F5 Advanced WAF Reviews

We use the product for load-balancing purposes.

The product has valuable features for load balancing, monitoring tools, and HPXpress services.

They could provide better pricing.

We have been using F5 Advanced WAF for a year.

I rate the product's stability an eight out of ten. 

The product is highly scalable. It is suitable for enterprise businesses. I rate its scalability an eight out of ten.

I rate the initial setup process a seven out of ten.

I rate F5 Advanced WAF's pricing a three out of ten.

I rate F5 Advanced WAF an eight out of ten.

We use F5 Advanced WAF to protect our web applications.

What I found most valuable in F5 Advanced WAF is its automatic policy feature.

What needs to be improved in this solution is the accuracy of its automatic learning feature, because we frequently have to help it manually, particularly to stop blocking things it isn't supposed to block.

The technical support for F5 Advanced WAF, though fast and accurate, is costly. The cost could be improved.

I find F5 Advanced WAF a very stable solution.

The scalability of F5 Advanced WAF is very good.

The technical support for this tool is fast and accurate, but it's expensive.

The initial setup for F5 Advanced WAF was straightforward.

We are the integrator and reseller, so we deployed the solution in-house.

F5 Advanced WAF technical support comes at a cost, and it's expensive.

I'm using the latest version of F5 Advanced WAF: version 16.0.

We don't only use this solution for ourselves, as we also have some customers we implemented it for, because we are a reseller.

Deployment of F5 Advanced WAF took two to three days.

The advice I'd like to give to people who are looking into implementing this product is for them to read the documentation. It's all there.

I'm rating F5 Advanced WAF eight out of ten.

We have several websites that are exposed to external users. We have a website for interaction with supply chain customers. We also have a website that gives access to CRM functionality to allow our customers to open tickets and disputes. F5 WAF is at the front for security and attack mitigation. It ensures that users are able to access only allowed pages.

The web application firewall itself is most valuable. It provides positive security and negative security. In negative security, it blocks a task such as cross-site scripting, code injection, etc. In positive security, it lets you specify and enforce things, such as the parameters allowed in username and password fields and the number of characters allowed in a field.

It also has antivirus and DDoS mitigation capabilities. We have enabled these features. 

It is also quite intuitive and user-friendly. They have several webinars that are actually like labs. You can use these webinars to learn about how to use all features of the product.

Its price should be better. It is expensive.

In general, it is stable and reliable. Over the past few months, several vulnerabilities were found in the product, but which product doesn't have vulnerabilities? The main question is how fast do you get the fix for it, and they provided the fix quite quickly. We had to upgrade it as soon as possible to mitigate the risks.

I didn't try to expand it. We have two staff members who are using F5 Advanced WAF.

In terms of its usage, we are deploying it on all points through which we are exposing services, but we are currently not exposing too many services.

I had only one case for which I had to call tech support. It wasn't a straightforward ticket. It was quite a challenging ticket. Eventually, they found a solution, but it took some time. It was challenging to find the bug in one of the previous versions. They also didn't know about it. We did the troubleshooting together until we found the problem.

We were using another solution before switching to F5 Advanced WAF. We didn't have success with that solution because the integrator failed to deploy it properly. It was more complex and not user-friendly.

It was a little bit complex. If you want to add an additional layer or model like APM with two-factor authentication, then it requires a little bit more integration.

It is expensive. Its price should be better.

Its licensing is on a yearly basis. Its licensing is also based on the model. There are no additional costs.

I would recommend this solution to other users. I will advise others to learn a little bit about how the HTTP protocol works. They should be familiar with the functionality of the product. They should not use it without understanding what they are actually doing.

I would rate F5 Advanced WAF a nine out of ten.

We are using it to secure a few applications for our customers. 

The valuable features vary from customers to customers. Some customers are okay with the basic features of the WAF, and some customers use advanced WAF with a few other features.

It should be a little bit easy to deploy in terms of the overall deployment session. 

One of our customers is a bit unhappy about the reporting options. Currently, it automatically deletes event logs after some limit if a customer doesn't have any external Syslog server. It is a problem for those customers who want to review event logs after a week or so because they won't get proper reports or event logs. They should increase the duration to at least a month or two for storing the data on the device.

