F5 Advanced WAF OverviewUNIXBusinessApplication

F5 Advanced WAF is the #3 ranked solution in top Web Application Firewalls. PeerSpot users give F5 Advanced WAF an average rating of 8.4 out of 10. F5 Advanced WAF is most commonly compared to Fortinet FortiWeb: F5 Advanced WAF vs Fortinet FortiWeb. F5 Advanced WAF is popular among the large enterprise segment, accounting for 63% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 20% of all views.
F5 Advanced WAF Buyer's Guide

Download the F5 Advanced WAF Buyer's Guide including reviews and more. Updated: November 2022

What is F5 Advanced WAF?

F5's Advanced WAF is built on proven F5 technology and goes beyond reactive security such as static signatures and reputation to proactively detect and mitigate bots, secure credentials and sensitive data, and defend against application denial-of-service (DoS). Advanced WAF redefines application security to address the most prevalent threats organizations face today.

Advanced WAF is offered as an appliance, virtual edition, and as a managed service—providing automated WAF services that meet complex deployment and management requirements while protecting your apps with great precision. It is the most effective solution for guarding modern applications and data from existing and emerging threats while maintaining compliance with key regulatory mandates.

Advanced WAF redefines application security to address the most prevalent threats organizations face today:

•Web attacks that steal credentials and gain unauthorized access across user accounts.
•Application layer attacks that evade static security based on reputation and manual signatures.
•New attack surfaces and threats due to the rapid adoption of APIs.
•OWASP Top 10 vulnerabilities

F5 Advanced WAF Customers

MAXIMUS, Vivo, American Systems, Bangladesh Post Office, City Bank

F5 Advanced WAF Video

Archived F5 Advanced WAF Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Priyesh MP - PeerSpot reviewer
Solution Architect at Softcell Technologies Limited
Real User
Top 20
Good stability, valuable features, and fair price
Pros and Cons
  • "The valuable features vary from customers to customers. Some customers are okay with the basic features of the WAF, and some customers use advanced WAF with a few other features."
  • "It should be a little bit easy to deploy in terms of the overall deployment session. One of our customers is a bit unhappy about the reporting options. Currently, it automatically deletes event logs after some limit if a customer doesn't have any external Syslog server. It is a problem for those customers who want to review event logs after a week or so because they won't get proper reports or event logs. They should increase the duration to at least a month or two for storing the data on the device. F5 is not a leader in Gartner Quadrant, which affects us when we go and pitch this solution. Customers normally go and take a look at such annual reports, and because F5 is currently not there as a leader, the customers ask about it even though we are saying it is good in all things. F5 is not known for something totally different or unique. They were a major player in ADP, and they are just rebranding themselves into security. They should improve or increase their marketing as a security company now. They have already started to do that, but they should do it more so that when it comes to security, customers can easily remember F5. At the moment, if we say F5, load balancing comes to mind. With rebranding and marketing, all customers should get the idea that F5 is now mainly focusing on the security part of it, and it is a security company instead of load balancing. This is the first solution that should come to a customer's mind for a web application firewall."

What is our primary use case?

We are using it to secure a few applications for our customers. 

What is most valuable?

The valuable features vary from customers to customers. Some customers are okay with the basic features of the WAF, and some customers use advanced WAF with a few other features.

What needs improvement?

It should be a little bit easy to deploy in terms of the overall deployment session. 

One of our customers is a bit unhappy about the reporting options. Currently, it automatically deletes event logs after some limit if a customer doesn't have any external Syslog server. It is a problem for those customers who want to review event logs after a week or so because they won't get proper reports or event logs. They should increase the duration to at least a month or two for storing the data on the device.

F5 is not a leader in Gartner Quadrant, which affects us when we go and pitch this solution. Customers normally go and take a look at such annual reports, and because F5 is currently not there as a leader, the customers ask about it even though we are saying it is good in all things. 

F5 is not known for something totally different or unique. They were a major player in ADP, and they are just rebranding themselves into security. They should improve or increase their marketing as a security company now. They have already started to do that, but they should do it more so that when it comes to security, customers can easily remember F5. At the moment, if we say F5, load balancing comes to mind. With rebranding and marketing, all customers should get the idea that F5 is now mainly focusing on the security part of it, and it is a security company instead of load balancing. This is the first solution that should come to a customer's mind for a web application firewall.

For how long have I used the solution?

I have been using this solution almost for a year.

Buyer's Guide
F5 Advanced WAF
November 2022
Learn what your peers think about F5 Advanced WAF. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
653,757 professionals have used our research since 2012.

What do I think about the stability of the solution?

It has good stability. Our customers are happy with the implementation. So far, we haven't faced many issues.

How are customer service and support?

Overall, it has been good. We get proper support, and we haven't faced any challenges. However, F5 doesn't provide support during the demo or POC time. Other vendors provide technical support for demo or POC, but F5 does not. We have to reach out to the local AC every now and then, which is a difficult task because most of the time, he is in some other meeting or busy with something else. So, he isn't able to support us. They should give us some kind of technical support for demos and POCs. We should be able to reach out to them for completing a POC. It would be an added advantage.

How was the initial setup?

The implementation was quite smooth. We migrated from CloudFlare to F5 without any major issues. The deployment took almost ten months, and it included the implementation and fine-tuning. The customer had three applications.

