Head IT Infrastructure at ActivEdge
Real User
A robust solution that is efficient, scalable, and highly secure
Pros and Cons
  • "The solution isn't too expensive. The license allows you to license what you need and leave out what you don't need."
  • "The solution is tedious. It takes a lot of discrete settings so one needs to get detailed and granular when they use the solution. It takes you a whole lot of energy and concentration to configure. It needs to be much more straight-forward, like other web solutions."

What is most valuable?

The DCI feature is very valuable. The solution is very robust, and I like the setup.

With this solution, you can set distinct perimeters that you can monitor. You can go very granular, which makes it possible to set up very specific perimeters that you are then able to secure.

What needs improvement?

The solution is tedious. It takes a lot of discrete settings so one needs to get detailed and granular when they use the solution. It takes you a whole lot of energy and concentration to configure. It needs to be much more straightforward, like other web solutions.

They need to have a way to define attack signatures. It might help improve the user experience.

For how long have I used the solution?

I've been using the solution for close to four years.

What do I think about the stability of the solution?

The solution is quite stable. Since 2016, there hasn't been any concern in regards to security.

Buyer's Guide
F5 Advanced WAF
November 2024
Learn what your peers think about F5 Advanced WAF. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
815,854 professionals have used our research since 2012.

What do I think about the scalability of the solution?

The solution is highly scalable.

How are customer service and support?

Technical support is excellent. It's top-notch.

How was the initial setup?

The initial setup was very straightforward. The solution is very compact. It takes more than one month for effective deployment.

What's my experience with pricing, setup cost, and licensing?

The solution isn't too expensive. The license allows you to license what you need and leave out what you don't need.

What other advice do I have?

We currently deal with the on-premises deployment model.

I would recommend the solution for use as an efficient firewall. Security is a complex thing, however, and I would advise others to use multiple vendors for different layers.

I would rate the solution ten out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
reviewer1057971 - PeerSpot reviewer
Senior Engineer at a tech services company with 51-200 employees
Real User
Improves the protection for web applications in production from MySQL injection attacks
Pros and Cons
  • "With F5 Advanced WAF, it was protection for online publications and for our customers that caused us to choose the platform."
  • "F5 Advanced WAF needs better integration within the application, like remote dashboards."

What is our primary use case?

We use F5 Advanced WAF to protect some of our web applications and web services. We use F5 Advanced WAF as a web application firewall in production. 

Our clients are liable for the security of applications on the internet because they are in the banking services sector.

How has it helped my organization?

In this case, we used a few long-term models because F5 Advanced WAF is a complete solution. Our customers do not only use this model. 

F5 Advanced WAF is similar to other solutions used for a lot of projects. 

It's feasible for our customers to improve on their protection ability within the applications from secondary attacks, i.e. MySQL injection.

Each company is liable for the security of the customers using the service.

What is most valuable?

With F5 Advanced WAF, it was protection for online publications and for our customers that caused us to choose the platform. It was integrated by our company and not the dealer. 

What needs improvement?

For F5 Advanced WAF, it's only 70% different over time with upgrades. F5 can still build AWS support after many long years of absence. It's difficult to use.

F5 Advanced WAF needs better integration within the application, like remote dashboards. The pricing is too high. It needs better security features with the interface or dashboard.

We go through some problems with the Disc Doctor services and F5 was recommended to fix or avoid the same situation in the future.

F5 now is the product we use for the web products to have a web application firewall.

We need better integration in the application and more security features in the future.

For how long have I used the solution?

We have been using this solution for almost one year. It's new.

What do I think about the stability of the solution?

F5 Advanced WAF is very stable.

How are customer service and technical support?

The technical support of F5 I didn't use, but I heard people like the feature. I haven't needed it personally.

Which solution did I use previously and why did I switch?

We have used some other products but they didn't have enough functionality. You can launch media adaptation for variety with F5. That is one of the biggest advantages of this solution.

How was the initial setup?

In the market now there is a lot of information on the setup of F5 Advanced WAF. You can look for it on the company website. I didn't use F5 support directly, just the materials.

What's my experience with pricing, setup cost, and licensing?

F5 Advanced WAF is not a cheap product.

What other advice do I have?