F5 is not a leader in Gartner Quadrant, which affects us when we go and pitch this solution. Customers normally go and take a look at such annual reports, and because F5 is currently not there as a leader, the customers ask about it even though we are saying it is good in all things. 

F5 is not known for something totally different or unique. They were a major player in ADP, and they are just rebranding themselves into security. They should improve or increase their marketing as a security company now. They have already started to do that, but they should do it more so that when it comes to security, customers can easily remember F5. At the moment, if we say F5, load balancing comes to mind. With rebranding and marketing, all customers should get the idea that F5 is now mainly focusing on the security part of it, and it is a security company instead of load balancing. This is the first solution that should come to a customer's mind for a web application firewall.

I have been using this solution almost for a year.

It has good stability. Our customers are happy with the implementation. So far, we haven't faced many issues.

Overall, it has been good. We get proper support, and we haven't faced any challenges. However, F5 doesn't provide support during the demo or POC time. Other vendors provide technical support for demo or POC, but F5 does not. We have to reach out to the local AC every now and then, which is a difficult task because most of the time, he is in some other meeting or busy with something else. So, he isn't able to support us. They should give us some kind of technical support for demos and POCs. We should be able to reach out to them for completing a POC. It would be an added advantage.

The implementation was quite smooth. We migrated from CloudFlare to F5 without any major issues. The deployment took almost ten months, and it included the implementation and fine-tuning. The customer had three applications.

Its price is fair. We have done a couple of deals where they were able to give some kind of discount to the customers. The price was initially high for the customers, but after a couple of negotiations, it came within their budget. They were happy with that.

I would recommend this solution because it is overall a very good solution. As a company, they are very established and stable, and they have a long legacy in the industry. They have been there in the industry for a long time. On top of that, they have very good solutions. They can just improve their offerings and marketing in terms of the new rebranding.

I would rate F5 Advanced WAF an eight out of ten.

What a WAF is happens to be exactly what we are using F5 WAF for: a firewall for our web applications. It is a totally customizable solution. You have our signature-based rule sets and then we can customize to our heart's content depending on what our application can and can not do or what we are trying to protect against.  

So we are using this for anything that is internet-facing. We are applying the WAF there and we are putting it in block mode wherever possible.  

The features I think are the most valuable starts with the IP intelligence component. That is separately licensed and it is definitely one component that we have made heavy use of. Geo-blocking is another — which can be done without a WAF because you do not necessarily need a WAF to do it — but the F5 WAF has those capabilities.  

The signature-based controls that F5 has are another one of the heavier-used components that Advanced WAF has. We do not have to worry about updating signatures, et cetera. WAF will automatically update the signatures for us. I think that is a nice feature.  

Those are the biggest things that we are making use of month-to-month.  

I think the contextual-based component needs a lot of help. It is all based on regular-expressions. That is something I think companies like Signal Sciences are doing a really good job with. We are transitioning off to Signal Sciences on some of our WAF components because of the capabilities Signal Science has. I think that contextual-base signatures would definitely help in F5 WAF.  

Within the enterprise, F5 Advanced WAF (Web Application Firewall) has been rolled out for about six or seven years. I have been working on it for about three to four years.  

It is a stable product.  

F5 WAF is a scalable solution. A lot of the employees and other end-users (virtually anybody on the internet who is coming to your site) benefit from the solution. As far as the people who are directly dealing with the administration, maintenance, and deploying the updates, there are maybe two people. But it can certainly scale-out to service passive use.  

The F5 tech supports is fairly decent. It is not the top of the line, but they do their job. They give you an account team. The account teams are normally really responsive. When you need to run something by them, they are unlike some other products. With other products you have to go through opening up a ticket — because that is the only way they will respond to you — and later they might come back and say it is not their problem and you need to figure it out on your own. The F5 is very different from that perspective in providing support. Your account team is your go-to group. They will walk you through solutions, help you design solutions, and it is part of the value add of using F5Advanced WAF. I really liked them for the extra effort they put in to provide good support. They do not upsell professional services or anything like that. Because of that, I would rate them a little on the higher side for support than just your average support experience.  

The installation of F5 Advanced WAF is complex. Any WAF that you put in takes a lot of time to install correctly. You never really just drop it in and have it working right off the bat. The only exception I can say that I have come across to that right now is Signal Sciences. You can literally drop that solution in place and put it in blocking mode within the same day. With F5 there is a learning period where you allow it to learn and then you go back because it is based on regular expressions. So you have to go through and check to see that there is normal traffic going through your site, et cetera. In other words, there is training involved. It can take from seven to fourteen days before you get a good signature set up.  

