Sold by: F5, Inc.Â
Deployed on AWS
Protect against automated attacks. Bot Protections Rules is a partner managed rule group for AWS WAF that stops a broad range of malicious bots activities such as vulnerability scanners, web scrapers, DDoS tools, and forum spam tools.
4.3
Overview
F5's Managed Rules for AWS WAF offer an additional layer of protection that can be easily applied to your AWS WAF. F5's Bot Protection rules analyze all incoming requests and block any malicious bot activities identified, including DDoS tools, vulnerability scanners, web scrapers, and forum spam tools. All rules are written, managed and regularly updated by F5's security specialists to ensure protection against evolving threats without the need for intervention on your part. The rules are licensed on a pay-as-you-go basis so you will only pay for what you use. Deployment guidance can be found at https://pages.awscloud.com/rs/112-TZM-766/images/F5_OWASP_Getting%20Started%20Guide.pdf .
Alternatively, if you require more sophisticated protection then F5's Advanced WAF or Distributed Cloud Bot Defense may be more appropriate solutions. F5 Advanced WAF leverages behavioral analytics and machine learning to thwart complex app-layer attacks, while Distributed Cloud Bot Defense offers market-leading bot protection capable of determining if requests originate from bots and whether they have malicious or benign intent. Learn more about F5 Advanced WAF (https://aws.amazon.com/marketplace/pp/prodview-kqebnc25kfoe6?sr=0-5&ref_=beagle&applicationId=AWSMPContessa ) or Distributed Cloud Bot Defense (https://aws.amazon.com/marketplace/pp/prodview-x5mf4isftlzcc?sr=0-1&ref_=beagle&applicationId=AWSMPContessa ).
Highlights
- Easily Enhance Security - No security expertise needed, simply attach rules to your AWS WAF instances to immediately bolster protection.
- Continuously Updated - Rulesets are monitored, maintained and update by F5's security experts to ensure protection against evolving threats.
- Fast & Simple Deployment - Attach F5's WAF rules to your AWS WAF instance in a matter of minutes following three simple deployment steps.
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Cost/unit |
|---|---|
Charge per month in each available region (pro-rated by the hour) | $20.00 |
Charge per million requests in each available region | $1.20 |
Dimensions summary
F5 Rules for AWS WAF follows a two-part pricing model on AWS Marketplace. The monthly regional charge covers the base subscription for maintaining and updating the WAF rules in each AWS region you deploy, with the flexibility of hourly prorating. The per-million requests pricing applies to the actual traffic processed through the WAF rules in each region, ensuring you only pay for the protection you use. This straightforward model combines fixed and variable costs to align with your security needs and usage patterns.
Top-of-mind questions for buyers like you
How does the monthly regional charge work for F5 Rules for AWS WAF?
The monthly regional charge is a base fee applied for each AWS region where you deploy F5's WAF rules. This charge covers continuous rule updates, maintenance, and access to F5's security expertise, while being prorated hourly to provide deployment flexibility and cost optimization.
What defines a billable request in the per-million requests pricing?
A billable request is any web traffic that passes through your AWS WAF using F5's rule sets. This includes API calls, web page requests, and any other HTTP/HTTPS traffic that is evaluated against the F5 security rules, with charges calculated based on the total volume of requests processed in each region.
Are there any prerequisites or additional AWS costs to consider?
While F5's pricing covers the rules and updates, you need an active AWS WAF deployment which incurs separate AWS charges. The AWS WAF costs include web ACL capacity units (WCU) and per-request charges that are billed directly by AWS, independent of F5's pricing.
