Every capability across ADC, WAAP, AAM, GTM, and ZeroLeak.
Filter by product, add-on, or industry — a technical deep-dive reference for engineering and operations teams.
Subscribe via RSS13 algorithms — classical, consistent hash, Maglev, SED, and TR7's proprietary 8-signal Fastest+ engine. Picked per vService, hot-swapped.
Bandwidth is measured at the vService client-facing boundary as combined RX and TX. Pre-vService blocks and application-server pass-through do not count — license the tier you actually need.
9 ways to keep a user on the same backend across requests — from source-IP to SAM, TR7's configurable cookie engine.
Server-rendered pages with pixel-level modifications — readable on screen for the user, nonsense to OCR engines and AI vision models when extracted as an image.
Run the protected app inside a fully isolated session on the platform — the user sees only the rendered pixels. No HTML, no JavaScript, no cookies on the endpoint.
Letters on the page are silently swapped with visually-similar siblings; the area around the cursor reveals the originals. The human reads naturally — an AI fed a screenshot reads different words.
A visible per-user watermark plus an invisible trace ID embedded into the pixels — when a screenshot leaks, the source can be identified even after cropping, scaling, or being photographed.
Every user session runs in its own isolated browser context — no shared cookies, storage, or process state — with a strict domain allowlist and rendering-level anti-automation defences built in.
Event-driven screenshots at consequential moments, continuous FFmpeg video, word-level keystroke buffer and clipboard logging — every session reconstructable for compliance and investigation.
Manage VPN access as part of the AAM identity and device trust policy — not as a separate network exception.
Browser-only access to RDP, VNC, SSH, Kubernetes and legacy systems — with credential vault, recording, and watermark built in.
Three MFA methods, per-service policy, trusted-device shortcut — no third-party MFA cloud.
One flow engine decides every authentication outcome — who can reach what, after which factor, under which context.
Trust earned at login doesn't carry forever. Every session stays under evaluation, every step of the way.
Standards-correct SAML SP — enterprise IdPs, public-sector federation, and per-tenant routing, all coordinated with MFA, conditional access, and posture.
Standards-correct OIDC relying party — authorization code with PKCE, JWKS-verified ID tokens, nonce + state defenses, and per-tenant IdP routing.
Your enterprise directory already exists — TR7 AAM does not copy it, it connects to it and turns group membership into access policy.
Connect every identity source beyond SAML and OIDC to the same access and audit flow.
The fastest backend, computed per request across 8 live signals.
Diagnose network, DNS, TLS and packet-level issues in production — without opening a shell.
Carry client traffic to backends without mirroring every connection — fewer handshakes, lower latency.
Complete missing HttpOnly, Secure and SameSite flags at the response layer — no application changes required.
Manage preflight and response CORS headers from a single rule, without touching application code.
Change the config, keep live connections — not every rule update should require a maintenance window.
Manage HTTP→HTTPS transitions, domain migrations, path moves and error redirects without touching application code.
WAAP inspection, mTLS identity and data masking keep working even as traffic flows to backends over TLS.
Mask IP for log privacy, reconstruct the correct client IP across proxy chains.
Move beyond L3/L4 — carry HTTP context into your flow records.
Turn JSON body fields and JWT content into first-class signals for every traffic decision.
Pull Prometheus metrics from TR7 without deploying a separate exporter — dashboards ready out of the box.
Apply per-vService, per-user or shared bandwidth limits and distribute traffic capacity in a controlled way at the application layer.
Mask, replace or inject HTML into response content — without changing a line of backend code.
Observe behavior instead of blocking instantly — isolate sources that exceed a threshold and release them automatically.
Change the path, not the backend — the client keeps its URL while a new architecture runs inside.
Write rules visually, get compiled traffic behavior — manage request and response flow without scripting.
One expression language — traffic, health, logging, GTM, security and access decisions in the same model.
See production traffic request by request — turn observation directly into rule actions.
30+ breakdown dimensions, three formats (PDF / XLSX / HTML), up to 10 years of on-device history — no separate management server.
3000+ rules, OWASP / API Top 10 / CWE taxonomy, 14 correlation axes, per-host-group + cross-group rollups.
vService profiles, 5 frequency presets, multi-recipient email, cluster-aware single-send — same engine for ad-hoc and scheduled.
Hide cookie values from the client — protect session integrity without touching backend code.
Run two nodes as a single logical ADC — VIP failover, state replication and controlled maintenance in one cluster model.
Manage VIPs not just as IP addresses — but with interface type, VLAN, cluster role and transition method.
Move beyond headers — make body content part of the traffic and security decision.
Move TLS beyond file-based configuration — turn it into a per-service security profile, certificate lifecycle and post-quantum readiness layer.
Lift the client certificate out of connection control and turn it into an identity object that drives traffic decisions.
Insert TR7 ADC into the traffic path without touching backend IP addresses, gateways or routes.
Connect services without merging networks — manage overlapping IP plans and tenant isolation with a single vService model.
Go beyond 200 OK — validate backends at protocol, session and content level.
Serve frequent responses without a backend round-trip — reduce latency and free capacity.
Manage FTP not as an open port, but as a command-by-command controlled secure file transfer session.
From upstream NTP pools to internal infrastructure — centralized, controlled and isolated time delivery.