What's my experience with pricing, setup cost, and licensing?

Its price is fair. We have done a couple of deals where they were able to give some kind of discount to the customers. The price was initially high for the customers, but after a couple of negotiations, it came within their budget. They were happy with that.

What other advice do I have?

I would recommend this solution because it is overall a very good solution. As a company, they are very established and stable, and they have a long legacy in the industry. They have been there in the industry for a long time. On top of that, they have very good solutions. They can just improve their offerings and marketing in terms of the new rebranding.

I would rate F5 Advanced WAF an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Executive Director IT Security at a printing company with 501-1,000 employees
Real User
Time and patience in customizing this solution are rewarded in creating a solid line of defense
Pros and Cons
  • "There is no need to worry about updating signatures because WAF will automatically update the signatures for you."
  • "The support experience is better than average."
  • "The contextual-based component needs a lot of help to catch up with the next-gen products."
  • "There is a learning curve that extends the time of implementation."

What is our primary use case?

What a WAF is happens to be exactly what we are using F5 WAF for: a firewall for our web applications. It is a totally customizable solution. You have our signature-based rule sets and then we can customize to our heart's content depending on what our application can and can not do or what we are trying to protect against.  

So we are using this for anything that is internet-facing. We are applying the WAF there and we are putting it in block mode wherever possible.  

What is most valuable?

The features I think are the most valuable starts with the IP intelligence component. That is separately licensed and it is definitely one component that we have made heavy use of. Geo-blocking is another — which can be done without a WAF because you do not necessarily need a WAF to do it — but the F5 WAF has those capabilities.  

The signature-based controls that F5 has are another one of the heavier-used components that Advanced WAF has. We do not have to worry about updating signatures, et cetera. WAF will automatically update the signatures for us. I think that is a nice feature.  

Those are the biggest things that we are making use of month-to-month.  

What needs improvement?

I think the contextual-based component needs a lot of help. It is all based on regular-expressions. That is something I think companies like Signal Sciences are doing a really good job with. We are transitioning off to Signal Sciences on some of our WAF components because of the capabilities Signal Science has. I think that contextual-base signatures would definitely help in F5 WAF.  

For how long have I used the solution?

Within the enterprise, F5 Advanced WAF (Web Application Firewall) has been rolled out for about six or seven years. I have been working on it for about three to four years.  

What do I think about the stability of the solution?

It is a stable product.  

What do I think about the scalability of the solution?

F5 WAF is a scalable solution. A lot of the employees and other end-users (virtually anybody on the internet who is coming to your site) benefit from the solution. As far as the people who are directly dealing with the administration, maintenance, and deploying the updates, there are maybe two people. But it can certainly scale-out to service passive use.  

How are customer service and technical support?

The F5 tech supports is fairly decent. It is not the top of the line, but they do their job. They give you an account team. The account teams are normally really responsive. When you need to run something by them, they are unlike some other products. With other products you have to go through opening up a ticket — because that is the only way they will respond to you — and later they might come back and say it is not their problem and you need to figure it out on your own. The F5 is very different from that perspective in providing support. Your account team is your go-to group. They will walk you through solutions, help you design solutions, and it is part of the value add of using F5Advanced WAF. I really liked them for the extra effort they put in to provide good support. They do not upsell professional services or anything like that. Because of that, I would rate them a little on the higher side for support than just your average support experience.  

How was the initial setup?

The installation of F5 Advanced WAF is complex. Any WAF that you put in takes a lot of time to install correctly. You never really just drop it in and have it working right off the bat. The only exception I can say that I have come across to that right now is Signal Sciences. You can literally drop that solution in place and put it in blocking mode within the same day. With F5 there is a learning period where you allow it to learn and then you go back because it is based on regular expressions. So you have to go through and check to see that there is normal traffic going through your site, et cetera. In other words, there is training involved. It can take from seven to fourteen days before you get a good signature set up.  

If you just need to turn on the licensing key, that might take 10 seconds to do and that is available essentially immediately when you implement WAF. But when you are talking about implementation — and this is true with any WAF — it is time-consuming. You are integrating a piece of technology with applications that have already been written. It might be a legacy app, it might be a new app or whatever that you use for whatever your use case might be for that application. You are using WAF in order to protect that app. You have to invest time in creating the signatures. That period of time where you are creating the signature is what is complex and extends the period of the implementation.  

That is what I think the true difference is between F5 WAF and the new-gen stuff like Signal Sciences is. With Signal Sciences you literally can just drop in and turn it on.  

What's my experience with pricing, setup cost, and licensing?

F5's licensing varies. I do not know exactly what the individual WAF component costs because they bundle up services and the bundle is what I pay for. I do not pay for individual components.  

What other advice do I have?

Advice that I would give to people considering F5 WAF is to look at and consider other products as well. They have to make sure they know what they are getting into. That is key to finding the right solution. I think WAF requires a lot of time and patience as well as an understanding of your applications in order to make the best use of its capabilities.  

On a scale from one to ten (where one is the worst and ten is the best), I would rate the F5 Advanced WAF as a solid eight-out-of-ten.  