Vendor refund policy
For this offering, F5 does not offer refund, you may cancel at anytime.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA)Â .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Resources
Vendor resources
Support
Vendor support
F5 Rules for AWS WAF are supported via F5 DevCentral - F5's extensive community of experts, developers and users addressing technical issues related to F5 products. If you have any questions or need assistance with any aspect of F5's rulesets please submit a question with the tag 'F5 rules for AWS WAF' (http://devcentral.f5.com/s/questions?tag=F5+Rules+for+AWS+WAF ). Response times may be up to 2 days. For online information regarding F5 Rules for AWS WAF, please refer to https://support.f5.com/csp/article/K21015971 . For any infrastructure and WAF related questions please contact AWS Support (https://aws.amazon.com/contact-us ) for AWS WAF related assistance.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
By F5, Inc.
By Fortinet Inc.
By Cyber Security Cloud Inc.
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Bot Traffic Detection
Advanced analysis of incoming web requests to identify and block malicious bot activities
Threat Pattern Recognition
Comprehensive protection against vulnerability scanners, web scrapers, DDoS tools, and forum spam tools
Security Rule Management
Dynamically updated rulesets written and maintained by specialized security experts
Web Request Filtering
Automated blocking mechanism for identifying and preventing malicious automated traffic
Threat Behavior Analysis
Systematic evaluation of incoming web requests to detect and mitigate potential automated attack patterns
Web Application Threat Protection
Comprehensive ruleset covering OWASP Top 10 web application threats including SQL Injection, Cross Site Scripting, and Known Exploits
Security Signature Updates
Regular threat information updates from FortiGuard Labs to maintain current protection signatures
Malicious Traffic Detection
Protection against malicious bots and common vulnerabilities and exposures (CVE)
Configurable Security Response
Flexible configuration options to log, alert, and block detected web application threats
Attack Vector Coverage
Comprehensive security rules targeting multiple web application attack vectors including general and known exploits
Web Application Threat Protection
Comprehensive ruleset targeting OWASP Top 10 Web Application Threats with low false-positive rate
Vulnerability Mitigation
Managed rules addressing code injection techniques including SQLi, NoSQLi, OScommandi, XSS, and directory traversal
Technology-Specific Protection
Specialized rules for web technologies like Apache Struts2, Apache Tomcat, Oracle WebLogic, WordPress, Drupal, and Joomla
Cyber Threat Intelligence
Regularly updated rulesets incorporating latest threat intelligence and security alerts
Compliance Support
Security rules designed to help meet compliance standards such as PCI-DSS
Standard contract
No
No
No
Customer reviews
Manmohan Rao
Managed security rules have protected our public e‑commerce sites and simplified ongoing defense
Reviewed on Dec 09, 2025
Review from a verified AWS customer
What is our primary use case?
We are providing support to our end customers who have e-commerce websites that need to be exposed to the public, and for a secure way around, we thought of getting them exposed via the Application Load Balancer to make sure it is exposed at Layer 7 only. While making sure it will be protected, we started using AWS WAFÂ services, where we found that we can utilize a WAFÂ rule set from Marketplace. We started using it, and I got the chance to be part of one of the summits where I heard of F5 Rules for AWS WAFÂ . Since then, I have been using their rule sets for bot protection, web exploit OWASP rules, common vulnerabilities and exposures, and API security, which is a use case we are using to configure these rule sets.
We are using AWS WAFÂ , which has been integrated with the Application Load Balancer to ensure that our Application Load Balancer is secure while it gets publicly exposed.
We thought of starting to use F5 Rules for AWS WAFÂ primarily for DDoS protection nowadays, as AWSÂ native rule sets also provide some protection for DDoS. I found that it demands continuous improvement in these rule sets. Previously, we used native rule sets, but these continuous demands were not listed in it, which led us to an unsecure environment. Now, using F5 Rules for AWS WAFÂ for bot protection, I found that they continuously perform vulnerability scans while these rules come into action. This continuous improvisation ensures that I can build trust against these rules instead of other third-party rule sets.
What is most valuable?
I really appreciate the way F5 Rules for AWS WAF generate reports proactively to show the number of exploits that come in and what remediation has been followed to block such exploits, mainly in the OWASP rule sets.
