F5 Advanced WAF Reviews

Our company installs the solution for customers who require more features than are available with FortiADC. 

One of our customers is a bank that has API for both web and mobile applications. We use the solution to load balance and provide protection for the API requests that come from customers to the application server. With more than 200,000 DNS requests per second, the solution's advanced features are the best fit to the customer's needs. 

The solution uses AI to protect against botnet attacks. 

The solution has a vCMP-like feature that allows you to visualize more than two  TMOS at the same time on your hardware. This feature is not available with other solutions. 

The solution should include protection against web page attacks like what is available in FortiWeb. 

The solution should integrate with Kubernetes. I believe there is a new ADC planned for the end of 2022 that will accomplish this goal. 

I have been using the solution for six years. 

The solution is super stable with extra chassis space. 

We sometimes use solution to its maximum capacity and it is still stable with no crashes. 

The solution is super scalable. 

FortiADC is a good solution for small or mid-sized companies but F5 can handle the largest companies. 

Across all of our customers, we have more than a million users at the same time with no issues.

I have not needed technical support. 

The initial setup is more complex than FortiADC and takes about twice the amount of time. 

Our company provides setup and deployment for our customers. 

The solution is very expensive so should only be used in the right environment. I believe each device costs around $20,000 and includes a three-year license. 

I rate the cost a ten out of ten. 

We do not consider other options for large companies but do install FortiADC for small to mid-sized companies. 

It is important to know your network and assess your needs such as dust protection, VAT, and load balancing before deciding if FortiADC or F5 are the best solution.  

F5 is expensive so is only appropriate for large companies with high-level use. 

I rate the solution a nine out of ten. 

In Pakistan, the banking and financial sector requires F5 WAF solutions. I worked with other companies that had more clients, but my current company is a start-up. We have Palo Alto business, but we're trying to get F5 business.

F5 products are highly stable, top-notch solutions, and we have also the expertise to deploy and design the F5 and Palo Alto product lines. I have more than 10 years of experience with F5 and Palo Alto. I have deployed around F5 products for around seven or eight customers of F5.

F5 should consider adding network detection and response.

We have been using F5 solutions for two years, including load balancers and Advanced WAF.

Advanced WAF is highly stable.

F5 products are scalable, and they have an excellent R&D department. Their product is constantly maturing.

F5 technical support is excellent. They are experts who always provide the right solution, and they understand the problem. Their response and resolution times are good.

Advanced WAF is a difficult product for new users, but it's not too challenging if you have experience. Nevertheless, F5 products are generally considered to be hard to deploy. 

F5's hardware product line is called BIG-IP, and they have many software licenses for IP DNS, Advanced WAF, APM, anti-spam, etc. We have around 10 licenses.

I rate F5 Advanced WAF 10 out of 10. I would highly recommend the entire F5 product line.

It protects our public entities. Its use case is very directed at a resolution of security.

It protects our environment. It protects our entities.

Identification, ease of use, and ease of modifying it to most of our needs are valuable.

There should be more ability to rate limit certain scenarios. The majority of the time, it is either on or off. For certain types of use cases, there should be the ability to rate limit, not just enable or disable.

It is a very CPU-intensive application. I understand why, but I'm hoping that they could optimize the CPU utilization a little bit better.

I have been using this solution for eight years.

It is stable.

It is very scalable for what we need. It is a public-facing service. So, everybody on the internet would be able to utilize this type of service.

We are exploring areas to increase its usage.

I would rate them an eight out of ten.

Positive

We used other public entities for similar use cases.

It is pretty straightforward. A typical setup for these types of projects takes three months.

It is all done in-house. We do everything in-house. 

In its maintenance, I and other people are involved. The daily operations, which include modifying policies, are up to the individual application owners because they understand their applications a lot better than I or our standard operating team would. So, their usage might go higher than mine.

We have very much seen an ROI. It protects our revenue stream.

The way we deployed it, I would rate it a four out of five in terms of pricing.

I would advise doing your homework. It could be very simplified, or it could be very complex, but definitely, do your homework with the owners of the application because they understand the application more than certain people.

I would rate this solution an eight out of ten.