My advice is to recommend F5 Advanced WAF for use. On a scale of 1 to 10, I would rate F5 Advanced WAF a nine.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer2155350 - PeerSpot reviewer
Application Security Engineer at a financial services firm with 10,001+ employees
Real User
Top 20
Powerful device for protecting web applications
Pros and Cons
  • "Provides good protection from attacks."
  • "We get false positives sometimes."

What is our primary use case?

I work for a bank and our use case of WAF is to protect our applications, including mobile ones. We are users of this solution and I am an IT specialist engineer. 

What is most valuable?

Protection from attacks is the best feature of this product. 

What needs improvement?

We sometimes get pages with false positives. The F5 team does its best to deal with this problem. I'd like to see this product compatible with more mobile applications, like protecting something devices from a malicious server or from the mobile application itself.

For how long have I used the solution?

We've been using this solution for one year. 

What do I think about the stability of the solution?

The stability is good. 

What do I think about the scalability of the solution?

The version we are using is not very scalable. 

How are customer service and support?

The technical support is generally good although in some cases they take a long time to respond and we then need to escalate the case to get an answer from a higher level. The team is mature and they are able to solve our problems.

How would you rate customer service and support?

Positive

How was the initial setup?

F5 has good documentation available on their website so deployment is relatively straightforward. 

What other advice do I have?

This is a mature solution and a very powerful device for protecting web applications. I rate this solution eight out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1627089 - PeerSpot reviewer
Chief Technology Officer at a tech company with 11-50 employees
Real User
Provides good security features, especially against SQL injection
Pros and Cons
  • "I like the security features, especially against SQL injection."
  • "I would like to see additional controls."

What is our primary use case?

We use this solution because we provide a platform that requires a lot of security.

The solution is deployed on cloud.

We have thousands of external users.

What is most valuable?

I like the security features, especially against SQL injection.

What needs improvement?

I would like to see additional controls.

For how long have I used the solution?

I have been using this solution for a year.

What do I think about the stability of the solution?

The stability is reasonably good. There haven't been any major issues so far.

What do I think about the scalability of the solution?

It's scalable. We haven't had any major issues so far.

How was the initial setup?

We went through the managed service partner, so they did the deployment. Deployment took about 15 days.

We have a few IT experts for maintenance. 

What about the implementation team?

Implementation was done in-house.

What other advice do I have?

I would rate this solution eight out of ten. 

My advice is to do a thorough testing of the application.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Ali Rochmat - PeerSpot reviewer
Sales Manager For State-Ownership Enterprise at PT EDI INDONESIA
Reseller
Scalable, good local support, and reliable
Pros and Cons
  • "F5 Advanced WAF is a stable solution, we are satisfied. It is more stable than FortiWeb."
  • "F5 Advanced WAF could improve the precision of the scanning. There are many false positives. They should improve their threat database."

What needs improvement?

F5 Advanced WAF could improve the precision of the scanning. There are many false positives. They should improve their threat database.

For how long have I used the solution?

I have been using F5 Advanced WAF for three years.

What do I think about the stability of the solution?

F5 Advanced WAF is a stable solution, we are satisfied. It is more stable than FortiWeb.

What do I think about the scalability of the solution?

I have found F5 Advanced WAF to be scalable.

How are customer service and support?

The local support is good and they have been helpful. However, if we raise an issue to the global support they take a lot of time to return our inquiry.

What's my experience with pricing, setup cost, and licensing?

The price of the enterprise solution is reasonable. However, if you are a small to medium-sized business the price could be difficult to afford.

F5 Advanced WAF pricing structure should be adjusted to meet the need of small to medium-sized companies.

What other advice do I have?

I rate F5 Advanced WAF an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer:
Cyber & Security Application Delivery Expert at Hewlett Packard Enterprise
Real User
Top solution for WAF, with a simple initial set up
Pros and Cons
  • "The best solution for WAF."
  • "I think the deployment templates can be better."

What is most valuable?

The anti-bot protection has been the most valuable.

What needs improvement?

I think the deployment template can be better, like the iApps they have in the F5 MPM. I think the deployment templates can be better.

For how long have I used the solution?

I've been using the solution for four years.

What do I think about the stability of the solution?

The solution is pretty stable.

