F5 Advanced WAF Reviews

The anti-bot protection has been the most valuable.

I think the deployment template can be better, like the iApps they have in the F5 MPM. I think the deployment templates can be better.

The solution is pretty stable.

The technical support is very good. I'm using the F5 technical support, maybe once a quarter. Something like three to five times a year. When I find a bug then I post them to their forum because I'm using it a lot. I can find the bugs. But its very good support.

The initial setup was very simple. The initial setup is done by the machine. The ASM HS, the WAF itself, not the deployment of the application. So it was very simple, I am working with VIP for almost a full year. Something like ninety percent of my activities are F5 related. I specialize in F5 now and everything in F5 is very, very simple.

I'm an integrator.

I think the price is very high. This is what I hear from the customers. Sometimes we cannot sell the product because it is a higher price.

I evaluated a few other options. Kemp, for example, but Kemp is not a WAF it's a load balancer, it's for another model of the F5 so its not related to do WAF. And we're speaking about the WAF. 

I would recommend this solution. It would be the best solution for WAF.

I think the dashboard can be improved. When you move from the policy to policy, the logs and the integration of the logs are without a system. Maybe make it like other SIEM systems and system servers like Splunk. They do have a lot of training videos and manuals. This helps. But not really about integration or feature improvement.

I would rate this solution a ten out of ten.

F5 is a web application firewall and load balancer. 

The primary use case of this solution is for data protection and security.

I like all of the features, but the main one is the attack signatures.

If they could separate the control plane from the data plane, it would give us more flexibility, especially with the Hyper Cloud. This could be the reason they purchased NGINX.

They have released the first production release but they are not there yet. It would be good to have this separation in the near future.

Also, automation on the cloud is not easy. It's a bit of a job, and it doesn't auto-scale very well.

They need to work on the BIG-IQ, which is centralized management. There are too many devices. Managing them individually is inconvenient. Essentially, BIG-IQ is supposed to centralize the management for all of the boxes but it's not very effective.

I have been using this solution for more than five years.

The stability is very good.

There is no solution that is bug-free, but when comparing it with other vendors, I would say that F5 is less buggy than the others.

The scalability is an issue at the moment, which is the reason they need to separate the control plane from the data plane.

We are using this solution daily. It runs 24/7.

The technical support is very good. They are knowledgeable and helpful.

The initial setup was simple and it took an hour to deploy.

This solution does not require a lot of maintenance but we need to do the patching regularly.

We do the implementation but at times we get consultations from F5.

It's more expensive than other solutions and depending on the modules, there can be additional fees.

If I would compare F5 with other solutions, the main differences are the support and the stability of the code, it has fewer bugs.

For on-premises deployments I would recommend F5, but for the cloud, it would be questionable.

I would rate this solution a seven of ten.

We use F5 Advanced WAF to protect our web applications.

What I found most valuable in F5 Advanced WAF is its automatic policy feature.

What needs to be improved in this solution is the accuracy of its automatic learning feature, because we frequently have to help it manually, particularly to stop blocking things it isn't supposed to block.

The technical support for F5 Advanced WAF, though fast and accurate, is costly. The cost could be improved.

I find F5 Advanced WAF a very stable solution.

The scalability of F5 Advanced WAF is very good.

The technical support for this tool is fast and accurate, but it's expensive.

The initial setup for F5 Advanced WAF was straightforward.

We are the integrator and reseller, so we deployed the solution in-house.

F5 Advanced WAF technical support comes at a cost, and it's expensive.

I'm using the latest version of F5 Advanced WAF: version 16.0.

We don't only use this solution for ourselves, as we also have some customers we implemented it for, because we are a reseller.

Deployment of F5 Advanced WAF took two to three days.

The advice I'd like to give to people who are looking into implementing this product is for them to read the documentation. It's all there.

I'm rating F5 Advanced WAF eight out of ten.

I use F5 for on-premises infrastructure to provide protection.

The most valuable features of this solution are the WAF protection, Data Safe, and the seven-layer DDoS.

I would like to see the API Protection improved.

I have been using F5 Advanced WAF for two years.

We are using the latest version.

It's a stable product. We have no issues with the stability of the F5 Advanced WAF.

We have not yet tried to scale with this solution. We have increased by 15% to 20%. 

There are approximately 100 people in our company who use this solution.

I have contacted technical support several times. They have support consultants to provide help with your cases. I have received advice from them when I have tried to build new systems.

Overall, the technical support is excellent.

I am using it on my personal account on Google Cloud. It is used with cloud solutions. I use Google, Gmail, and Google Drive.

I was not a part of the initial setup.

The solution does not require any maintenance.

