What is our primary use case?
We are using it for Web Application Firewall, Layer 7 Firewall. It protects us from denial-of-service attacks, cross-site scripting, as well as injection attacks.
It also has a good bot management system that informs us in advance about IP addresses that are not good for us, so we do not cater to their requests. It's like a Layer 7 defense for us.
What is most valuable?
The best thing about Reblaze, for us, is that it has been a game changer because previously, we were using Google's Web Application Firewall, but it wasn't up to the mark.
First things first, it's pretty easy to look at the current state of affairs when it comes to the attack scenario and the attack surface of our website and applications.
Second, the ease of writing rules is pretty standard because the Reblaze GUI helps us in creating and testing tools and even changing their hierarchy. For example, if we want to test a particular payload for a development service first and then for a SQL injection, we can easily change the priority of the rules in Reblaze.
Third, the support we have received from the staff has been really, really good. I do not wish to name them, but yes, there are a few people who have supported us a lot because they have a Slack channel and dedicated personnel within that channel. If anything goes wrong and if Reblaze is the cause, they troubleshoot for us.
So not just the technical bells and whistles within Reblaze, but the support from the staff has been really, really good.
What needs improvement?
There is still some room for improvement when it comes to bot management from Reblaze because they are relatively new compared to other vendors in town. AWS WAF, the Web Application Firewall from AWS, has a vast database of bad IP addresses due to its long-standing presence in this business. Reblaze, being a new entrant, is still building its database of bad IP addresses and malicious systems.
So, Reblaze needs to work on that aspect. But other than that, I don't think scaling Reblaze has been an issue. There were some initial glitches, but they were all sorted out. So currently, I would say that the bot management and the database are areas they should focus on for further improvement.
For how long have I used the solution?
We have been using Reblaze for a year now.
We did POCs in May last year, and we onboarded Reblaze starting in July 2022. So it's almost a year now. It's a cloud-based system, because it's a SaaS solution. We have pointed our DNS to Reblaze, and Reblaze takes care of vetting the traffic and sending it back to us.
What do I think about the stability of the solution?
Reblaze is quite stable. During the initial phase, there were a few instances where the system went down, but that was mainly because both Reblaze and we were still learning about our environment, their support, and scalability.
However, once that phase was behind us, there haven't been any major issues due to Reblaze. We also have a kill switch as a backup. If we notice the load increasing and Reblaze may struggle to handle it, we can bypass Reblaze and direct traffic straight to us. Though we haven't used the kill switch yet, we have had no issues so far. It's been a year, and we plan to renew our contract with them once the current license expires. Overall, we are happy with the product.
What do I think about the scalability of the solution?
In our company, I manage the security team, which consists of eight people. Since we have a flat organization where everyone is involved in various tasks, all eight team members are using Reblaze. So currently, nine people are using Reblaze in our company.
How are customer service and support?
In terms of support only, I would rate them around eight out of ten. They are doing well. The reason I deducted two points is that they don't provide 24/7 support yet, and most of their team members are based in Israel, where Reblaze originates from. This creates a time gap, and we had to communicate with them asynchronously. We used Slack as a common group to exchange messages, and they would respond accordingly.
Initially, we had calls scheduled, sometimes even on weekends because one of their working days falls on Sunday. So we had calls on Sundays as well when they were available. These factors influenced my rating of eight out of ten, considering the time aspect.
Which solution did I use previously and why did I switch?
My company chose Reblaze over AWS because we are on the Google Cloud Platform (GCP), not AWS. We cannot use AWS unless we migrate everything to AWS, which is not feasible for us.
We opted for Reblaze since it was compatible with the Google Cloud Platform.
How was the initial setup?
The initial setup was pretty straightforward, to be honest. We had a test environment where we conducted the Proof of Concept (POC). We shared our DNS IP addresses, and the resolution IP addresses of our systems with the Reblaze team. This directed all traffic to Reblaze first, which performed traffic scanning before allowing it to reach our network.
So we simply had to change the IP addresses. We did need to purchase some certificates because most of our traffic was encrypted, and Reblaze acted as a man-in-the-middle. We obtained the certificates from LicenseScript, which is free for the test environment. After that, everything started working smoothly.
What was our ROI?
Reblaze is worth the money. You will see a hundred percent return on investment. We were using Google's web application firewall, but it wasn't effective at all. We had no other option but to look for alternatives, and Reblaze has proven to be a good choice for us.
What's my experience with pricing, setup cost, and licensing?
We negotiated a deal. So, we were able to secure a significant discount of around 40% off the quoted price. However, the precise figures remain confidential.
What other advice do I have?
My first question would be if you are currently using any Web Application Firewall (WAF).
Let's say, for example, you are using AWS as well. If you are already using AWS, I would advise against switching to Reblaze. Not because Reblaze is not good but because AWS WAF provides more comprehensive protection for your assets. Reblaze is catching up, and they are nearly there, but AWS WAF is currently more advanced. However, if you are using Google's WAF or any other vendor, then I would recommend considering Reblaze as the second-best option.
In my opinion, AWS is the number one choice, and Reblaze ranks as the second-best among all the vendors I have tested so far. Reblaze stands out due to its ease of use and the flexibility it offers in customizing rule sets.
Ten being the best, I would rate Reblaze somewhere between seven and a half and eight. They are still evolving as a product. I have previous experience using AWS WAF in another company, and I know how good it is. If you are in an AWS environment, I would recommend AWS WAF.
However, if you are not in an AWS environment or have the freedom to choose, Reblaze is a viable option. You cannot use AWS WAF on platforms like GCP or Azure, for example. That's why I say Reblaze is still developing. Their bot management capabilities are not yet at the same level, and their support is not fully refined either. We had to schedule calls on Sundays and sometimes late at night. But when it comes to value for money, Reblaze is a great choice. It is more cost-effective than AWS WAF and performs better than the other options available to us.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Google
Disclosure: I am a real user, and this review is based on my own experience and opinions.