F5 Advanced WAF Reviews

It protects our public entities. Its use case is very directed at a resolution of security.

It protects our environment. It protects our entities.

Identification, ease of use, and ease of modifying it to most of our needs are valuable.

There should be more ability to rate limit certain scenarios. The majority of the time, it is either on or off. For certain types of use cases, there should be the ability to rate limit, not just enable or disable.

It is a very CPU-intensive application. I understand why, but I'm hoping that they could optimize the CPU utilization a little bit better.

I have been using this solution for eight years.

It is stable.

It is very scalable for what we need. It is a public-facing service. So, everybody on the internet would be able to utilize this type of service.

We are exploring areas to increase its usage.

I would rate them an eight out of ten.

Positive

We used other public entities for similar use cases.

It is pretty straightforward. A typical setup for these types of projects takes three months.

It is all done in-house. We do everything in-house. 

In its maintenance, I and other people are involved. The daily operations, which include modifying policies, are up to the individual application owners because they understand their applications a lot better than I or our standard operating team would. So, their usage might go higher than mine.

We have very much seen an ROI. It protects our revenue stream.

The way we deployed it, I would rate it a four out of five in terms of pricing.

I would advise doing your homework. It could be very simplified, or it could be very complex, but definitely, do your homework with the owners of the application because they understand the application more than certain people.

I would rate this solution an eight out of ten.

My clients often seek a comprehensive security solution for their hybrid environments, with both cloud and on-premise web applications. To address this, I recommend combining F5 Advanced WAF for web application security with Fortinet solutions, including FortiGate, FortiSign, and FortiAnalyzer, for broader network security aspects like vulnerability ranking, patch management, and remediation. I focus on FortiGate and FortiAnalyzer, collaborating with a colleague who manages firewall setup, ensuring a robust and unified security approach for our clients.

F5's user-friendly interface and seamless integration stand out as the most valuable features for us. The intuitive interface streamlines tasks, providing a straightforward experience. F5's adaptability in diverse environments sets it apart, especially when compared to alternatives like FortiGate. Despite being pricier, the ease of integration and user-friendly design make F5 Advanced WAF our preferred choice for securing web applications. F5's commitment to customer engagement, exemplified by hosting a certification event in Nigeria, further shows its support and involvement in our region.

One area for improvement in the product is its SSO integration, which posed challenges and required significant effort to resolve. The complexity of SSO deployment, coupled with high associated costs, could be addressed to enhance usability. Streamlining the SSO process and revisiting cost considerations would contribute to an improved user experience.

I have been working with F5 Advanced WAF for three years.

I would rate the stability as a nine out of ten.

I would give the scalability of the solution an eight out of ten. It is quite scalable and performs well. I would recommend F5 Advanced WAF for medium-sized businesses and enterprises, primarily due to considerations around cost and sustainability. The solution is well-suited for companies of this size, ensuring that not only is it deployed effectively, but it can also be sustained over time to meet ongoing security needs.

The technical support is good. I would rate it as a seven out of ten.

Neutral

For an end-to-end solution, Fortinet stands out over F5 Advanced WAF. Fortinet's comprehensive product suite, including FortiGate, FortiAnalyzer, and integrated features like CMDD, provides a more seamless and holistic approach to security. While F5 is strong in certain areas, the integrated capabilities of Fortinet make it my preferred choice for a comprehensive security solution.

The initial setup for F5 Advanced WAF is user-friendly and relatively straightforward.

The main drawback of F5 is the cost, which can be a challenge. 

Overall, I would rate F5 Advanced WAF as a nine out of ten.

I use and recommend F5 Advanced WAF as a web application firewall to protect various applications. It is particularly effective in load balancing and enforcing security policies.

F5 Advanced WAF efficiently handles traffic and secures web applications, protecting sensitive data best for  governmental organization. It ensures compliance with security standards by providing features like PCI DSS checks.

F5 Advanced WAF provides valuable features like signature-based protection, which includes up-to-date threat signatures for common attacks such as SQL injections and DoS protection. It also supports a load balancer for enhanced security and traffic management.

There are opportunities for improvement in updating the user interface to a more modern look. Additionally, the speed of technical support and community responses could be enhanced.

I have been working with F5 Advanced WAF for two years.

F5 Advanced WAF is very stable when configured properly.

F5 Advanced WAF is highly scalable and can handle large amounts of traffic due to its advanced load balancing capabilities.

The technical support team provides responses within a day for critical issues, however, the community support can be slow, sometimes taking up to two weeks for a response.

Negative

I have also used open-source WAF solutions such as OpenAppSec.