How are customer service and technical support?

The technical support is very good. I'm using the F5 technical support, maybe once a quarter. Something like three to five times a year. When I find a bug then I post them to their forum because I'm using it a lot. I can find the bugs. But it's very good support.

How was the initial setup?

The initial setup was very simple. The initial setup is done by the machine. The ASM HS, the WAF itself, not the deployment of the application. So it was very simple, I am working with VIP for almost a full year. Something like ninety percent of my activities are F5 related. I specialize in F5 now and everything in F5 is very, very simple.

What about the implementation team?

I'm an integrator.

What's my experience with pricing, setup cost, and licensing?

I think the price is very high. This is what I hear from the customers. Sometimes we cannot sell the product because it is a higher price.

Which other solutions did I evaluate?

I evaluated a few other options. Kemp, for example, but Kemp is not a WAF, it's a load balancer, it's for another model of the F5 so it's not related to do WAF. And we're speaking about the WAF.

What other advice do I have?

I would recommend this solution. It would be the best solution for WAF.

I think the dashboard can be improved. When you move from the policy to policy, the logs and the integration of the logs are without a system. Maybe make it like other SIEM systems and system servers like Splunk. They do have a lot of training videos and manuals. This helps. But not really about integration or feature improvement.

I would rate this solution a ten out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
reviewer1212621 - PeerSpot reviewer
Product Manager at a comms service provider with 501-1,000 employees
Real User
Mitigates DDoS, DNS, and layer seven application attacks, but has issues with scalability and stability
Pros and Cons
  • "Good technology for mitigating different application attacks, e.g. DDoS, DNS, and layer seven attacks."
  • "Compatibility with multiple cloud environments needs improvement. Both stability and scalability need to be improved."

What is our primary use case?

We use F5 Advanced WAF to secure our public cloud. We also use it to secure firewalls for applications and websites. Whether on-premises or on public cloud, these are the usual use cases for WAF.

What is most valuable?

The most valuable feature of F5 Advanced WAF is its ability to mitigate attacks: DDoS and DNS, or layer seven application attacks, OWASP, and email.

What needs improvement?

The vendor needs to work on developing an MSP model for this solution as that is what's trending on the market, plus integrating this solution under a SASE model. Not all vendors' products are compatible with SASE, and not compatible with delivering multi-deployment options from hardware appliance, VM-based, shared cluster, etc.

The compatibility of F5 Advanced WAF with multiple public cloud environments also needs to be improved, and not to be overlooked with the VMware environment.

This solution shouldn't only focus on Azure public cloud compatibility, as they need to also work with and be compatible with private cloud on multiple environments.

I'm not aware of the latest updates in terms of features, but they need to work on enhancing their product, because it seems they have an issue in the market. Day by day, they seem to be lagging behind all the new products in the market.

For how long have I used the solution?

We've been working with this solution for one year.

What do I think about the stability of the solution?

The stability of this solution is not great. It's stable, but you are aware of the performance stability when you are relying on a VM-based environment, so there is another layer of performance of the infrastructure itself which you need to take into consideration when talking about stability.

Sometimes the product performance is good, but the infrastructure you are using causes some performance issues.

Now VMware is doing great when it comes to performance, so the performance of the F5 Advanced WAF licensed on our VMware environment is good as well.

What do I think about the scalability of the solution?

This solution is not easy to scale. F5 is suffering from scalability issues. They are struggling with scalability.

How are customer service and support?

I never contacted F5's technical support team because we are the main service provider, and this means we have our own support.

How was the initial setup?

The initial setup for F5 Advanced WAF is complex.

What about the implementation team?

We implemented this solution through our in-house team.

What's my experience with pricing, setup cost, and licensing?

Pricing for this solution is higher than average in the market, when compared to its competitors. They should revise their prices in the market.

There is no additional cost besides the licensing, and it will also depend on the service delivery model: VM-based or hardware-based. The licensing model, however, is similar among all the vendors.

Which other solutions did I evaluate?

I evaluated FortiWeb.

What other advice do I have?

I work with F5 Advanced WAF (Web Application Firewall). It's hardware-based and VM-based.

We are a partner of F5 as a technology vendor.