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
F5 Advanced WAF
November 2022
Learn what your peers think about F5 Advanced WAF. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
653,757 professionals have used our research since 2012.
Senior Technical Specialist | Cloud Platforms at a financial services firm with 5,001-10,000 employees
Real User
Good technical support and protection using attack signatures, but the auto scaling and BIG-IQ need improvement
Pros and Cons
  • "I like all of the features, but the main one is the attack signatures."
  • "The BIG-IQ is supposed to centralize the management for all of the boxes but it's not very effective."

What is our primary use case?

F5 is a web application firewall and load balancer. 

The primary use case of this solution is for data protection and security.

What is most valuable?

I like all of the features, but the main one is the attack signatures.

What needs improvement?

If they could separate the control plane from the data plane, it would give us more flexibility, especially with the Hyper Cloud. This could be the reason they purchased NGINX.

They have released the first production release but they are not there yet. It would be good to have this separation in the near future.

Also, automation on the cloud is not easy. It's a bit of a job, and it doesn't auto-scale very well.

They need to work on the BIG-IQ, which is centralized management. There are too many devices. Managing them individually is inconvenient. Essentially, BIG-IQ is supposed to centralize the management for all of the boxes but it's not very effective.

For how long have I used the solution?

I have been using this solution for more than five years.

What do I think about the stability of the solution?

The stability is very good.

There is no solution that is bug-free, but when comparing it with other vendors, I would say that F5 is less buggy than the others.

What do I think about the scalability of the solution?

The scalability is an issue at the moment, which is the reason they need to separate the control plane from the data plane.

We are using this solution daily. It runs 24/7.

How are customer service and technical support?

The technical support is very good. They are knowledgeable and helpful.

How was the initial setup?

The initial setup was simple and it took an hour to deploy.

This solution does not require a lot of maintenance but we need to do the patching regularly.

What about the implementation team?

We do the implementation but at times we get consultations from F5.

What's my experience with pricing, setup cost, and licensing?

It's more expensive than other solutions and depending on the modules, there can be additional fees.

What other advice do I have?

If I would compare F5 with other solutions, the main differences are the support and the stability of the code, it has fewer bugs.

For on-premises deployments I would recommend F5, but for the cloud, it would be questionable.

I would rate this solution a seven of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Jamshaid Dayar - PeerSpot reviewer
Network Engineer at a tech services company with 11-50 employees
Real User
It is very stable as as a load balancer or a web application firewall
Pros and Cons
  • "In terms of F5 Advanced WAF's most valuable features, I would definitely say its stability. F5 is one the most stable products. Either as the load balancer or the web application firewall, it is very stable."
  • "I would say their graphical interface, the GUI. I don't like the GUI as much as before."

What is our primary use case?

There is the Simple WAF and the Advanced WAF. We are currently working on the Advanced WAF, but previously, before the Advanced WAF came out, we were just using the Simple WAF.

We use the on-prem version because the cloud solution is not that popular here.

I have a customer here who has multiple applications dealing with the day to day operations. We have deployed the application firewall in the network and most of their web traffic from outside of their network comes into that WAF. This includes the email application Outlook and their own in-house application tools deployed that they use to sell their merchandise. They have a feature where you can transfer money to the other user based on their mobile phone number. So these web applications and in-house tools are the most used applications in their network.

What is most valuable?

In terms of F5 Advanced WAF's most valuable features, I would definitely say its stability. F5 is one of the most stable products. Either as the load balancer or the web application firewall, it is very stable.

Additionally, the method it uses to block attacks and the logging and support are very good. You can see anything you want in the logging and reporting section of the device, it is very detailed. These are two valuable features from F5.

What needs improvement?

If I had to summarize what needed improvement, I'd say they are currently in the process of updating their software. But more specifically, I would say their graphical interface, the GUI. I don't like the GUI as much as before, but now I think they're focusing on it. We are getting some new good features in the latest update. But there is still room for improvement on the user interface as well. It's easy to use. It's not difficult but it is not pleasing to the eye. Most of the time you want to see something dynamic, something like the reporting section or the system usage, the CPU, some detailed graphs, anything of that sort. So I guess they have some room for improvement there. Don't make it more complicated, just make it more pleasing to the eye.

We are using the most stable version. Because recently we got an email from F5 suggesting that if you have any user on the 14.1.2.0 that there was a vulnerability on that feature. And it was quite a severe one, so they asked us to immediately update that license to another version.

They currently have 15 versions, but they are not stable. They didn't recommend them to us. So most of the customers in Pakistan are using the 14.1.2.6 version. That is the most stable version and is recommended by F5.

My focus is normally on logging and reporting, because customers always ask for a clear reporting criteria. I would like it if they could simplify the reporting process. If I create something, I want to get a good report on it that I can read in seconds or in minutes. I don't want extra details in it. They should work on the exporting of the logging and reporting.

For how long have I used the solution?

I have been using Advanced WAF since it came on the market last year. Advanced WAF is the advanced version of WAF which I have been using for three years.

What do I think about the scalability of the solution?

F5 basically starts their hardware model from a 10GB distribution. So it is a good device to start with and in Pakistan we mostly have up to 40 or 60 gigabytes of devices.

As far as scalability is concerned, we already talked to the customer in detail about what kind of traffic they are expecting in the next five or seven years. Then we decide the box on that data basis and normally we don't have to worry about scaling later.

