Compare F5 Distributed Cloud Services
Available on an annual subscription, cloud marketplace private offers and Pay-as-you-Go in the AWS Marketplace.
Fill out this form to be contacted by F5 about Distributed Cloud.
Available on an annual subscription, cloud marketplace private offers and Pay-as-you-Go in the AWS Marketplace.
Fill out this form to be contacted by F5 about Distributed Cloud.
F5 Distributed Cloud Services is available in two annual subscription packages: Essentials and Enterprise. The Essentials package is best suited for customers that want a cloud-based solution to securely deliver public facing web applications. The Enterprise package is built for customers that need advanced security that leverages behavioral traffic analysis to detect suspicious or harmful behavior, this layer of protection extends towards malware detection and client-side attacks.
Compare Essentials and Enterprise ›
Web Application and API Protection
Reduce risk and eliminate tool sprawl with unified WAF, API protection, bot defense, and DDoS mitigation that provide consistent, automated security for every app and API across hybrid and multicloud environments.
Application Delivery & Traffic Management
Ensure fast, resilient, and scalable digital experiences by unifying load balancing, traffic routing, and application control across hybrid and multicloud environments—reducing operational complexity while improving performance, reliability, and visibility.
Edge Distribution
Consolidate CDN, WAAP, and edge services into a single platform to reduce complexity and cost, enforce consistent policy and visibility across cloud/data center/edge, and deliver faster, more reliable digital experiences with multi‑edge deployment flexibility.
Essentials | Enterprise | ||
WAF | |||
Signature based protection | Mitigate application and API vulnerabilities with F5's core WAF technology, backed by our advanced signature engine containing over 8,500 signatures for CVEs, plus other known vulnerabilities and techniques including Bot Signatures identified by F5 Labs and threat researchers | Yes | Yes |
Compliance enforcement | Combination of violations, evasions and http protocol compliance checks. | Yes | Yes |
Automatic attack signature tuning | Self-learning, probabilistic model that suppresses false positive triggers | Yes | Yes |
Masking Sensitive Parameters/Data in Logs | Users can mask sensitive data in request logs by specifying http header name, cookie name, or query parameter name. Only values are masked. By default, values of query parameters card, pass, pwd, and password are masked. | Yes | Yes |
Custom blocking pages/response codes | When a request or response is blocked by the WAF, users have the ability to customize the blocking response page served to the client. | Yes | Yes |
Allowed responses codes from origin | User can specify which HTTP response status codes are allowed. | Yes | Yes |
IP Reputation | Analyzes IP threats and publishes a dynamic data set of millions of high-risk IP addresses maintained by F5, to protect app endpoints from inbound traffic from malicious IPs. IP treat categories include Spam Sources, Windows Exploits, Web Attacks, Botnets, Scanners Denial of Services, Phishing and more. | Yes | Yes |
Sensitive Data Protection for Apps | Data Guard prevents HTTP/HTTPS responses from exposing sensitive information, like credit card numbers and social security numbers, by masking the data. | Yes | Yes |
Exclusion rules | Rules that define the signature IDs and violations/attack types that should be excluded from WAF processing based on specific match criteria. The specific match criteria include domain, path, and method. If the client request matches on all these criteria, then the WAF will exclude processing for the items configured in the detection control. | Yes | Yes |
CSRF protection | Allows users to easily configure/specify the appropriate, allowed source domains | Yes | Yes |
Cookie protection | Cookie Protection provides the ability to modify response cookies by adding SameSite, Secure, and Http Only attributes. | Yes | Yes |
Malware detection and prevention | Detects and blocks malicious payloads and files delivered through HTTP/HTTPS traffic using signature‑based and behavioral analysis to prevent malware delivery and propagation. | No | Yes |
GraphQL protection | The WAF engine inspects GraphQL requests for vulnerabilities and will block traffic based on the F5 signature database | Yes | Yes |
Web App Scanning | Essentials | Enterprise | |