F5 Advanced WAF is used for the protection of applications from current web threats, including DDoS attacks. It provides a comprehensive security solution that incorporates different protection levels.

The most valuable feature of F5 Advanced WAF is its extensive set of capabilities for application protection, including DDoS prevention, and its ability to work with Pentesters and external scanners to observe user activity and eliminate false positives. This comprehensive approach to application security enables an organization to protect its web applications from diverse web threats effectively.

All features of Advanced WAF offer numerous functions, which means tuning configuration is not simple. It's a powerful tool yet can be complex for new users. Future updates should ensure not to break the current state, as users are concerned the new version may not meet current standards.

I have been using F5 Advanced WAF for more than ten years.

F5 Advanced WAF is considered a stable product, and I would rate it as ten out of ten in terms of stability.

The solution's scalability is solid, with the option to increase capabilities through licensing and adding modules in the virtual edition. However, it requires additional expenses, so I would rate it as a seven or eight out of ten.

F5 provides one of the best technical supports, though there have been a few cases where customers were dissatisfied due to response speed. However, in general, their support is highly efficient and knowledgeable.

Positive

In the past, Imperva was the leading solution, however, now F5 is preferred as it offers a superior solution according to customer feedback.

Deploying the solution, including initial configuration, licensing, addressing, and enabling WAF, could take one to three hours. However, for a comprehensive setup, considering external factors and optimizations, the process could take up to a month.

I handle installations and other related aspects by myself, without any additional help.

There are numerous benefits for end customers, as a secure application helps prevent potential breaches and ensures the safety of customers' data, especially in sensitive sectors like banking.

F5 Advanced WAF is not cheap. That said, it offers numerous features and is known as one of the best solutions in its segment. It provides significant value by offering comprehensive protection for high-stakes environments.

I work with other vendors, such as Broadcom, Qualys, BeyondTrust, and Trend Micro, depending on the customer's needs and the vision of my company.

I would fully recommend F5 Advanced WAF for its feature-rich offerings and high detection rate of threats. I rate it a ten out of ten as it is one of the best solutions available.

We use it for ASM and ATF. I am working at the PCI company, and I am a manager of F5. I work with F5 WAF and ASF.

Currently, I use version 50.1.4, and I'm going to update to the new version, 50.144.1.

I like the solution for ASM. There is an online update certification, but access is locked so we couldn't use it.

I would like to see a better interface and better documentation compatibility with other products. It's more complicated with OWASP.

F5 has a learning university, but it's very complex. I teach other people, and it can be confusing with the different versions of software. It's very hard to support that.

I've been working with this solution for four years.

The product is very stable. It is a PCI company, so there are 10,000-12,000 people using the solution. 

My TLS connection is unlimited, so I have a lot of clients because of internet payments. All of the internet payments are behind the ASM for the F5.

It's scalable and very easy to manage.

I worked with FortiWeb for a few years. It's a good product, but it's not very good for a big company. So we decided to migrate to F5.

The initial setup is from a configuration utility.

I would rate this solution 9 out of 10.

In APM or IT intelligence, it's the best. But in the ASM model, it's not as good as a 40G for Palo Alto.

The primary use case is to secure the organization's applications from web-based attacks, securing both web applications and APIs.

The product is used to secure web applications and has the ability to use API templates and bot protection features, such as blocking requests or presenting CAPTCHA pages to end users. We also implement Swagger files for API security and use custom profiles for device ID threshold management.

The main improvement needed is related to IP intelligence. Once we start receiving traffic from repetitive IP addresses, we have to report it to the SOC team to block it at the layer four level. Users would like to have an additional IP intelligence license to handle this within WAF itself without needing to engage with the SOC team.

The solution has been used for three years.

Customer service and support depend on the level of support subscribed to, such as silver or platinum support, which determines the response time.

Positive

Deploying the solution involves an application learning and blocking phase. The process includes collecting application data, creating policies, and applying them to lower testing environments like QA or dev before moving to UAT and production. The learning phase is used to handle false positives and fine-tune the policies before going live.

The in-house team manages and supports the WAF, handling incidents reported by end users when legitimate traffic is blocked. They update the policies to prevent the recurrence of similar blocks.