In terms of adding more features on the F5 hardware, that is a question based on the module. If it takes too much of the CPU, then it is difficult and scaling would be difficult with that hardware. If the hardware is not so many CPU's, then we have to dedicate to each module. Then the scalability becomes a bit difficult. But if you already have hardware that has CPU's in abundance, you can add as many modules as you want. There's no problem.

F5 lets you decide if you want to assign a specific module, a dedicated CPU or nominal resources. You can even decide if you want nominal resources or if you want full resources for that specific module. It all depends on the importance of that module in your business application.

If they are a small company, 250 to 500 employees, or less than 250, then we can go for the virtual Edition of the F5, because as I said, the hardware solution starts from a 10GB box. This can handle thousands of requests per second.

It would be a bit costly for a small scale business. If someone wants F5 and he has less applications and nominal users, he can go for the Virtual Edition. Most of the customers in Pakistan who are using F5 are in the banking sector. They have a good amount of users already, 1500, 3000. So mostly we have banks in Pakistan using F5. And I guess also a few in the education sector and businesses. Otherwise, not many small businesses have F5. The one I mentioned that is using AWAF is a big telecom in Pakistan and they have millions of users. It is not for the very small businesses, I guess.

How are customer service and technical support?

I have had many experiences with customer support, both good and bad. Truthfully, they can improve a bit. There are two methods to engage the F5 support. You either call or email them. It's your choice. 

You decide which location you want to call, either the Singapore or UK office, because there is no support in Pakistan. We have to ask for support from either UAE, Singapore, the UK or the US. If I call, I normally prefer to call Singapore, because our region mostly deals with the Singapore head office. Sometimes there's a problem understanding Singaporean language and it's tough to talk to them. 

But if you reach out over email, then obviously it is easier. Talking to them on the phone is quite a difficult task. Secondly, if you open a customer request from a portal, we have a customer support portal for the client as well. Normally we get the engineer from UK or Singapore. It also depends on the engineer - sometimes he's very responsive. He will just respond to you in an hour or day. And sometimes you get an engineer who is absent for two, three days and you have to call them and change engineers because the first one is not responding.

In short they have to improve a bit on support.

Which solution did I use previously and why did I switch?

We mostly deal with F5 and we always ask our customers who want the web application firewall to go for F5. We do have other web solutions as well, like Fortinet FortiWeb, another popular solution. For small businesses, we don't suggest that. 

We are gold partners with F5, so we always suggest F5.

How was the initial setup?

In terms of the initial setup, for a person who is a bit experienced it is not that difficult. It is a straightforward device. You follow the same principle and the same steps and you are good to go. Just follow the steps. F5 guides you through the initial configuration, which is another of their features. If you don't want to go for the manual config you can just follow their step by step. Press - next, next, next, next then you have the initial configuration done. 

Then you can move to your own configuration according to your network and according to your need. It's an easy device to configure, it's not difficult. 

Only the graphical user interface needs some kind of improvement to make it more modern. But as far as the straightforward install is concerned, it's good and easy.

One person is enough for the deployment and for the check.

In terms of how long it takes to deploy Advanced WAF, it depends on the number of applications you have to put behind the F5 number one. 

The initial network configuration won't take so long if you have all the required data. 

You can set up the initial configuration in an hour or two. But the more applications you add will determine the length of the configuration. 

We mostly deploy Advanced WAF in automatic mode. We don't do the manual configuration of the security side. We just put application details there and we let F5 decide the learning process. It normally takes 15 to 20 days to get a good grip on the application, the language, and the do's and don'ts. We let F5 decide. 

It takes around 15 to 20 days to get it into the blocking mode. But for the configuration for one application it will hardly take 30 minutes to be configured. It all depends on the amount of applications you have.

What other advice do I have?

My advice is that if you need a web application firewall you should go for F5. It is one of the best solutions in the past six or seven years.

F5 has been the leader in this field. It's a stable solution. One just has to decide their organization's goals in the beginning for the next five years or so. Because if they wrongly select the hardware module, they cannot do the scalability if they want to add  a number of modules in the future. So selecting the product should be done with great care. Otherwise, I guess it's okay. If you want a good web application firewall go for F5.

On a scale of one to ten, I would rate F5 Advanced WAF a nine.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Head of IT Security at a financial services firm with 201-500 employees
Real User
The dashboard and reporting are great features of this solution, load balancing and iRules are great as well.

What is our primary use case?

I worked with the solution before starting at this new company and I'm now implementing it in my new job. I'm head of security at our company and we are a customer of NGINX Web Application Firewall. 

What is most valuable?

The product is very easy to use and they provide great support. I like the dashboard and reporting. 

What needs improvement?

The scalability could be improved. There is a version with 25 and 200 Mbps, no options in between

For how long have I used the solution?

I've been using this solution for one year.

What do I think about the stability of the solution?

It's a stable solution. I haven't had any problems with it. 

What do I think about the scalability of the solution?


How are customer service and technical support?

The technical support is good, I'm happy with it.  

How was the initial setup?

The initial setup is straightforward. 

What other advice do I have?

