Top 8 Web Application Firewall (WAF)

Prisma Cloud by Palo Alto NetworksFortinet FortiWebF5 Advanced WAFAWS WAFMicrosoft Azure Application GatewayImperva Web Application FirewallImperva DDoSBarracuda Web Application Firewall
  1. leader badge
    This solution helped us by allowing us to schedule and fix things. This is not an easy thing if you're managing 1,000 plus resources.The initial setup is seamless.
  2. leader badge
    The policies and the filtering are the most valuable features, especially traffic, URL, and application filtering. The solution is excellent at detecting vulnerabilities.
  3. Buyer's Guide
    Web Application Firewall (WAF)
    March 2023
    Find out what your peers are saying about Palo Alto Networks, Fortinet, F5 and others in Web Application Firewall (WAF). Updated: March 2023.
    690,226 professionals have used our research since 2012.
  4. leader badge
    iRules are quite appealing when it comes to F5.The most valuable features of F5 Advanced WAF are the overall capabilities, there is not a comparable solution on the market.
  5. leader badge
    What I like best about AWS WAF is that it's a simple tool, so I could understand the basics of AWS WAF in two to three hours.AWS WAF is something that someone from a cloud background or cloud security background leverages. If they want to natively use a solution in the cloud, AWS WAF comes in handy. It's very useful for that, and the way we can fine-tune the WAF rules is also nice.
  6. The most valuable feature of the solution is traffic management.The solution provides great automation and it is easy to upgrade service.
  7. I have had a positive experience with Imperva Web Application Firewall's tech support so far. They are knowledgeable and respond on time. The most valuable features of Imperva Web Application Firewall are the monitoring of databases and the dashboards are easy to understand.
  8. report
    Use our free recommendation engine to learn which Web Application Firewall (WAF) solutions are best for your needs.
    690,226 professionals have used our research since 2012.
  9. The three-second service level agreement is already better than the competition.The setup of Imperva DDoS was easy.
  10. If an attack is coming continuously, you can ask the device to block it temporarily for two to three minutes. F5 has not provided us with an option to block certain IPs for some time. Barracuda can help you block someone if the source is from a different IP. You can apply the rule to the device and block it for whatsoever time you want. The solution will unblock the IP after the prescribed time as well.

Advice From The Community

Read answers to top Web Application Firewall (WAF) questions. 690,226 professionals have gotten help from our community of experts.
Prasert Mahapol - PeerSpot reviewer
Prasert Mahapol
Sales Director with 51-200 employees

I am a Sales Director at a company with less than 1,000 employees. 

I am researching Web Application Firewalls (WAF). I am considering R&S (DenyAll) and Imperva. Which would you recommend? 

Are there others I should consider?

JimDavis - PeerSpot reviewer
JimDavisImperva is a strong choice, given their security focus and ongoing R&D into the… more »
5 Answers
it_user151011 - PeerSpot reviewer
Sr. Director of Growth at PeerSpot (formerly IT Central Station)

Hi community, 

There are so many firewall products in the market today. Who are we going to be talking about 3-5 years from now?

imadam - PeerSpot reviewer
imadamNetscope, Zscaler if they continue route they are on now. FIrewalls needs great… more »
25 Answers
VarunGoyal - PeerSpot reviewer

Hi community,

I'm trying to understand what limitations AWS WAF has vs other (alternative) Web Application Firewall (WAF) products.

John Rendy - PeerSpot reviewer
John RendyHi Varun, I have had experienced with several WAF deployments and deep… more »
2 Answers
Rony_Sklar - PeerSpot reviewer
Community Manager at a tech services company with 51-200 employees

Hi professionals,

There seems to be some controversy around whether or not SSL Inspection should be used by businesses. 

What is your opinion - should they be used, and if so when? Conversely, what are the reasons for not using SSL inspection?

Bruce Bennett - PeerSpot reviewer
Bruce BennettI am a proponent of SSL inspection, as long as you have another function/service… more »
10 Answers
Rony_Sklar - PeerSpot reviewer
Community Manager at a tech services company with 51-200 employees

It seems that there is some overlap between these two types of solutions - how do Bot Managers and WAF differ? How can they work together to improve security?

it_user989274 - PeerSpot reviewer
it_user989274A Bot manager differs from a WAF in that it focuses on the management of Bots… more »
5 Answers
Evgeny Belenky - PeerSpot reviewer
Evgeny Belenky
PeerSpot (formerly IT Central Station)

Hi peers,

What are the OWASP Top 10 this year? 

