F5 Advanced WAF Reviews

Our company uses the solution for customer use cases to replicate environments, perform integrations, and check for changes or issues. We have many internal users because we have a wide database of customers. 

Most customers have WAF or Advanced WAF but if you dig deep from a high-level perspective, then you find issues with configurations or missing security enhancements. 

The platform is capable of doing many API integrations and other things. Customers with public websites use our client-facing service to upload attachments. Often, customers are not integrating the solution with a malware sandboxing tool. This feature is natively in-the-box so protection can be enabled with a few steps. We determine if attachments are uploading malicious files because there isn't protection in the normal solution. We find out if customers are doing vulnerability or risk assessments. Integration tools such as Qualys help because we can import a file to resolve F5 issues. 

For one use case, a customer might have enabled the tech signature for a specific tech but an IP exclusion or public IP exclusion is a bit risky.

Another use case is for database security where we utilize the solution's very comprehensive security features. We can make a SQL database more visible to database security and order logs for the logins to the station tool. 

It is very powerful to be able to enable database security integration for an administrator or customers.

The integration between modules is good. You can license the APM policy manager, integrate, and make security posters for VPN clients. You can natively integrate the login pages to ensure client machines and websites are protected. 

The solution includes the typical load balancing offered by other vendors but has enhanced security compliance features that are powerful and easy to configure.

It is easy to obtain dashboard compliance because security policy views are included.  

The solution requires a bit of advanced knowledge. They are trying to make configurations less complicated by including guides, particularly for application protection in the cloud. Nothing is complicated but it takes a hands-on approach and a few hours to a few months to become familiar with how the solution works. 

The solution should include RASP which is runtime application security protection. Imperva includes RASP but the solution does not at this point. RASP would provide another level of application protection at the code itself.  

I am a certified F5 engineer and have been using the solution for four years. 

I am a partner so I use both the on-premises and the public cloud solution. To get certification, you need to complete a lot of labs and training on your own. You must go into detail with everything and get your hands dirty. 

I use the public cloud solution for my own labs. There is a free F5 public cloud tenant that includes other features for setting up a lab or application. 

The solution's virtual edition can be deployed in other cloud services such as Azure, AWS, and OCI. The virtual edition takes the on-premises version to the cloud so it is not difficult to implement. The only difference is the cloud-native version includes the WARP feature that is used for web application API protection. 

The solution is definitely stable so I rate stability a nine out of ten. 

The solution is quite scalable so I rate scalability a nine out of ten. 

To be honest, I have not needed support because I have the knowledge to fix anything unless it is a bug within the solution. 

The initial setup is not complex so I rate it a ten out of ten. 

For on-premises, it might take two weeks to deploy security policies which depend on application traffic. You choose a policy set type from fundamental, comprehensive, or rapid according to your needs. Then, you apply the policy. 

For example, you can deploy a quick policy for a nonfinancial side to protect from common threats. In this case, you choose the rapid security policy, choose the application language, and add the SQL or PHP server technology to implement the attack signature. This is helpful because you don't need to apply all of the OS signatures if you only have Windows. Just pull the Windows signature and it will be plugged. 

Then you proceed to the staging model for awhile to pick up the negative security model. You can proceed with a mix of negative and unboxing security models. After that, you start deploying, defining URL parameters, and setting other policies. You put it to staging and make edits. If you don't find too many suggestions or false positives, then you deploy it in blocking mode to the vendor. 

After two or three weeks, if the owner is fine with the policies and number of false positives, then you put it to blocking. 

We implement the solution for customers. Implementation can be done by one person who is knowledgeable about the product and procedures. 

IT managers generally do not dig deep inside the solution because there is quite a bit of detail. They have a high-level overview but certified experts dig deep into configurations. 

I am not sure about pricing but licenses are available on Google. 

The solution is not about improving functionality but about improving the security of an infrastructure itself. You are improving the security profile so that data is not exposed to an attacker. 

I definitely recommend that everyone use the solution and rate it a nine out of ten. 

The primary use case is to secure the organization's applications from web-based attacks, securing both web applications and APIs.

The product is used to secure web applications and has the ability to use API templates and bot protection features, such as blocking requests or presenting CAPTCHA pages to end users. We also implement Swagger files for API security and use custom profiles for device ID threshold management.

The main improvement needed is related to IP intelligence. Once we start receiving traffic from repetitive IP addresses, we have to report it to the SOC team to block it at the layer four level. Users would like to have an additional IP intelligence license to handle this within WAF itself without needing to engage with the SOC team.

The solution has been used for three years.

Customer service and support depend on the level of support subscribed to, such as silver or platinum support, which determines the response time.