Deployment of this solution could either be on-premises, via cloud, or both. F5 and VMware have a partnership, so our infrastructure is based on the VMware environment which comes with the F5 capabilities for the WAF.

The technology is evolving every day and vendors are doing well. Each technology has its pros and cons, and it will take a long time to discuss areas for improvement.

One of the issues of this solution is that it is complex.

How long deployment will take will depend on the customer's environment and use cases.

Maintenance of this solution requires patching the vendor update which is most important for product maintenance or solution maintenance, and doing monitoring for availability and performance.

F5 Advanced WAF works among all segmentations and all market size: small, medium, or large companies. However, I am seeing based on my experience, that Fortinet's WAF technology: FortiWeb, is now doing much better than F5.

Fortinet is doing much better in all aspects: in the protection itself, user-friendliness, threat intelligence, etc. The capabilities of FortiWeb are doing well in the market. Both pricing and delivery models are also more competitive than F5 Advanced WAF's.

My advice to future customers of F5 Advanced WAF or to people thinking of using it is that there is a much better product in the market. One of the better products is Fortinet (FortiWeb).

I'm rating this solution a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Network Engineer at a tech services company with 11-50 employees
Real User
It is very stable as a load balancer or a web application firewall
Pros and Cons
  • "In terms of F5 Advanced WAF's most valuable features, I would definitely say its stability. F5 is one of the most stable products. Either as the load balancer or the web application firewall, it is very stable."
  • "I would say their graphical interface, the GUI. I don't like the GUI as much as before."

What is our primary use case?

There is the Simple WAF and the Advanced WAF. We are currently working on the Advanced WAF, but previously, before the Advanced WAF came out, we were just using the Simple WAF.

We use the on-prem version because the cloud solution is not that popular here.

I have a customer here who has multiple applications dealing with the day to day operations. We have deployed the application firewall in the network and most of their web traffic from outside of their network comes into that WAF. This includes the email application Outlook and their own in-house application tools deployed that they use to sell their merchandise. They have a feature where you can transfer money to the other user based on their mobile phone number. So these web applications and in-house tools are the most used applications in their network.

What is most valuable?

In terms of F5 Advanced WAF's most valuable features, I would definitely say its stability. F5 is one of the most stable products. Either as the load balancer or the web application firewall, it is very stable.

Additionally, the method it uses to block attacks and the logging and support are very good. You can see anything you want in the logging and reporting section of the device, it is very detailed. These are two valuable features from F5.

What needs improvement?

If I had to summarize what needed improvement, I'd say they are currently in the process of updating their software. But more specifically, I would say their graphical interface, the GUI. I don't like the GUI as much as before, but now I think they're focusing on it. We are getting some new good features in the latest update. But there is still room for improvement on the user interface as well. It's easy to use. It's not difficult but it is not pleasing to the eye. Most of the time you want to see something dynamic, something like the reporting section or the system usage, the CPU, some detailed graphs, anything of that sort. So I guess they have some room for improvement there. Don't make it more complicated, just make it more pleasing to the eye.

We are using the most stable version. Because recently we got an email from F5 suggesting that if you have any user on the 14.1.2.0 that there was a vulnerability on that feature. And it was quite a severe one, so they asked us to immediately update that license to another version.

They currently have 15 versions, but they are not stable. They didn't recommend them to us. So most of the customers in Pakistan are using the 14.1.2.6 version. That is the most stable version and is recommended by F5.

My focus is normally on logging and reporting, because customers always ask for a clear reporting criteria. I would like it if they could simplify the reporting process. If I create something, I want to get a good report on it that I can read in seconds or in minutes. I don't want extra details in it. They should work on the exporting of the logging and reporting.

For how long have I used the solution?

I have been using Advanced WAF since it came on the market last year. Advanced WAF is the advanced version of WAF which I have been using for three years.

What do I think about the scalability of the solution?

F5 basically starts their hardware model from a 10GB distribution. So it is a good device to start with and in Pakistan we mostly have up to 40 or 60 gigabytes of devices.

As far as scalability is concerned, we already talked to the customer in detail about what kind of traffic they are expecting in the next five or seven years. Then we decide the box on that data basis and normally we don't have to worry about scaling later.