I would rate this product an eight out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Technical Team Leader at a tech services company with 201-500 employees
Real User
Provides load-balancing and security for our enterprise-level clients
Pros and Cons
  • "This solution is an enterprise-class firewall that provides both load-balancing and security."
  • "This solution can be made more user-friendly."

What is our primary use case?

We are a system integrator and we design solutions for our customers. We provide all kinds of networking solutions, as well as security, and we are sometimes responsible for the integration as well.

We are partners with F5 and this is one of the solutions that we provide to our clients.

Our customers are organizations, including government departments, who use their firewall for load-balancing purposes. However, for some time now, they have wanted to add an additional layer of security, which is why they implement this solution.

We normally propose the on-premises deployment model to our customers.

What is most valuable?

This solution is an enterprise-class firewall that provides both load-balancing and security.  Once it's deployed, it works smoothly and without issue.

What needs improvement?

I would like to see the pricing of this solution improved. There are a lot of other products that are trying to compete with this solution, and there are a few now that are very good. I know that F5 doesn't always worry about the pricing because of the branding, but if they want to capture more of the market then they need to consider that not everybody thinks about the brand. Some are concerned with the price, and some of the competitors offer solutions at a lower cost. While it is true that price is only one of the things that people consider, it is one of the major factors that can cause them to lose the battle to a competitor.

This solution can be made more user-friendly.

For how long have I used the solution?

We have been proposing this solution to customers for ten years.

What do I think about the stability of the solution?

This is an enterprise-class product, and as long it is deployed properly it is quite stable. We have not had any issues post-deployment. This is one of the reasons that customers are paying for F5.

What do I think about the scalability of the solution?

This is a very scalable solution.

How are customer service and technical support?

Technical support for this solution is good. We have had a couple of tickets, and it was pretty good.

How was the initial setup?

The complexity of the initial setup is on a case-by-case basis.

If the customer is primarily interested in load-balancing then it is straightforward and it takes a few days. Once the customer is ready with all of their information, it doesn't take much time. In more advanced scenarios, it can take months to fully set up and configure.

Keep in mind that this is an enterprise-level product, so many of the competitors will take less time in setup. Not every engineer can configure F5 WAF.

What about the implementation team?

We perform the integration for our clients. We have our own deployment team that keeps up to date with the latest features in the market. They have the latest training materials and are aware of technical changes that are happening when it comes to these solutions.

When we have this kind of project, one person will be dedicated to the deployment and they will ensure that the solution has been deployed properly. After this, things will be taken care of by the general engineering team. We have a pool of resources who can handle maintenance such as upgrades.

What's my experience with pricing, setup cost, and licensing?

Licensing fees for this solution are paid on a yearly basis.

What other advice do I have?

My advice to anybody who is considering this solution is to have clarity with respect to their own scenario, or application. They have to know what they are expecting out of this deployment. As the system integrator, I may not be sure about the client's applications or how they work internally, so I have to rely on them.

I would rate this solution a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Shiran Cohen - PeerSpot reviewer
Cyber & Security Application Delivery Expert at Hewlett Packard Enterprise
Real User
A stable solution with an easy setup and good technical support
Pros and Cons
  • "The anti-bot protection is the solution's most valuable feature. Safe-guard or credential staffing are also useful features."
  • "The solution's dashboard could be improved. When you're moving from policy to policy, the logs and the integration of the logs in other systems aren't straightforward."

What is most valuable?

The anti-bot protection is the solution's most valuable feature. Safe-guard or credential staffing are also useful features.

What needs improvement?

The templates of the iApps could be better.

The solution's dashboard could be improved. When you're moving from policy to policy, the logs and the integration of the logs in other systems aren't straightforward.

The solution has a lot of training material, but not about integration in a virtual improvement. They should create more documentation around this for users. 

For how long have I used the solution?

I've been using the solution for four years.

What do I think about the stability of the solution?

The solution is stable.

How are customer service and technical support?

Technical support is very good. I only use it four ot five times a year. If I find any bugs I post it to their file. It's very good support. They offer excellent service.

How was the initial setup?

The initial setup was very simple. It was just for the machine: the ASM port and the WAF itself, not the deployment of the appliance, which is why it was easy.

What about the implementation team?

I'm an integrator, so I help implement the solution for clients.

What's my experience with pricing, setup cost, and licensing?

The pricing of the solution is very high.

Which other solutions did I evaluate?

Before selecting this solution, we looked at Kemp. We were concerned with the WAF, which is why we decided not to go with Kemp.

What other advice do I have?

We're using several versions of the solution; anything between versions 12 to 14.

I would recommend the solution. It's the best option for WAF, at least in the last year or so.

I would rate the solution ten out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
User at a financial services firm with 10,001+ employees
Real User
Inspects traffic and automatically creates distinct qualities but it's not so advanced
Pros and Cons
  • "This solution inspects your traffic and based on that, automatically create distinct qualities for you, so you can add this to the policy already created. That's what I like most."
  • "I would not expect traffic details to pass through the web application firewall across the length of the whole application. I think that there is a web application where it can let the application function without traffic going in into the WAF."

What is most valuable?

This solution inspects your traffic and based on that, automatically create distinct qualities for you, so you can add this to the policy already created. That's what I like most.

What needs improvement?

