F5 Advanced WAF Reviews

What a WAF is happens to be exactly what we are using F5 WAF for: a firewall for our web applications. It is a totally customizable solution. You have our signature-based rule sets and then we can customize to our heart's content depending on what our application can and can not do or what we are trying to protect against.  

So we are using this for anything that is internet-facing. We are applying the WAF there and we are putting it in block mode wherever possible.  

The features I think are the most valuable starts with the IP intelligence component. That is separately licensed and it is definitely one component that we have made heavy use of. Geo-blocking is another — which can be done without a WAF because you do not necessarily need a WAF to do it — but the F5 WAF has those capabilities.  

The signature-based controls that F5 has are another one of the heavier-used components that Advanced WAF has. We do not have to worry about updating signatures, et cetera. WAF will automatically update the signatures for us. I think that is a nice feature.  

Those are the biggest things that we are making use of month-to-month.  

I think the contextual-based component needs a lot of help. It is all based on regular-expressions. That is something I think companies like Signal Sciences are doing a really good job with. We are transitioning off to Signal Sciences on some of our WAF components because of the capabilities Signal Science has. I think that contextual-base signatures would definitely help in F5 WAF.  

Within the enterprise, F5 Advanced WAF (Web Application Firewall) has been rolled out for about six or seven years. I have been working on it for about three to four years.  

It is a stable product.  

F5 WAF is a scalable solution. A lot of the employees and other end-users (virtually anybody on the internet who is coming to your site) benefit from the solution. As far as the people who are directly dealing with the administration, maintenance, and deploying the updates, there are maybe two people. But it can certainly scale-out to service passive use.  

The F5 tech supports is fairly decent. It is not the top of the line, but they do their job. They give you an account team. The account teams are normally really responsive. When you need to run something by them, they are unlike some other products. With other products you have to go through opening up a ticket — because that is the only way they will respond to you — and later they might come back and say it is not their problem and you need to figure it out on your own. The F5 is very different from that perspective in providing support. Your account team is your go-to group. They will walk you through solutions, help you design solutions, and it is part of the value add of using F5Advanced WAF. I really liked them for the extra effort they put in to provide good support. They do not upsell professional services or anything like that. Because of that, I would rate them a little on the higher side for support than just your average support experience.  

The installation of F5 Advanced WAF is complex. Any WAF that you put in takes a lot of time to install correctly. You never really just drop it in and have it working right off the bat. The only exception I can say that I have come across to that right now is Signal Sciences. You can literally drop that solution in place and put it in blocking mode within the same day. With F5 there is a learning period where you allow it to learn and then you go back because it is based on regular expressions. So you have to go through and check to see that there is normal traffic going through your site, et cetera. In other words, there is training involved. It can take from seven to fourteen days before you get a good signature set up.  

If you just need to turn on the licensing key, that might take 10 seconds to do and that is available essentially immediately when you implement WAF. But when you are talking about implementation — and this is true with any WAF — it is time-consuming. You are integrating a piece of technology with applications that have already been written. It might be a legacy app, it might be a new app or whatever that you use for whatever your use case might be for that application. You are using WAF in order to protect that app. You have to invest time in creating the signatures. That period of time where you are creating the signature is what is complex and extends the period of the implementation.  

That is what I think the true difference is between F5 WAF and the new-gen stuff like Signal Sciences is. With Signal Sciences you literally can just drop in and turn it on.  

F5's licensing varies. I do not know exactly what the individual WAF component costs because they bundle up services and the bundle is what I pay for. I do not pay for individual components.  

Advice that I would give to people considering F5 WAF is to look at and consider other products as well. They have to make sure they know what they are getting into. That is key to finding the right solution. I think WAF requires a lot of time and patience as well as an understanding of your applications in order to make the best use of its capabilities.  

On a scale from one to ten (where one is the worst and ten is the best), I would rate the F5 Advanced WAF as a solid eight-out-of-ten.  

Our company uses the solution for customer use cases to replicate environments, perform integrations, and check for changes or issues. We have many internal users because we have a wide database of customers. 