The pricing and support service levels affect response times from customer service, depending on whether the support level is silver, platinum, etc.

We are exploring cloud-based solutions like Azure WAF and AWS WAF.

I rate F5 Advanced WAF an eight out of ten.

It's considered one of the modules for the LTM box. It's all modules for the LTM box.

It is actually to protect the customer web application which is published on the internet. It's actually to protect that, and nowadays, we also have this threat intelligence. You will link to the F5 centra, the depository of the threat intelligence database. We always have the latest update on the common threat that is happening currently. You will notify the customer if there's an issue.

The threat intelligence function is great. Nowadays, there is more awareness on the security side. They'd have a real-time update from F5. It provides peace of mind on the security side for the customer.

It is an add-on module to protect the web application.

The solution can scale with planning.

The solution is stable.

Support is helpful.

The deployment side is quite complex. We'd like them to simplify the implementation process. I'm not sure whether they can do that, however, they have to be very detailed on configurations, and sharing of the policy. Anybody that configures this box, the WAF, they have to have knowledge of the application and some of the security portions there as well.

We've had the solution since last year. We have deployed it to a customer.

It is stable. Actually, it evolved from ASM, what they call the Application Security Manager, and now they name it Advanced WAF. It's been around for a while. There are no bugs or glitches. It doesn't crash or freeze. 

We'll size up based on the customer requirement with some buffer, maybe 20% to 30% for the future extension. There is also some consideration on the capacity planning and the size of the box. You can scale. You just need to plan ahead. 

In terms of users, with Advanced WAF, normally their role is more related to the security side.

We just implemented the solution recently and we'll have to wait another three or four years before we change or upgrade the solution. 

I've dealt with technical support. We're quite satisfied with them. They're good. 

Positive

F5 WAF is a web application, in the firewall domain, they have been in the market for a very long time. They know the requirements and the market trends very well. This is the reason why we normally chose F5.

The solution is pretty difficult to set up. You really have to have a grasp o the product to configure it correctly.

The setup takes approximately two months. It's quite a long time. If the application is not ready, then the dependency will be on the application side. Therefore, the cycle is quite long. It depends on the application readiness.

We just need one to two people to handle deployment and maintenance. 

The licensing is charged yearly. It's considered expensive, however, there are more expensive WAFs on the market - like Imperva. F5 is second after Imperva in terms of cost. L1 to L3 support is included in the cost.

I'd rate the price of the solution at a four out of five in terms of how expensive it is.

We tend to stay with F5, however, we will look at pricing and try to negotiate based on that. We'd like to get a discount and look at the market to see the costs. 

I'd advise that new users need to know the requirement expectations, and then the criticality of the application that they're going to let the user use. Sometimes the application is public to the internet for a public user to log into and query the database. In that case, we're exposed to all kinds of external parties. So if you put something that is cheap in place, something that is not able to do the protection properly, then it will be a very big risk to the company. 

I'd rate the solution ten out of ten. Our clients have been very happy with it.

We use F5 Advanced WAF to protect web applications on HTTPS, APIs, and portals.

F5 Advanced WAF helps our engineers to learn the complete configuration, including fundamental and advanced policies.

Most customers encounter stability issues with the product's Big-IP logs. It works slowly while retrieving logs.

We have been using F5 Advanced WAF since this year.

The product is more stable than Fortinet.

The product has modular appliances. It works well, scalability-wise.

The technical support services are good. The team includes professional engineers to communicate with the customers regarding cases.

It is easy to set up F5 Advanced WAF. Although, it is difficult to deploy and maintain compared to Fortinet. The deployment process involves gathering customer information regarding virtual servers to be protected. Later, we select the best design suitable for their requirements and start with license provisioning. Further, we configure LTM with special servers and nodes and proceed with configuring the security policy and advanced directory. It takes a week to protect the infrastructure fully. Once we have license provisioning, it is good to run.

F5 Advanced WAF's pricing is high. Fortinet and some other vendors are more affordable.

F5 Advanced WAF has good capabilities, powerful tools, and professional services. I advise others to compare pricing with vendors in terms of their use cases before purchasing the product.

I rate it a ten out of ten.