External attack surface management | Automatically scans and maps any web app to find all exposed services and infrastructure including server versions, operating systems and hosting providers along with identifying known vulnerabilities (CVEs). | Yes | Yes |
Dynamic application security testing (DAST) | Runs automated penetration tests on any web app, to uncover unknown vulnerabilities and deliver remediation guidance. This includes a wide range of tests suite that uncovers risks across the Web App and LLM OWASP Top 10 lists with documentation, including every step of the penetration test with videos, screenshots and, test cases. | Yes | Yes |
DDoS Mitigation | Essentials | Enterprise | |
Fast ACLs | Network Firewall controls allowing users to block ingress traffic from specific sources, or apply rate limits to network traffic from a specific source. Enhanced protections allow for filtering traffic based on source address, source port, destination address, destination port, and protocol. | Yes | Yes |
Layer 3-4 DDoS Mitigation | The platform protects customer provisioned services on the F5 network from DDoS attacks. This includes multi-layered, volumetric attack mitigation including a combination of pre-set mitigation rules with auto mitigation and advanced DDoS mitigation scrubbing for customers consuming Distributed Cloud services only. | Yes | Yes |
Layer 3-4 DDoS Mitigation - Routed Mitigation | This is an add-on managed service, which can be sold standalone or added by customers who have either the essentials or enterprise plans. This managed service provides multi-layered, volumetric attack mitigation including a combination of pre-set mitigation rules with auto mitigation and advanced routed DDoS mitigation scrubbing with full packet analysis via BGP route advertisement or authoritative DNS resolution with always-on or always-available deployment options for customers needing DDoS protection for on premises or public cloud applications and associated networks and critical app infrastructure. | Add-on | Add-on |
Layer 7 DoS - Detection and mitigation | Anomaly detection and alerting on abnormal traffic patterns and trends across apps and API endpoints, leveraging advanced machine learning (ML) to detect spikes, drops and other changes in app and API behavior over time by analyzing request rates, error rates, latency and throughput with the ability to deny or rate limit endpoints including auto-mitigation. | Yes | Yes |
Layer 7 DoS - Policy based challenges | Custom policy-based challenges can be set up to execute a JavaScript or Captcha challenge. Define match criteria and rules when to trigger challenges based on source IP and reputation, ASNs or Labels (cities, countries) helping to filter out attackers from legitimate clients trying to execute an attack. | Yes | Yes |
Application Rate Limiting | Rate limiting controls the rate of requests coming into or going out of an application origin. Rate limiting can be controlled for apps using key identifiers IP address, Cookie name, and/or HTTP header name. | Yes | Yes |
API Security | Essentials | Enterprise | |
API Protection Rules | Organizations can granularly control API endpoint connectivity and request types. They can identify, monitor, and block specific clients and connections all together or set particular thresholds. These includes deny listing (blocking) based on IP address, region/country, ASN or TLS fingerprint, plus more advanced rules defining specific match criteria guiding app and API interactions with clients, including HTTP method, path, query parameters, headers, cookies, and more. This granular control of API connections and requests can be done for individual APIs or an entire domain. | Yes | Yes |
API Rate Limiting | The API rate limiting controls rate of requests made to your API endpoints and uses user identification to identify the clients sending requests to your application APIs. | Yes | Yes |
JWT Validation | Allows organizations to upload authentication keys and will validate JSON Web Token (JWT) sign in requests at the edge. This also contributes to improved security by allowing edge servers to filter out unauthorized requests before they can reach an organization’s origin infrastructure. RSA private/public key pairs for JWT signature verification are supported, ensuring that the data in JWT payloads has not been modified by third parties. | Yes | Yes |
API Schema Upload | Import OpenAPI spec files to define API groups and set rules to control access to and enforce behavior of APIs. | Yes | Yes |
API Endpoint and Groups Management | discoveries can quickly be marked as "non-API" when mistakenly | Yes | Yes |
