NGINX App Protect Reviews

I'm following on a project in an initial phase and was looking for products for networking and security. I used NGINX App Protect, as a proxy, for the website. I have also implemented a simple web application firewall using NGINX and naxsi years ago. I have never used other solutions with NGINX App Protect apart from the proxy and the web application firewall features.
From my hands-on experience, NGINX App Protect is mainly useful when you want solid app and API security without changing how you already use NGINX. I’ve used it to protect web applications and APIs from the usual OWASP Top 10 issues, and what stands out is that it runs close to the app, so performance stays predictable and there’s no extra hop in the traffic flow. It works really well in Kubernetes and microservices environments, where you can apply security at the ingress or even per service and manage policies as code in the same CI/CD pipelines used by the dev teams. I’ve also seen it being effective against Layer-7 DDoS and abusive traffic, especially for APIs, because it learns normal behavior and reduces false positives. 

Overall, it feels less like a traditional external WAF and more like a native extension of NGINX that fits naturally into day-to-day operations

NGINX App Protect is a good product. I have used both versions from F5 -also the free version- (I mean the NGINX/NGINX One/App Protect free trial period), and I think it is a good product. It's stable, affordable, and easy to manage. NGINX App Protect is a comprehensive security solution that combines advanced WAF, DoS protection, API security, and DevSecOps automation in a lightweight, scalable package ideal for modern cloud-native architectures. 

The adaptive machine learning capabilities are truly commendable, as the solution can establish traffic baselines and detect anomalies in real time. It automatically adjusts security policies, minimizing the need for manual intervention and reducing false positives. Additionally, it supports scalable deployment across diverse environments, including on-premises, cloud, Kubernetes, and containers, offering both flexibility and scalability

I have experience with the web server, F5 load balancer, and similar products provided by Ergon, for eg. the web application firewall and the Microgateway for K8S. I'm also familiar with F5 BIG-IP products.

The GUI and web GUI configuration could be improved to be easier to manage and use.

I have been using this for more or less 20 years.

NGINX App Protect is a good product and performs very well even when it is under stress.

It was not so hard. NGINX App Protect is pretty easy to manage and configure overall.

Only a consultant was involved. I'm working for Adesso Schweiz, a German company that has a business unit in Ticino, Switzerland.

It's not among the cheapest solutions but the expense is justified given the robustness it offers. My priority isn't cost optimization, but the preservation of future capabilities.

I've never used any other solutions and I'm not aware of any alternatives that are as intensive as this one.

I have created a web application firewall. I created it a couple of years ago. The timeframe for implementation would be difficult to provide because it depends on the project, many variables, and the validation process. Overall, I think NGINX App Protect is good. My review rating for this product is 7 out of 10.

I have been dealing with NGINX App Protect and the WAF policy. I usually recommend NGINX App Protect for banking and telecom, and for anyone that has their own database or servers that they host websites from. Usually, this is the presales part, and they do this work. I go to show them the presentation of what we can offer or show them the POC that we are already hosting on our servers.

I really love NGINX App Protect. It has been two months, and I love the functionality. I love the ease of implementation and the NIM, the Instance Manager. It is very easy to use and very user-friendly.

Its integration with DevOps is pretty good. Currently, I am using it as an NGINX Ingress controller, using the Plus certificate, and it is working perfectly. It is making it a lot easier than the regular one.

I assess the impact of real-time threat detection on the cybersecurity measures by testing it on the local environment and showing it to the customer. They appreciate it, and I appreciate it, so I think it is pretty good. Some threats like injection and running scripts, SQL injections, these all get stopped and rejected by the server, so I think it is doing its job.

I did not face any issues with NGINX App Protect. The only issue that we had is that someone was trying to install the POC for the customer, and he by mistake installed the Instance Manager on the same machine with NGINX Plus and the NGINX Agent, so this caused a conflict with the packages. We had to reinstall everything. I think this would not happen if it was on Kubernetes or something, but this was the issue, and we did not know that this was the issue.

For now, I think NGINX App Protect is good, but maybe I would like to see the logging feature added. If they can provide a real logging system, we would not have to integrate with Prometheus or any other logging tool. I think this would be a lot better, maybe a plugin that we can install. Maybe a logging portal that we can use from NGINX itself would be beneficial.

I have been dealing with NGINX App Protect for nothing more than two months.

Before working with WAF, I did not work with anything related to NGINX at all. I was just working with regular NGINX. If we have a front-end server, we implement the normal community edition just to redirect and reverse proxy, nothing related to any security.

