IT Central Station is now PeerSpot: Here's why

F5 Advanced WAF OverviewUNIXBusinessApplication

F5 Advanced WAF is #5 ranked solution in top Web Application Firewalls. PeerSpot users give F5 Advanced WAF an average rating of 8 out of 10. F5 Advanced WAF is most commonly compared to Fortinet FortiWeb: F5 Advanced WAF vs Fortinet FortiWeb. F5 Advanced WAF is popular among the large enterprise segment, accounting for 60% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 23% of all views.
F5 Advanced WAF Buyer's Guide

Download the F5 Advanced WAF Buyer's Guide including reviews and more. Updated: July 2022

What is F5 Advanced WAF?

F5's Advanced WAF is built on proven F5 technology and goes beyond reactive security such as static signatures and reputation to proactively detect and mitigate bots, secure credentials and sensitive data, and defend against application denial-of-service (DoS). Advanced WAF redefines application security to address the most prevalent threats organizations face today.

Advanced WAF is offered as an appliance, virtual edition, and as a managed service—providing automated WAF services that meet complex deployment and management requirements while protecting your apps with great precision. It is the most effective solution for guarding modern applications and data from existing and emerging threats while maintaining compliance with key regulatory mandates.

Advanced WAF redefines application security to address the most prevalent threats organizations face today:

•Web attacks that steal credentials and gain unauthorized access across user accounts.
•Application layer attacks that evade static security based on reputation and manual signatures.
•New attack surfaces and threats due to the rapid adoption of APIs.
•OWASP Top 10 vulnerabilities

F5 Advanced WAF Customers

MAXIMUS, Vivo, American Systems, Bangladesh Post Office, City Bank

F5 Advanced WAF Video

F5 Advanced WAF Pricing Advice

What users are saying about F5 Advanced WAF pricing:
  • "F5 bundles up services and the bundle is what you pay for rather than individual components."
  • "Pricing for this solution is higher than average."
  • "Its price is fair. We have done a couple of deals where they were able to give some kind of discount to the customers. The price was initially high for the customers, but after a couple of negotiations, it came within their budget. They were happy with that."
  • "It is expensive. Its price should be better. Its licensing is on a yearly basis. Its licensing is also based on the model. There are no additional costs."
  • F5 Advanced WAF Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    Jamshaid Dayar - PeerSpot reviewer
    Network Engineer at a tech services company with 11-50 employees
    Real User
    Top 20
    It is very stable as as a load balancer or a web application firewall
    Pros and Cons
    • "In terms of F5 Advanced WAF's most valuable features, I would definitely say its stability. F5 is one the most stable products. Either as the load balancer or the web application firewall, it is very stable."
    • "I would say their graphical interface, the GUI. I don't like the GUI as much as before."

    What is our primary use case?

    There is the Simple WAF and the Advanced WAF. We are currently working on the Advanced WAF, but previously, before the Advanced WAF came out, we were just using the Simple WAF. We use the on-prem version because the cloud solution is not that popular here. I have a customer here who has multiple applications dealing with the day to day operations. We have deployed the application firewall in the network and most of their web traffic from outside of their network comes into that WAF. This includes the email application Outlook and their own in-house application tools deployed that they use to sell their merchandise. They have a feature where you can transfer money to the other user based on their mobile phone number. So these web applications and in-house tools are the most used applications in their network.

    What is most valuable?

    In terms of F5 Advanced WAF's most valuable features, I would definitely say its stability. F5 is one of the most stable products. Either as the load balancer or the web application firewall, it is very stable. Additionally, the method it uses to block attacks and the logging and support are very good. You can see anything you want in the logging and reporting section of the device, it is very detailed. These are two valuable features from F5.

    What needs improvement?

    If I had to summarize what needed improvement, I'd say they are currently in the process of updating their software. But more specifically, I would say their graphical interface, the GUI. I don't like the GUI as much as before, but now I think they're focusing on it. We are getting some new good features in the latest update. But there is still room for improvement on the user interface as well. It's easy to use. It's not difficult but it is not pleasing to the eye. Most of the time you want to see something dynamic, something like the reporting section or the system usage, the CPU, some detailed graphs, anything of that sort. So I guess they have some room for improvement there. Don't make it more complicated, just make it more pleasing to the eye. We are using the most stable version. Because recently we got an email from F5 suggesting that if you have any user on the 14.1.2.0 that there was a vulnerability on that feature. And it was quite a severe one, so they asked us to immediately update that license to another version. They currently have 15 versions, but they are not stable. They didn't recommend them to us. So most of the customers in Pakistan are using the 14.1.2.6 version. That is the most stable version and is recommended by F5. My focus is normally on logging and reporting, because customers always ask for a clear reporting criteria. I would like it if they could simplify the reporting process. If I create something, I want to get a good report on it that I can read in seconds or in minutes. I don't want extra details in it. They should work on the exporting of the logging and reporting.