Sensitive Data Detection and Protection | Identify API endpoints that are impacted by specific regulatory and compliance regimes and discover, tag and report on specific sensitive data. Including over 400 data types associated with over 20 different frameworks (PCI-DSS, HIPPA, GDPR etc.) when observed in API code and/or through traffic. Detect generic (credit card, social security number) or less common and custom PII data patterns (addresses, names, phone numbers) within API responses, then mask the sensitive data or block API endpoints that are transmitting sensitive information. | Yes | Yes |
Traffic-Based API Discovery and Schema Learning | Advanced machine learning, enables markup and analysis of API endpoint traffic (requests & responses) for applications in order to discover API endpoints and perform behavioral analysis. This includes request and response schemas, sensitive data detection and authentication status. Providing inventory and shadow API sets with OpenAPI spec (OAS) generation. | Available as an add-on | Yes |
Code-Based API Discovery and Schema Learning | Integrates into code repositories. Advanced machine learning enables automatic analysis of application code in order to discover and document API endpoints. This includes with automated OpenAPI spec (OAS) generation. | Available as an add-on | Yes |
Crawler-Based API Discovery and Schema Learning | Intelligently and automatically crawls any web based application from the client-side to find and map APIs—filling in any gaps that code or traffic analysis might not capture. Whether those are forgotten, depricated endpoints or infrequently used endpoints that may not be passing traffic. | Available as an add-on | Yes |
Schema Validation | Automatically delivers a positive security model using learned, automatically generated, or existing OpenAPI Specification (OAS) files to enforce desired API behavior through valid endpoint, parameter, method, authentication, and payload details. | No | Yes |
Compliance Reporting | Identify and report on API endpoints exposing sensitive data, including over 400 data types associated with over 20 different frameworks (PCI-DSS, HIPPA, GDPR etc.) when observed in API code and/or through traffic. | No | Yes |
API Testing | Proactive API testing that runs targeted tests to detect vulnerabilities in APIs before they reach production. Integrates seamlessly with code repositories and working in conjunction with code-based API discovery, all discovered APIs identified from code can be run through critical, targeted tests to uncover vulnerabilities across a wide range of OWASP API Top 10 threats. | No | Yes |
Bot Defense | Essentials | Enterprise | |
Signature based protection | The WAF signature engine includes unique signatures for known automated threats and bot techniques, such as crawlers, DDoS/DoS attacks, and more. | Yes | Yes |
Advanced bot protection | Uses rich signal collection and behavioral analysis to detect and mitigate automated threats, including sophisticated, low‑and‑slow bot attacks that evade signature‑based defenses. | Available as an add-on | Available as an add-on |
Protects against OWASP automated threats. | Prevent attackers' use of OWASP Automated Threat attack vectors. | Available as an add-on | Available as an add-on |
Credential stuffing and account takeover mitigation | Prevent automated bots from entering stolen credentials on login pages, which can lead to account takeover and fraud. | Available as an add-on | Available as an add-on |
Prevent web scraping | Prevent automated bots and web crawlers from extracting content or data from your site, and from using your data for competitive pricing or AI training without your permission. | Available as an add-on | Available as an add-on |
Device fingerprinting | Uniquely identify and track a web user or a mobile application. The device's fingerprint is retained as the user interacts with the application over time. | Available as an add-on | Available as an add-on |
Client-side protection | Monitor and mitigate browser-based attacks in real-time to protect against Magecart, formjacking, skimming, PII harvesting, and other critical security vulnerabilities. Prevents site or app based data leakage as part of compliance with security standards and regulations such as GDPR, CCPA, HIPAA and PCI DSS 4. | No | Yes |
Network Connect | Essentials | Enterprise | |
Customer Edge (CE) Node | Deployable software that connects different environments and enable local delivery of security and networking services. CE nodes enable multicloud transit, security service insertion, network segmentation, and end-to-end encryption. | Available as an add-on | 3 Medium CEs included, more available as add-ons |