Imperva Web Application Firewall Reviews

We use Imperva for our web applications that we have hosted to protect them.

With our deployment setup, the benefit is regarding the security and how threats have been blocked. It's not studied in terms of resources or speed. The threat prevention is the aspect we are monitoring.

Empower administration is user-friendly, and we do not need much for managing day-to-day operations. It is easy to use and has good security. Also, it is very customizable, especially for controlling web browsers and devices.

I would prefer AI integrations for user administration, visualization, log analytics, and risk analysis. If they can bring in generative AI features, that would be useful.

I am working with Imperva at the moment and have been using it for maybe six to seven years.

It's very stable. We haven't had any issues.

Scalability is not a problem since we have enough resources as it's an on-premises version.

We have escalated to tech support and it's quite good. I would rate them a seven point five out of ten.

We didn't use any WAF product before Imperva.

The initial deployment was seamless, and there weren't many complexities.

The deployment was done by a separate company within the company.

I do not have much understanding about F5 yet as I am currently evaluating their solution.

I suggest looking for a cloud-based solution rather than on-premises, which might improve availability, stability, and security.

I'd rate the solution nine out of ten.

I am the administrator of the Web Application Firewall. I manage all the web applications and security regarding it. Some of the main use cases are related to OWASP Top 10 and bot attacks.

We are a distributor of all types of cybersecurity products. We handle more than 170 OEMs, and Imperva Web Application Firewall is one of them.

We were facing issues related to web servers and OWASP Top 10. We had bots rather than human traffic. We went with Imperva for a single-stack solution. We have bot protection, DDoS protection, web application firewall, and database security from Imperva.

It is one of the best solutions that I have worked with. After deploying it, bot attacks have completely stopped. When it comes to OWASP Top 10, it responds very clearly when we do testing, so we are not facing any threats. Compliance is also very good. So, overall, it is very good for security and compliance.

Imperva is known in the market for customization and deployments according to the use cases of the customers. You can deploy it the way you want. You can deploy it in the inline mode, reverse proxy mode, or transfer and bridge mode. You can deploy it according to the environment or infra of the company. In terms of integration, with one click of a button, you can integrate it with your SIEM solution. You have preconfigured SIEM codes. You just need to run that code in the SIEM application, and that is it. You will start getting the logs. It is pretty easy.

For certain web servers, I have it on-prem, and for certain web servers, I have it on the cloud. A basic use case of the customers is that they want a single dashboard for the cloud WAF or on-prem WAF. There is a solution called attack analytics in Imperva. It integrates with on-prem and the cloud, so in a single dashboard, you can see what is happening in your on-prem as well as cloud setup. It is very easy. When it comes to reporting, you can take reports anywhere anytime and you can take logs anywhere anytime. Someone who does not know about cybersecurity can understand the logs. Logs are in English instead of the raw format. Anybody who knows English can understand them. Reporting is very easy. These reports can also be used for audit and compliance.

We use SIEM solutions. We use Splunk, and we use Elastic. We use Datadog and Securonix. I integrated Imperva with Elastic and Splunk. We have a pre-written code. We just have to download that code and run the code in the SIEM solution server. After that, the logs start showing. It is that easy. Integration is that easy. I have also done integration with multifactor authentication, security key, HSM, etc. I have worked with RSA and YubiKey. Both of them were very easy. The integration happened with the click of a button. The integration is seamless and is working perfectly. Our clients are happy. We are happy.

There are many features. There is ease of deployment. You can deploy the Imperva Web Application Firewall in two to three minutes. After that, you have to set the policies. For setting policies, you have toggle buttons. You can turn something on or off.

Writing rules is very easy. There is a toggle button. You do not have to write the parsers and rules. You do not have to be well-versed in it. Anybody who works with the Imperva console for a month can master the solution.

The only disadvantage of Imperva is that it is a pretty costly solution. 

It has been around one year.

It is completely stable. For stability, I would rate it an eight out of ten.

It scales very well. I would rate it a nine out of ten for scalability.

In terms of traffic volumes, being a distributor, we do not face the issue of many customers flooding our website. It is not like an e-commerce company. At peak hours, there is almost 500 Mbps of network traffic. That is it.

I would rate their support a ten out of ten. Even if I call at 2 AM, they pick up, and they answer. 

Positive

I have experience with Akamai and Cloudflare. Cloudflare is not made for enterprises or big companies. It is only for small and medium organizations. This is where Imperva comes into the picture. 

Akamai and Imperva are pretty much similar. The only thing that makes them different is the SLA. Imperva is the only vendor that gives three-second SLAs for DDoS attacks. Imperva can mitigate any DDoS attack in just three seconds. This is the main thing that differentiates Imperva from Akamai. Another thing is that the deployment of Akamai is very complex. You need around two to three days to deploy it. You require senior-level engineers. It is very hard to understand as compared to Imperva.

If you go with the Cloud Web Application Firewall, you can complete deployment in a maximum of half an hour. On-prem deployment is a bit complex. It takes three to four hours.