My main use case for NGINX App Protect is primarily in our infrastructure layer with Kubernetes, as I am using it to protect my application from attacks like DDoS and provide additional firewall protection to my application.

A specific example of how NGINX App Protect helped defend my application was during an attempted DDoS attack, when it flagged those requests and protected one of my applications.

The best features NGINX App Protect offers include a firewall, seven layers of DDoS protection, additional API securities, and threat intelligence services.

Of the features I mentioned, I find myself relying the most on Layer 7 DDoS protection because it protected one of my applications during a DDoS attack, and that has been quite helpful.

NGINX App Protect has positively impacted my organization by adding an additional layer of security on top of my infrastructure layer, which I consider quite helpful.

I think NGINX App Protect could be improved by having it come out of the box with NGINX.

I have been using NGINX App Protect for deployments in servers for more than two to three years.

NGINX App Protect is stable in my experience.

The scalability of NGINX App Protect is good and open source at its best, and I would rate it an 8 or 9 out of 10.

The customer support for NGINX App Protect is good.

I would rate the customer support a 9 on a scale of 1 to 10.

Positive

I cannot answer regarding whether I previously used a different solution before NGINX App Protect.

I cannot give a quantifiable metric at the moment regarding return on investment from using NGINX App Protect, but it did help with our compliance.

I will not be able to answer about my experience with pricing, setup cost, and licensing for NGINX App Protect, as something different handles that in my team.

I could not recall the name of the other options, but I did an evaluation between others before choosing NGINX App Protect.

I would rate this product an 8 overall.

Positive

Positive

NGINX App Protect is easier to automate and configure, or manage from an API. This is good for securing applications. However, it's not suitable for more complex tasks.

NGINX App Protect positively impacted performance changes. There's a cache or it works like a proxy, so it can speed up applications. It can also offload some functions from servers, which NGINX can handle faster.

It has simple functions, especially for CICD pipelines and automation capabilities. The functions are not as broad as the Advanced WAF.

NGINX has signature-based detection, DOS protection, and bot protection.

It doesn't have more advanced features like no false-positive security, which you can configure in Advanced WAF.

It should be simple and easy to manage. The functions cannot be too complex because that would decrease the value of its management. So, I think it's good for now.

It's good support. In some cases, it's fast and helpful, but in others, it's slow and requires escalation. Overall, it's good compared to some other vendors.

Neutral

I have experience with F5 Advanced WAF (F5), it is a popular F5 product. 

I have also used FortiWeb. 

The complexity and time for the setup depend on the type of app. With experience, it can take a few minutes to a few hours to install and protect applications on a basic level. 

For more granular security, it takes more time to configure, but it's not very difficult with experience.

There are benefits. Implementing it improves network security posture. If you have a CICD pipeline, it's easy to integrate and manage automatically.

I don't know the prices. It's a case-by-case thing.

Compared to Advanced WAF, it is cheaper.

There are scenarios where it's very good to use and implement. I would recommend it for securing specific applications with specific requirements. It's not for everyone, but many customers find it improves security.

Overall, I would rate it an eight out of ten.

I use the solution in my company since it has the ability to offer protection from external threats, including the ones under OWASP Top 10. The tool gives you a log report, audit report, and access log report. You can also create your own profile and have the option to block or create transparent, block, and learning modes.

Right now, the tool doesn't provide an option revolving around update feeds, specifically the signature update option in the UI. My company uses NGINX Management Suite, which doesn't have the option for UI. NGINX Management Suite doesn't have the proper UI to change a configuration file, which is an ability that the tool should offer.

It would be good if NGINX could provide documentation explaining how to deploy gRPC over NGINX App Protect.

I have experience with NGINX App Protect.

The stability of the product is very impressive since it handles 60,000 to 70,000 requests or transactions per second.

It is a highly scalable solution.

In my company, 1,600 users use the tool. My company uses NGINX App Protect as a WAF product that we use for our applications and put in front of the applications' users, which would be around 10,00,00,00,000 users.

The solution's technical support is fine.

I have experience with NGINX Plus.

The product's initial setup phase is very easy.

My company has taken NGINX App Protect's license from F5, so we received the necessary support for installation. The installation of the tool was very easy for our company.

My company could take care of the deployment of NGINX App Protect with some .deb files. The Debian file was available on the website of F5 that we installed on one or two machines in our environment, after which some configurations were required to be done so that we could use NGINX App Protect.

