund policy
For this offering, F5 does not offer refund, you may cancel at anytime.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA)Â .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Resources
Vendor resources
Support
Vendor support
F5 Rules for AWS WAF are supported via F5 DevCentral - F5's extensive community of experts, developers and users addressing technical issues related to F5 products. Response times may be up to 2 days. For online information regarding F5 Rules for AWS WAF, please refer to https://support.f5.com/csp/article/K21015971 . For any infrastructure and WAF related questions please contact AWS Support (https://aws.amazon.com/contact-us ) for AWS WAF related assistance.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
By F5, Inc.
By Fortinet Inc.
By Cyber Security Cloud Inc.
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
API Payload Protection
Supports security rules for both XML and JSON payloads across web API frameworks
Attack Mitigation
Defends against API-level attacks, XML external entity attacks, and server-side request forgery (SSRF)
Threat Detection
Utilizes security rules written and regularly updated by specialized security experts
Web Application Protection
Provides comprehensive security rules for web application defense mechanisms
Automated Security Management
Offers continuous monitoring and maintenance of security rulesets without manual intervention
Web Application Threat Protection
Comprehensive ruleset covering OWASP Top 10 web application threats including SQL Injection, Cross Site Scripting, and Known Exploits
Security Signature Updates
Regular threat information updates from FortiGuard Labs to maintain current protection signatures
Malicious Traffic Detection
Protection against malicious bots and common vulnerabilities and exposures (CVE)
Configurable Security Response
Flexible configuration options to log, alert, and block detected web application threats
Attack Vector Coverage
Comprehensive security rules targeting multiple web application attack vectors including general and known exploits
Web Application Threat Protection
Comprehensive ruleset targeting OWASP Top 10 Web Application Threats with low false-positive rate
Vulnerability Mitigation
Managed rules addressing code injection techniques including SQLi, NoSQLi, OScommandi, XSS, and directory traversal
Technology-Specific Protection
Specialized rules for web technologies like Apache Struts2, Apache Tomcat, Oracle WebLogic, WordPress, Drupal, and Joomla
Cyber Threat Intelligence
Regularly updated rulesets incorporating latest threat intelligence and security alerts
Compliance Support
Security rules designed to help meet compliance standards such as PCI-DSS
Standard contract
No
No
No
Customer reviews
Manmohan Rao
Managed security rules have protected our public e‑commerce sites and simplified ongoing defense
Reviewed on Dec 09, 2025
Review from a verified AWS customer
What is our primary use case?
We are providing support to our end customers who have e-commerce websites that need to be exposed to the public, and for a secure way around, we thought of getting them exposed via the Application Load Balancer to make sure it is exposed at Layer 7 only. While making sure it will be protected, we started using AWS WAFÂ services, where we found that we can utilize a WAFÂ rule set from Marketplace. We started using it, and I got the chance to be part of one of the summits where I heard of F5 Rules for AWS WAFÂ . Since then, I have been using their rule sets for bot protection, web exploit OWASP rules, common vulnerabilities and exposures, and API security, which is a use case we are using to configure these rule sets.
We are using AWS WAFÂ , which has been integrated with the Application Load Balancer to ensure that our Application Load Balancer is secure while it gets publicly exposed.
We thought of starting to use F5 Rules for AWS WAFÂ primarily for DDoS protection nowadays, as AWSÂ native rule sets also provide some protection for DDoS. I found that it demands continuous improvement in these rule sets. Previously, we used native rule sets, but these continuous demands were not listed in it, which led us to an unsecure environment. Now, using F5 Rules for AWS WAFÂ for bot protection, I found that they continuously perform vulnerability scans while these rules come into action. This continuous improvisation ensures that I can build trust against these rules instead of other third-party rule sets.
What is most valuable?
I really appreciate the way F5 Rules for AWS WAF generate reports proactively to show the number of exploits that come in and what remediation has been followed to block such exploits, mainly in the OWASP rule sets.
It has generated value toward us because since these e-commerce websites could become exposed to the public in an unsecure manner, which really no one wants. Now, looking at these rule sets, they ensure that our origin or our application content and code, as well as the application itself or its API, are secure enough, always.
What needs improvement?
An area for improvement I see is that while everything is in good shape, I demand continuous improvisation of these rule sets. However, I am accepting of this. To stay safer from a security perspective, continuous improvisation in these security rules is required to ensure we are always up to date with new attacks.
For how long have I used the solution?
I have been using F5 Rules for AWS WAF in the last two years and I found it to be a good choice compared to other products.
What do I think about the stability of the solution?
F5 Rules for AWS WAF is stable.
What do I think about the scalability of the solution?
Scalability is not a challenge with F5 Rules for AWS WAF, as they are configured within the AWS WAF service, which is reliable and redundant. We have not faced any challenges with the rule set scalability, and that is a positive aspect.
How are customer service and support?
I have reached out to customer support multiple times, especially while configuring rule sets for the first time. The support provided was excellent. I appreciate the assistance; they clearly explained everything, how to configure these rule sets, and what the best options are based on my use case, which helped us shortlist what is required.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used AWSÂ native rule sets and Fortinet rule sets. We switched to F5 Rules for AWS WAF because we found it more competitive. They continuously improve their security rules and keep adding vulnerability protection to their existing rule sets, ensuring we are protected and our applications are safe.
We mainly evaluated AWS native rule sets prior to F5 Rules for AWS WAF.
What was our ROI?