What single web app security tool (or a minimum set of tools) would you recommend for overall web app protection (from the most critical security risks covered by these Top 10)?

Andrew Van Der Stock - PeerSpot reviewer
Andrew Van Der StockWe are due to release the OWASP Top 10 2021 on September 24, 2021. We will be… more »
4 Answers
Unmesh Deshpande - PeerSpot reviewer
Unmesh Deshpande
CTO at Kingsway Hospitals
Hello community,  I am the CTO for a large multi-specialty private hospital. We are currently researching WAF solutions. Which WAF solution would you recommend with no heritage for subscription charges? We are a hospital with many web apps that need to be published soon and quickly. We have dec...
Read More »
Srdjan - PeerSpot reviewer
SrdjanI would always recommend F5 WAF, it is probably the best one on the market… more »
17 Answers
reviewer988044 - PeerSpot reviewer
Regional Solutions Manager at a tech services company with 11-50 employees

Should one go for a URL Filtering as an add-on to NGFW or just deploy a Web proxy, instead?

I am one who advocates that firewalls with URL Filtering can't serve better than Web security solutions (i.e., a Web proxy).

What's your opinion?

Mike Hounsome - PeerSpot reviewer
Mike HounsomeOver 50% of security vulnerabilities are non-Web based traffic, such as DNS… more »
9 Answers

Web Application Firewall (WAF) Articles

Deena Nouril - PeerSpot reviewer
Deena Nouril
Tech Blogger
What is OWASP? The OWASP or Open Web Application Security Project is a nonprofit foundation dedicated to improving software security. It operates under an open community model, meaning that anyone can participate in and contribute to OWASP-related online chats and projects. The OWASP ensures tha...
Read More »
Ben Arbeit - PeerSpot reviewer
Ben ArbeitThanks for this informative article.
Jairo Willian Pereira - PeerSpot reviewer
Jairo Willian PereiraOWASP is nice, but very specific and currently limited. How about trying… more »
Evgeny Belenky - PeerSpot reviewer
Evgeny Belenky
PeerSpot (formerly IT Central Station)
Hi community members, Here we go with a new Community Spotlight. We publish it to help YOU catch up on recent contributions by community members. Trending What open-source HCI solution do you recommend? How much time does SSO save? What are the main technical differences between Microso...
Read More »

Web Application Firewall (WAF) Topics

How does a WAF work?

A WAF works by preventing unauthorized data from leaving the app by adhering to a set of policies that help determine what traffic is malicious and what traffic is safe. A WAF acts as a transparent reverse proxy, or an intermediary that protects the web app server from a potentially malicious client. The proxy ensures that all traffic passes through it and separately sends filtered traffic to the application, hiding the IP address of the application service. In order to work properly, many WAFs require you to update their policies regularly to address new vulnerabilities. The policies tell the firewall what needs to be done if vulnerabilities or misconfigurations are found. Some WAFs, however, use machine learning to enable policy updates automatically.

What is the difference between WAF and firewall?
  • A standard firewall provides a barrier between external and internal network traffic. In contrast, a WAF protects web applications by targeting (HTTP) traffic.
  • A network firewall protects a secure LAN network from a less secured or unsecured network whereas a WAF filters traffic that enters through the application layer.
  • A network firewall is placed on the perimeter of the LAN network, acting as a barrier and controlling access to the LAN network by blocking illegitimate HTTP and HTTPS traffic from entering. In contrast, a WAF is placed close to the internet-facing applications.
  • A network firewall is run on a dedicated hardware appliance, and watches the network layer by blocking unauthorized access from less secure zones. A WAF is different because it is extremely adaptable and can be run on a dedicated hardware appliance, through a virtual machine, or deployed as SaaS in the cloud.
Does a web application need a firewall?

Yes, a web application needs a firewall. WAF solutions protect businesses from web-based attacks targeted at applications. Without an application firewall, hackers can easily infiltrate the broader network through web application vulnerabilities. A WAF offers critical protection for any online business that needs to securely handle private customer data.

