F5 Advanced WAF Reviews

Our company uses the solution for customer use cases to replicate environments, perform integrations, and check for changes or issues. We have many internal users because we have a wide database of customers. 

Most customers have WAF or Advanced WAF but if you dig deep from a high-level perspective, then you find issues with configurations or missing security enhancements. 

The platform is capable of doing many API integrations and other things. Customers with public websites use our client-facing service to upload attachments. Often, customers are not integrating the solution with a malware sandboxing tool. This feature is natively in-the-box so protection can be enabled with a few steps. We determine if attachments are uploading malicious files because there isn't protection in the normal solution. We find out if customers are doing vulnerability or risk assessments. Integration tools such as Qualys help because we can import a file to resolve F5 issues. 

For one use case, a customer might have enabled the tech signature for a specific tech but an IP exclusion or public IP exclusion is a bit risky.

Another use case is for database security where we utilize the solution's very comprehensive security features. We can make a SQL database more visible to database security and order logs for the logins to the station tool. 

It is very powerful to be able to enable database security integration for an administrator or customers.

The integration between modules is good. You can license the APM policy manager, integrate, and make security posters for VPN clients. You can natively integrate the login pages to ensure client machines and websites are protected. 

The solution includes the typical load balancing offered by other vendors but has enhanced security compliance features that are powerful and easy to configure.

It is easy to obtain dashboard compliance because security policy views are included.  

The solution requires a bit of advanced knowledge. They are trying to make configurations less complicated by including guides, particularly for application protection in the cloud. Nothing is complicated but it takes a hands-on approach and a few hours to a few months to become familiar with how the solution works. 

The solution should include RASP which is runtime application security protection. Imperva includes RASP but the solution does not at this point. RASP would provide another level of application protection at the code itself.  

I am a certified F5 engineer and have been using the solution for four years. 

I am a partner so I use both the on-premises and the public cloud solution. To get certification, you need to complete a lot of labs and training on your own. You must go into detail with everything and get your hands dirty. 

I use the public cloud solution for my own labs. There is a free F5 public cloud tenant that includes other features for setting up a lab or application. 

The solution's virtual edition can be deployed in other cloud services such as Azure, AWS, and OCI. The virtual edition takes the on-premises version to the cloud so it is not difficult to implement. The only difference is the cloud-native version includes the WARP feature that is used for web application API protection. 

The solution is definitely stable so I rate stability a nine out of ten. 

The solution is quite scalable so I rate scalability a nine out of ten. 

To be honest, I have not needed support because I have the knowledge to fix anything unless it is a bug within the solution. 

The initial setup is not complex so I rate it a ten out of ten. 

For on-premises, it might take two weeks to deploy security policies which depend on application traffic. You choose a policy set type from fundamental, comprehensive, or rapid according to your needs. Then, you apply the policy. 

For example, you can deploy a quick policy for a nonfinancial side to protect from common threats. In this case, you choose the rapid security policy, choose the application language, and add the SQL or PHP server technology to implement the attack signature. This is helpful because you don't need to apply all of the OS signatures if you only have Windows. Just pull the Windows signature and it will be plugged. 

Then you proceed to the staging model for awhile to pick up the negative security model. You can proceed with a mix of negative and unboxing security models. After that, you start deploying, defining URL parameters, and setting other policies. You put it to staging and make edits. If you don't find too many suggestions or false positives, then you deploy it in blocking mode to the vendor. 

After two or three weeks, if the owner is fine with the policies and number of false positives, then you put it to blocking. 

We implement the solution for customers. Implementation can be done by one person who is knowledgeable about the product and procedures. 

IT managers generally do not dig deep inside the solution because there is quite a bit of detail. They have a high-level overview but certified experts dig deep into configurations. 

I am not sure about pricing but licenses are available on Google. 

The solution is not about improving functionality but about improving the security of an infrastructure itself. You are improving the security profile so that data is not exposed to an attacker. 

I definitely recommend that everyone use the solution and rate it a nine out of ten. 