Most customers have WAF or Advanced WAF but if you dig deep from a high-level perspective, then you find issues with configurations or missing security enhancements. 

The platform is capable of doing many API integrations and other things. Customers with public websites use our client-facing service to upload attachments. Often, customers are not integrating the solution with a malware sandboxing tool. This feature is natively in-the-box so protection can be enabled with a few steps. We determine if attachments are uploading malicious files because there isn't protection in the normal solution. We find out if customers are doing vulnerability or risk assessments. Integration tools such as Qualys help because we can import a file to resolve F5 issues. 

For one use case, a customer might have enabled the tech signature for a specific tech but an IP exclusion or public IP exclusion is a bit risky.

Another use case is for database security where we utilize the solution's very comprehensive security features. We can make a SQL database more visible to database security and order logs for the logins to the station tool. 

It is very powerful to be able to enable database security integration for an administrator or customers.

The integration between modules is good. You can license the APM policy manager, integrate, and make security posters for VPN clients. You can natively integrate the login pages to ensure client machines and websites are protected. 

The solution includes the typical load balancing offered by other vendors but has enhanced security compliance features that are powerful and easy to configure.

It is easy to obtain dashboard compliance because security policy views are included.  

The solution requires a bit of advanced knowledge. They are trying to make configurations less complicated by including guides, particularly for application protection in the cloud. Nothing is complicated but it takes a hands-on approach and a few hours to a few months to become familiar with how the solution works. 

The solution should include RASP which is runtime application security protection. Imperva includes RASP but the solution does not at this point. RASP would provide another level of application protection at the code itself.  

I am a certified F5 engineer and have been using the solution for four years. 

I am a partner so I use both the on-premises and the public cloud solution. To get certification, you need to complete a lot of labs and training on your own. You must go into detail with everything and get your hands dirty. 

I use the public cloud solution for my own labs. There is a free F5 public cloud tenant that includes other features for setting up a lab or application. 

The solution's virtual edition can be deployed in other cloud services such as Azure, AWS, and OCI. The virtual edition takes the on-premises version to the cloud so it is not difficult to implement. The only difference is the cloud-native version includes the WARP feature that is used for web application API protection. 

The solution is definitely stable so I rate stability a nine out of ten. 

The solution is quite scalable so I rate scalability a nine out of ten. 

To be honest, I have not needed support because I have the knowledge to fix anything unless it is a bug within the solution. 

The initial setup is not complex so I rate it a ten out of ten. 

For on-premises, it might take two weeks to deploy security policies which depend on application traffic. You choose a policy set type from fundamental, comprehensive, or rapid according to your needs. Then, you apply the policy. 

For example, you can deploy a quick policy for a nonfinancial side to protect from common threats. In this case, you choose the rapid security policy, choose the application language, and add the SQL or PHP server technology to implement the attack signature. This is helpful because you don't need to apply all of the OS signatures if you only have Windows. Just pull the Windows signature and it will be plugged. 

Then you proceed to the staging model for awhile to pick up the negative security model. You can proceed with a mix of negative and unboxing security models. After that, you start deploying, defining URL parameters, and setting other policies. You put it to staging and make edits. If you don't find too many suggestions or false positives, then you deploy it in blocking mode to the vendor. 

After two or three weeks, if the owner is fine with the policies and number of false positives, then you put it to blocking. 

We implement the solution for customers. Implementation can be done by one person who is knowledgeable about the product and procedures. 

IT managers generally do not dig deep inside the solution because there is quite a bit of detail. They have a high-level overview but certified experts dig deep into configurations. 

I am not sure about pricing but licenses are available on Google. 

The solution is not about improving functionality but about improving the security of an infrastructure itself. You are improving the security profile so that data is not exposed to an attacker. 

I definitely recommend that everyone use the solution and rate it a nine out of ten. 