What are the types of web application firewalls?

There are three different types of WAFs:

1. Hardware-based WAF: A hardware-based WAF is deployed through a hardware appliance, installed within the LAN close to the web and application servers. Hardware-based WAFs have fast speed and high performance. Due to their physical proximity to the server, they track and filter data packets to and from the website with very low latency. They are most suitable for large businesses.

    2. Software-based WAF: Different from a hardware-based WAF, a software-based WAF is installed in a virtual machine instead of a physical hardware appliance. All the WAF components are essentially the same as a hardware WAF. The one difference is that users would need to have their own hypervisor to run the virtual machine. The biggest benefit of a software-based WAF is its flexibility. It can be used within an on-premises system, and can also be deployed in the cloud, connecting to cloud-based web and application servers. It is not as fast as a hardware-based WAF, since a higher latency is experienced during the monitoring and filtering process. Software-based WAFs are suitable for small and medium-sized organizations.

      3. Cloud-based WAF: A cloud-based WAF is provided and managed directly by a service provider in the form of a SaaS. With a cloud-based WAF, the WAF components are entirely located in the cloud, so that the user does not need to install anything locally or in any virtual machines. Because these WAFs are cloud-based, they are very simple. The user does not need to install any software physically and only needs to enroll in a subscription plan. The user is not required to manage the WAF by themselves because the service provider is responsible for providing all the optimization and updates. However, the disadvantage is that there is not much room for customization, since the WAF is managed entirely by the service provider,

        Where is WAF placed?

        A WAF is usually placed close to the internet-facing applications. In most application architectures, a WAF is typically positioned behind the load-balancing tier to maximize utilization, reliability, performance, and visibility.

        Why do I need a WAF?

        Without properly securing web applications, organizations face a very high risk of leaking their data. Attackers can always exploit the vulnerabilities of an application to gain access to the database, after which they could view, change, delete, and even exfiltrate data. If you do not have a WAF in place, data breaches are more likely to occur, which could potentially lead to the deterioration of customer trust, reputation, brand value, and share value, as well as direct financial loss due to heavy fines. In addition, a WAF is necessary because it helps meet compliance requirements, apart from also providing data encryption and multi-factor authentication.

        What should I look for in a web application firewall?

        When choosing a WAF, look for the following:

        • Deployment options: Choose a WAF that offers different deployment options. An in-line WAF can be used to stop a live attack. On the flip side, in-line WAFs can slow traffic, and they are also more likely to block legitimate traffic. The other option is a passive WAF, also known as a tap/span WAF, which is placed outside the path and monitors traffic from a tap/span port. These types of WAFs cannot block attacks, but they can be set up to communicate with other systems that can be used to block traffic, such as the network firewall. You may also want a WAF that protects servers both on site and in the cloud. For this, a cloud-based WAF, or a WAF that allows you to use an API to monitor VM traffic, would be the better choice.
        • Availability: It is important to take latency into account, especially if high availability is critical for your website and applications. It will also be essential that the WAF you choose does not become a single point of failure. You need to consider whether multiple WAF nodes can be configured, how many are possible, etc.
        • Detection techniques: Most WAFs employ a combination of detection techniques. Choosing a WAF with more options is better. Some WAFs are also capable of behavioral analysis. With this type of WAF, suspicious traffic can be detected regardless of rules and signature updates. When evaluating WAFs, make sure to ask vendors for proof of false positives to negative rates as well as third-party test results to give you a better understanding of how successful the WAF’s detection features will be.
        Web Application Firewall Benefits

        Of the many benefits that a WAF offers, here are the biggest advantages:

        • WAFs prevent attacks, including SQL injections, cross-site scripting (XSS) attacks, and distributed denial of service (DDoS) attacks.
        • WAFs stop customer data from being compromised.
        • They ensure compliance with regulations like HIPAA and PCI.
        • They free up your team’s resources by automatically running security tests and monitoring traffic.
        Buyer's Guide
        Web Application Firewall (WAF)
        March 2023
        Find out what your peers are saying about Palo Alto Networks, Fortinet, F5 and others in Web Application Firewall (WAF). Updated: March 2023.
        690,226 professionals have used our research since 2012.