There are only two people who work with Imperva. We handle many solutions, and we have two people handling Imperva. We manage everything in Imperva only with two engineers. The company does not need to hire many people.

It is very costly, but the return on investment is very high. Its cost was around $70,000, and we got it back in just six months. 

It is very expensive. A basic license costs around $10,000. This is the only disadvantage of the solution. Everything else is pretty good.

When a client comes to us saying that they want to implement Imperva, the first thing that we ask them is if they are willing to spend that much. If they say yes, then we do not even compare it to any other product. We just go for Imperva. Feature-wise, we are confident of it. Any customer would go for it in terms of features.

Overall, I would rate Imperva Web Application Firewall a nine out of ten.

We use the solution to protect applications.

Imperva has a complete picture of how the applications are utilizing it. It is handy. DDoS is good. It has an internally managed database. It is very easy to integrate. We have integrated it with SIEM services.

Apart from predefined templates, it would be helpful if the solution provided an option to customize any new rules or additions based on the requirement.

I have been using Imperva Web Application Firewall for three years.

I rate the solution’s stability an eight out of ten.

The tool is pretty scalable. Around 1,000 users are using this solution.

I rate the solution’s scalability an eight out of ten.

We have used Barracuda. We switched to Imperva because Barracuda was not user-friendly and didn't offer predefined data.

The initial setup is simple.

The product's pricing is flexible.

I rate the product's pricing a seven out of ten, where one is cheap and ten is expensive.

I recommend the solution.

Overall, I rate the solution an eight out of ten.

We primarily use the solution as a firewall.

One good thing about Imperva Web Application Firewall is it can be on the cloud and also it can be on-premise. Either way, you can use it, and it's quite easy. 

It's quite easy to deploy. It is also a self-managed service. It's quite straightforward.

They do provide updates on a quarterly or half-yearly basis.

I don't really use it and therefore can't speak to areas of improvement. 

We've been using it for probably three or four years.

The solution is stable. 

Scalability-wise, it is not so scalable as the solution is quite straightforward. There's not much you can scale with the solution.

Mainly, the IT department uses the solution and there are ten to 20 of them.

Technical support is quite helpful and responsive. They support us well and they are available worldwide so it's quite easy to get help.

The product is very easy to deploy. It's simple and straightforward. It's not an overly complex solution.

Within half a day you can have it up and running. You just need two people to deploy and maintain the solution. 

We are users and also we are resellers.

The version we are using is the latest version. 

It has many valuable options or features. You just need to know what you need for your organization. If not, Imperva will probably tend to sell you almost everything. You just need to know what are the options that you need for your organization. Apart from that, the whole process is quite fast and it's quite reliable.

I'd rate the solution an eight out of ten.

I use the service for protection due to the fact that it has profile functionality.

Protection is the best solution since it has profile functionality.

Interesting alternatives are Akamai and some cloud solutions do exist.

Our primary use case is to protect our cloud production environment.

We have a co-location that we do with our QA and Dev and our pre-production environment. We do everything there. We built it for the production environment so we deploy everything in the cloud. We have the web application firewall in the cloud, after the proxy.

It has threat intelligence and we are using Incapsula. With threat intelligence, we can separate HTTP and HTTPS traffic. We can use Incapsula to send all the threat intelligence to the WAF.

The interface is very user-friendly. You get used to it. It's very convenient.

There could be some limitations rom the converged infrastructure perspective: when you want to converge with everything and you want Imperva to get there easily, because it's not a cloud component. For example, when you want to build servers and you're using OneView to manage your software-defined networks, implementing Imperva right away is not that simple. But if you're doing just a simple cloud infrastructure with servers in there, you're good to go.

Also, we are not able, with Imperva, to block by signatures. Imperva by itself needs to be complemented with another service to do URL filtering. That's why you need Incapsula.

No issues with stability. It has never crashed.

Scalability is affordable. There are no issues with the process of scaling.

They have centralized management, in terms of scalability. They have centralized policy control, they have centralized application profile information. On the dashboard they have Signature Update, Monitoring, Reporting. They clearly thought about the large-scale when they made this product.

We use a partner here in Puerto Rico for Imperva. We have a guy in our shop every day, full-time.

We used Fortigate. We switched because it's not a WAF. When you have a WAF, you want that WAF to do all kinds of configurations, to promote the firewall, to work the way you want it. Imperva came with everything, the whole package.

The initial setup was a little bit complex. But a third-party took care of everything. It's not like putting milk on cereal when you are working with these kinds of configurations. The effectiveness of a web application is going to come from the analysis of what your organization needs. If you don't have that information before you go into Imperva, you're going to have a lot to do when you get there. You need to know what you're doing. It's not something you can take out of the box and put in your infrastructure. It's somewhat hardcore to deal with these kinds of solutions. 

Make sure you understand the way that Imperva charges. It's very affordable. However, I would like to see a package with the Virtual Patching included. You get to do patching separately.