F5 Advanced Web Application Firewall (AWAF) is primarily used in financial sectors like banking to secure web applications against advanced threats, ensuring compliance with industry regulations. Our Key use cases include:

1. Protection Against OWASP Top 10: Safeguarding banking applications from SQL injection, XSS, and other common vulnerabilities.
2. Bot Mitigation: Detecting and blocking malicious bots to prevent account takeovers, credential stuffing, and fraud.
3. DDoS Protection: Defending against application-layer DDoS attacks to ensure service availability.
4. PCI DSS Compliance: Enforcing security policies to meet compliance standards for protecting sensitive customer data.
5. API Security: Securing APIs used in banking platforms from abuse and unauthorized access.
6. Threat Intelligence: Leveraging threat intelligence to identify and mitigate zero-day attacks.
7. Application Traffic Control: Managing and monitoring application traffic to ensure optimal performance and security.

These use cases help financial institutions maintain secure and resilient applications, critical for trust and compliance.

F5 Advanced WAF has significantly enhanced our organization's security posture by protecting critical banking applications against sophisticated threats. It ensures compliance with regulatory standards, improves customer trust through robust bot mitigation, and enhances application performance by mitigating DDoS attacks and securing APIs. Additionally, it provides real-time threat intelligence and streamlined security management, reducing downtime and operational risks.

1. Ease of Deployment: Simplify initial setup and policy configuration.
2. UI Enhancements: Improve user interface for better navigation and usability.
3. Integration: Enhance compatibility with third-party tools like SIEMs and DevOps pipelines.
4. Performance Optimization: Reduce latency during high traffic volumes.

Suggested Features for Next Release:

1. AI-Driven Threat Detection: Advanced machine learning for proactive defense.
2. Comprehensive API Protection: Extended support for GraphQL and WebSocket APIs.
3. Cloud-Native Integration: Better functionality in hybrid and multi-cloud environments.
4. Automated Policy Suggestions: AI-based recommendations for policy tuning.

It's been two years that I've been working with this solution.

I am not experiencing any significant instability.

F5 AWAF offers excellent scalability, enabling organizations to protect applications seamlessly across on-premises, cloud, and hybrid environments. It can handle increasing traffic volumes with minimal latency, ensuring consistent security for both small-scale deployments and enterprise-grade architectures. With its ability to integrate into CI/CD pipelines and auto-scale in cloud environments, F5 AWAF supports dynamic application growth without compromising performance or protection.

Customer service is very responsive. If the issue persists beyond my local support capabilities, I open a ticket with F5, and they respond quickly. I rate their technical support 9 out of 10.

Positive

Not now just I have checked the comparision and collect reviews from peerspoot and Quadrant 

The initial setup experience is straightforward, and I did not face any complexities. I recommend deploying the F5 AWAF solution on a single appliance with LTM.

F5 is relatively less expensive compared to other solutions as F5 is considered the best.

Not Now

I rate F5 eight to nine out of ten. I recommend F5 to customers who require a robust solution and have the budget for it. However, for customers looking for modest pricing, I would not recommend the F5 solution.

I'd rate the solution eight out of ten.

I use and recommend F5 Advanced WAF as a web application firewall to protect various applications. It is particularly effective in load balancing and enforcing security policies.

F5 Advanced WAF efficiently handles traffic and secures web applications, protecting sensitive data best for  governmental organization. It ensures compliance with security standards by providing features like PCI DSS checks.

F5 Advanced WAF provides valuable features like signature-based protection, which includes up-to-date threat signatures for common attacks such as SQL injections and DoS protection. It also supports a load balancer for enhanced security and traffic management.

There are opportunities for improvement in updating the user interface to a more modern look. Additionally, the speed of technical support and community responses could be enhanced.

I have been working with F5 Advanced WAF for two years.

F5 Advanced WAF is very stable when configured properly.

F5 Advanced WAF is highly scalable and can handle large amounts of traffic due to its advanced load balancing capabilities.

The technical support team provides responses within a day for critical issues, however, the community support can be slow, sometimes taking up to two weeks for a response.

Negative

I have also used open-source WAF solutions such as OpenAppSec.

The initial setup of F5 Advanced WAF is complex and requires detailed planning, especially for configuration files and management interfaces.

Our internal team implemented F5 Advanced WAF with support from F5's sales engineers.

While F5 Advanced WAF is expensive, the investment is justified by its comprehensive security features.