The initial setup of F5 Advanced WAF is complex and requires detailed planning, especially for configuration files and management interfaces.

Our internal team implemented F5 Advanced WAF with support from F5's sales engineers.

While F5 Advanced WAF is expensive, the investment is justified by its comprehensive security features.

F5 Advanced WAF is notably costly, especially for small companies, however, it provides strong protection for its price.

l evaluated open-appsec as an alternative WAF solution.

I would rate F5 Advanced WAF a seven out of ten. 

It is important to learn the network and security landscape before deploying. Understanding cybersecurity concepts and signature-based attacks is crucial.

We use F5 Advanced WAF to restrict attacks on our remote access VPN. We've implemented geolocations. Our APIs are exposed over the Internet, so we've utilized F5 Advanced WAF to protect those APIs, and it's integrated with our other applications.

The WAF solution works perfectly fine. If we face any issues, we get hotfixes from the solution experts. It is a little bit difficult to engage with a solution expert firsthand, but once they're engaged, they do whatever is best to resolve the issue.

We faced a lot of outside attacks on our VPNs and APIs, so the geolocation feature works perfectly fine for us. We use iRules as well. Our internal access VPN is advertised from a Cisco firewall, and above that, we have an F5 LTM. We have written some iRules on it to minimize the effects of attacks.

We are a PCI DSS-compliant organization, and we have a lot of security balance to improve our infrastructure. So we use this software to meet those requirements. It works well. So, F5 helped to meet compliance and regulatory requirements.

It's pretty smooth. Whichever load we put on it, we've observed minimal chances of the WAF exploiting the memory or sessions hanging. 

The bot protection aspect works perfectly fine. All the solutions and features are renewed and they're working well. I don't see anything that can be improved.

We also leveraged AI initiatives. 

Support is a little slow, but the solution itself is great. If I compare F5 and Fortinet, the main issue is the support. With Fortinet, it takes less time to engage a support engineer and get things sorted compared to F5.

I have been using F5 Advanced WAF since last January.

I work for a US-based firm, and the project I deal with relies heavily on F5 and F5 LTMs.

I work on both F5 BIG-IP cloud and on-premises and F5 LTM.

It is a stable product. 

The physical hardware is not as scalable. We have to decide which version is best for us to procure because it is a costly device. So we try our best to get all the juice out of one box.

There's around 2500 users getting services from the F5. In my team, we are twelve engineers who are managing the infrastructure.

Support is a little slow, but the solution itself is great. If I compare F5 and Fortinet, the main issue is the support. With Fortinet, it takes less time to engage a support engineer and get things sorted compared to F5.

I'll give F5 a five because it is difficult to engage an engineer and get the issue sorted. For Fortinet, I'd give them a nine.

Neutral

The initial setup process of the F5 WAF product is straightforward. There isn't an issue in setting up from scratch. We use F5 with the cloud as well, especially in Azure and AWS.

The deployment took around half an hour for an engineer to get the basic infrastructure done.

It is not difficult to manage bug fixes, upgrades, and everything. It doesn't take much time. The dashboards are good. All the basic information is given to us on the first page, and it's easy to manage.

It brings a return on investment.

It is a little bit costly, but it has all the features that are required.

I would recommend F5 Advanced WAF to other users looking to implement it.

My advice:

A lot of organizations are financially constrained when buying devices. So if the organization is capable of maintaining and managing a device like F5, we suggest F5. Otherwise, we suggest other solutions, like Fortinet or Citrix.

Overall, I would rate it an eight out of ten because of the support.

Our client has an internally hosted website, and they wanted us to help them in reducing the attack surface in their web application, so we use F5 Advanced WAF for that purpose.

The most valuable feature of F5 Advanced WAF is its ability to have a pool of resources that can distribute your traffic, and that is a plus for me. My company tried to look into a competitor, Imperva, but it was lacking that capability, so F5 Advanced WAF outperforms Imperva.

For me, an area for improvement in F5 Advanced WAF is the reporting as it isn't so clear. The vendor needs to work on the reporting capability of the solution.

What I'd like to see in the next release of F5 Advanced WAF is threat intelligence to protect your web application, particularly having that capability out-of-the-box, and not needing to pay extra for it, similar to what's offered in FortiWeb, for example, any request that originates from a malicious IP will be blocked automatically by FortiWeb. F5 Advanced WAF should have the intelligence for blocking malicious IPs, or automatically blocking threats included in the license, instead of making it an add-on feature that users have to pay for apart from the standard licensing fees.

I've been using F5 Advanced WAF for about two years.