    For how long have I used the solution?

    I have been using Advanced WAF since it came on the market last year. Advanced WAF is the advanced version of WAF which I have been using for three years.
    Buyer's Guide
    F5 Advanced WAF
    July 2022
    Learn what your peers think about F5 Advanced WAF. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
    611,060 professionals have used our research since 2012.

    What do I think about the scalability of the solution?

    F5 basically starts their hardware model from a 10GB distribution. So it is a good device to start with and in Pakistan we mostly have up to 40 or 60 gigabytes of devices. As far as scalability is concerned, we already talked to the customer in detail about what kind of traffic they are expecting in the next five or seven years. Then we decide the box on that data basis and normally we don't have to worry about scaling later. In terms of adding more features on the F5 hardware, that is a question based on the module. If it takes too much of the CPU, then it is difficult and scaling would be difficult with that hardware. If the hardware is not so many CPU's, then we have to dedicate to each module. Then the scalability becomes a bit difficult. But if you already have hardware that has CPU's in abundance, you can add as many modules as you want. There's no problem. F5 lets you decide if you want to assign a specific module, a dedicated CPU or nominal resources. You can even decide if you want nominal resources or if you want full resources for that specific module. It all depends on the importance of that module in your business application. If they are a small company, 250 to 500 employees, or less than 250, then we can go for the virtual Edition of the F5, because as I said, the hardware solution starts from a 10GB box. This can handle thousands of requests per second. It would be a bit costly for a small scale business. If someone wants F5 and he has less applications and nominal users, he can go for the Virtual Edition. Most of the customers in Pakistan who are using F5 are in the banking sector. They have a good amount of users already, 1500, 3000. So mostly we have banks in Pakistan using F5. And I guess also a few in the education sector and businesses. Otherwise, not many small businesses have F5. The one I mentioned that is using AWAF is a big telecom in Pakistan and they have millions of users. It is not for the very small businesses, I guess.

    How are customer service and support?

    I have had many experiences with customer support, both good and bad. Truthfully, they can improve a bit. There are two methods to engage the F5 support. You either call or email them. It's your choice.  You decide which location you want to call, either the Singapore or UK office, because there is no support in Pakistan. We have to ask for support from either UAE, Singapore, the UK or the US. If I call, I normally prefer to call Singapore, because our region mostly deals with the Singapore head office. Sometimes there's a problem understanding Singaporean language and it's tough to talk to them.  But if you reach out over email, then obviously it is easier. Talking to them on the phone is quite a difficult task. Secondly, if you open a customer request from a portal, we have a customer support portal for the client as well. Normally we get the engineer from UK or Singapore. It also depends on the engineer - sometimes he's very responsive. He will just respond to you in an hour or day. And sometimes you get an engineer who is absent for two, three days and you have to call them and change engineers because the first one is not responding. In short they have to improve a bit on support.

    Which solution did I use previously and why did I switch?

    We mostly deal with F5 and we always ask our customers who want the web application firewall to go for F5. We do have other web solutions as well, like Fortinet FortiWeb, another popular solution. For small businesses, we don't suggest that.  We are gold partners with F5, so we always suggest F5.

    How was the initial setup?

    In terms of the initial setup, for a person who is a bit experienced it is not that difficult. It is a straightforward device. You follow the same principle and the same steps and you are good to go. Just follow the steps. F5 guides you through the initial configuration, which is another of their features. If you don't want to go for the manual config you can just follow their step by step. Press - next, next, next, next then you have the initial configuration done.  Then you can move to your own configuration according to your network and according to your need. It's an easy device to configure, it's not difficult.  Only the graphical user interface needs some kind of improvement to make it more modern. But as far as the straightforward install is concerned, it's good and easy. One person is enough for the deployment and for the check. In terms of how long it takes to deploy Advanced WAF, it depends on the number of applications you have to put behind the F5 number one.  The initial network configuration won't take so long if you have all the required data.  You can set up the initial configuration in an hour or two. But the more applications you add will determine the length of the configuration.  We mostly deploy Advanced WAF in automatic mode. We don't do the manual configuration of the security side. We just put application details there and we let F5 decide the learning process. It normally takes 15 to 20 days to get a good grip on the application, the language, and the do's and don'ts. We let F5 decide.  It takes around 15 to 20 days to get it into the blocking mode. But for the configuration for one application it will hardly take 30 minutes to be configured. It all depends on the amount of applications you have.

    What other advice do I have?

