Imperva Web Application Firewall Reviews

We mostly use it for protecting web applications from online threats like DDoS attacks.

The most valuable feature of Imperva, in addition to its strong knowledge base, is its effective protection for web applications. This is crucial because it shields web applications from attacks. Another notable feature is its use of artificial intelligence for better security. Additionally, Imperva offers simulation for studying infrastructure and hybrid infrastructure protection, which are beneficial for overall security. However, the standout feature remains its knowledge base, as, without adequate attack signature knowledge, security can be compromised.

One potential improvement for Imperva is enhancing its alert system. While the core functionality isn't a problem, there is room for improvement in terms of the alerts' depth and comprehensiveness. Specifically, having more detailed and informative alerts could be beneficial, especially for mobile users and individuals. This would enable better visibility into security issues and facilitate more effective troubleshooting, ensuring that critical information doesn't get overlooked. Additionally, Imperva could see improvement in its integrations with other solutions. Integrations, such as those with QRadar, can sometimes be a bit challenging, falling between not being extremely difficult but also not very easy. Simplifying and enhancing these integration processes could be valuable.

I have been using Imperva Web Application Firewall for three years.

It is a stable solution.

When it comes to scalability, Imperva Web Application Firewall could use some improvement. I would rate the scalability as a seven out of ten. Three people use the solution at our company.

The technical support from Imperva is generally good. While we haven't encountered major issues with Imperva, I have found their support to be reliable and helpful. There haven't been significant problems, and the support seems to meet your needs effectively. I would rate the support as a nine out of ten.

Positive

Installation of the new version of Imperva in my organization was straightforward. I worked with an Imperva specialist, and it went smoothly and it only took a day. Maintaining Imperva is a standard process and not difficult. It is a typical level of effort for software maintenance. We have a team of three people at our company who maintain it.

My advice for people considering using Imperva is that it is crucial to first define what you need from a security solution. Once their requirements are clear, you should thoroughly evaluate Imperva and its features to ensure it aligns with their needs. Based on my experience, I highly recommend Imperva and would confidently endorse this solution to others. Overall, I would rate Imperva Web Application Firewall as a nine out of ten.

We use the latest version with all the functionality, not only WAF. Additionally, we use all the security capability that is possible to enable on Imperva including device security tools like API security.

We use this solution to protect the website for the company.

I find the configurability of the tools and the ease of operation to be the most valuable feature of Imperva.

I have three years of experience with Imperva Web Application Firewall.

This solution is very stable.

Scalability is very good.

Imperva's technical support is very good.

I used to work with Fortinet Web Application Firewall but it was not good.

The initial setup of Imperva is easy to do and only takes a few minutes to deploy.

Imperva Web Application Firewall is very expensive.

I have worked with Azure and find both solutions good. However, Imperva does have more advanced features than Azure.

I am very happy with this solution. I would rate the technical aspect a 10 out of 10, however because of the financial cost, I rate it an 8 out of 10.

Our primary use case is for protection of all our web applications.

Imperva Web Application Firewall is a very good solution and very feasible for any corporation. We can almost accommodate everything with this solution. We were able to accommodate almost all our use cases with this. This is one of the best solutions I have found so far.

The features I have found most valuable with Imperva Web Application Firewall are account takeover protection, advanced bot protection, and API security.

In terms of what could be improved, I would say reporting on the cloud side.

Additionally, I am looking for more data enrichment. We should have the ability to add our own custom data to the system, to the live traffic.

In the next release I would like to see more API security.

I have been using Imperva Web Application Firewall for almost five years.

We currently use a hybrid version but we are moving towards purely 100% cloud where we will shortly get rid of all the appliances.

Its stability is very good. In all aspects, it is very good. It is beyond my expectations actually.

In terms of scaling, Imperva Web Application Firewall is amazing. The product is really good so far.

We have very few users with direct usage - 10 users approximately.

There is zero maintenance.

Their customer support is very good. They are very quick.

I previously used F5 and something else whose name I don't remember.

We made the switch to Imperva because it is one of the best solutions on the market.

The initial setup is very easy.

It just took a few days.

We used the consultant. Our experience with them was not bad. But as I mentioned, things are not difficult here. It is fairly easy.

My advice to anyone considering Imperva Web Application Firewall is that they can safely go to this environment without having a second thought. I have done so much testing. I did so many use cases. It never failed so far.

On a scale of one to ten, I would give Imperva Web Application Firewall a 10.

We use Imperva for our web applications that we have hosted to protect them.

With our deployment setup, the benefit is regarding the security and how threats have been blocked. It's not studied in terms of resources or speed. The threat prevention is the aspect we are monitoring.

Empower administration is user-friendly, and we do not need much for managing day-to-day operations. It is easy to use and has good security. Also, it is very customizable, especially for controlling web browsers and devices.

I would prefer AI integrations for user administration, visualization, log analytics, and risk analysis. If they can bring in generative AI features, that would be useful.

I am working with Imperva at the moment and have been using it for maybe six to seven years.

It's very stable. We haven't had any issues.

Scalability is not a problem since we have enough resources as it's an on-premises version.

We have escalated to tech support and it's quite good. I would rate them a seven point five out of ten.

We didn't use any WAF product before Imperva.

The initial deployment was seamless, and there weren't many complexities.

The deployment was done by a separate company within the company.

I do not have much understanding about F5 yet as I am currently evaluating their solution.

I suggest looking for a cloud-based solution rather than on-premises, which might improve availability, stability, and security.

I'd rate the solution nine out of ten.

We use the solution to protect applications.

Imperva has a complete picture of how the applications are utilizing it. It is handy. DDoS is good. It has an internally managed database. It is very easy to integrate. We have integrated it with SIEM services.

Apart from predefined templates, it would be helpful if the solution provided an option to customize any new rules or additions based on the requirement.

I have been using Imperva Web Application Firewall for three years.

I rate the solution’s stability an eight out of ten.

The tool is pretty scalable. Around 1,000 users are using this solution.

I rate the solution’s scalability an eight out of ten.

We have used Barracuda. We switched to Imperva because Barracuda was not user-friendly and didn't offer predefined data.

The initial setup is simple.

The product's pricing is flexible.

I rate the product's pricing a seven out of ten, where one is cheap and ten is expensive.

I recommend the solution.

Overall, I rate the solution an eight out of ten.

We primarily use the solution as a firewall.

One good thing about Imperva Web Application Firewall is it can be on the cloud and also it can be on-premise. Either way, you can use it, and it's quite easy. 

It's quite easy to deploy. It is also a self-managed service. It's quite straightforward.

They do provide updates on a quarterly or half-yearly basis.

I don't really use it and therefore can't speak to areas of improvement. 

We've been using it for probably three or four years.

The solution is stable. 

Scalability-wise, it is not so scalable as the solution is quite straightforward. There's not much you can scale with the solution.

Mainly, the IT department uses the solution and there are ten to 20 of them.

Technical support is quite helpful and responsive. They support us well and they are available worldwide so it's quite easy to get help.

The product is very easy to deploy. It's simple and straightforward. It's not an overly complex solution.

Within half a day you can have it up and running. You just need two people to deploy and maintain the solution. 

We are users and also we are resellers.

The version we are using is the latest version. 

It has many valuable options or features. You just need to know what you need for your organization. If not, Imperva will probably tend to sell you almost everything. You just need to know what are the options that you need for your organization. Apart from that, the whole process is quite fast and it's quite reliable.

I'd rate the solution an eight out of ten.

I use the service for protection due to the fact that it has profile functionality.

Protection is the best solution since it has profile functionality.

Interesting alternatives are Akamai and some cloud solutions do exist.

Our primary use case is to protect our cloud production environment.

We have a co-location that we do with our QA and Dev and our pre-production environment. We do everything there. We built it for the production environment so we deploy everything in the cloud. We have the web application firewall in the cloud, after the proxy.

It has threat intelligence and we are using Incapsula. With threat intelligence, we can separate HTTP and HTTPS traffic. We can use Incapsula to send all the threat intelligence to the WAF.

The interface is very user-friendly. You get used to it. It's very convenient.

There could be some limitations rom the converged infrastructure perspective: when you want to converge with everything and you want Imperva to get there easily, because it's not a cloud component. For example, when you want to build servers and you're using OneView to manage your software-defined networks, implementing Imperva right away is not that simple. But if you're doing just a simple cloud infrastructure with servers in there, you're good to go.

Also, we are not able, with Imperva, to block by signatures. Imperva by itself needs to be complemented with another service to do URL filtering. That's why you need Incapsula.

No issues with stability. It has never crashed.

Scalability is affordable. There are no issues with the process of scaling.

They have centralized management, in terms of scalability. They have centralized policy control, they have centralized application profile information. On the dashboard they have Signature Update, Monitoring, Reporting. They clearly thought about the large-scale when they made this product.

We use a partner here in Puerto Rico for Imperva. We have a guy in our shop every day, full-time.

We used Fortigate. We switched because it's not a WAF. When you have a WAF, you want that WAF to do all kinds of configurations, to promote the firewall, to work the way you want it. Imperva came with everything, the whole package.

The initial setup was a little bit complex. But a third-party took care of everything. It's not like putting milk on cereal when you are working with these kinds of configurations. The effectiveness of a web application is going to come from the analysis of what your organization needs. If you don't have that information before you go into Imperva, you're going to have a lot to do when you get there. You need to know what you're doing. It's not something you can take out of the box and put in your infrastructure. It's somewhat hardcore to deal with these kinds of solutions. 

Make sure you understand the way that Imperva charges. It's very affordable. However, I would like to see a package with the Virtual Patching included. You get to do patching separately.

We had F5, Akamai, Fortinet, Barracuda. We may have looked at Juniper as well, I don't remember. Not too many companies have a WAF. Not all the firewall companies are WAF makers.

I think it's perfect. It's a very good application. When you do large-scale deployment you want to protect your physical web application with Imperva, trust me. It gives me peace of mind.

These are guys are from Israel and you should see that place. These guys are the best I have ever seen. They do all kinds of stuff and there is nothing that they cannot do. These people are incredible. They can configure and develop anything, customized, if you want it. Everything has a price, but they can do it right now. They don't have a "no."

We use Imperva with Incapsula so we have web security, we have DDoS protection, we have content delivery networking, we have load-balancing. We do everything with Incapsula cloud. For example, if you have an internet threat, that threat is trying to access your web application. Depending on the threat that you are receiving, the activity monitor is going to be triggered. Once that activity monitor gets triggered, the vulnerability management is going to defend you. It doesn't work for everything the same way. It's very intelligent.

Without tuning, it blocked 88 percent of the vulnerabilities, and when we tuned it, it blocked 98 percent. Whatever was not blocked didn't harm us. We use a third-party for tuning. We tell them what to do it and they do it. They get it done fast, sometimes in two to three days. It depends on what you're asking for. If you're asking for more accuracy, they go the distance to solve your problem. For example, the other day I had some keywords, some attack signatures that they were looking at for false-positives and false negatives, which are two different things. One of the main reasons we got Imperva is that we wanted to block attacks while limiting the number of false positives. I wanted the application scanner not to generate false positives by creating violations. I gave them the information, and the next day it was solved.

To put it in a high-level perspective, you are paying to see the things that are important, but you get a lot of noise. I wanted to reduce that noise. They allowed me to do that. 

Make sure you have the right testing methodology for Virtual Patching. If you want to take your patching to under 30 days, this is the product for you. We reduced it to five days. I think we are the only company where the patching is under five days. We are only doing it at the database-level right now. But we took it down to five days. 

There are proper ways to test a WAF, but the main advice I can give you is that you should not just generate attack traffic. The most effective method, for me, would be to generate both attack and legitimate traffic. That kind of approach will give you a way to rate the ability of the WAF to detect malicious traffic and to distinguish malicious traffic from good traffic. Provide real-world testing scenarios, in which the WAF must block attacks and avoid blocking good traffic at the same time. You will be able to measure how many false positives you're getting. That is the best way to test a WAF: Don't only to generate attack traffic.

Another piece of advice, and here I will jump  to the main fears of this environment - SQL injections, cross-site scripting, which I hate, DT's (Directory Traversals) - is that you need to provide another layer here which is IPS. IPS products will all rely on signatures. They are going to be created by the scanner to stop anything, that's just the basics of threat prevention. If these signatures are easy to circumvent, by using comments and encoding at the same time, they will be available for the WAF to stop any kind of session or cookie tampering. What I'm saying is that there should be technical attack protection. You should be thinking not only about WAF but combining WAF and IPS.

You need to find an IPS that works with it. Imperva has something similar to an IPS, it's not an IPS per se. For example, an IPS cannot detect or stop fraud malware. For that, you need to add certain other levels of security and combine it with employee training. If you get the web application, which is called SecureSphere, the WAF, it will protect you against web page fraud because they go by black IPs. So you can help the IPS on that side and the IPS can help you letting you know what to block from the internal network. You should be considering a combination of WAF and IPS.

Another thing to take into consideration for people who are starting, with respect to deploying a WAF, is that they should validate the accuracy of the solution and the ability it has to protect any application and help you with monitoring and management. It's not just technical stuff.