F5 Advanced WAF is a super stable solution. I've not been aware of any issues with the solution whenever my company uses it.

How scalable F5 Advanced WAF is would depend on what resources your client or the virtual server has. It all boils down to the allocated resources. For me, F5 Advanced WAF is pretty much scalable in terms of the resources I've assigned.

I contact the technical support team of F5 Advanced WAF from time to time, and I would rate support eight out of ten. What the support team needs to improve is the SLA, particularly the speed of response.

Positive

In terms of setting up F5 Advanced WAF, what was challenging was the network part, but the rest wasn't that difficult. It took almost two weeks to complete the setup for F5 Advanced WAF.

We implemented F5 Advanced WAF ourselves.

It's hard to tell if the customer got ROI from F5 Advanced WAF because it's based on the initial deployment and approach. It would've been just a matter of time before the customer enjoyed ROI from the solution. My company never experienced a serious incident with the use of F5 Advanced WAF for the customer, so my assumption is at some point, the customer is realizing the ROI.

The pricing for F5 Advanced WAF is comparable to a Rolls-Royce. Its price is a bit high when you compare it with other vendors. F5 Advanced WAF is a bit expensive. The customer was on a three-year plan and it was around $560,000.

We evaluated Imperva, but F5 Advanced WAF was able to outperform Imperva.

I'm an administrator of F5 Advanced WAF for my customer, so I'm more of a user. I'm not a partner or reseller of F5. I'm just a consultant and administrator.

From what I recall, during the time of deployment, my company was using version 15 of F5 Advanced WAF, but I'm not so sure if there's been a new version or an upgrade after that version.

My company has less than ten users/administrators of F5 Advanced WAF.

My advice for people who want to implement the solution, though I might be biased because I've not used other solutions, but as far as I am concerned, F5 Advanced WAF is one of the most stable solutions I've ever used, so it's good to implement.

My rating for F5 Advanced WAF is nine out of ten.

The primary use case is to secure the organization's applications from web-based attacks, securing both web applications and APIs.

The product is used to secure web applications and has the ability to use API templates and bot protection features, such as blocking requests or presenting CAPTCHA pages to end users. We also implement Swagger files for API security and use custom profiles for device ID threshold management.

The main improvement needed is related to IP intelligence. Once we start receiving traffic from repetitive IP addresses, we have to report it to the SOC team to block it at the layer four level. Users would like to have an additional IP intelligence license to handle this within WAF itself without needing to engage with the SOC team.

The solution has been used for three years.

Customer service and support depend on the level of support subscribed to, such as silver or platinum support, which determines the response time.

Positive

Deploying the solution involves an application learning and blocking phase. The process includes collecting application data, creating policies, and applying them to lower testing environments like QA or dev before moving to UAT and production. The learning phase is used to handle false positives and fine-tune the policies before going live.

The in-house team manages and supports the WAF, handling incidents reported by end users when legitimate traffic is blocked. They update the policies to prevent the recurrence of similar blocks.

The pricing and support service levels affect response times from customer service, depending on whether the support level is silver, platinum, etc.

We are exploring cloud-based solutions like Azure WAF and AWS WAF.

I rate F5 Advanced WAF an eight out of ten.

F5 Advanced WAF is used for the protection of applications from current web threats, including DDoS attacks. It provides a comprehensive security solution that incorporates different protection levels.

The most valuable feature of F5 Advanced WAF is its extensive set of capabilities for application protection, including DDoS prevention, and its ability to work with Pentesters and external scanners to observe user activity and eliminate false positives. This comprehensive approach to application security enables an organization to protect its web applications from diverse web threats effectively.

All features of Advanced WAF offer numerous functions, which means tuning configuration is not simple. It's a powerful tool yet can be complex for new users. Future updates should ensure not to break the current state, as users are concerned the new version may not meet current standards.

I have been using F5 Advanced WAF for more than ten years.

F5 Advanced WAF is considered a stable product, and I would rate it as ten out of ten in terms of stability.

The solution's scalability is solid, with the option to increase capabilities through licensing and adding modules in the virtual edition. However, it requires additional expenses, so I would rate it as a seven or eight out of ten.

F5 provides one of the best technical supports, though there have been a few cases where customers were dissatisfied due to response speed. However, in general, their support is highly efficient and knowledgeable.

Positive

In the past, Imperva was the leading solution, however, now F5 is preferred as it offers a superior solution according to customer feedback.

Deploying the solution, including initial configuration, licensing, addressing, and enabling WAF, could take one to three hours. However, for a comprehensive setup, considering external factors and optimizations, the process could take up to a month.