In terms of adding more features on the F5 hardware, that is a question based on the module. If it takes too much of the CPU, then it is difficult and scaling would be difficult with that hardware. If the hardware is not so many CPUs, then we have to dedicate to each module. Then the scalability becomes a bit difficult. But if you already have hardware that has CPUs in abundance, you can add as many modules as you want. There's no problem.

F5 lets you decide if you want to assign a specific module, a dedicated CPU or nominal resources. You can even decide if you want nominal resources or if you want full resources for that specific module. It all depends on the importance of that module in your business application.

If they are a small company, 250 to 500 employees, or less than 250, then we can go for the virtual Edition of the F5, because as I said, the hardware solution starts from a 10GB box. This can handle thousands of requests per second.

It would be a bit costly for a small scale business. If someone wants F5 and he has less applications and nominal users, he can go for the Virtual Edition. Most of the customers in Pakistan who are using F5 are in the banking sector. They have a good amount of users already, 1500, 3000. So mostly we have banks in Pakistan using F5. And I guess also a few in the education sector and businesses. Otherwise, not many small businesses have F5. The one I mentioned that is using AWAF is a big telecom in Pakistan and they have millions of users. It is not for the very small businesses, I guess.

How are customer service and technical support?

I have had many experiences with customer support, both good and bad. Truthfully, they can improve a bit. There are two methods to engage the F5 support. You either call or email them. It's your choice. 

You decide which location you want to call, either the Singapore or UK office, because there is no support in Pakistan. We have to ask for support from either UAE, Singapore, the UK or the US. If I call, I normally prefer to call Singapore, because our region mostly deals with the Singapore head office. Sometimes there's a problem understanding Singaporean language and it's tough to talk to them. 

But if you reach out over email, then obviously it is easier. Talking to them on the phone is quite a difficult task. Secondly, if you open a customer request from a portal, we have a customer support portal for the client as well. Normally we get the engineer from UK or Singapore. It also depends on the engineer - sometimes he's very responsive. He will just respond to you in an hour or day. And sometimes you get an engineer who is absent for two, three days and you have to call them and change engineers because the first one is not responding.

In short they have to improve a bit on support.

Which solution did I use previously and why did I switch?

We mostly deal with F5 and we always ask our customers who want the web application firewall to go for F5. We do have other web solutions as well, like Fortinet FortiWeb, another popular solution. For small businesses, we don't suggest that. 

We are gold partners with F5, so we always suggest F5.

How was the initial setup?

In terms of the initial setup, for a person who is a bit experienced it is not that difficult. It is a straightforward device. You follow the same principle and the same steps and you are good to go. Just follow the steps. F5 guides you through the initial configuration, which is another of their features. If you don't want to go for the manual config you can just follow their step by step. Press - next, next, next, next then you have the initial configuration done. 

Then you can move to your own configuration according to your network and according to your need. It's an easy device to configure, it's not difficult. 

Only the graphical user interface needs some kind of improvement to make it more modern. But as far as the straightforward install is concerned, it's good and easy.

One person is enough for the deployment and for the check.

In terms of how long it takes to deploy Advanced WAF, it depends on the number of applications you have to put behind the F5 number one. 

The initial network configuration won't take so long if you have all the required data. 

You can set up the initial configuration in an hour or two. But the more applications you add will determine the length of the configuration. 

We mostly deploy Advanced WAF in automatic mode. We don't do the manual configuration of the security side. We just put application details there and we let F5 decide the learning process. It normally takes 15 to 20 days to get a good grip on the application, the language, and the do's and don'ts. We let F5 decide. 

It takes around 15 to 20 days to get it into the blocking mode. But for the configuration for one application it will hardly take 30 minutes to be configured. It all depends on the amount of applications you have.

What other advice do I have?

My advice is that if you need a web application firewall you should go for F5. It is one of the best solutions in the past six or seven years.

F5 has been the leader in this field. It's a stable solution. One just has to decide their organization's goals in the beginning for the next five years or so. Because if they wrongly select the hardware module, they cannot do the scalability if they want to add a number of modules in the future. So selecting the product should be done with great care. Otherwise, I guess it's okay. If you want a good web application firewall go for F5.

On a scale of one to ten, I would rate F5 Advanced WAF a nine.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner