Our primary use case is to protect our cloud production environment.
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Gives me peace of mind, blocks everything we need it to block
Pros and Cons
- "It has threat intelligence and we are using Incapsula. With threat intelligence, we can separate HTTP and HTTPS traffic. We can use Incapsula to send all the threat intelligence to the WAF."
- "There could be some limitations from the converged infrastructure perspective: when you want to converge with everything and you want Imperva to get there easily because it's not a cloud component. For example, when you want to build servers and you're using OneView to manage your software-defined networks, implementing Imperva right away is not that simple. But if you're doing just a simple cloud infrastructure with servers in there, you're good to go. Also, we are not able, with Imperva, to block by signatures. Imperva by itself needs to be complemented with another service to do URL filtering."
What is our primary use case?
How has it helped my organization?
We have a co-location that we do with our QA and Dev and our pre-production environment. We do everything there. We built it for the production environment so we deploy everything in the cloud. We have the web application firewall in the cloud, after the proxy.
What is most valuable?
It has threat intelligence and we are using Incapsula. With threat intelligence, we can separate HTTP and HTTPS traffic. We can use Incapsula to send all the threat intelligence to the WAF.
The interface is very user-friendly. You get used to it. It's very convenient.
What needs improvement?
There could be some limitations from the converged infrastructure perspective: when you want to converge with everything and you want Imperva to get there easily, because it's not a cloud component. For example, when you want to build servers and you're using OneView to manage your software-defined networks, implementing Imperva right away is not that simple. But if you're doing just a simple cloud infrastructure with servers in there, you're good to go.
Also, we are not able, with Imperva, to block by signatures. Imperva by itself needs to be complemented with another service to do URL filtering. That's why you need Incapsula.
Buyer's Guide
Imperva Web Application Firewall
November 2024
Learn what your peers think about Imperva Web Application Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
815,854 professionals have used our research since 2012.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
No issues with stability. It has never crashed.
What do I think about the scalability of the solution?
Scalability is affordable. There are no issues with the process of scaling.
They have centralized management, in terms of scalability. They have centralized policy control, they have centralized application profile information. On the dashboard they have Signature Update, Monitoring, Reporting. They clearly thought about the large-scale when they made this product.
How are customer service and support?
We use a partner here in Puerto Rico for Imperva. We have a guy in our shop every day, full-time.
Which solution did I use previously and why did I switch?
We used Fortigate. We switched because it's not a WAF. When you have a WAF, you want that WAF to do all kinds of configurations, to promote the firewall, to work the way you want it. Imperva came with everything, the whole package.
How was the initial setup?
The initial setup was a little bit complex. But a third-party took care of everything. It's not like putting milk on cereal when you are working with these kinds of configurations. The effectiveness of a web application is going to come from the analysis of what your organization needs. If you don't have that information before you go into Imperva, you're going to have a lot to do when you get there. You need to know what you're doing. It's not something you can take out of the box and put in your infrastructure. It's somewhat hardcore to deal with these kinds of solutions.
What's my experience with pricing, setup cost, and licensing?
Make sure you understand the way that Imperva charges. It's very affordable. However, I would like to see a package with the Virtual Patching included. You get to do patching separately.
Which other solutions did I evaluate?
We had F5, Akamai, Fortinet, Barracuda. We may have looked at Juniper as well, I don't remember. Not too many companies have a WAF. Not all the firewall companies are WAF makers.
What other advice do I have?
I think it's perfect. It's a very good application. When you do large-scale deployment you want to protect your physical web application with Imperva, trust me. It gives me peace of mind.
These guys are from Israel and you should see that place. These guys are the best I have ever seen. They do all kinds of stuff and there is nothing that they cannot do. These people are incredible. They can configure and develop anything, customized, if you want it. Everything has a price, but they can do it right now. They don't have a "no."
We use Imperva with Incapsula so we have web security, we have DDoS protection, we have content delivery networking, we have load-balancing. We do everything with Incapsula cloud. For example, if you have an internet threat, that threat is trying to access your web application. Depending on the threat that you are receiving, the activity monitor is going to be triggered. Once that activity monitor gets triggered, the vulnerability management is going to defend you. It doesn't work for everything the same way. It's very intelligent.
Without tuning, it blocked 88 percent of the vulnerabilities, and when we tuned it, it blocked 98 percent. Whatever was not blocked didn't harm us. We use a third-party for tuning. We tell them what to do and they do it. They get it done fast, sometimes in two to three days. It depends on what you're asking for. If you're asking for more accuracy, they go the distance to solve your problem. For example, the other day I had some keywords, some attack signatures that they were looking at for false positives and false negatives, which are two different things. One of the main reasons we got Imperva is that we wanted to block attacks while limiting the number of false positives. I wanted the application scanner not to generate false positives by creating violations. I gave them the information, and the next day it was solved.
To put it in a high-level perspective, you are paying to see the things that are important, but you get a lot of noise. I wanted to reduce that noise. They allowed me to do that.
Make sure you have the right testing methodology for Virtual Patching. If you want to take your patching to under 30 days, this is the product for you. We reduced it to five days. I think we are the only company where the patching is under five days. We are only doing it at the database-level right now. But we took it down to five days.
There are proper ways to test a WAF, but the main advice I can give you is that you should not just generate attack traffic. The most effective method, for me, would be to generate both attack and legitimate traffic. That kind of approach will give you a way to rate the ability of the WAF to detect malicious traffic and to distinguish malicious traffic from good traffic. Provide real-world testing scenarios, in which the WAF must block attacks and avoid blocking good traffic at the same time. You will be able to measure how many false positives you're getting. That is the best way to test a WAF: Don't only generate attack traffic.
Another piece of advice, and here I will jump to the main fears of this environment - SQL injections, cross-site scripting, which I hate, DT's (Directory Traversals) - is that you need to provide another layer here which is IPS. IPS products will all rely on signatures. They are going to be created by the scanner to stop anything, that's just the basics of threat prevention. If these signatures are easy to circumvent, by using comments and encoding at the same time, they will be available for the WAF to stop any kind of session or cookie tampering. What I'm saying is that there should be technical attack protection. You should be thinking not only about WAF but combining WAF and IPS.
You need to find an IPS that works with it. Imperva has something similar to an IPS, it's not an IPS per se. For example, an IPS cannot detect or stop fraud malware. For that, you need to add certain other levels of security and combine it with employee training. If you get the web application, which is called SecureSphere, the WAF, it will protect you against web page fraud because they go by black IPs. So you can help the IPS on that side and the IPS can help you letting you know what to block from the internal network. You should be considering a combination of WAF and IPS.
Another thing to take into consideration for people who are starting, with respect to deploying a WAF, is that they should validate the accuracy of the solution and the ability it has to protect any application and help you with monitoring and management. It's not just technical stuff.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
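The mixed-traffic test described in the review above, as an added example that is not the reviewer's or Imperva's code: it scores a WAF test run from labelled outcomes and returns the detection rate, the false positive rate, and the request IDs to hand to whoever tunes the policy. The record layout, the function names and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    request_id: str
    category: str    # test-plan label, e.g. "sqli", "xss", "traversal", "legit"
    is_attack: bool  # ground truth from the test plan
    blocked: bool    # what the WAF actually did with the request


def score(outcomes):
    """Score one WAF test run; refuses a corpus that lacks either traffic class."""
    tp = fp = tn = fn = 0
    missed, wrongly_blocked = [], []
    per_category = defaultdict(lambda: [0, 0])  # category -> [blocked, total]
    for o in outcomes:
        per_category[o.category][0] += int(o.blocked)
        per_category[o.category][1] += 1
        if o.is_attack and o.blocked:
            tp += 1
        elif o.is_attack:
            fn += 1
            missed.append(o.request_id)           # false negative
        elif o.blocked:
            fp += 1
            wrongly_blocked.append(o.request_id)  # false positive
        else:
            tn += 1
    # An attack-only (or legit-only) corpus cannot measure both rates.
    if tp + fn == 0 or fp + tn == 0:
        raise ValueError("corpus needs both attack and legitimate traffic")
    return {
        "detection_rate": tp / (tp + fn),
        "false_positive_rate": fp / (fp + tn),
        "missed": missed,
        "wrongly_blocked": wrongly_blocked,
        "blocked_ratio_by_category": {
            cat: blocked / total for cat, (blocked, total) in per_category.items()
        },
    }


# Constructed test corpus: (request id, category, is_attack). No real payloads.
CORPUS = [
    ("a1", "sqli", True), ("a2", "sqli", True),
    ("a3", "xss", True), ("a4", "traversal", True),
    ("l1", "legit", False), ("l2", "legit", False),
    ("l3", "legit", False), ("l4", "legit", False),
]


def make_run(blocked_ids):
    """Pair the corpus with the set of request IDs the WAF blocked in a run."""
    return [Outcome(i, c, a, i in blocked_ids) for i, c, a in CORPUS]


# Constructed results for the same corpus before and after policy tuning.
UNTUNED = make_run({"a1", "a2", "a4", "l2"})
TUNED = make_run({"a1", "a2", "a3", "a4"})

if __name__ == "__main__":
    for name, run in (("untuned", UNTUNED), ("tuned", TUNED)):
        result = score(run)
        print(name, result["detection_rate"], result["false_positive_rate"],
              result["missed"], result["wrongly_blocked"])
```

Replaying the same corpus after each policy change keeps the two rates comparable between runs.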
Senior Cyber Security Specialist Architect at Cyberlinx
Provides out-of-the-box security for web applications
Pros and Cons
- "There is a quick switch between any of the nodes if something goes wrong, where there's an attack against a specific area. The security setup is reasonably easy. It's not a problem to do setups and rules and integrations. And, yeah, just the back end team is also very willing to assist if there are questions that we cannot answer or with the questions that we do have."
- "The UI interface needs improvement."
What is our primary use case?
The solution is being used for communication.
What is most valuable?
If something goes wrong, there is a quick switch between nodes, wherever there's an attack against a specific area. The security setup is reasonably easy. It's easy to do setups, rules, and integrations. The backend team is also willing to help if there are questions that we cannot answer.
What needs improvement?
The UI interface needs improvement.
For how long have I used the solution?
I have been using Imperva Web Application Firewall for six months.
What do I think about the stability of the solution?
The solution is highly stable. I rate the stability a ten out of ten.
What do I think about the scalability of the solution?
It is a scalable solution. I would rate it a nine out of ten.
How was the initial setup?
The initial setup is easy. The deployment depends on the customer's solution but does not take more than a few hours. I rate the initial setup an eight out of ten.
What's my experience with pricing, setup cost, and licensing?
It is a very affordable solution.
What other advice do I have?
I would definitely recommend the solution. I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Technical Support Engineer at PT. Sinergy Informasi Pratama
Improves security of web applications but UI needs enhancement
Pros and Cons
- "The tool's profiling feature maps all the web application directories and related components on the profile directory. It has improved the security of my client's website applications."
- "The tool's UI is complicated. It would be best to have a more accessible UI dashboard to make the job easier."
What is most valuable?
The tool's profiling feature maps all the web application directories and related components on the profile directory. It has improved the security of my client's website applications.
What needs improvement?
The tool's UI is complicated. It would be best to have a more accessible UI dashboard to make the job easier.
For how long have I used the solution?
I have been using the product for three years.
What do I think about the stability of the solution?
I rate the tool's stability an eight out of ten. We have encountered bugs, but they are fixed fast.
What do I think about the scalability of the solution?
I rate Imperva Web Application Firewall's scalability an eight to nine out of ten.
How are customer service and support?
Imperva Web Application Firewall's customer support is good and responsive. However, they are less responsive on public holidays.
How would you rate customer service and support?
Positive
How was the initial setup?
Imperva Web Application Firewall's deployment is easy. Onboarding a website on Imperva Web Application Firewall is much easier than Fortinet. With the product, the process is simplified, as you only need to enter your application's IP address on the website for the site, and the profiling firewall automates the process. For large-scale web applications, deployment can take four days to complete.
What's my experience with pricing, setup cost, and licensing?
Imperva Web Application Firewall's pricing is expensive.
What other advice do I have?
I rate Imperva Web Application Firewall a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Last updated: Feb 21, 2024
Solutions Engineer at a tech services company with 1,001-5,000 employees
A proactive security solution that protects web applications and APIs and enables easy administration
Pros and Cons
- "We can prevent attacks or issues even before they happen."
- "Sometimes, support tickets don't get addressed quickly."
What is our primary use case?
The solution is used by SMBs and enterprises that have a lot of websites that they need to protect.
How has it helped my organization?
Since the product is categorized in Gartner as a Web Application and API Protection tool, it protects APIs and web applications. It provides bot and client-side protection. I have done POCs. Once the platform is configured to block DDoS attacks, no traffic regarding DDoS or bots gets into the application.
What is most valuable?
If the clients have requirements for APIs and microservices, we can offer such services with the help of the solution. We can offer it as a security solution that protects APIs and microservices. Imperva’s real-time monitoring makes it very easy for administrators to monitor their existing web applications.
What needs improvement?
My clients raised a concern that even if they need the tool only for DDoS protection, they still have to buy the WAF license. It’s difficult to position the tool if the client already has a WAF solution and needs Imperva only for DDoS protection.
For how long have I used the solution?
I have been using the solution since June last year.
What do I think about the stability of the solution?
I rate the tool’s stability a ten out of ten. Since I've been onboarded, I haven't had any issues.
What do I think about the scalability of the solution?
I rate the tool’s scalability a ten out of ten. Imperva allows only clean traffic. The scalability is based on the clean traffic and not the overall bandwidth of the client. Our clients are mostly enterprise businesses. I have some SMB customers.
How are customer service and support?
Sometimes, support tickets don't get addressed quickly. However, the support team gets to it eventually.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is very easy. I rate the ease of setup a ten out of ten. The time taken for deployment depends on the number of applications we want to onboard. Usually, we can do it in a day.
What was our ROI?
Imperva is a very proactive solution. It is not reactive. We can prevent attacks or issues even before they happen. It is something people must consider since many enterprises are facing DDoS attacks, and their data is getting compromised.
What's my experience with pricing, setup cost, and licensing?
I rate the solution’s pricing a seven out of ten. Some solutions are cheaper than Imperva. Imperva’s pricing is a bit higher in the market since it offers a full-blown WAF.
What other advice do I have?
We are partners. I rate the product's integration with our client's IT infrastructure a nine out of ten. It is easily integrated since many configurations are needed to onboard Imperva into a client’s infrastructure fully. Overall, I rate the product a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Technology Operations Manager, Global IT at a tech services company with 11-50 employees
Deploys easily; good, responsive customer service
Pros and Cons
- "I have had a positive experience with Imperva Web Application Firewall's tech support so far. They are knowledgeable and respond on time."
- "The Imperva Web Application Firewall automations are good, but there is still room for improvement with them."
What is our primary use case?
Our primary use case for the solution is securing our applications and customer-facing website.
What is most valuable?
The Imperva Web Application Firewall feature I have found the most valuable is the ease of deployment. The solution's customer service is good as well.
What needs improvement?
The Imperva Web Application Firewall automations are good, but there is still room for improvement with them. Fast rule propagation could also be improved.
For how long have I used the solution?
My company has been using Imperva Web Application Firewall for four years. But, personally, I have been using it for three years. It was already operational in the organization when I joined.
What do I think about the stability of the solution?
We have not had any issues with stability.
What do I think about the scalability of the solution?
I think Imperva Web Application Firewall is scalable.
How are customer service and support?
I have had a positive experience with Imperva Web Application Firewall's tech support so far. They are knowledgeable and respond on time.
How would you rate customer service and support?
Positive
How was the initial setup?
I was not with the company when Imperva Web Application Firewall was initially deployed but I believe the process was straightforward.
Which other solutions did I evaluate?
F5 firewalls are clunky and that is why we do not use them. They are good and powerful, but it takes quite a bit to set them up. They are not as easy to set up as Imperva Web Application Firewall.
What other advice do I have?
I would say: take Imperva Web Application Firewall into consideration because of its simplicity.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
SOAR Consultant at a tech services company with 1,001-5,000 employees
Scalable and stable firewall for web applications with a good interface, but path and traffic visibility need improvement
Pros and Cons
- "Very scalable and very stable firewall for web applications, with a good interface in its cloud version. Mitigation is its most valuable feature. The technical support for this product is also good."
- "Imperva Web Application Firewall is a good system, but we found that the visibility of the diverse-path server, e.g. where the traffic is coming from, the different IPs, etc., needs improvement."
What is most valuable?
The mitigation feature is what I find most valuable in Imperva Web Application Firewall. The interface of the cloud version of this solution is also good.
What needs improvement?
Every product has room for improvement, and in Imperva Web Application Firewall, we found a limitation when we need to check which email IP traffic is coming from, e.g. we cannot find it.
Imperva Web Application Firewall is a good system, but we found that the visibility of the diverse-path server, e.g. where the traffic is coming from, the different IPs, etc., needs improvement. If we can populate that information, we can block them in our firewalls, and that would make this solution better.
Though the cloud interface of Imperva Web Application Firewall is good, the interface of the on-premises version is not as appealing, and it's what I'd like to see improved in the next release of this solution.
What do I think about the stability of the solution?
Imperva Web Application Firewall is a very stable solution.
What do I think about the scalability of the solution?
The cloud version of Imperva Web Application Firewall is very scalable.
How are customer service and support?
Technical support for this solution is good.
How was the initial setup?
It's very easy to set up the cloud version of Imperva Web Application Firewall. It's not difficult, because you just need to map your DNS, and that's it. Setting up this solution is not a problem.
What other advice do I have?
I'm working as a cyber security consultant and I provide Imperva Web Application Firewall and other similar solutions to customers.
We are working in the Middle East, e.g. we are deploying solutions to different organizations.
I don't have any input on the pricing for Imperva Web Application Firewall, as that part is covered by the research team.
I don't have advice for people looking into implementing this solution, except that everyone has different opinions and different requirements. Every organization has different requirements, and their choices will be based on their requirements. If all their requirements are fulfilled by Imperva Web Application Firewall, then they'll want to implement or use it.
I'm giving Imperva Web Application Firewall a score of seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CTO at CyberApp
Dual perspective of positive and negative security makes for optimal protection
Pros and Cons
- "Compared to other web application firewalls in the market, Imperva does things in the most accurate way."
- "I think that better bot protection is needed in this solution."
What is our primary use case?
For some time now, I have been the CTO of a consulting company and our main issue is web application security. We also handle database security.
This is one of the solutions that we implement for our clients.
The primary use of this solution is the protection of applications.
What is most valuable?
This product has a logical perspective of negative and positive security. Negative meaning all of the blacklisted websites, and the positive is the profiling of the website itself. Imperva can see and activate the policy, based on what it has learned. Imperva learns things like how dynamic content is dealt with, and what the permitted values are. When you combine these two perspectives, the negative and the positive, you get the optimal protection of the application.
What needs improvement?
When you want to move to a higher version of the platform, it is not in the GUI and not very easy to do. I expect that this will be available in the next version.
I think that better bot protection is needed in this solution. Bot protection is one of the features in Imperva that lets you recognize if their request is coming from a human or coming from a bot. In this context, a bot is a mechanism being used by the attacker. Good bot protection will reduce a lot of the attacks coming into the applications.
For how long have I used the solution?
I have been using this solution for about eight years.
What do I think about the stability of the solution?
This solution is pretty stable.
What do I think about the scalability of the solution?
If you build this solution properly then you have scalability.
How are customer service and technical support?
We do not use technical support very often. It is only in cases where we get something that looks like a bug. Their team is good.
How was the initial setup?
The initial setup of this solution is user-friendly and pretty straightforward.
However, the setup, in order to bring the application into inspection, is kind of complex. You need to know what you're doing. It takes approximately four hours to install, set up, and configure this platform.
What about the implementation team?
My team and I handle the integration of this solution for our clients.
The number of people required depends on the environment. Sometimes it is one person, whereas other times there are two.
We have three people who take care of maintaining this solution for our customers.
What's my experience with pricing, setup cost, and licensing?
The cost of this solution depends on the platform. For example, you may be buying virtual or you may be buying appliances. It also depends on the number of environments and the bandwidth that is required.
Which other solutions did I evaluate?
Compared to other web application firewalls in the market, Imperva does things in the most accurate way.
What other advice do I have?
Overall, Imperva is a pretty good product.
I am working with the development team for Imperva in Israel, and I have submitted some feature requests for things that I think should be changed. Everything that should be fixed, we have a discussion on it and it is probable that these things will be fixed.
My advice to anybody who is implementing this solution is to first go and learn the attack surfaces because you need to protect the assets from attack. In order to do this, you need to understand the attacks. Let's say that a good defense is a good offense.
The biggest lesson that I have learned from working with this solution is to back up the system all of the time. Do it step by step, and be very precise. Have plans for each and every move, all of the time.
I would rate this solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager, IS Security & Infrastructure at Fintech Kenya Limited
User-friendly with good performance and helps to secure digital assets
Pros and Cons
- "It mitigates all of the availabilities of risks around web applications."
- "Their portal is very limited and needs improvement."
What is our primary use case?
We are a reseller and integration partner, and we have customers who are using this solution in on-premises deployments.
How has it helped my organization?
This solution has helped in securing our clients' assets, which is key. It mitigates all of the availabilities of risks around web applications.
What is most valuable?
The most valuable feature of this solution is web application security.
This is a user-friendly solution.
This solution has good performance ratings.
What needs improvement?
I would like to see more support available for this product online. Some customers find this to be a real limitation.
The virtual processing could be improved.
Their portal is very limited and needs improvement.
For how long have I used the solution?
We have been using this solution for close to five years.
What do I think about the stability of the solution?
This is a very stable solution.
What do I think about the scalability of the solution?
The solution is very scalable, but of course, the scalability comes with a cost.
How are customer service and technical support?
I think that technical support needs to be improved by making it more localized, or regionalized. Our support is currently coming from the US, and it is not very good. They need to take care of their global customers.
Which solution did I use previously and why did I switch?
We previously used Fortinet, but this solution has better performance ratings.
How was the initial setup?
I don't want to say that the initial setup is straightforward, but it is manageable. It requires a bit of technical knowledge.
What other advice do I have?
This is a solution that I highly recommend.
The biggest lesson that I have learned from this solution is that Imperva is not a one-house solution. They create a specialized solution, and that comes with a lot of value.
I would rate this solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.