    My advice is that if you need a web application firewall you should go for F5. It is one of the best solutions in the past six or seven years. F5 has been the leader in this field. It's a stable solution. One just has to decide their organization's goals in the beginning for the next five years or so. Because if they wrongly select the hardware module, they cannot do the scalability if they want to add  a number of modules in the future. So selecting the product should be done with great care. Otherwise, I guess it's okay. If you want a good web application firewall go for F5. On a scale of one to ten, I would rate F5 Advanced WAF a nine.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Executive Director IT Security at a printing company with 501-1,000 employees
    Real User
    Top 20
    Time and patience in customizing this solution are rewarded in creating a solid line of defense
    Pros and Cons
    • "There is no need to worry about updating signatures because WAF will automatically update the signatures for you."
    • "The support experience is better than average."
    • "The contextual-based component needs a lot of help to catch up with the next-gen products."
    • "There is a learning curve that extends the time of implementation."

    What is our primary use case?

    What a WAF is happens to be exactly what we are using F5 WAF for: a firewall for our web applications. It is a totally customizable solution. You have our signature-based rule sets and then we can customize to our heart's content depending on what our application can and can not do or what we are trying to protect against.  

    So we are using this for anything that is internet-facing. We are applying the WAF there and we are putting it in block mode wherever possible.  

    What is most valuable?

    The features I think are the most valuable starts with the IP intelligence component. That is separately licensed and it is definitely one component that we have made heavy use of. Geo-blocking is another — which can be done without a WAF because you do not necessarily need a WAF to do it — but the F5 WAF has those capabilities.  

    The signature-based controls that F5 has are another one of the heavier-used components that Advanced WAF has. We do not have to worry about updating signatures, et cetera. WAF will automatically update the signatures for us. I think that is a nice feature.  

    Those are the biggest things that we are making use of month-to-month.  

    What needs improvement?

    I think the contextual-based component needs a lot of help. It is all based on regular-expressions. That is something I think companies like Signal Sciences are doing a really good job with. We are transitioning off to Signal Sciences on some of our WAF components because of the capabilities Signal Science has. I think that contextual-base signatures would definitely help in F5 WAF.  

    For how long have I used the solution?

    Within the enterprise, F5 Advanced WAF (Web Application Firewall) has been rolled out for about six or seven years. I have been working on it for about three to four years.  

    What do I think about the stability of the solution?

    It is a stable product.  

    What do I think about the scalability of the solution?

    F5 WAF is a scalable solution. A lot of the employees and other end-users (virtually anybody on the internet who is coming to your site) benefit from the solution. As far as the people who are directly dealing with the administration, maintenance, and deploying the updates, there are maybe two people. But it can certainly scale-out to service passive use.  

    How are customer service and technical support?

    The F5 tech supports is fairly decent. It is not the top of the line, but they do their job. They give you an account team. The account teams are normally really responsive. When you need to run something by them, they are unlike some other products. With other products you have to go through opening up a ticket — because that is the only way they will respond to you — and later they might come back and say it is not their problem and you need to figure it out on your own. The F5 is very different from that perspective in providing support. Your account team is your go-to group. They will walk you through solutions, help you design solutions, and it is part of the value add of using F5Advanced WAF. I really liked them for the extra effort they put in to provide good support. They do not upsell professional services or anything like that. Because of that, I would rate them a little on the higher side for support than just your average support experience.  

    How was the initial setup?

    The installation of F5 Advanced WAF is complex. Any WAF that you put in takes a lot of time to install correctly. You never really just drop it in and have it working right off the bat. The only exception I can say that I have come across to that right now is Signal Sciences. You can literally drop that solution in place and put it in blocking mode within the same day. With F5 there is a learning period where you allow it to learn and then you go back because it is based on regular expressions. So you have to go through and check to see that there is normal traffic going through your site, et cetera. In other words, there is training involved. It can take from seven to fourteen days before you get a good signature set up.  

    If you just need to turn on the licensing key, that might take 10 seconds to do and that is available essentially immediately when you implement WAF. But when you are talking about implementation — and this is true with any WAF — it is time-consuming. You are integrating a piece of technology with applications that have already been written. It might be a legacy app, it might be a new app or whatever that you use for whatever your use case might be for that application. You are using WAF in order to protect that app. You have to invest time in creating the signatures. That period of time where you are creating the signature is what is complex and extends the period of the implementation.  

    That is what I think the true difference is between F5 WAF and the new-gen stuff like Signal Sciences is. With Signal Sciences you literally can just drop in and turn it on.  

    What's my experience with pricing, setup cost, and licensing?

    F5's licensing varies. I do not know exactly what the individual WAF component costs because they bundle up services and the bundle is what I pay for. I do not pay for individual components.  

    What other advice do I have?