If you just need to turn on the licensing key, that might take 10 seconds to do and that is available essentially immediately when you implement WAF. But when you are talking about implementation — and this is true with any WAF — it is time-consuming. You are integrating a piece of technology with applications that have already been written. It might be a legacy app, it might be a new app or whatever that you use for whatever your use case might be for that application. You are using WAF in order to protect that app. You have to invest time in creating the signatures. That period of time where you are creating the signature is what is complex and extends the period of the implementation.  

That is what I think the true difference is between F5 WAF and the new-gen stuff like Signal Sciences is. With Signal Sciences you literally can just drop in and turn it on.  

F5's licensing varies. I do not know exactly what the individual WAF component costs because they bundle up services and the bundle is what I pay for. I do not pay for individual components.  

Advice that I would give to people considering F5 WAF is to look at and consider other products as well. They have to make sure they know what they are getting into. That is key to finding the right solution. I think WAF requires a lot of time and patience as well as an understanding of your applications in order to make the best use of its capabilities.  

On a scale from one to ten (where one is the worst and ten is the best), I would rate the F5 Advanced WAF as a solid eight-out-of-ten.  

F5 is a web application firewall and load balancer. 

The primary use case of this solution is for data protection and security.

I like all of the features, but the main one is the attack signatures.

If they could separate the control plane from the data plane, it would give us more flexibility, especially with the Hyper Cloud. This could be the reason they purchased NGINX.

They have released the first production release but they are not there yet. It would be good to have this separation in the near future.

Also, automation on the cloud is not easy. It's a bit of a job, and it doesn't auto-scale very well.

They need to work on the BIG-IQ, which is centralized management. There are too many devices. Managing them individually is inconvenient. Essentially, BIG-IQ is supposed to centralize the management for all of the boxes but it's not very effective.

I have been using this solution for more than five years.

The stability is very good.

There is no solution that is bug-free, but when comparing it with other vendors, I would say that F5 is less buggy than the others.

The scalability is an issue at the moment, which is the reason they need to separate the control plane from the data plane.

We are using this solution daily. It runs 24/7.

The technical support is very good. They are knowledgeable and helpful.

The initial setup was simple and it took an hour to deploy.

This solution does not require a lot of maintenance but we need to do the patching regularly.

We do the implementation but at times we get consultations from F5.

It's more expensive than other solutions and depending on the modules, there can be additional fees.

If I would compare F5 with other solutions, the main differences are the support and the stability of the code, it has fewer bugs.

For on-premises deployments I would recommend F5, but for the cloud, it would be questionable.

I would rate this solution a seven of ten.

We use the solution to secure web applications running in the organization.

F5 is one of the best products. We use it for multiple segments within our organization and applications. It is a central point of all the applications being scrubbed and checked.

The customer service could be improved.

I have been using F5 Advanced WAF for more than ten years.

The product is stable.

I rate the solution’s stability a seven out of ten.

The solution is scalable.

Our entire organization and clients use the solution.

The initial setup is easy since I have used the technology for almost 20 years. Some applications require more attention depending on what you are doing and trying to achieve with the particular module. You need some assistance from the team in configuring the different components within the application through the web.

The solution is worth the money that you spend.

The solution is expensive.

Whatever you are looking for can be done on the platform. Some features may not be available with IO components. A few features give you the flexibility that no other product can.

Overall, I rate the solution an eight out of ten.

I work for a bank and our use case of WAF is to protect our applications, including mobile ones. We are users of this solution and I am an IT specialist engineer. 

Protection from attacks is the best feature of this product. 

We sometimes get pages with false positives. The F5 team does its best to deal with this problem. I'd like to see this product compatible with more mobile applications, like protecting something devices from a malicious server or from the mobile application itself.

We've been using this solution for one year. 

The stability is good. 

The version we are using is not very scalable. 

The technical support is generally good although in some cases they take a long time to respond and we then need to escalate the case to get an answer from a higher level. The team is mature and they are able to solve our problems.

Positive

F5 has good documentation available on their website so deployment is relatively straightforward. 

This is a mature solution and a very powerful device for protecting web applications. I rate this solution eight out of 10.