I handle installations and other related aspects by myself, without any additional help.

There are numerous benefits for end customers, as a secure application helps prevent potential breaches and ensures the safety of customers' data, especially in sensitive sectors like banking.

F5 Advanced WAF is not cheap. That said, it offers numerous features and is known as one of the best solutions in its segment. It provides significant value by offering comprehensive protection for high-stakes environments.

I work with other vendors, such as Broadcom, Qualys, BeyondTrust, and Trend Micro, depending on the customer's needs and the vision of my company.

I would fully recommend F5 Advanced WAF for its feature-rich offerings and high detection rate of threats. I rate it a ten out of ten as it is one of the best solutions available.

What a WAF is happens to be exactly what we are using F5 WAF for: a firewall for our web applications. It is a totally customizable solution. You have our signature-based rule sets and then we can customize to our heart's content depending on what our application can and can not do or what we are trying to protect against.  

So we are using this for anything that is internet-facing. We are applying the WAF there and we are putting it in block mode wherever possible.  

The features I think are the most valuable starts with the IP intelligence component. That is separately licensed and it is definitely one component that we have made heavy use of. Geo-blocking is another — which can be done without a WAF because you do not necessarily need a WAF to do it — but the F5 WAF has those capabilities.  

The signature-based controls that F5 has are another one of the heavier-used components that Advanced WAF has. We do not have to worry about updating signatures, et cetera. WAF will automatically update the signatures for us. I think that is a nice feature.  

Those are the biggest things that we are making use of month-to-month.  

I think the contextual-based component needs a lot of help. It is all based on regular-expressions. That is something I think companies like Signal Sciences are doing a really good job with. We are transitioning off to Signal Sciences on some of our WAF components because of the capabilities Signal Science has. I think that contextual-base signatures would definitely help in F5 WAF.  

Within the enterprise, F5 Advanced WAF (Web Application Firewall) has been rolled out for about six or seven years. I have been working on it for about three to four years.  

It is a stable product.  

F5 WAF is a scalable solution. A lot of the employees and other end-users (virtually anybody on the internet who is coming to your site) benefit from the solution. As far as the people who are directly dealing with the administration, maintenance, and deploying the updates, there are maybe two people. But it can certainly scale-out to service passive use.  

The F5 tech supports is fairly decent. It is not the top of the line, but they do their job. They give you an account team. The account teams are normally really responsive. When you need to run something by them, they are unlike some other products. With other products you have to go through opening up a ticket — because that is the only way they will respond to you — and later they might come back and say it is not their problem and you need to figure it out on your own. The F5 is very different from that perspective in providing support. Your account team is your go-to group. They will walk you through solutions, help you design solutions, and it is part of the value add of using F5Advanced WAF. I really liked them for the extra effort they put in to provide good support. They do not upsell professional services or anything like that. Because of that, I would rate them a little on the higher side for support than just your average support experience.  

The installation of F5 Advanced WAF is complex. Any WAF that you put in takes a lot of time to install correctly. You never really just drop it in and have it working right off the bat. The only exception I can say that I have come across to that right now is Signal Sciences. You can literally drop that solution in place and put it in blocking mode within the same day. With F5 there is a learning period where you allow it to learn and then you go back because it is based on regular expressions. So you have to go through and check to see that there is normal traffic going through your site, et cetera. In other words, there is training involved. It can take from seven to fourteen days before you get a good signature set up.  

If you just need to turn on the licensing key, that might take 10 seconds to do and that is available essentially immediately when you implement WAF. But when you are talking about implementation — and this is true with any WAF — it is time-consuming. You are integrating a piece of technology with applications that have already been written. It might be a legacy app, it might be a new app or whatever that you use for whatever your use case might be for that application. You are using WAF in order to protect that app. You have to invest time in creating the signatures. That period of time where you are creating the signature is what is complex and extends the period of the implementation.  

That is what I think the true difference is between F5 WAF and the new-gen stuff like Signal Sciences is. With Signal Sciences you literally can just drop in and turn it on.  

F5's licensing varies. I do not know exactly what the individual WAF component costs because they bundle up services and the bundle is what I pay for. I do not pay for individual components.  

Advice that I would give to people considering F5 WAF is to look at and consider other products as well. They have to make sure they know what they are getting into. That is key to finding the right solution. I think WAF requires a lot of time and patience as well as an understanding of your applications in order to make the best use of its capabilities.  

On a scale from one to ten (where one is the worst and ten is the best), I would rate the F5 Advanced WAF as a solid eight-out-of-ten.