    Advice that I would give to people considering F5 WAF is to look at and consider other products as well. They have to make sure they know what they are getting into. That is key to finding the right solution. I think WAF requires a lot of time and patience as well as an understanding of your applications in order to make the best use of its capabilities.  

    On a scale from one to ten (where one is the worst and ten is the best), I would rate the F5 Advanced WAF as a solid eight-out-of-ten.  

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Buyer's Guide
    F5 Advanced WAF
    July 2022
    Learn what your peers think about F5 Advanced WAF. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
    611,060 professionals have used our research since 2012.
    Georges Samaha - PeerSpot reviewer
    Security Consultant at a tech services company with 501-1,000 employees
    Reseller
    Top 5Leaderboard
    Extremely stable hardware with great plug-ins and excellent features
    Pros and Cons
    • "Feature-wise, they are always cutting edge and up-to-date. Many features aren't available via competitors. There's always a lot of enhanced critical features that just aren't available through anyone else, or, if they are, are too lightweight."
    • "We usually use a third-party tool for logging and reporting. It would be nice if we could do that right on this solution. They have one, but it's not very stable. Logging and reporting effectively would be a big enhancement."

    What is our primary use case?

    We primarily use the solution to protect web and API applications. You can choose either web classic or API to protect against different types of attacks.

    How has it helped my organization?

    With Advanced WAF protection, F5 was able to protect multiple kind of Web Application, supporting both HTTP & API protocols access

    What is most valuable?

    There are two main features that we love on F5.

    The first is the hardware itself. It's extremely stable and reliable. We never face any issues with it and performance is never affected. 

    The second is the features on offer. Feature-wise, they are always cutting edge and up-to-date. Many features aren't available via competitors. There's always a lot of enhanced critical features that just aren't available through anyone else, or, if they are, are too lightweight. They're the leaders in the space.

    What needs improvement?

    We usually use a third-party tool for logging and reporting. It would be nice if we could do that right on this solution. They have one, but it's not very stable. Logging and reporting effectively would be a big enhancement.

    The solution still needs some development to handle more traffic, especially in huge environments. In small environments, it's not an issue. 

    For how long have I used the solution?

    I've bee using the solution for more than ten years.

    What do I think about the stability of the solution?

    The solution is extremely stable and robust. There are no issues with bugs or glitches. It doesn't crash or freeze. It's great. The stability is a huge selling feature.

    What do I think about the scalability of the solution?

    It's scalable. There's always options to upgrade the hardware. Any hardware you buy from a store, you have the basic model and the upgraded model. For example, if you buy the 4600 appliance, you can upgrade up to 4800. You get double specs for everything, so you can just upgrade the license of the hardware. However, hardware eventually has a limitation. If you buy too small of a size of hardware, eventually there's some development limitations for the hardware. You can, however, do a cluster. You can add multiple hardware devices. This makes it very scalable.

    The solution is not user-based. It's more connection-based, so there's no limitation on the number of users. It's more of a limitation on total throughput or total connection. Limitations depend on the application and how much traffic it generates. We've seen it in Telco environment where there's more than millions of users. We've also seen it do well with online banking where there are thousands of users. Small companies can use it too. It can vary, however, we've seen it in millions of users at Telco.

    How are customer service and support?

    Technical support is great. We always open tickets. They're always very fast and very professional, and they always solve the issues. We're extremely satisfied with the level of support we receive.

    How was the initial setup?

    If you want to do the basic installation and get the system up and running, then it's pretty straightforward. However, you have the flexibility to go very advanced and you can get into very complicated scenarios. That's what we like about the solution. There's a lot of use cases where you're required to have the ability to create some advanced features or some complicated scenarios. It gives you the capabilities to handle them.

    You have the flexibility to go beyond that and have advanced scripting rules and advanced features in order to have more capability to do new things that are not as common. You need to have the space to improvise things if you need to.

    While a straightforward deployment may only take a few hours, as it has a pre-defined rough template, there's always tuning to be done. It's a security product. It's not like it's plug-and-play. There's always a learning phase and tuning is necessary. This is common with any security product. That said, to get it up and operational, it's a matter of hours.

    For a proper work deployment, to be frank, you need an ether professional because there's an ether configuration change. You also need a security professional to do the rules and policies and everything. Then, you need the involvement of the web application developer, so you can understand the content of the web application. Security people don't know which link is good and which link is bad inside the application. Usually, you need three people from the team - one each from network, security, and application - to have a proper deployment.

    What other advice do I have?

    We're an integrator.

    We have a big customer base, therefore we always have to be up to date with the latest versions. We feed to constantly look at things so that we know the new features.