Positive

Deploying the solution involves an application learning and blocking phase. The process includes collecting application data, creating policies, and applying them to lower testing environments like QA or dev before moving to UAT and production. The learning phase is used to handle false positives and fine-tune the policies before going live.

The in-house team manages and supports the WAF, handling incidents reported by end users when legitimate traffic is blocked. They update the policies to prevent the recurrence of similar blocks.

The pricing and support service levels affect response times from customer service, depending on whether the support level is silver, platinum, etc.

We are exploring cloud-based solutions like Azure WAF and AWS WAF.

I rate F5 Advanced WAF an eight out of ten.

In Pakistan, the banking and financial sector requires F5 WAF solutions. I worked with other companies that had more clients, but my current company is a start-up. We have Palo Alto business, but we're trying to get F5 business.

F5 products are highly stable, top-notch solutions, and we have also the expertise to deploy and design the F5 and Palo Alto product lines. I have more than 10 years of experience with F5 and Palo Alto. I have deployed around F5 products for around seven or eight customers of F5.

F5 should consider adding network detection and response.

We have been using F5 solutions for two years, including load balancers and Advanced WAF.

Advanced WAF is highly stable.

F5 products are scalable, and they have an excellent R&D department. Their product is constantly maturing.

F5 technical support is excellent. They are experts who always provide the right solution, and they understand the problem. Their response and resolution times are good.

Advanced WAF is a difficult product for new users, but it's not too challenging if you have experience. Nevertheless, F5 products are generally considered to be hard to deploy. 

F5's hardware product line is called BIG-IP, and they have many software licenses for IP DNS, Advanced WAF, APM, anti-spam, etc. We have around 10 licenses.

I rate F5 Advanced WAF 10 out of 10. I would highly recommend the entire F5 product line.

Our company installs the solution for customers who require more features than are available with FortiADC. 

One of our customers is a bank that has API for both web and mobile applications. We use the solution to load balance and provide protection for the API requests that come from customers to the application server. With more than 200,000 DNS requests per second, the solution's advanced features are the best fit to the customer's needs. 

The solution uses AI to protect against botnet attacks. 

The solution has a vCMP-like feature that allows you to visualize more than two  TMOS at the same time on your hardware. This feature is not available with other solutions. 

The solution should include protection against web page attacks like what is available in FortiWeb. 

The solution should integrate with Kubernetes. I believe there is a new ADC planned for the end of 2022 that will accomplish this goal. 

I have been using the solution for six years. 

The solution is super stable with extra chassis space. 

We sometimes use solution to its maximum capacity and it is still stable with no crashes. 

The solution is super scalable. 

FortiADC is a good solution for small or mid-sized companies but F5 can handle the largest companies. 

Across all of our customers, we have more than a million users at the same time with no issues.

I have not needed technical support. 

The initial setup is more complex than FortiADC and takes about twice the amount of time. 

Our company provides setup and deployment for our customers. 

The solution is very expensive so should only be used in the right environment. I believe each device costs around $20,000 and includes a three-year license. 

I rate the cost a ten out of ten. 

We do not consider other options for large companies but do install FortiADC for small to mid-sized companies. 

It is important to know your network and assess your needs such as dust protection, VAT, and load balancing before deciding if FortiADC or F5 are the best solution.  

F5 is expensive so is only appropriate for large companies with high-level use. 

I rate the solution a nine out of ten. 

We are using F5 Advanced WAF to protect certain environments. It protects us against everything, such as botnets, web scraping attacks, and foreign entities attacks. It allows us to hone in on exactly the area that we need to focus on. It's a web-based firewall.

F5 Advanced WAF has benefited our company by protecting us against revenue loss. It's prevented hacks that would have taken us offline or caused us a loss of revenue in different areas.

The most valuable features of F5 Advanced WAF are the easy identification of events and customization. We can pinpoint our settings.

F5 Advanced WAF could improve resource usage, it is CPU intensive. Additionally, adding automated remediation would be a benefit. For example, an easy button alerts us of the events that are occurring, and what we want to do at the time. An automated approach where somebody could be alerted very quickly. Instead of going and reconfiguring everything, an automated approach is what I'm looking at.

I have been using F5 Advanced WAF for approximately five years.

We can scale the F5 Advanced WAF very easily. We could configure it to be a canned solution or a customized solution. It goes from canned to full customization to what we need.

After we sized F5 Advanced WAF just right and identified the correct way to configure it, it's very stable.

The solution is not being extensively used.

We have used other solutions previously and in parallel.