This solution was installed by a third party. It may have been the reseller.

I don't have any issue with the pricing of this solution. I am only involved with the technical portion of it.

I am not sure about recommending solutions.

I would rate F5 Advance WAF a nine out of ten.

We are using it to secure a few applications for our customers. 

The valuable features vary from customers to customers. Some customers are okay with the basic features of the WAF, and some customers use advanced WAF with a few other features.

It should be a little bit easy to deploy in terms of the overall deployment session. 

One of our customers is a bit unhappy about the reporting options. Currently, it automatically deletes event logs after some limit if a customer doesn't have any external Syslog server. It is a problem for those customers who want to review event logs after a week or so because they won't get proper reports or event logs. They should increase the duration to at least a month or two for storing the data on the device.

F5 is not a leader in Gartner Quadrant, which affects us when we go and pitch this solution. Customers normally go and take a look at such annual reports, and because F5 is currently not there as a leader, the customers ask about it even though we are saying it is good in all things. 

F5 is not known for something totally different or unique. They were a major player in ADP, and they are just rebranding themselves into security. They should improve or increase their marketing as a security company now. They have already started to do that, but they should do it more so that when it comes to security, customers can easily remember F5. At the moment, if we say F5, load balancing comes to mind. With rebranding and marketing, all customers should get the idea that F5 is now mainly focusing on the security part of it, and it is a security company instead of load balancing. This is the first solution that should come to a customer's mind for a web application firewall.

I have been using this solution almost for a year.

It has good stability. Our customers are happy with the implementation. So far, we haven't faced many issues.

Overall, it has been good. We get proper support, and we haven't faced any challenges. However, F5 doesn't provide support during the demo or POC time. Other vendors provide technical support for demo or POC, but F5 does not. We have to reach out to the local AC every now and then, which is a difficult task because most of the time, he is in some other meeting or busy with something else. So, he isn't able to support us. They should give us some kind of technical support for demos and POCs. We should be able to reach out to them for completing a POC. It would be an added advantage.

The implementation was quite smooth. We migrated from CloudFlare to F5 without any major issues. The deployment took almost ten months, and it included the implementation and fine-tuning. The customer had three applications.

Its price is fair. We have done a couple of deals where they were able to give some kind of discount to the customers. The price was initially high for the customers, but after a couple of negotiations, it came within their budget. They were happy with that.

I would recommend this solution because it is overall a very good solution. As a company, they are very established and stable, and they have a long legacy in the industry. They have been there in the industry for a long time. On top of that, they have very good solutions. They can just improve their offerings and marketing in terms of the new rebranding.

I would rate F5 Advanced WAF an eight out of ten.

I work for a bank and our use case of WAF is to protect our applications, including mobile ones. We are users of this solution and I am an IT specialist engineer. 

Protection from attacks is the best feature of this product. 

We sometimes get pages with false positives. The F5 team does its best to deal with this problem. I'd like to see this product compatible with more mobile applications, like protecting something devices from a malicious server or from the mobile application itself.

We've been using this solution for one year. 

The stability is good. 

The version we are using is not very scalable. 

The technical support is generally good although in some cases they take a long time to respond and we then need to escalate the case to get an answer from a higher level. The team is mature and they are able to solve our problems.

Positive

F5 has good documentation available on their website so deployment is relatively straightforward. 

This is a mature solution and a very powerful device for protecting web applications. I rate this solution eight out of 10. 

We use this solution because we provide a platform that requires a lot of security.

The solution is deployed on cloud.

We have thousands of external users.

I like the security features, especially against SQL injection.

I would like to see additional controls.

I have been using this solution for a year.

The stability is reasonably good. There haven't been any major issues so far.

It's scalable. We haven't had any major issues so far.

We went through the managed service partner, so they did the deployment. Deployment took about 15 days.

We have a few IT experts for maintenance. 

Implementation was done in-house.

I would rate this solution eight out of ten. 

My advice is to do a thorough testing of the application.

This solution inspects your traffic and based on that, automatically create distinct qualities for you, so you can add this to the policy already created. That's what I like most.

I would not expect traffic details to pass through the web application firewall across the length of the whole application. I think that there is a web application where it can let the application function without traffic going in into the WAF.

I think the solution is already being phased out. They are now going for a more advanced option but I'm referring to the web crawler. The web crawler should be able to allow a web application on its own to create policies, rather than wait for traffic to go to the WAF.

There are templates for creating policies, so the initial setup is very straightforward.

I would want to use ASM, or Area Security Manager, which I would rate as seven of ten. That offers lending passability, where the device should be able to lend or call the application and know the component of an application.