    I highly recommend the solution to other companies. F5 has a huge portfolio of plug-ins. You can add it to the top of the web. On the same appliance, you can have your balancer, you can have your application authentication, and those things that turn on. You can have multiple other features on the same hardware. It is definitely a technology that adapts. I can use the application in different ways beyond just security.

    On a scale from one to ten, I'd rate it at a perfect ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator.
    Flag as inappropriate
    Product Manager at a comms service provider with 501-1,000 employees
    Real User
    Top 20
    Mitigates DDoS, DNS, and layer seven application attacks, but has issues with scalability and stability
    Pros and Cons
    • "Good technology for mitigating different application attacks, e.g. DDoS, DNS, and layer seven attacks."
    • "Compatibility with multiple cloud environments needs improvement. Both stability and scalability need to be improved."

    What is our primary use case?

    We use F5 Advanced WAF to secure our public cloud. We also use it to secure firewalls for applications and websites. Whether on-premises or on public cloud, these are the usual use cases for WAF.

    What is most valuable?

    The most valuable feature of F5 Advanced WAF is its ability to mitigate attacks: DDoS and DNS, or layer seven application attacks, OWASP, and email.

    What needs improvement?

    The vendor needs to work on developing an MSP model for this solution as that is what's trending on the market, plus integrating this solution under a SASE model. Not all vendors' products are compatible with SASE, and not compatible with delivering multi-deployment options from hardware appliance, VM-based, shared cluster, etc.

    The compatibility of F5 Advanced WAF with multiple public cloud environments also needs to be improved, and not to be overlooked with the VMware environment.

    This solution shouldn't only focus on Azure public cloud compatibility, as they need to also work with and be compatible with private cloud on multiple environments.

    I'm not aware of the latest updates in terms of features, but they need to work on enhancing their product, because it seems they have an issue in the market. Day by day, they seem to be lagging behind all the new products in the market.

    For how long have I used the solution?

    We've been working with this solution for one year.

    What do I think about the stability of the solution?

    The stability of this solution is not great. It's stable, but you are aware of the performance stability when you are relying on a VM-based environment, so there is another layer of performance of the infrastructure itself which you need to take into consideration when talking about stability.

    Sometimes the product performance is good, but the infrastructure you are using causes some performance issues.

    Now VMware is doing great when it comes to performance, so the performance of the F5 Advanced WAF licensed on our VMware environment is good as well.

    What do I think about the scalability of the solution?

    This solution is not easy to scale. F5 is suffering from scalability issues. They are struggling with scalability.

    How are customer service and support?

    I never contacted F5's technical support team because we are the main service provider, and this means we have our own support.

    How was the initial setup?

    The initial setup for F5 Advanced WAF is complex.

    What about the implementation team?

    We implemented this solution through our in-house team.

    What's my experience with pricing, setup cost, and licensing?

    Pricing for this solution is higher than average in the market, when compared to its competitors. They should revise their prices in the market.

    There is no additional cost besides the licensing, and it will also depend on the service delivery model: VM-based or hardware-based. The licensing model, however, is similar among all the vendors.

    Which other solutions did I evaluate?

    I evaluated FortiWeb.

    What other advice do I have?

    I work with F5 Advanced WAF (Web Application Firewall). It's hardware-based and VM-based.

    We are a partner of F5 as a technology vendor.

    Deployment of this solution could either be on-premises, via cloud, or both. F5 and VMware has a partnership, so our infrastructure is based on the VMware environment which comes with the F5 capabilities for the WAF.

    The technology is evolving every day and vendors are doing well. Each technology has its pros and cons, and it will take a long time to discuss areas for improvement.

    One of the issues of this solution is that it is complex.

    How long deployment will take will depend on the customer's environment and use cases.

    Maintenance of this solution requires patching the vendor update which is most important for product maintenance or solution maintenance, and doing monitoring for availability and performance.

    F5 Advanced WAF works among all segmentations and all market size: small, medium, or large companies. However, I am seeing based on my experience, that Fortinet's WAF technology: FortiWeb, is now doing much better than F5.

    Fortinet is doing much better in all aspects: in the protection itself, user-friendliness, threat intelligence, etc. The capabilities of FortiWeb is doing good in the market. Both pricing and delivery models are also more competitive than F5 Advanced WAF's.

    My advice to future customers of F5 Advanced WAF or to people thinking of using it is that there is a much better product in the market. One of the better products is Fortinet (FortiWeb).

    I'm rating this solution a six out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    Head of Presales at a tech vendor with 10,001+ employees
    MSP
    Top 20
    Expandable with helpful support and great threat intelligence functionality
    Pros and Cons
    • "The solution is stable."
    • "The deployment side is quite complex."

    What is our primary use case?

    It's considered one of the modules for the LTM box. It's all modules for the LTM box.