Generally, F5 Advanced WAF initial setup is straightforward. However, our environment was more complex and it took us a little more time to customize the solution to where we needed it to be. Additionally, the customization didn't rectify everything. We had to do customization to a certain event to prevent attacks that it wasn't catching, but that might not necessarily be the solutions' fault. It could be more of our setup than the solution's fault and not being able to run the latest version or the newer version could be more of a limitation on our ability to put it in the right place.

The whole implementation to have the solution run at the level we wanted it to take approximately five months.

Our company's environment is one that we can't put a canned solution in front of. Our environment, cannot have a canned solution that might fit everybody else because of how customized this environment is. It does need a lot of tuning to meet our environment's requirements.

I rate the initial setup of F5 Advanced WAF a three out of five.

We did the implementation of this solution in-house. We have a very small group that is managing it. However, because it's for external users it's not a company use solution. Managing it, it's a very small subset of users that will manage the solution and the environment behind it. It is for external customers only.

We have received a return on investment by using F5 Advanced WAF which has saved us from losing revenue.

I rate the return of investment from F5 Advanced WAF a four out of five.

My advice to others would be to define the parameters well in the beginning, and then they will be fine. They could define it as a regular canned solution and go from there, instead of working it as not a canned solution. Define the environment and what you need to protect, that way you can build a base protection profile that you could deploy elsewhere instead of building the policy to the environment first because then customizing cannot be deployed easily.

I rate F5 Advanced WAF an eight out of ten.

We are using F5 Advanced WAF for the applications that we are publishing mainly for intrusion prevention and proxy features.

The most valuable features of F5 Advanced WAF are the overall capabilities, there is not a comparable solution on the market.

F5 Advanced WAF could improve the reporting. It's a bit difficult to populate, them. If you're not so familiar with the functions, such as where to find the logs and other settings.

In a future release, it would be beneficial to have a DNS boost feature.

I have been using F5 Advanced WAF for approximately five years.

I rate the stability of F5 Advanced WAF a ten out of ten.

We have approximately 300 users using this solution in my organization.

I rate the scalability of F5 Advanced WAF a nine out of ten.

I was previously using NGINX App Protect and we switched to F5 Advanced WAF because the GUI was better.

The full implementation of the solution took approximately eight hours. There are sections of the configuration at can be difficult.

We used a third party to do the implementation.

I rate F5 Advanced WAF an eight out of ten.

F5 Advanced WAF can be deployed on-premise or in the cloud. When it comes to local governmental organizations, it's mostly on-premises solutions they use. However, we recommend using virtual ones.

F5 Advanced WAF is used for protecting applications.

The most valuable features of F5 Advanced WAF are the balancer and you can change policies very easily.

The overall price of F5 Advanced WAF could improve.

I have been familiar with F5 Advanced WAF for approximately one year.

I have not had any customers complaining about the stability.

F5 Advanced WAF is scalable.

The initial setup of F5 Advanced WAF is easy.

I rate the setup of F5 Advanced WAF a four out of five.

The ease of maintenance of F5 Advanced WAF depends from customer to customer. If the company had someone trained or they have an inside person who is reliable for this maintenance, they typically do not have any problems.

The price of F5 Advanced WAF could improve it is expensive.

There can be extra features added at an additional cost.

I rate the price of F5 Advanced WAF a three out of five.

Our clients pick this solution over others because it is one of the leading companies in the category.

I can recommend F5 Advanced WAF to any customer because we have experience, and referrals from customers using it within different models. If it comes to WAF, LTM, or whatever. I'm very happy to sell it because it is one of the leading vendors within its line. Our customers within the financial market, such as banking organizations, are very happy with it.

I rate F5 Advanced WAF a nine out of ten.

We use the solution for load balancing and web application firewall (WAF) balancing. We operate in a data center and use it for web application security and services.

The solution provides strong web security, particularly against web attacks, and has effective bot detection that helps reduce bot attacks.

Web attack signatures are very important for detecting web attacks. The bot detection feature is also crucial in reducing bot attacks.

The product could be more user-friendly, particularly the user interface for administrators. Additionally, configuration can be quite complex and needs improvement to be less complex.

I've been using it for almost three years.

The product is very stable. From one to ten, I would rate its stability at a nine out of ten.

The solution is scalable. We use it for multiple customers and data centers, and I would rate its scalability as nine.

The customer service is good. That siad, sometimes it takes too long to reach the right person. I would rate their effectiveness as an eight.

Positive

I am familiar with Citrix NetScaler and F5.

The initial setup was not too challenging. Post-initial configurations can be complex.

Two to three engineers are typically involved in maintenance operations.

I don't know the exact pricing. It is not the cheapest yet not the most expensive. It depends on needs, budget, and vision.

I have experience with Citrix solutions.

I recommend this product to others.

I'd rate the solution eight out of ten.