My clients often seek a comprehensive security solution for their hybrid environments, with both cloud and on-premise web applications. To address this, I recommend combining F5 Advanced WAF for web application security with Fortinet solutions, including FortiGate, FortiSign, and FortiAnalyzer, for broader network security aspects like vulnerability ranking, patch management, and remediation. I focus on FortiGate and FortiAnalyzer, collaborating with a colleague who manages firewall setup, ensuring a robust and unified security approach for our clients.

F5's user-friendly interface and seamless integration stand out as the most valuable features for us. The intuitive interface streamlines tasks, providing a straightforward experience. F5's adaptability in diverse environments sets it apart, especially when compared to alternatives like FortiGate. Despite being pricier, the ease of integration and user-friendly design make F5 Advanced WAF our preferred choice for securing web applications. F5's commitment to customer engagement, exemplified by hosting a certification event in Nigeria, further shows its support and involvement in our region.

One area for improvement in the product is its SSO integration, which posed challenges and required significant effort to resolve. The complexity of SSO deployment, coupled with high associated costs, could be addressed to enhance usability. Streamlining the SSO process and revisiting cost considerations would contribute to an improved user experience.

I have been working with F5 Advanced WAF for three years.

I would rate the stability as a nine out of ten.

I would give the scalability of the solution an eight out of ten. It is quite scalable and performs well. I would recommend F5 Advanced WAF for medium-sized businesses and enterprises, primarily due to considerations around cost and sustainability. The solution is well-suited for companies of this size, ensuring that not only is it deployed effectively, but it can also be sustained over time to meet ongoing security needs.

The technical support is good. I would rate it as a seven out of ten.

Neutral

For an end-to-end solution, Fortinet stands out over F5 Advanced WAF. Fortinet's comprehensive product suite, including FortiGate, FortiAnalyzer, and integrated features like CMDD, provides a more seamless and holistic approach to security. While F5 is strong in certain areas, the integrated capabilities of Fortinet make it my preferred choice for a comprehensive security solution.

The initial setup for F5 Advanced WAF is user-friendly and relatively straightforward.

The main drawback of F5 is the cost, which can be a challenge. 

Overall, I would rate F5 Advanced WAF as a nine out of ten.

We use this solution for load balancing and web application firewall (WAF) services. We use the solution standalone and not integrated with other solutions.

It provides web application security and reduces bot attacks.

The web attack signatures are very important for detecting attacks, and the bot detection capability is an important feature that works well with F5 Advanced WAF.

The product could be more user-friendly for administrators. The user interface could be easier.

I have been using it for almost three years.

The solution is very stable. I would rate its stability as nine out of ten.

Very scalable. We use this solution for multiple customers and across data centers.

The solution offers good support. That said, sometimes it takes too much time to reach the right person.

Positive

I have also worked with Citrix NetScaler and F5 products, depending on customer needs.

The initial configuration is not too difficult, but subsequent configurations can be complex because they depend on customer needs.

I don't have direct knowledge of the pricing. From what I know, it is not too expensive compared to other solutions.

I am familiar with F5 and Citrix NetScaler solutions.

I recommend this product to others because of its effectiveness in mitigating threats.

I'd rate the solution eight out of ten.

Our client has an internally hosted website, and they wanted us to help them in reducing the attack surface in their web application, so we use F5 Advanced WAF for that purpose.

The most valuable feature of F5 Advanced WAF is its ability to have a pool of resources that can distribute your traffic, and that is a plus for me. My company tried to look into a competitor, Imperva, but it was lacking that capability, so F5 Advanced WAF outperforms Imperva.

For me, an area for improvement in F5 Advanced WAF is the reporting as it isn't so clear. The vendor needs to work on the reporting capability of the solution.

What I'd like to see in the next release of F5 Advanced WAF is threat intelligence to protect your web application, particularly having that capability out-of-the-box, and not needing to pay extra for it, similar to what's offered in FortiWeb, for example, any request that originates from a malicious IP will be blocked automatically by FortiWeb. F5 Advanced WAF should have the intelligence for blocking malicious IPs, or automatically blocking threats included in the license, instead of making it an add-on feature that users have to pay for apart from the standard licensing fees.