I would not expect traffic details to pass through the web application firewall across the length of the whole application. I think that there is a web application where it can let the application function without traffic going in into the WAF.

I think the solution is already being phased out. They are now going for a more advanced option but I'm referring to the web crawler. The web crawler should be able to allow a web application on its own to create policies, rather than wait for traffic to go to the WAF.

For how long have I used the solution?

I've been using this solution for about three months.

How was the initial setup?

There are templates for creating policies, so the initial setup is very straightforward.

What other advice do I have?

I would want to use ASM, or Area Security Manager, which I would rate as seven of ten. That offers lending passability, where the device should be able to lend or call the application and know the component of an application.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Hillary Ugwuanyi - PeerSpot reviewer
Head IT Infrasrtucture at ActivEdge
Real User
A robust solution that is efficient, scalable, and highly secure
Pros and Cons
  • "The solution isn't too expensive. The license allows you to license what you need and leave out what you don't need."
  • "The solution is tedious. It takes a lot of discrete settings so one needs to get detailed and granular when they use the solution. It takes you a whole lot of energy and concentration to configure. It needs to be much more straight-forward, like other web solutions."

What is most valuable?

The DCI feature is very valuable. The solution is very robust, and I like the setup.

With this solution, you can set distinct perimeters that you can monitor. You can go very granular, which makes it possible to set up very specific perimeters that you are then able to secure.

What needs improvement?

The solution is tedious. It takes a lot of discrete settings so one needs to get detailed and granular when they use the solution. It takes you a whole lot of energy and concentration to configure. It needs to be much more straightforward, like other web solutions.

They need to have a way to define attack signatures. It might help improve the user experience.

For how long have I used the solution?

I've been using the solution for close to four years.

What do I think about the stability of the solution?

The solution is quite stable. Since 2016, there hasn't been any concern in regards to security.

What do I think about the scalability of the solution?

The solution is highly scalable.

How are customer service and technical support?

Technical support is excellent. It's top-notch.

How was the initial setup?

The initial setup was very straightforward. The solution is very compact. It takes more than one month for effective deployment.

What's my experience with pricing, setup cost, and licensing?

The solution isn't too expensive. The license allows you to license what you need and leave out what you don't need.

What other advice do I have?

We currently deal with the on-premises deployment model.

I would recommend the solution for use as an efficient firewall. Security is a complex thing, however, and I would advise others to use multiple vendors for different layers.

I would rate the solution ten out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
IT Engineer at a tech vendor with 51-200 employees
Reseller
Enables our website to work faster and better and it has a lower impact on our server
Pros and Cons
  • "I definitely recommend this solution because of the time you save on analysis."
  • "One thing that can be improved, is to increase the quantity over predefine policy."

What is our primary use case?

We use this program 24/7 as a firewall to block malicious requests. We update regularly.

How has it helped my organization?

The solution speeds up our web application speed. This increases the availability of our services, because of the web base load balancer. It also improves our application security because of the additional features of the web application firewall. So our website works faster and better and it has a lower impact on our servers.

What is most valuable?

The features I find most valuable is the behavior analysis and the additional subscription for global threats. It's an additional feature, which I haven't seen in another solution. I also like the DDos protection behavior too, because some DDos are quite a problem and we have problems with it.

I am very happy with the interface, the dashboard, and the reports. Whenever I see a malicious request, I can see if I blocked it and then I can decide if I want to accept or decline. I am therefore completely happy with the ability to report and so on. 

What needs improvement?

This solution is the best out there on the market. One thing that can be improved, is to increase the quantity over predefine policy. I know it's impossible to do it all, but what I would have liked to increase the ready-to-deploy templates with only a few clicks.

For how long have I used the solution?

I've been using the solution for four months on our premises now.

What do I think about the stability of the solution?

I have had no issues with the stability. Even my friends with bigger installation systems are satisfied with the stability. I believe it depends on how many features you use. I have also had no issues with clusters or software update signature updates. I believe this program is even more stable than the Windows server.

What do I think about the scalability of the solution?

Whenever I need more performance, I just buy upgrade licenses and additional license keys. So scalability is a question of paying more. It is simple. Everybody who uses the site employs external clients. 

How are customer service and technical support?

When I asked support for help they answered the same day with the answer. But it was small issues. I haven't had any serious bugs or any troubleshooting.

Which solution did I use previously and why did I switch?

I have used different products with lower segments in other solutions. Some were magic when it comes to security and availability but they don't provide visibility on how it works, how it secures and so on. And there is no additional protection from both ends to have a behavior analysis. That is why we chose Advanced WAF. We chose it because of its additional features. We need a solution that is stable and that can offer deep analysis.  

How was the initial setup?

The installment was straightforward and it took us about two hours. Deployment took a week or maybe two to complete. Complete installation for such a complex system is quite fast. 

What's my experience with pricing, setup cost, and licensing?

After buying the program, you just pay for the support every year.

What other advice do I have?

I definitely recommend this solution because of the time you save on analysis. It is a stable program and you get additional features. The more you work on it, the more features you discover. I rate this solution ten out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
PeerSpot user
Shiran Cohen - PeerSpot reviewer
Cyber & Security Application Delivery Expert at Hewlett Packard Enterprise
Real User
Top solution for WAF, with a simple initial set up
Pros and Cons
  • "The best solution for WAF."
  • "I think the deployment templates can be better."