    It is actually to protect the customer web application which is published on the internet. It's actually to protect that, and nowadays, we also have this threat intelligence. You will link to the F5 centra, the depository of the threat intelligence database. We always have the latest update on the common threat that is happening currently. You will notify the customer if there's an issue.

    What is most valuable?

    The threat intelligence function is great. Nowadays, there is more awareness on the security side. They'd have a real-time update from F5. It provides peace of mind on the security side for the customer.

    It is an add-on module to protect the web application.

    The solution can scale with planning.

    The solution is stable.

    Support is helpful.

    What needs improvement?

    The deployment side is quite complex. We'd like them to simplify the implementation process. I'm not sure whether they can do that, however, they have to be very detailed on configurations, and sharing of the policy. Anybody that configures this box, the WAF, they have to have knowledge of the application and some of the security portions there as well.

    For how long have I used the solution?

    We've had the solution since last year. We have deployed it to a customer.

    What do I think about the stability of the solution?

    It is stable. Actually, it evolved from ASM, what they call the Application Security Manager, and now they name it Advanced WAF. It's been around for a while. There are no bugs or glitches. It doesn't crash or freeze. 

    What do I think about the scalability of the solution?

    We'll size up based on the customer requirement with some buffer, maybe 20% to 30% for the future extension. There is also some consideration on the capacity planning and the size of the box. You can scale. You just need to plan ahead. 

    In terms of users, with Advanced WAF, normally their role is more related to the security side.

    We just implemented the solution recently and we'll have to wait another three or four years before we change or upgrade the solution. 

    How are customer service and support?

    I've dealt with technical support. We're quite satisfied with them. They're good. 

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    F5 WAF is a web application, in the firewall domain, they have been in the market for a very long time. They know the requirements and the market trends very well. This is the reason why we normally chose F5.

    How was the initial setup?

    The solution is pretty difficult to set up. You really have to have a grasp o the product to configure it correctly.

    The setup takes approximately two months. It's quite a long time. If the application is not ready, then the dependency will be on the application side. Therefore, the cycle is quite long. It depends on the application readiness.

    We just need one to two people to handle deployment and maintenance. 

    What's my experience with pricing, setup cost, and licensing?

    The licensing is charged yearly. It's considered expensive, however, there are more expensive WAFs on the market - like Imperva. F5 is second after Imperva in terms of cost. L1 to L3 support is included in the cost.

    I'd rate the price of the solution at a four out of five in terms of how expensive it is.

    Which other solutions did I evaluate?

    We tend to stay with F5, however, we will look at pricing and try to negotiate based on that. We'd like to get a discount and look at the market to see the costs. 

    What other advice do I have?

    I'd advise that new users need to know the requirement expectations, and then the criticality of the application that they're going to let the user use. Sometimes the application is public to the internet for a public user to log into and query the database. In that case, we're exposed to all kinds of external parties. So if you put something that is cheap in place, something that is not able to do the protection properly, then it will be a very big risk to the company. 

    I'd rate the solution ten out of ten. Our clients have been very happy with it.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partners
    Flag as inappropriate
    Richard Polyak - PeerSpot reviewer
    Sr. Architect Individual Contributor at a media company with 10,001+ employees
    Real User
    Top 10
    Easy event identification, highly stable, and customizable
    Pros and Cons
    • "The most valuable features of F5 Advanced WAF are the easy identification of events and customization. We can pinpoint our settings."
    • "F5 Advanced WAF could improve resource usage, it is CPU intensive. Additionally, adding automated remediation would be a benefit. For example, an easy button alerts us of the events that are occurring, and what we want to do at the time. An automated approach where somebody could be alerted very quickly. Instead of going and reconfiguring everything, an automated approach is what I'm looking at."

    What is our primary use case?

    We are using F5 Advanced WAF to protect certain environments. It protects us against everything, such as botnets, web scraping attacks, and foreign entities attacks. It allows us to hone in on exactly the area that we need to focus on. It's a web-based firewall.

    How has it helped my organization?

    F5 Advanced WAF has benefited our company by protecting us against revenue loss. It's prevented hacks that would have taken us offline or caused us a loss of revenue in different areas.

    What is most valuable?

    The most valuable features of F5 Advanced WAF are the easy identification of events and customization. We can pinpoint our settings.

    What needs improvement?

    F5 Advanced WAF could improve resource usage, it is CPU intensive. Additionally, adding automated remediation would be a benefit. For example, an easy button alerts us of the events that are occurring, and what we want to do at the time. An automated approach where somebody could be alerted very quickly. Instead of going and reconfiguring everything, an automated approach is what I'm looking at.

    For how long have I used the solution?

    I have been using F5 Advanced WAF for approximately five years.

    What do I think about the stability of the solution?