The solution is deployed on an on-premises model.

NGINX App Protect secures our company's application, and it has helped me a lot, considering that we have critical infrastructure in India where we see how lots of attacks come onto our organization's servers. The tool offers protection against multiple threats present in India's IT ecosystem. The tool helps our company to make our payments secure, meaning it has the ability to provide a secure payment environment in India.

Speaking about the improvements in our company's application performance since implementing NGINX App Protect, the gRPC support for the solution is very low. My company is not getting any proper documentation on how to deploy gRPC over NGINX App Protect.

I recommend the product to those who plan to use it. People can use the product as their company's base server, WAF, or for its proxy manager, depending on the business requirements.

My company follows PCI DSS compliance because we operate in a payment-related industry. Right now, my company follows all the standards, so we comply with all the requirements and policies.

I rate the tool an eight out of ten.

Mail Proxy Server and SMTP are quite effective features in the product. The tool's API connectivity across the hybrid network is pretty impressive, which is almost the same as the threat intelligence capabilities of NGINX.

The product's price is high, making it an area of concern where improvements are required. The tool's licensing model is also not good.

The product should have more documentation, especially like the ones provided by other OEMs.

I have been using NGINX App Protect for five years. I use NGINX App Protect WAF Release 5.0. My company has a partnership with F5.

My company is currently dealing with one enterprise-sized company and one financial organization.

The product's initial setup phase was a bit difficult since the articles and other documentation were not that good.

When it comes to the implementation part, at least seven days are needed for the testing phase since there may be some struggles in several places, and one may have to go directly to the OEM just to make sure that we can study the tool properly.

The product's price is high.

If NGINX App Protect does not fit the budget of our customers, then my company recommends Radware to such clients. Radware's OEM engagement is better than that of NGINX App Protect.

I don't have any problem with NGINX App Protect's OEM engagement. When I directly engage with the tool's OEM, I see that they are really helpful. When it comes to OEM, F5 has an amazing feature set and is pretty technical. Technicians from F5 can help any time with any request of a client associated with the tool, and they also help to help clients so our company's deals with them can mature further.

The product is good since NGINX is involved in a lot of research and development work. Two years ago, my company used the firewall from NGINX. In the previous year, my company entered into a deal with Radware.

Whether I would recommend the product to others depends on their requirements and the type of business they are doing, among other factors.

Speaking about how the tool has been able to handle new and emerging security threats, I would say that my company is testing the product to see if it fits our requirements. My company is testing some threats.

My company has not tested the product with any of the tool's AI-driven security initiatives, but we may do so later since we are only working on one deal associated with Radware.

The tool is not complex and is very user-friendly.

I rate the tool a ten out of ten.

The solution is useful to protect applications. Another use case is integrating NGINX into your deployment pipelines, allowing you to protect your workflows directly from your deployment pipelines.

The product is very robust. It's very easy to deploy. You need to take into consideration that it's a security solution that requires knowledge of backend programming. The security team needs to communicate effectively with the developer team for successful integration. If you align communication between the security and developer teams, you'll have the best deployment possible. The way it works is that developers have their way of doing things, and there's a security-centric approach.

NGINX App Protect could provide a better user interface.

The product is stable.

The solution is scalable. We have more than ten customers using NGINX.

Customer support is very responsive.

The solution is easy to deploy. Its scalability and integration capabilities depend on its performance and the extent to which you want to integrate it into your development process. It doesn't necessarily cost more money beyond the initial setup.

You need to identify the placement. You must understand your application. Lastly, you should assess which NGINX features are suitable for the functionality you wish to implement. This initial phase involves analysis.

Following the analysis, you proceed to the test deployment stage. Subsequently, you enter alert mode and finally enable NGINX App Protect. It's a simple deployment. A single engineer can do the job.

The product is cheap and performs its job perfectly. If there is no protection in India, you have to compromise. You cannot ignore the importance of having reliable security measures.

The solution has yearly, three-year, and five-year subscriptions.

You need to have a good analysis before implementing the product. The analysis phase is the most important.

Overall, I rate the solution an eight out of ten.

I tested specific features and evaluated the solution against the Web Application Firewall. I conducted research to test different detection percentages. I did not use it directly for protection but for evaluation purposes.

I encountered issues with NGINX App Protect while trying to upgrade custom rules. 

I have been using the product for six months. 

I haven't contacted the technical support team. 

I rate NGINX App Protect an eight out of ten.