F5 Advanced WAF is notably costly, especially for small companies, however, it provides strong protection for its price.

l evaluated open-appsec as an alternative WAF solution.

I would rate F5 Advanced WAF a seven out of ten. 

It is important to learn the network and security landscape before deploying. Understanding cybersecurity concepts and signature-based attacks is crucial.

My clients often seek a comprehensive security solution for their hybrid environments, with both cloud and on-premise web applications. To address this, I recommend combining F5 Advanced WAF for web application security with Fortinet solutions, including FortiGate, FortiSign, and FortiAnalyzer, for broader network security aspects like vulnerability ranking, patch management, and remediation. I focus on FortiGate and FortiAnalyzer, collaborating with a colleague who manages firewall setup, ensuring a robust and unified security approach for our clients.

F5's user-friendly interface and seamless integration stand out as the most valuable features for us. The intuitive interface streamlines tasks, providing a straightforward experience. F5's adaptability in diverse environments sets it apart, especially when compared to alternatives like FortiGate. Despite being pricier, the ease of integration and user-friendly design make F5 Advanced WAF our preferred choice for securing web applications. F5's commitment to customer engagement, exemplified by hosting a certification event in Nigeria, further shows its support and involvement in our region.

One area for improvement in the product is its SSO integration, which posed challenges and required significant effort to resolve. The complexity of SSO deployment, coupled with high associated costs, could be addressed to enhance usability. Streamlining the SSO process and revisiting cost considerations would contribute to an improved user experience.

I have been working with F5 Advanced WAF for three years.

I would rate the stability as a nine out of ten.

I would give the scalability of the solution an eight out of ten. It is quite scalable and performs well. I would recommend F5 Advanced WAF for medium-sized businesses and enterprises, primarily due to considerations around cost and sustainability. The solution is well-suited for companies of this size, ensuring that not only is it deployed effectively, but it can also be sustained over time to meet ongoing security needs.

The technical support is good. I would rate it as a seven out of ten.

Neutral

For an end-to-end solution, Fortinet stands out over F5 Advanced WAF. Fortinet's comprehensive product suite, including FortiGate, FortiAnalyzer, and integrated features like CMDD, provides a more seamless and holistic approach to security. While F5 is strong in certain areas, the integrated capabilities of Fortinet make it my preferred choice for a comprehensive security solution.

The initial setup for F5 Advanced WAF is user-friendly and relatively straightforward.

The main drawback of F5 is the cost, which can be a challenge. 

Overall, I would rate F5 Advanced WAF as a nine out of ten.

Our clients mostly have their own applications, such as banking apps, and use F5 Advanced WAF to avoid vulnerabilities and threats on both the application layer and transport layer. 

We create web policies for their apps and configure ASM signatures to prevent vulnerabilities. After configuring the policies, I monitor logs continuously to block vulnerability attacks and assist clients in addressing any issues.

One of the things that surprised me the most about F5 devices is their compatibility with the existing infrastructure of most customers. They can be easily integrated between the main firewall and back end servers, making it a seamless addition to enhance security.

The traffic learning feature stands out as the most valuable. When an app is accessed, the log generated in F5 Advanced WAF provides suggestions on what actions to take. This feature is particularly beneficial in new vulnerability scenarios, offering guidance based on learned data. 

Additionally, I appreciate the way F5 Advanced WAF builds policies by configuring a basic policy and queuing it in learning mode. The solution learns from logs, and based on that learning, I configure ASM signatures.

The GUI interface can be confusing due to similar-looking tabs for policy building, traffic learning, and event logs. A more explanatory GUI would be beneficial. However, F5 solutions are a bit expensive compared to others, although they provide the best service and options.

I have been working with F5 Advanced WAF for around six months.

The solution is very stable. I would rate it a nine out of ten for stability.

F5 Advanced WAF is very scalable, and I would rate its scalability as nine out of ten.

F5 support is excellent and deserves a ten out of ten. Their technical support is responsive and helpful, making the overall experience very satisfactory.

Positive

I have not worked with many other vendors as extensively as F5, but I have some knowledge of FortiWAF. FortiWAF has fewer options compared to F5, particularly in features like iRULES, which offers more flexibility for traffic management and coding.