    We can scale the F5 Advanced WAF very easily. We could configure it to be a canned solution or a customized solution. It goes from canned to full customization to what we need.

    What do I think about the scalability of the solution?

    After we sized F5 Advanced WAF just right and identified the correct way to configure it, it's very stable.

    The solution is not being extensively used.

    Which solution did I use previously and why did I switch?

    We have used other solutions previously and in parallel.

    How was the initial setup?

    Generally, F5 Advanced WAF initial setup is straightforward. However, our environment was more complex and it took us a little more time to customize the solution to where we needed it to be. Additionally, the customization didn't rectify everything. We had to do customization to a certain event to prevent attacks that it wasn't catching, but that might not necessarily be the solutions' fault. It could be more of our setup than the solution's fault and not being able to run the latest version or the newer version could be more of a limitation on our ability to put it in the right place.

    The whole implementation to have the solution run at the level we wanted it to take approximately five months.

    Our company's environment is one that we can't put a canned solution in front of. Our environment, cannot have a canned solution that might fit everybody else because of how customized this environment is. It does need a lot of tuning to meet our environment's requirements.

    I rate the initial setup of F5 Advanced WAF a three out of five.

    What about the implementation team?

    We did the implementation of this solution in-house. We have a very small group that is managing it. However, because it's for external users it's not a company use solution. Managing it, it's a very small subset of users that will manage the solution and the environment behind it. It is for external customers only.

    What was our ROI?

    We have received a return on investment by using F5 Advanced WAF which has saved us from losing revenue.

    I rate the return of investment from F5 Advanced WAF a four out of five.

    What other advice do I have?

    My advice to others would be to define the parameters well in the beginning, and then they will be fine. They could define it as a regular canned solution and go from there, instead of working it as not a canned solution. Define the environment and what you need to protect, that way you can build a base protection profile that you could deploy elsewhere instead of building the policy to the environment first because then customizing cannot be deployed easily.

    I rate F5 Advanced WAF an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    Priyesh MP - PeerSpot reviewer
    Solution Architect at Softcell Technologies Limited
    Real User
    Top 5
    Good stability, valuable features, and fair price
    Pros and Cons
    • "The valuable features vary from customers to customers. Some customers are okay with the basic features of the WAF, and some customers use advanced WAF with a few other features."
    • "It should be a little bit easy to deploy in terms of the overall deployment session. One of our customers is a bit unhappy about the reporting options. Currently, it automatically deletes event logs after some limit if a customer doesn't have any external Syslog server. It is a problem for those customers who want to review event logs after a week or so because they won't get proper reports or event logs. They should increase the duration to at least a month or two for storing the data on the device. F5 is not a leader in Gartner Quadrant, which affects us when we go and pitch this solution. Customers normally go and take a look at such annual reports, and because F5 is currently not there as a leader, the customers ask about it even though we are saying it is good in all things. F5 is not known for something totally different or unique. They were a major player in ADP, and they are just rebranding themselves into security. They should improve or increase their marketing as a security company now. They have already started to do that, but they should do it more so that when it comes to security, customers can easily remember F5. At the moment, if we say F5, load balancing comes to mind. With rebranding and marketing, all customers should get the idea that F5 is now mainly focusing on the security part of it, and it is a security company instead of load balancing. This is the first solution that should come to a customer's mind for a web application firewall."

    What is our primary use case?

    We are using it to secure a few applications for our customers. 

    What is most valuable?

    The valuable features vary from customers to customers. Some customers are okay with the basic features of the WAF, and some customers use advanced WAF with a few other features.

    What needs improvement?

    It should be a little bit easy to deploy in terms of the overall deployment session. 

    One of our customers is a bit unhappy about the reporting options. Currently, it automatically deletes event logs after some limit if a customer doesn't have any external Syslog server. It is a problem for those customers who want to review event logs after a week or so because they won't get proper reports or event logs. They should increase the duration to at least a month or two for storing the data on the device.

    F5 is not a leader in Gartner Quadrant, which affects us when we go and pitch this solution. Customers normally go and take a look at such annual reports, and because F5 is currently not there as a leader, the customers ask about it even though we are saying it is good in all things. 

    F5 is not known for something totally different or unique. They were a major player in ADP, and they are just rebranding themselves into security. They should improve or increase their marketing as a security company now. They have already started to do that, but they should do it more so that when it comes to security, customers can easily remember F5. At the moment, if we say F5, load balancing comes to mind. With rebranding and marketing, all customers should get the idea that F5 is now mainly focusing on the security part of it, and it is a security company instead of load balancing. This is the first solution that should come to a customer's mind for a web application firewall.

    For how long have I used the solution?

    I have been using this solution almost for a year.

    What do I think about the stability of the solution?