Every tenant in its own routing world — overlapping IPs, static + dynamic routing and gateway monitoring from one panel.
No reboot. No maintenance window. Interface changes go live.
ADC, routing and L3/L4 security from a single console.
Certificate renewal stops being a calendar task — TR7 ADC monitors, renews and applies the certificate to the service.
One VIP, one port — unlimited domain separation via SNI and Host header.
Combine signature, score and context in a single engine — manage known attacks with confidence.
Generation, delivery and verification — all inside the ADC. Zero calls to any third-party cloud service.
Replace static thresholds with service-aware DDoS protection that learns traffic behaviour and acts on conditions.
Mask sensitive data at platform level before it reaches the user or the logs.
Stop credential stuffing, brute-force and session hijacking attempts based on combined risk decision — not a single signal.
Extract an API inventory from real traffic; bring requests outside the allowed schema under control.
One IP, one account, one API key — you decide which dimension to limit.
Add your own WAAP logic alongside the built-in signature set — same scoring engine, same logs, same policy pipeline.
Turn country and ASN context into access decisions — without dependency on external services.
TR7's central feed, external URL lists and your own exceptions converge in a single IP reputation engine.
Three tiers of graduated friction — warn, challenge, lock — across IP, username, or both. Self-hosted CAPTCHA, no external cloud.
From session ID generation to cookie security, IP+UA binding to idle and absolute timeout — protect every session under one policy graph.
Send every platform event to your SIEM in the format it expects — JSON, CEF or plainText.
Collect, classify, replicate and forward UDP and TCP syslog traffic in front of your SIEM.
Accelerate enterprise DNS traffic and block malicious queries — in a single layer.
Make DNS and GSLB decisions on your own appliances — zone data and traffic policy never leave your premises.
Set resolver IP aside — make DNS decisions based on the user's real subnet, ASN and location.
When the primary DC goes down, DNS reshapes automatically — no manual intervention needed.
Percentage-based traffic distribution — in the language of DNS.
Take DNS responses beyond static records — let data-centre, application and service health drive every decision.
Authoritative DNS pulled from a hidden master, served from memory at line rate.
The path into failover and the path back are separately policy-controlled.
Decide which data center wins each query — using host, service, and client-side signals together.
Each data center's WAN and LAN access paths are monitored independently — partial reachability is a recognized state, not a binary.
Per-domain DNSSEC with key custody on your own infrastructure — no third-party signing service.
Full interactive console from the browser with no SSH wait — production-safe with RBAC and audit.
Manage N TR7 appliances from one console — share common settings, see differences per device.
The AAM-integrated pillar of the ETM add-on: device posture becomes a live signal in the access decision.
Know the device not by a few fields at VPN connection time, but continuously and in depth throughout the session.
Don't just observe the device; send commands, query state, isolate when needed — all under one console.
Manage Android and iOS devices from the same console as your desktop estate; no separate MDM platform required.
The same ETM agent runs on servers; CPU, RAM, IO, and process health flow directly into ADC routing decisions.
An ADC that doesn't know its servers' files runs a blind operator.
Kernel-level filtering against SYN/UDP/ICMP flood, amplification, and fragment attacks — with operator-confirmed adaptive baseline.
Per-vService behavioral protection against HTTP flood, Slowloris, R.U.D.Y., and bot attacks — with ddosCond combined conditions.
One TR7. Many tenants. Resources, network and operations boundaries each kept separate.
Make every L7 request measurable, filterable and reportable.
Produce branded, scheduled and on-demand PDF/XLSX reports in a single reporting pipeline.
Every process runs in its own profile — resource limits, restart and visibility built into the platform.
Credential recovery and emergency access without re-imaging.
TCP, UDP, DSR and IP tunnel — kernel-level L4 load balancing on a single ADC.
Pick the service type and TR7 shows only the right features — backend groups managed in the same model.
Manage DNS, RADIUS, SIP and NTP services with production-grade L4 load balancing, session affinity and health checks.
Generate CSRs, sign certificates, distribute as P12 — manage the certificate lifecycle inside TR7.
Not just an IP list — real traffic intelligence across 60+ criteria, AND/OR/NOT groups and Smart Function chains.
Not just one idle value — 9 independent timeout axes in a single named profile, applied per pool to match every traffic type.
Encode backend capacity across 8 axes — connections, rate, session, SSL, buffer and retry in one profile.
Close a vulnerability at the traffic layer in minutes — no code change required.
Do not treat GraphQL traffic as a plain POST body — catch introspection, nested DoS and query batching patterns inside your WAAP.
Apply 8 security headers at the ADC layer without touching application code.
Turn raw WAAP logs into readable evidence reports for auditors, management and customers.
Replace the generic 'access denied' screen with a controlled, branded experience that carries your message, language and reason code.
Branded login UX per gateway with template inheritance.
Modern auth at the front, identity injected downstream as header, Authorization, or cookie — legacy apps stay legacy.
Change, forgot, and reset flows on one engine — single-use tokens, recipient masking, audit on every step.
Real-time performance steering — route to the fastest DC for each user.
35 record types, DNSSEC and AXFR — the GSLB decision engine paired with full DNS operations on one platform.
GTM does more than produce DNS answers — when health state changes it fires external triggers and routes DNS queries to the right forwarder.
Get every event to the right person, on the right channel, with the right context.