What is most valuable?

The anti-bot protection has been the most valuable.

What needs improvement?

I think the deployment template can be better, like the iApps they have in the F5 MPM. I think the deployment templates can be better.

For how long have I used the solution?

I've been using the solution for four years.

What do I think about the stability of the solution?

The solution is pretty stable.

How are customer service and technical support?

The technical support is very good. I'm using the F5 technical support, maybe once a quarter. Something like three to five times a year. When I find a bug then I post them to their forum because I'm using it a lot. I can find the bugs. But its very good support.

How was the initial setup?

The initial setup was very simple. The initial setup is done by the machine. The ASM HS, the WAF itself, not the deployment of the application. So it was very simple, I am working with VIP for almost a full year. Something like ninety percent of my activities are F5 related. I specialize in F5 now and everything in F5 is very, very simple.

What about the implementation team?

I'm an integrator.

What's my experience with pricing, setup cost, and licensing?

I think the price is very high. This is what I hear from the customers. Sometimes we cannot sell the product because it is a higher price.

Which other solutions did I evaluate?

I evaluated a few other options. Kemp, for example, but Kemp is not a WAF it's a load balancer, it's for another model of the F5 so its not related to do WAF. And we're speaking about the WAF. 

What other advice do I have?

I would recommend this solution. It would be the best solution for WAF.

I think the dashboard can be improved. When you move from the policy to policy, the logs and the integration of the logs are without a system. Maybe make it like other SIEM systems and system servers like Splunk. They do have a lot of training videos and manuals. This helps. But not really about integration or feature improvement.

I would rate this solution a ten out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
Senior Engineer at a tech services company with 51-200 employees
Real User
Improves the protection for web applications in production from MySQL injection attacks
Pros and Cons
  • "With F5 Advanced WAF, it was protection for online publications and for our customers that caused us to choose the platform."
  • "F5 Advanced WAF needs better integration within the application, like remote dashboards."

What is our primary use case?

We use F5 Advanced WAF to protect some of our web applications and web services. We use F5 Advanced WAF as a web application firewall in production. 

Our clients are liable for the security of applications on the internet because they are in the banking services sector.

How has it helped my organization?

In this case, we used a few long-term models because F5 Advanced WAF is a complete solution. Our customers do not only use this model. 

F5 Advanced WAF is similar to other solutions used for a lot of projects. 

It's feasible for our customers to improve on their protection ability within the applications from secondary attacks, i.e. MySQL injection.

Each company is liable for the security of the customers using the service.

What is most valuable?

With F5 Advanced WAF, it was protection for online publications and for our customers that caused us to choose the platform. It was integrated by our company and not the dealer. 

What needs improvement?

For F5 Advanced WAF, it's only 70% different over time with upgrades. F5 can still build AWS support after many long years of absence. It's difficult to use.

F5 Advanced WAF needs better integration within the application, like remote dashboards. The pricing is too high. It needs better security features with the interface or dashboard.

We go through some problems with the Disc Doctor services and F5 was recommended to fix or avoid the same situation in the future.

F5 now is the product we use for the web products to have a web application firewall.

We need better integration in the application and more security features in the future.

For how long have I used the solution?

We have been using this solution almost one year. It's new.

What do I think about the stability of the solution?

F5 Advanced WAF is very stable.

How are customer service and technical support?

The technical support of F5 I didn't use, but I heard people like the feature. I haven't needed it personally.

Which solution did I use previously and why did I switch?

We have used some other products but they didn't have enough functionality. You can launch media adaptation for variety with F5. That is one of the biggest advantages of this solution.

How was the initial setup?

In the market now there is a lot of information on the setup of F5 Advanced WAF. You can look for it on the company website. I didn't use F5 support directly, just the materials.

What's my experience with pricing, setup cost, and licensing?

F5 Advanced WAF is not a cheap product.

What other advice do I have?

My advice is to recommend F5 Advanced WAF for use. On a scale of 1 to 10, I would rate F5 Advanced WAF a nine.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Security Specialist at a energy/utilities company with 51-200 employees
Real User
Scans a lot of traffic to protect the corporate web server
Pros and Cons
  • "The most valuable feature is artificial intelligence and to get extra internal access."
  • "The administrator's user interface and some of the settings can sometimes be very complicated to understand."

What is our primary use case?

We use the F5  Web Application firewall to protect our corporate web server. The security of our web is our absolute highest priority.

How has it helped my organization?

We've only been using this solution for six months now, so we can't really see any improvement yet.

What is most valuable?

The most valuable feature is network detection intelligence and the ability to get extra internal access. I don't have knowledge about all the functions but, because it is a fully automatic process, the devices scan a lot of traffic. It is automatically set up to protect our web.

What needs improvement?

The administrator's user interface and some of the settings can sometimes be very complicated to understand. It would really help if they could be easier and more user-friendly. Perhaps the developers can add a training video that shows users what to do. I am sure it is a good product and you only need some experience to become familiar with it.

Another thing that may need improvement, is upgrading from one version to another. It is good, but it can be faster. 

For how long have I used the solution?

We've been testing the F5 -BIG-AWF-VE Web Application for six months now and we plan to implement the solution in July.