It has absolutely saved money for our security team and time. There are two ways: either we write our own rule sets, which demands significant time, or we can use a more mature tool like F5 Rules for AWS WAF, which has already created these rule sets for perfect use cases like we are using for our end customers. Using F5 Rules for AWS WAF saves us time spent on developing security rules ourselves.
What's my experience with pricing, setup cost, and licensing?
From the pricing perspective, I found it to be comparable to other marketplace rules available in AWS Marketplace . It has competitive pricing.
What other advice do I have?
I advise anyone looking for a great tool to secure their public-facing applications to start using F5 Rules for AWS WAF. These are managed rule sets, so you do not need to worry about continuous improvements or ensuring your application is secure; F5 Rules for AWS WAF will take care of that and is always making the necessary improvements in these rule sets to ensure security.
I am very impressed with the rule sets and the continuous engineering from their security team to ensure the required rule set availability. I really appreciate the fantastic job they are doing.
F5 Rules for AWS WAF can be integrated with AWS CloudFront, Application Load Balancer, Lambda, and API Gateway. I am satisfied with all these services as they are our intermediary points for services exposed to the public or globally.
I gave this product a rating of ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
G Verduci
Application layer protection has improved traffic control and supports my initial security testing
Reviewed on Dec 02, 2025
Review from a verified AWS customer
What is our primary use case?
I have been using F5 Rules for AWS WAFÂ for a short time and want to discover more about it.
My main use case with F5 Rules for AWS WAFÂ is testing it out.
I don't have a quick specific example of what I'm testing at this moment.
For now, I don't have anything else to add about my testing experience so far.
What is most valuable?
The best features F5 Rules for AWS WAFÂ offers, from what I've seen or read so far, are application layer protection.
I am referring to application layer protection with F5 Rules for AWS WAFÂ , which stands out to me as using something similar to iRules to protect applications.
F5 Rules for AWS WAF has positively impacted our organization for security through the implementation of traffic rules in our application.
I have noticed specific benefits such as easy management with F5 Rules for AWS WAF, but I think that it's too early to provide a definitive assessment because I started using it only a few days ago.
What needs improvement?
I don't know how F5 Rules for AWS WAF can be improved because I have only been using it for a few days.
I don't have anything to add about the needed improvements for F5 Rules for AWS WAF at this time.
For how long have I used the solution?
I have been working in my current field for about two years.
What do I think about the stability of the solution?
F5 Rules for AWS WAF is stable in my experience so far.
What do I think about the scalability of the solution?
From what I've seen, F5 Rules for AWS WAF's scalability is stable for now.
How are customer service and support?
I have not had any experience with customer support for F5 Rules for AWS WAF yet.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I did not previously use a different solution.
How was the initial setup?
I had a great experience with the pricing, setup cost, and licensing.
What about the implementation team?
My company does not have a business relationship with this vendor other than being a customer.
What was our ROI?
It's too early to talk about a return on investment with F5 Rules for AWS WAF.
What's my experience with pricing, setup cost, and licensing?
I had a great experience with the pricing, setup cost, and licensing.
Which other solutions did I evaluate?
I did not evaluate other options before choosing F5 Rules for AWS WAF as it was my first time.
What other advice do I have?
It's too early to provide my experience or advice to others looking into using F5 Rules for AWS WAF.
I don't have any additional thoughts about F5 Rules for AWS WAF before we wrap up.
I found this interview at AWSÂ re:Invent.
I gave this review a rating of 8.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Sumit K.
F5 AFM is powerful and advanced software based firewall
Reviewed on Apr 07, 2023
Review provided by G2
What do you like best about the product?
F5 advanced firewall is software based firewall solution to provide network security. It can provide real-time visibility in to network traffic and can block traffic real-time. It also has intrusion prevention which is advanced security feature. It can be deployed in a wide range of network environment.
What do you dislike about the product?
It is premium product but still having some performance related issues. Overall its a powerful device with great features.
What problems is the product solving and how is that benefiting you?
It provides the advanced network security in large networks. Better GUI interface for quick setup and configuration. Really advanced firewall in industry.
David L.
Great Product and has met all our needs!
Reviewed on Oct 15, 2021
Review provided by G2
What do you like best about the product?
It has integrated well with what we have and replaced some really old software. It has been a great experience and given us everything we needed.
What do you dislike about the product?
Nothing so far.. the only thing was we had to have some help on the setup due to it being a little complicated.
What problems is the product solving and how is that benefiting you?
giving extra security to some of our internal websites
Computer Networking
"Firewall Manager for Data Center"
Reviewed on Sep 20, 2019
Review provided by G2
What do you like best about the product?
As i am working with ISP Company i need to deal with firewalls.F5 Advanced Firewall Manager are most effective network-level security for enterprises and service providers.Connect securely to VPN within quick time.Connection times are fast and reliable.Web properties and applications in balance and maintain high accessibility level."
What do you dislike about the product?
I think cost is little bit high as compare to other firewall manager.
What problems is the product solving and how is that benefiting you?
*Connection times are fast and reliable.
*It provides full SSL visibility,as well as network-layer and session-layer security.
*Advanced Firewall Manager gives fast and secure access as well as it is high performance firewall.
*It provides full SSL visibility,as well as network-layer and session-layer security.
*Advanced Firewall Manager gives fast and secure access as well as it is high performance firewall.
Recommendations to others considering the product:
Secure protection for data center and cloud,Highly recomended.