I've been using F5 Advanced WAF for about two years.

F5 Advanced WAF is a super stable solution. I've not been aware of any issues with the solution whenever my company uses it.

How scalable F5 Advanced WAF is would depend on what resources your client or the virtual server has. It all boils down to the allocated resources. For me, F5 Advanced WAF is pretty much scalable in terms of the resources I've assigned.

I contact the technical support team of F5 Advanced WAF from time to time, and I would rate support eight out of ten. What the support team needs to improve is the SLA, particularly the speed of response.

Positive

In terms of setting up F5 Advanced WAF, what was challenging was the network part, but the rest wasn't that difficult. It took almost two weeks to complete the setup for F5 Advanced WAF.

We implemented F5 Advanced WAF ourselves.

It's hard to tell if the customer got ROI from F5 Advanced WAF because it's based on the initial deployment and approach. It would've been just a matter of time before the customer enjoyed ROI from the solution. My company never experienced a serious incident with the use of F5 Advanced WAF for the customer, so my assumption is at some point, the customer is realizing the ROI.

The pricing for F5 Advanced WAF is comparable to a Rolls-Royce. Its price is a bit high when you compare it with other vendors. F5 Advanced WAF is a bit expensive. The customer was on a three-year plan and it was around $560,000.

We evaluated Imperva, but F5 Advanced WAF was able to outperform Imperva.

I'm an administrator of F5 Advanced WAF for my customer, so I'm more of a user. I'm not a partner or reseller of F5. I'm just a consultant and administrator.

From what I recall, during the time of deployment, my company was using version 15 of F5 Advanced WAF, but I'm not so sure if there's been a new version or an upgrade after that version.

My company has less than ten users/administrators of F5 Advanced WAF.

My advice for people who want to implement the solution, though I might be biased because I've not used other solutions, but as far as I am concerned, F5 Advanced WAF is one of the most stable solutions I've ever used, so it's good to implement.

My rating for F5 Advanced WAF is nine out of ten.

We are using F5 Advanced WAF to protect certain environments. It protects us against everything, such as botnets, web scraping attacks, and foreign entities attacks. It allows us to hone in on exactly the area that we need to focus on. It's a web-based firewall.

F5 Advanced WAF has benefited our company by protecting us against revenue loss. It's prevented hacks that would have taken us offline or caused us a loss of revenue in different areas.

The most valuable features of F5 Advanced WAF are the easy identification of events and customization. We can pinpoint our settings.

F5 Advanced WAF could improve resource usage, it is CPU intensive. Additionally, adding automated remediation would be a benefit. For example, an easy button alerts us of the events that are occurring, and what we want to do at the time. An automated approach where somebody could be alerted very quickly. Instead of going and reconfiguring everything, an automated approach is what I'm looking at.

I have been using F5 Advanced WAF for approximately five years.

We can scale the F5 Advanced WAF very easily. We could configure it to be a canned solution or a customized solution. It goes from canned to full customization to what we need.

After we sized F5 Advanced WAF just right and identified the correct way to configure it, it's very stable.

The solution is not being extensively used.

We have used other solutions previously and in parallel.

Generally, F5 Advanced WAF initial setup is straightforward. However, our environment was more complex and it took us a little more time to customize the solution to where we needed it to be. Additionally, the customization didn't rectify everything. We had to do customization to a certain event to prevent attacks that it wasn't catching, but that might not necessarily be the solutions' fault. It could be more of our setup than the solution's fault and not being able to run the latest version or the newer version could be more of a limitation on our ability to put it in the right place.

The whole implementation to have the solution run at the level we wanted it to take approximately five months.

Our company's environment is one that we can't put a canned solution in front of. Our environment, cannot have a canned solution that might fit everybody else because of how customized this environment is. It does need a lot of tuning to meet our environment's requirements.

