Top 8 Web Application Firewall (WAF)

Prisma Cloud by Palo Alto Networks, Fortinet FortiWeb, F5 Advanced WAF, AWS WAF, Microsoft Azure Application Gateway, Imperva DDoS, Imperva Web Application Firewall, Barracuda Web Application Firewall

  1. It also provides us with a single tool to manage our entire cloud architecture. In fact, we are using a multi-account strategy with our AWS organization. We use Prisma as a single source of truth to identify high- or medium-severity threats inside our organization.
  2. It helps us prevent attacks on servers. The solution has a good sandbox feature.
  3. F5 technical support is excellent. They are experts who always provide the right solution, and they understand the problem. Their response and resolution times are good.
  4. I believe the most impressive features are integration and ease of use. The best part of AWS WAF is the cloud-native WAF integration. There aren't any hidden deployments or hidden infrastructure which we have to maintain to have AWS WAF. AWS maintains everything; all we have to do is click the button, and WAF will be activated. Any packet coming through the internet will be filtered through.
  5. It does an excellent job of load balancing. The health probe is pretty good for your backend health. It tells you whether it's communicating and talking to the endpoint correctly. It is quite useful.
  6. The three-second service level agreement is already better than the competition. The setup of Imperva DDoS was easy.
  7. I have had a positive experience with Imperva Web Application Firewall's tech support so far. They are knowledgeable and respond on time. The most valuable features of Imperva Web Application Firewall are the monitoring of databases and the dashboards are easy to understand.
  8. The solution ensures layer seven is secure from attacks. It is stable and the performance is good.

Buyer's Guide
Web Application Firewall (WAF)
November 2022
Find out what your peers are saying about Palo Alto Networks, Fortinet, F5 and others in Web Application Firewall (WAF). Updated: November 2022.
653,584 professionals have used our research since 2012.

Advice From The Community

Read answers to top Web Application Firewall (WAF) questions. 653,584 professionals have gotten help from our community of experts.
Prasert Mahapol
Sales Director with 51-200 employees

I am a Sales Director at a company with less than 1,000 employees. 

I am researching Web Application Firewalls (WAF). I am considering R&S (DenyAll) and Imperva. Which would you recommend? 

Are there others I should consider?

JimDavis: Imperva is a strong choice, given their security focus and ongoing R&D into the…
5 Answers
Menachem D Pritzker
Director of Growth
PeerSpot (formerly IT Central Station)

Hi community, 

There are so many firewall products in the market today. Who are we going to be talking about 3-5 years from now?

imadam: Netskope, Zscaler if they continue route they are on now. Firewalls needs great…
25 Answers
VarunGoyal
User

Hi community,

I'm trying to understand what limitations AWS WAF has vs other (alternative) Web Application Firewall (WAF) products.

John Rendy: Hi Varun, I have had experience with several WAF deployments and deep…
2 Answers
Rony_Sklar
PeerSpot (formerly IT Central Station)

Hi professionals,

There seems to be some controversy around whether or not SSL Inspection should be used by businesses. 

What is your opinion - should they be used, and if so when? Conversely, what are the reasons for not using SSL inspection?

Bruce Bennett: I am a proponent of SSL inspection, as long as you have another function/service…
10 Answers
Rony_Sklar
PeerSpot (formerly IT Central Station)

It seems that there is some overlap between these two types of solutions - how do Bot Managers and WAF differ? How can they work together to improve security?

Oluwatosin Omojola: A Bot manager differs from a WAF in that it focuses on the management of Bots…
5 Answers
Evgeny Belenky
PeerSpot (formerly IT Central Station)

Hi peers,

What are the OWASP Top 10 this year? 

What single web app security tool (or a minimum set of tools) would you recommend for overall web app protection (from the most critical security risks covered by these Top 10)?

Andrew Van Der Stock: We are due to release the OWASP Top 10 2021 on September 24, 2021. We will be…
4 Answers
Unmesh Deshpande
CTO at Kingsway Hospitals
Hello community,  I am the CTO for a large multi-specialty private hospital. We are currently researching WAF solutions. Which WAF solution would you recommend with no heritage for subscription charges? We are a hospital with many web apps that need to be published soon and quickly. We have dec...
Srdjan: I would always recommend F5 WAF, it is probably the best one on the market…
17 Answers

Web Application Firewall (WAF) Articles

Deena Nouril
Tech Blogger
Aug 05 2022
What is OWASP? The OWASP or Open Web Application Security Project is a nonprofit foundation dedicated to improving software security. It operates under an open community model, meaning that anyone can participate in and contribute to OWASP-related online chats and projects. The OWASP ensures tha...
Ben Arbeit: Thanks for this informative article.
Jairo Willian Pereira: OWASP is nice, but very specific and currently limited. How about trying…
2 Comments
Evgeny Belenky
PeerSpot (formerly IT Central Station)
Hi community members, Here we go with a new Community Spotlight. We publish it to help YOU catch up on recent contributions by community members. Trending What open-source HCI solution do you recommend? How much time does SSO save? What are the main technical differences between Microso...

Web Application Firewall (WAF) Topics

How does a WAF work?

A WAF works by applying a set of policies that determine which traffic is malicious and which is safe, and by preventing unauthorized data from leaving the app. It acts as a transparent reverse proxy: an intermediary that protects the web app server from a potentially malicious client. All traffic passes through the proxy, which forwards only filtered traffic to the application and hides the IP address of the application service. To work properly, many WAFs require regular policy updates to address new vulnerabilities. The policies tell the firewall what to do if vulnerabilities or misconfigurations are found. Some WAFs, however, use machine learning to update policies automatically.

What is the difference between WAF and firewall?
  • A standard firewall provides a barrier between external and internal network traffic. In contrast, a WAF protects web applications by targeting (HTTP) traffic.
  • A network firewall protects a secure LAN network from a less secured or unsecured network whereas a WAF filters traffic that enters through the application layer.
  • A network firewall is placed on the perimeter of the LAN network, acting as a barrier and controlling access to the LAN network by blocking illegitimate HTTP and HTTPS traffic from entering. In contrast, a WAF is placed close to the internet-facing applications.
  • A network firewall is run on a dedicated hardware appliance, and watches the network layer by blocking unauthorized access from less secure zones. A WAF is different because it is extremely adaptable and can be run on a dedicated hardware appliance, through a virtual machine, or deployed as SaaS in the cloud.

Does a web application need a firewall?

Yes, a web application needs a firewall. WAF solutions protect businesses from web-based attacks targeted at applications. Without an application firewall, hackers can easily infiltrate the broader network through web application vulnerabilities. A WAF offers critical protection for any online business that needs to securely handle private customer data.

What are the types of web application firewalls?

There are three different types of WAFs:

1. Hardware-based WAF: A hardware-based WAF is deployed through a hardware appliance, installed within the LAN close to the web and application servers. Hardware-based WAFs have fast speed and high performance. Due to their physical proximity to the server, they track and filter data packets to and from the website with very low latency. They are most suitable for large businesses.

2. Software-based WAF: Different from a hardware-based WAF, a software-based WAF is installed in a virtual machine instead of a physical hardware appliance. All the WAF components are essentially the same as a hardware WAF. The one difference is that users would need to have their own hypervisor to run the virtual machine. The biggest benefit of a software-based WAF is its flexibility. It can be used within an on-premises system, and can also be deployed in the cloud, connecting to cloud-based web and application servers. It is not as fast as a hardware-based WAF, since a higher latency is experienced during the monitoring and filtering process. Software-based WAFs are suitable for small and medium-sized organizations.

3. Cloud-based WAF: A cloud-based WAF is provided and managed directly by a service provider in the form of a SaaS. With a cloud-based WAF, the WAF components are entirely located in the cloud, so that the user does not need to install anything locally or in any virtual machines. Because these WAFs are cloud-based, they are very simple. The user does not need to install any software physically and only needs to enroll in a subscription plan. The user is not required to manage the WAF by themselves because the service provider is responsible for providing all the optimization and updates. However, the disadvantage is that there is not much room for customization, since the WAF is managed entirely by the service provider.

Where is WAF placed?

A WAF is usually placed close to the internet-facing applications. In most application architectures, a WAF is typically positioned behind the load-balancing tier to maximize utilization, reliability, performance, and visibility.

Why do I need a WAF?

Without properly securing web applications, organizations face a very high risk of leaking their data. Attackers can always exploit the vulnerabilities of an application to gain access to the database, after which they could view, change, delete, and even exfiltrate data. If you do not have a WAF in place, data breaches are more likely to occur, which could potentially lead to the deterioration of customer trust, reputation, brand value, and share value, as well as direct financial loss due to heavy fines. In addition, a WAF is necessary because it helps meet compliance requirements, apart from also providing data encryption and multi-factor authentication.

What should I look for in a web application firewall?

When choosing a WAF, look for the following:

  • Deployment options: Choose a WAF that offers different deployment options. An in-line WAF can be used to stop a live attack. On the flip side, in-line WAFs can slow traffic, and they are also more likely to block legitimate traffic. The other option is a passive WAF, also known as a tap/span WAF, which is placed outside the path and monitors traffic from a tap/span port. These types of WAFs cannot block attacks, but they can be set up to communicate with other systems that can be used to block traffic, such as the network firewall. You may also want a WAF that protects servers both on site and in the cloud. For this, a cloud-based WAF, or a WAF that allows you to use an API to monitor VM traffic, would be the better choice.
  • Availability: It is important to take latency into account, especially if high availability is critical for your website and applications. It will also be essential that the WAF you choose does not become a single point of failure. You need to consider whether multiple WAF nodes can be configured, how many are possible, etc.
  • Detection techniques: Most WAFs employ a combination of detection techniques. Choosing a WAF with more options is better. Some WAFs are also capable of behavioral analysis. With this type of WAF, suspicious traffic can be detected regardless of rules and signature updates. When evaluating WAFs, make sure to ask vendors for proof of false-positive and false-negative rates as well as third-party test results to give you a better understanding of how successful the WAF’s detection features will be.
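
As an added illustration (not from the original page or from any vendor's product), the sketch below scores a small signature set over constructed requests to show the in-line versus passive trade-off and the false-positive and false-negative rates described above. The rules, the sample traffic and the function names are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Illustrative signatures only; not any vendor's rule set.
RULES = {
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "xss": re.compile(r"(?i)<\s*script\b"),
}

# Constructed sample traffic: (query string, ground truth "is malicious").
SAMPLES = [
    ("id=42", False),
    ("q=web+application+firewall", False),
    ("q=will+the+union+select+a+new+rep", False),   # benign, trips the sqli rule
    ("id=1'+or+'1'='1", True),
    ("id=1+union+select+name+from+users", True),
    ("c=%3Cscript%3Ealert(1)%3C/script%3E", True),
    ("id=1;+drop+table+users", True),               # no signature covers this
]

def inspect(query):
    """Return the names of the rules matched by the URL-decoded query."""
    decoded = unquote_plus(query)
    return [name for name, rx in RULES.items() if rx.search(decoded)]

def handle(query, mode):
    """'inline' drops matching requests; 'passive' (tap/span) only alerts."""
    hits = inspect(query)
    blocked = bool(hits) and mode == "inline"
    return {"hits": hits, "alert": bool(hits), "forwarded": not blocked}

def evaluate(mode):
    """Score the rule set against SAMPLES for one deployment mode."""
    results = [(handle(q, mode), bad) for q, bad in SAMPLES]
    benign = sum(1 for _, bad in results if not bad)
    malicious = len(results) - benign
    fp = sum(1 for r, bad in results if r["alert"] and not bad)
    fn = sum(1 for r, bad in results if not r["alert"] and bad)
    return {
        "fp_rate": fp / benign,
        "fn_rate": fn / malicious,
        "alerts": sum(1 for r, _ in results if r["alert"]),
        "attacks_reaching_app": sum(1 for r, bad in results if r["forwarded"] and bad),
        "legit_blocked": sum(1 for r, bad in results if not r["forwarded"] and not bad),
    }

if __name__ == "__main__":
    for mode in ("inline", "passive"):
        print(mode, evaluate(mode))
```

Both modes raise the same alerts; only the in-line mode turns a false positive into a blocked legitimate request, and only the passive mode lets detected attacks reach the application.
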

Web Application Firewall Benefits

Of the many benefits that a WAF offers, here are the biggest advantages:

  • WAFs prevent attacks, including SQL injections, cross-site scripting (XSS) attacks, and distributed denial of service (DDoS) attacks.
  • WAFs stop customer data from being compromised.
  • They ensure compliance with regulations like HIPAA and PCI.
  • They free up your team’s resources by automatically running security tests and monitoring traffic.