It has generated value toward us because since these e-commerce websites could become exposed to the public in an unsecure manner, which really no one wants. Now, looking at these rule sets, they ensure that our origin or our application content and code, as well as the application itself or its API, are secure enough, always.
What needs improvement?
An area for improvement I see is that while everything is in good shape, I demand continuous improvisation of these rule sets. However, I am accepting of this. To stay safer from a security perspective, continuous improvisation in these security rules is required to ensure we are always up to date with new attacks.
For how long have I used the solution?
I have been using F5 Rules for AWS WAF in the last two years and I found it to be a good choice compared to other products.
What do I think about the stability of the solution?
F5 Rules for AWS WAF is stable.
What do I think about the scalability of the solution?
Scalability is not a challenge with F5 Rules for AWS WAF, as they are configured within the AWS WAF service, which is reliable and redundant. We have not faced any challenges with the rule set scalability, and that is a positive aspect.
How are customer service and support?
I have reached out to customer support multiple times, especially while configuring rule sets for the first time. The support provided was excellent. I appreciate the assistance; they clearly explained everything, how to configure these rule sets, and what the best options are based on my use case, which helped us shortlist what is required.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used AWSÂ native rule sets and Fortinet rule sets. We switched to F5 Rules for AWS WAF because we found it more competitive. They continuously improve their security rules and keep adding vulnerability protection to their existing rule sets, ensuring we are protected and our applications are safe.
We mainly evaluated AWS native rule sets prior to F5 Rules for AWS WAF.
What was our ROI?
It has absolutely saved money for our security team and time. There are two ways: either we write our own rule sets, which demands significant time, or we can use a more mature tool like F5 Rules for AWS WAF, which has already created these rule sets for perfect use cases like we are using for our end customers. Using F5 Rules for AWS WAF saves us time spent on developing security rules ourselves.
What's my experience with pricing, setup cost, and licensing?
From the pricing perspective, I found it to be comparable to other marketplace rules available in AWS Marketplace . It has competitive pricing.
What other advice do I have?
I advise anyone looking for a great tool to secure their public-facing applications to start using F5 Rules for AWS WAF. These are managed rule sets, so you do not need to worry about continuous improvements or ensuring your application is secure; F5 Rules for AWS WAF will take care of that and is always making the necessary improvements in these rule sets to ensure security.
I am very impressed with the rule sets and the continuous engineering from their security team to ensure the required rule set availability. I really appreciate the fantastic job they are doing.
F5 Rules for AWS WAF can be integrated with AWS CloudFront, Application Load Balancer, Lambda, and API Gateway. I am satisfied with all these services as they are our intermediary points for services exposed to the public or globally.
I gave this product a rating of ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
G Verduci
Application layer protection has improved traffic control and supports my initial security testing
Reviewed on Dec 02, 2025
Review from a verified AWS customer
What is our primary use case?
I have been using F5 Rules for AWS WAFÂ for a short time and want to discover more about it.
My main use case with F5 Rules for AWS WAFÂ is testing it out.
I don't have a quick specific example of what I'm testing at this moment.
For now, I don't have anything else to add about my testing experience so far.
What is most valuable?
The best features F5 Rules for AWS WAFÂ offers, from what I've seen or read so far, are application layer protection.
I am referring to application layer protection with F5 Rules for AWS WAFÂ , which stands out to me as using something similar to iRules to protect applications.
F5 Rules for AWS WAF has positively impacted our organization for security through the implementation of traffic rules in our application.
I have noticed specific benefits such as easy management with F5 Rules for AWS WAF, but I think that it's too early to provide a definitive assessment because I started using it only a few days ago.
What needs improvement?
I don't know how F5 Rules for AWS WAF can be improved because I have only been using it for a few days.
I don't have anything to add about the needed improvements for F5 Rules for AWS WAF at this time.
For how long have I used the solution?
I have been working in my current field for about two years.