    It has good stability. Our customers are happy with the implementation. So far, we haven't faced many issues.

    How are customer service and technical support?

    Overall, it has been good. We get proper support, and we haven't faced any challenges. However, F5 doesn't provide support during the demo or POC time. Other vendors provide technical support for demo or POC, but F5 does not. We have to reach out to the local AC every now and then, which is a difficult task because most of the time, he is in some other meeting or busy with something else. So, he isn't able to support us. They should give us some kind of technical support for demos and POCs. We should be able to reach out to them for completing a POC. It would be an added advantage.

    How was the initial setup?

    The implementation was quite smooth. We migrated from CloudFlare to F5 without any major issues. The deployment took almost ten months, and it included the implementation and fine-tuning. The customer had three applications.

    What's my experience with pricing, setup cost, and licensing?

    Its price is fair. We have done a couple of deals where they were able to give some kind of discount to the customers. The price was initially high for the customers, but after a couple of negotiations, it came within their budget. They were happy with that.

    What other advice do I have?

    I would recommend this solution because it is overall a very good solution. As a company, they are very established and stable, and they have a long legacy in the industry. They have been there in the industry for a long time. On top of that, they have very good solutions. They can just improve their offerings and marketing in terms of the new rebranding.

    I would rate F5 Advanced WAF an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Security Expert at a aerospace/defense firm with 10,001+ employees
    Real User
    Top 5
    A reliable and user-friendly solution that provides positive and negative security and has antivirus and DDoS mitigation capabilities
    Pros and Cons
    • "The web application firewall itself is most valuable. It provides positive security and negative security. In negative security, it blocks a task such as cross-site scripting, code injection, etc. In positive security, it lets you specify and enforce things, such as the parameters allowed in username and password fields and the number of characters allowed in a field."
    • "It also has antivirus and DDoS mitigation capabilities. We have enabled these features."
    • "It is also quite intuitive and user-friendly. They have several webinars that are actually like labs. You can use these webinars to learn about how to use all features of the product."
    • "Its price should be better. It is expensive."

    What is our primary use case?

    We have several websites that are exposed to external users. We have a website for interaction with supply chain customers. We also have a website that gives access to CRM functionality to allow our customers to open tickets and disputes. F5 WAF is at the front for security and attack mitigation. It ensures that users are able to access only allowed pages.

    What is most valuable?

    The web application firewall itself is most valuable. It provides positive security and negative security. In negative security, it blocks a task such as cross-site scripting, code injection, etc. In positive security, it lets you specify and enforce things, such as the parameters allowed in username and password fields and the number of characters allowed in a field.

    It also has antivirus and DDoS mitigation capabilities. We have enabled these features. 

    It is also quite intuitive and user-friendly. They have several webinars that are actually like labs. You can use these webinars to learn about how to use all features of the product.

    What needs improvement?

    Its price should be better. It is expensive.

    What do I think about the stability of the solution?

    In general, it is stable and reliable. Over the past few months, several vulnerabilities were found in the product, but which product doesn't have vulnerabilities? The main question is how fast do you get the fix for it, and they provided the fix quite quickly. We had to upgrade it as soon as possible to mitigate the risks.

    What do I think about the scalability of the solution?

    I didn't try to expand it. We have two staff members who are using F5 Advanced WAF.

    In terms of its usage, we are deploying it on all points through which we are exposing services, but we are currently not exposing too many services.

    How are customer service and technical support?

    I had only one case for which I had to call tech support. It wasn't a straightforward ticket. It was quite a challenging ticket. Eventually, they found a solution, but it took some time. It was challenging to find the bug in one of the previous versions. They also didn't know about it. We did the troubleshooting together until we found the problem.

    Which solution did I use previously and why did I switch?

    We were using another solution before switching to F5 Advanced WAF. We didn't have success with that solution because the integrator failed to deploy it properly. It was more complex and not user-friendly.

    How was the initial setup?

    It was a little bit complex. If you want to add an additional layer or model like APM with two-factor authentication, then it requires a little bit more integration.

    What's my experience with pricing, setup cost, and licensing?

    It is expensive. Its price should be better.

    Its licensing is on a yearly basis. Its licensing is also based on the model. There are no additional costs.

    What other advice do I have?

    I would recommend this solution to other users. I will advise others to learn a little bit about how the HTTP protocol works. They should be familiar with the functionality of the product. They should not use it without understanding what they are actually doing.

    I would rate F5 Advanced WAF a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Buyer's Guide
    Download our free F5 Advanced WAF Report and get advice and tips from experienced pros sharing their opinions.
    Updated: July 2022
    Buyer's Guide
    Download our free F5 Advanced WAF Report and get advice and tips from experienced pros sharing their opinions.