The initial setup is not very lengthy. Once the device is on-premises, configuring and managing it is quite efficient, though the entire project from start to end may take about a month to a month and a half.

I work with a team of five to six network engineers across different cities, providing support and collaboration for client deployments.

The return on investment is quite high with F5 solutions. Customers prefer F5 for their superior service and features, despite the higher cost.

F5 is on the expensive side but offers superior solutions and options. Customers are willing to pay for the quality and features provided.

I have some knowledge of FortiWAF, but F5 provides more options, especially with features like iRULES for managing traffic.

I would recommend F5 Advanced WAF to other users. It provides excellent features, flexibility, and support.

I'd rate the solution ten out of ten.

Primarily, the Advanced WAF sits behind our network perimeter. It centralizes traffic flow to our network, filters requests, and identifies any potential threats.

It helps us detect threats or malicious requests coming into the network, protecting it from being hacked. It helps guard against issues like cross-site scripting (XSS) and other similar threats.

So, F5 Advanced WAF helped mitigate bot traffic for our web applications.

Moreover, my experience is that it's pretty straightforward to use. Our firewall team handles requests through a change management tool within scheduled change windows. However, F5 is our only firewall solution.

It's a valuable tool to protect web servers exposed to the external network. With numerous web applications running on Apache or IIS servers, the F5 Advanced WAF's threat detection capabilities protect the network before traffic reaches those servers.

It's a fairly easy-to-use and user-friendly tool. My administrators and team also like its ability to customize the rules per the requirements. 

The self-service aspect could be improved. 

The user interface (UI) also seems a bit outdated. Making it more user-friendly would be beneficial.

We've been using it for approximately five to six years.

I would rate the stability a ten out of ten. It is a stable product. 

It is pretty good. I would rate the scalability a seven out of ten.

Ssometimes, the way our enterprise handles change requests might slow things down because of the internal rules and processes. But these changes, once approved, do take effect immediately on the firewall itself. 

We have a change window twice a week for these requests. I don't think the limitation is with the firewall itself; it's more about our internal procedures.

Overall, I would rate the solution an eight out of ten because I have seen that not too much customization is required during setup. The change requests we submit are usually clear and easily applied. 

Overall, the policies work well, and the threat detection is good. It catches deviations and anomalies effectively.

From a recommendation standpoint, it's a fairly easy tool to use. However, you definitely need some knowledge about scripting, OWASP fundamentals, threat detection, and general cybersecurity principles to get the most out of it.

I was in charge of the F5 on-premises solution, where I published several applications for certificate verification and protected various applications. Additionally, I was working with botnets.

F5 Advanced WAF is a comprehensive community platform with a strong commitment, making it valuable for businesses. The capabilities on GitHub are highly appreciated, allowing me to count on F5 for reliability.

I would like to see improved features in the F5 Advanced WAF solution, especially with a focus on enabling Kubernetes fully. The database needs better service discussions and updates on communication. Additional improvements could also be made in asset management for the data.

I've been working with F5 for what seems like a lengthy period.

F5 is logistics-oriented, ensuring that the Webpack performs well in making every single case for the Stereo platform.

F5 is scalable, especially for Stellar and virtualization processes. Customers can scale efficiently.

F5's technical support team is commendable. They are professional and take high-priority prompts seriously.

Positive

My experience includes comparing F5 with FortiWeb. F5 provides more security capabilities for applications than FortiWeb.

The initial setup of the F5 Advanced WAF solution involves multiple stages and might require revisiting configurations based on customer needs. The setup can be complex compared to other options.

I am part of the deployment and implementation team, and we follow a strategy that involves providing quality assurance to ensure data integrity and server protection. Collaboration and dialogue with customers are part of the implementation.

Customers have shown consistent ROI with F5 solutions, especially when daily requests come in for assistance.

The user interface and sub-management prices can be a concern, however, they generally align with the industry's needs.

I recommend the F5 Advanced WAF solution for everyone with critical applications. Security needs to be embedded within the full visualization pipeline, allowing significant savings. I rate F5 Advanced WAF at a nine out of ten.