We had F5, Akamai, Fortinet, Barracuda. We may have looked at Juniper as well, I don't remember. Not too many companies have a WAF. Not all the firewall companies are WAF makers.

I think it's perfect. It's a very good application. When you do large-scale deployment you want to protect your physical web application with Imperva, trust me. It gives me peace of mind.

These are guys are from Israel and you should see that place. These guys are the best I have ever seen. They do all kinds of stuff and there is nothing that they cannot do. These people are incredible. They can configure and develop anything, customized, if you want it. Everything has a price, but they can do it right now. They don't have a "no."

We use Imperva with Incapsula so we have web security, we have DDoS protection, we have content delivery networking, we have load-balancing. We do everything with Incapsula cloud. For example, if you have an internet threat, that threat is trying to access your web application. Depending on the threat that you are receiving, the activity monitor is going to be triggered. Once that activity monitor gets triggered, the vulnerability management is going to defend you. It doesn't work for everything the same way. It's very intelligent.

Without tuning, it blocked 88 percent of the vulnerabilities, and when we tuned it, it blocked 98 percent. Whatever was not blocked didn't harm us. We use a third-party for tuning. We tell them what to do it and they do it. They get it done fast, sometimes in two to three days. It depends on what you're asking for. If you're asking for more accuracy, they go the distance to solve your problem. For example, the other day I had some keywords, some attack signatures that they were looking at for false-positives and false negatives, which are two different things. One of the main reasons we got Imperva is that we wanted to block attacks while limiting the number of false positives. I wanted the application scanner not to generate false positives by creating violations. I gave them the information, and the next day it was solved.

To put it in a high-level perspective, you are paying to see the things that are important, but you get a lot of noise. I wanted to reduce that noise. They allowed me to do that. 

Make sure you have the right testing methodology for Virtual Patching. If you want to take your patching to under 30 days, this is the product for you. We reduced it to five days. I think we are the only company where the patching is under five days. We are only doing it at the database-level right now. But we took it down to five days. 

There are proper ways to test a WAF, but the main advice I can give you is that you should not just generate attack traffic. The most effective method, for me, would be to generate both attack and legitimate traffic. That kind of approach will give you a way to rate the ability of the WAF to detect malicious traffic and to distinguish malicious traffic from good traffic. Provide real-world testing scenarios, in which the WAF must block attacks and avoid blocking good traffic at the same time. You will be able to measure how many false positives you're getting. That is the best way to test a WAF: Don't only to generate attack traffic.

Another piece of advice, and here I will jump  to the main fears of this environment - SQL injections, cross-site scripting, which I hate, DT's (Directory Traversals) - is that you need to provide another layer here which is IPS. IPS products will all rely on signatures. They are going to be created by the scanner to stop anything, that's just the basics of threat prevention. If these signatures are easy to circumvent, by using comments and encoding at the same time, they will be available for the WAF to stop any kind of session or cookie tampering. What I'm saying is that there should be technical attack protection. You should be thinking not only about WAF but combining WAF and IPS.

You need to find an IPS that works with it. Imperva has something similar to an IPS, it's not an IPS per se. For example, an IPS cannot detect or stop fraud malware. For that, you need to add certain other levels of security and combine it with employee training. If you get the web application, which is called SecureSphere, the WAF, it will protect you against web page fraud because they go by black IPs. So you can help the IPS on that side and the IPS can help you letting you know what to block from the internal network. You should be considering a combination of WAF and IPS.

Another thing to take into consideration for people who are starting, with respect to deploying a WAF, is that they should validate the accuracy of the solution and the ability it has to protect any application and help you with monitoring and management. It's not just technical stuff.

The tool helps us to meet security requirements. 

I am impressed with the product's scalability, availability, easy management, and security. We were able to integrate the product with Azure and Sentinel. 

I would like the solution to improve its support response time. 

I am working on the solution for two to three years. 

I would rate the product's stability a nine out of ten. 

I would rate the solution's scalability a nine out of ten. We have more than eight to nine sites that are covered by the tool. 

The solution's deployment gets completed in less than 15 minutes. 

I would rate the product a nine out of ten. I discussed with the security teams and they consider the tool a state-of-the-art product. 

We use the latest version with all the functionality, not only WAF. Additionally, we use all the security capability that is possible to enable on Imperva including device security tools like API security.

We use this solution to protect the website for the company.

I find the configurability of the tools and the ease of operation to be the most valuable feature of Imperva.

I have three years of experience with Imperva Web Application Firewall.

This solution is very stable.

Scalability is very good.

Imperva's technical support is very good.

I used to work with Fortinet Web Application Firewall but it was not good.

The initial setup of Imperva is easy to do and only takes a few minutes to deploy.

Imperva Web Application Firewall is very expensive.

I have worked with Azure and find both solutions good. However, Imperva does have more advanced features than Azure.

I am very happy with this solution. I would rate the technical aspect a 10 out of 10, however because of the financial cost, I rate it an 8 out of 10.