What do I think about the stability of the solution?
F5 Rules for AWS WAF is stable in my experience so far.
What do I think about the scalability of the solution?
From what I've seen, F5 Rules for AWS WAF's scalability is stable for now.
How are customer service and support?
I have not had any experience with customer support for F5 Rules for AWS WAF yet.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I did not previously use a different solution.
How was the initial setup?
I had a great experience with the pricing, setup cost, and licensing.
What about the implementation team?
My company does not have a business relationship with this vendor other than being a customer.
What was our ROI?
It's too early to talk about a return on investment with F5 Rules for AWS WAF.
What's my experience with pricing, setup cost, and licensing?
I had a great experience with the pricing, setup cost, and licensing.
Which other solutions did I evaluate?
I did not evaluate other options before choosing F5 Rules for AWS WAF as it was my first time.
What other advice do I have?
It's too early to provide my experience or advice to others looking into using F5 Rules for AWS WAF.
I don't have any additional thoughts about F5 Rules for AWS WAF before we wrap up.
I found this interview at AWSÂ re:Invent.
I gave this review a rating of 8.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Banking
Evaluating the Effectiveness of F5 BIG-IP Advanced WAF ln Enhancing Application Security
Reviewed on Jun 01, 2023
Review provided by G2
What do you like best about the product?
its real-time threat intelligence integration, leveraging F5's Security Operations Center (SOC) and global threat intelligence network. This integration ensures that the firewall remains constantly updated with the latest threat trends, enabling it to proactively defend against emerging threats. Additionally, the Advanced WAF allows for extensive customization options, empowering organizations to tailor their security policies to the unique requirements of their applications.
What do you dislike about the product?
WAF is relatively high, positioning it as a more suitable option for larger enterprises rather than smaller organizations with budget constraints
Configuring and managing the Advanced WAF requires a certain level of expertise, which could result in inefficiencies or misconfigurations if not properly addressed.
Configuring and managing the Advanced WAF requires a certain level of expertise, which could result in inefficiencies or misconfigurations if not properly addressed.
What problems is the product solving and how is that benefiting you?
It enables organizations to customize security policies based on their specific application requirements. This flexibility allows for fine-tuning and optimizing security measures, reducing false positives and negatives while maintaining an optimal balance between security and application performance.
Katya G.
Best way to protect exposed applications
Reviewed on Dec 27, 2021
Review provided by G2
What do you like best about the product?
WAF configurations are very high level. I really feel safe in this sense. The microservice and DOS protection features are also great. The signature-based protection module is also very advanced.
What do you dislike about the product?
The interface could be better. f5 should now make the interface look better.
What problems is the product solving and how is that benefiting you?
We use it behind this WAF in all applications we open. We do this with a good configuration with the BLocking mode turned on. There may be occasional false positive situations in the first week, but then it works incredibly regularly.
Computer & Network Security
Industry leading solution for WAF
Reviewed on Nov 10, 2021
Review provided by G2
What do you like best about the product?
F5 Application Security Firewall is a robust solution. You can enable WAF on the F5 Load Balancer with one click with a license. F5 presents to the customers load balancer and WAF one same appliance. So while you can load balancing the application you don't need to send user requests to other products, F5 inspects the user request while load balancing. It offers comprehensive configuration for application security. It is learning the application then blocks the unwanted traffic.
What do you dislike about the product?
You have a piece of deep knowledge for configuring the F5 WAF. Configuration GUI is very complex, sometimes you can be lost while configuring. And the price is ver high.
What problems is the product solving and how is that benefiting you?
IPS on the firewalls is not enough to control user requests. We can check all clients request on F5 WAF. Clients unwanted requests stopped on WAF before they reached the application
Recommendations to others considering the product:
There are a few vendors at the market which offer detailed application security. F5 ASM is one of them. If you want to configure with detail and fight OWASP top 10 threats F5 ASM (or WAF) best fit your requests.