I rate the initial setup of F5 Advanced WAF a three out of five.

We did the implementation of this solution in-house. We have a very small group that is managing it. However, because it's for external users it's not a company use solution. Managing it, it's a very small subset of users that will manage the solution and the environment behind it. It is for external customers only.

We have received a return on investment by using F5 Advanced WAF which has saved us from losing revenue.

I rate the return of investment from F5 Advanced WAF a four out of five.

My advice to others would be to define the parameters well in the beginning, and then they will be fine. They could define it as a regular canned solution and go from there, instead of working it as not a canned solution. Define the environment and what you need to protect, that way you can build a base protection profile that you could deploy elsewhere instead of building the policy to the environment first because then customizing cannot be deployed easily.

I rate F5 Advanced WAF an eight out of ten.

We are using F5 Advanced WAF for the applications that we are publishing mainly for intrusion prevention and proxy features.

The most valuable features of F5 Advanced WAF are the overall capabilities, there is not a comparable solution on the market.

F5 Advanced WAF could improve the reporting. It's a bit difficult to populate, them. If you're not so familiar with the functions, such as where to find the logs and other settings.

In a future release, it would be beneficial to have a DNS boost feature.

I have been using F5 Advanced WAF for approximately five years.

I rate the stability of F5 Advanced WAF a ten out of ten.

We have approximately 300 users using this solution in my organization.

I rate the scalability of F5 Advanced WAF a nine out of ten.

I was previously using NGINX App Protect and we switched to F5 Advanced WAF because the GUI was better.

The full implementation of the solution took approximately eight hours. There are sections of the configuration at can be difficult.

We used a third party to do the implementation.

I rate F5 Advanced WAF an eight out of ten.

The primary use case is to secure the organization's applications from web-based attacks, securing both web applications and APIs.

The product is used to secure web applications and has the ability to use API templates and bot protection features, such as blocking requests or presenting CAPTCHA pages to end users. We also implement Swagger files for API security and use custom profiles for device ID threshold management.

The main improvement needed is related to IP intelligence. Once we start receiving traffic from repetitive IP addresses, we have to report it to the SOC team to block it at the layer four level. Users would like to have an additional IP intelligence license to handle this within WAF itself without needing to engage with the SOC team.

The solution has been used for three years.

Customer service and support depend on the level of support subscribed to, such as silver or platinum support, which determines the response time.

Positive

Deploying the solution involves an application learning and blocking phase. The process includes collecting application data, creating policies, and applying them to lower testing environments like QA or dev before moving to UAT and production. The learning phase is used to handle false positives and fine-tune the policies before going live.

The in-house team manages and supports the WAF, handling incidents reported by end users when legitimate traffic is blocked. They update the policies to prevent the recurrence of similar blocks.

The pricing and support service levels affect response times from customer service, depending on whether the support level is silver, platinum, etc.

We are exploring cloud-based solutions like Azure WAF and AWS WAF.

I rate F5 Advanced WAF an eight out of ten.

We use the solution for load balancing.

They should improve the capability, and then they should work on the virtualization of NGINX. Currently, most environments are virtualized. F5 Advanced WAF will not be able to protect it.

I have been using F5 Advanced WAF as a reseller for 5 years.

Technical support is good but not enough. It takes a lot of time to get support.

Neutral

The initial setup is not so easy nor not so complex. There is a learning phase, and there are policies to apply. It complies with regulations. Recently, we used it for Formula One, and it proved very effective.

ROI is covered in one year. You can see how it protects and mitigates damages in the network.

The product is not so expensive. It depends on the assets.

There are other solutions for data loss prevention, such as Symantec and IP solutions. There are options available for DNS blocking. While these solutions may specialize in certain aspects, They offer comprehensive coverage across various areas. Each vendor specializes in different aspects, but F5 Advanced WAF excels in its particular domain.

I recommend the solution. Most of the environment is going to virtualization.

Overall, I rate the solution an 8 out of 10.