What do I think about the stability of the solution?

It is a very stable solution. We currently have three administrators and about 300 users working on it.

What do I think about the scalability of the solution?

The scalability is great because we can change or set this device up for almost everything. We can even extend to other functions and buy new licenses - this product will automatically adapt to these new functions. For example, we can buy a license and F5 will automatically extend to these functions. It is a very simple process to extend functionality to this device. You only need to install the license and configure it.

How are customer service and technical support?

The technical support is perfect. Our company is a corporate partner, and we can also use services directly from other international support centers.

Which solution did I use previously and why did I switch?

It was a very difficult decision to find the right solution. We used open source software before to protect our system's open source architecture.
We switched to F5 WAF because, for us, professional services are absolutely necessary. There are other cheaper options on the market, but when you need support, it can sometimes be a problem. 

How was the initial setup?

We've incorporated our partner and he initiated the setup of this device. He used both the manual and the automatic setup options, and then he compared the two options. And now, as we are in production, we choose either automatic setup or manual setup. The automatic setup is quite easy, but the manual setup is complicated. It all depends on what you want from the product.

What about the implementation team?

Our partner was responsible for the initial setup. 

What other advice do I have?

I will rate the product a nine out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Georges Samaha - PeerSpot reviewer
Security Consultant at a tech services company with 501-1,000 employees
Reseller
Top 5
Offers a plethora of features and has perfect stability
Pros and Cons
  • "I like them because I like the security solution. They get extra marks compared to other solutions or competitors. There are more features than any other product I can think of. They're always monitoring, and the security features offer more than other, lesser products."
  • "You have to buy another module with an extra license, to have the authentication feature."

What needs improvement?

In general, the web interface is not really catchy. It's very powerful, very customizable, but it doesn't have a very nice GUI interface for a new adopter. For them, they'd have to do a lot of configuring. At least the reporting and monitoring parts, let's say, to be honest, should have a better interface. A few other products have very nice dashboards, out of the box, and F5 is not that friendly to use.

Also, when you buy WAF, you have to buy another module called APM to do authentication. You have to buy another module with an extra license, to have the authentication feature. Other vendors have it interwoven. For example, I don't know if Barracuda has it, but Citrix has it under the same license. So maybe add authentication functionality in the AOS license, and not separate.

For how long have I used the solution?

I've been using the solutions for 10 years.

What do I think about the stability of the solution?

The stability is perfect. 10 out of 10. We've not had any trouble with any deployment ever. And they are very big deployments: service providers, TelCos, banking, everywhere. Even on distant parts of the network, we have not had any kind of performance issues. Of course, as long as the sizing is within the appliance performance range. But it never has had a failure in performance or degradation of service or anything like this, as long as the full-time traffic is within the box capability, we've never had an issue.

What do I think about the scalability of the solution?

It's scalable. 

What other advice do I have?

We are a partner for F5, or a system integrator, not the client. So we do the implementation for other companies. I've been working with F5 for more than 10 years, so I know them very well. 

I like them because I like the security solution. They get extra marks compared to other solutions or competitors. There are more features than any other product I can think of. They're always monitoring, and the security features offer more than other, lesser products.

I would rate this solution 10 out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
Senior Network Engineer at PECCO
Real User
Helps with blocking attacks on web applications
Pros and Cons
  • "The initial setup was was easy to install."
  • "People who want to work with the device have to be pro in Linux"

What is our primary use case?

We are a PPS payment providing services company in banking, so, we are using it for that. We are banking company and we are using it as a web application firewall.

How has it helped my organization?

We have an SOC, and for collecting logs we are also using the F5 logs to analyze the securities and events. So having a central log management and F5 really helped us to analyze the security logs. It also helps with blocking the attacks on web applications.

What needs improvement?

Everything is good about the F5 WAF, except the reporting. It's really difficult to set records from that device, the UI is kind of hard to work with, and the reporting must be improved.

As a suggestion to the F5 company, they have to put in shells to have the next generation WAF. So, instead of buying different modules and different hardware and appliances, they can offer an all-in-one solution for WAF.

How was the initial setup?

The initial setup was was easy to install. Our department wasn't installing it, the infrastructure department installed it, so we gave them the policy that we wanted to use.

What about the implementation team?

Because of the sanctions, we couldn't buy it straight from the US, so we bought it from an Iranian company. They provided us that solution. The company that sold us the device also had some people to consult with us to give us best practices from the previous companies that installed it.

What's my experience with pricing, setup cost, and licensing?

I think it's a good product but the F5 uses shells, so the people who want to work with the device have to be pro in Linux. If they can put everything in the UI so every regular security engineer can work with it, it's fabulous.

What other advice do I have?

I would rate the solution 8 out of 10. We are concerned about the other factors but it's actually not F5 company's fault. The pricing is really high here right now because of the dollar rate but it has nothing to do with the F5, it's because of the sanctions I imagine. At the moment it's a really expensive solution for us, not only F5 but the other appliances. 
If I went to another company, and the other company hired me, I would suggest they use this device. Although we don't have a lot of options to choose from around here.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free F5 Advanced WAF Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2022
Buyer's Guide
Download our free F5 Advanced WAF Report and get advice and tips from experienced pros sharing their opinions.