Wallarm NG WAF provides advanced security by integrating machine learning, making it essential for modern web applications. It offers protection against sophisticated threats and automates many processes.
| Product | Mindshare (%) |
|---|---|
| Wallarm NG WAF | 1.0% |
| Imperva Application Security Platform | 7.4% |
| Fortinet FortiWeb | 5.4% |
| Other | 86.2% |
Wallarm NG WAF offers customizable pricing based on customer needs, typically starting at $1,000 per month. Enterprise users report being satisfied with its scalability and comprehensive attack prevention, though some find the pricing higher than that of alternatives. Discounts may be available for longer-term contracts or larger deployments. Advanced features and support tiers add to the cost.
Wallarm NG WAF leverages AI-driven technology to deliver robust security measures. It helps in defending web applications from cybersecurity threats with enhanced threat detection and response capabilities. Beyond vulnerability insights, Wallarm enhances security protocols, scales with growing online demands, and ensures comprehensive threat coverage, fostering a safer web environment.
What are the key features of Wallarm NG WAF?
In industries like finance, e-commerce, and healthcare, Wallarm NG WAF is implemented to ensure data protection and compliance with stringent security standards. Its adaptability allows it to meet industry-specific requirements, offering specialized configurations tailored to each sector's unique demands.
Wallarm NG WAF was previously known as Wallarm NG-WAF.
Panasonic. Miro. Rappi. Wargaming. Gannett. Omio. Acronis. Workforce Software. Tipalti. SEMRush.
| Author info | Rating | Review Summary |
|---|---|---|
| Information Security Engineer at a tech vendor with 51-200 employees | 4.5 | Wallarm WAF effectively protects our web applications, preventing attacks. Despite early stability and setup challenges, these are now resolved. Its monitoring mode to avoid false positives is invaluable, making it a preferred solution for us. |
| Head of Application Security at a computer software company with 1,001-5,000 employees | 4.5 | We chose Wallarm for its simple deployment, low ML-driven false positives, and fast vulnerability hotfixes. Despite being expensive and having initial stability issues, it's been reliable for eight months, offering scalability. |
| Head of IT department at a computer software company with 201-500 employees | 4.0 | I find Wallarm's WAF and scanner valuable, blocking most attacks effectively. Setup was easy, and support is excellent. While false positive handling occasionally glitches, it's a rare issue. I highly recommend it. |
| Senior Information Security Engineer at a media company with 1,001-5,000 employees | 4.0 | I find the perimeter control and active scanner valuable for finding issues. While setup had migration problems and active scanner settings lack flexibility, the solution is worth the cost, despite average technical support. |
| VP, Engineering and Operations at a tech vendor with 501-1,000 employees | 4.5 | Wallarm's active threat detection and adaptive rules significantly improved our security, enabling real-time protection within CI/CD. Its NGINX hybrid approach works well for us, and support is excellent. I'd like more customization in PDF reports. |
Protection of modern web applications from attackers. Wallarm WAF is a very useful solution for this.
Improves nothing.
Helps us to monitor situations with regard to attacks on our sites and prevents a lot of them.
The most powerful feature is the ability to first learn what type of query to make to your web application when it is attacked and what type of query creates a false positive for your app. You can first learn Wallarm in monitoring mode, then turn on blocking mode. It is a cool feature and helps a lot to not block real users and only block robots and attackers.
The biggest problem for us was the stability and speed using the first version of Wallarm. Now, it is fine.
Yes, but with newer versions, the number of issues with stability has been going down.
Not yet.
They have good technical support. It is still not perfect, but much better than in the first version of the product.
Yes, it was ModSecurity, but their WAF is not flexible and gives a lot of false positives because you need to create regular expressions for a lot of queries. It is hard and not useful.
The first setup was not as trivial as we suspected. There were problems with monitoring. There were problems with the setup, but the guys already solved these problems, and now it is fine.
At first, we started using Wallarm instead of our web server, but later started using Wallarm as a reverse proxy for the whole web application in our network, and it is a better solution for us.
Pricing must be cheaper than the competition and the licensing must be good.
Before we switched to Wallarm's first version, we tested Imperva WAF, but Wallarm's results were much better than Imperva's and we chose Wallarm with a big discount for the first year of usage. It was really good for our needs.
Set up Wallarm as a reverse proxy. Do not replace your web server. Use Wallarm first in monitoring mode, then learn from Wallarm which type of request is a false positive and which type of request is not. This process takes a couple of weeks for very highly-loaded web applications (a few million unique visitors in one month). Then you can turn Wallarm into blocking mode and everything will be fine. Do not forget to build a monitoring system, the wave, and API for it.
Before we started using Wallarm, I already knew Ivan (CEO) and Stepan (COO) from a couple of years before. Ivan had his own security company and Stepan was working on a Russian security magazine called Xakep. They told us that they wanted to create a new WAF and already had a working version of it. They asked me to test it. We did tests, and it was really good. A few months after testing, we signed an agreement. Our choice was made not because we knew these guys for a long time, but because the product was really cool and we were glad to start using it as one of the first on the market!
Deployment simplicity helps our maintenance guys to set up quickly.
Their machine learning techniques significantly lower the false-positive alerts rate.
The use of a WAF becomes especially relevant in the case of concrete vulnerabilities, such as those uncovered via penetration tests or source code reviews. Even if it were possible to fix the vulnerability in the application promptly and with a reasonable amount of effort, the modified version can generally only be deployed at the next maintenance interval; often 2-4 weeks later (a patch dilemma).
For a WAF with whitelisting, vulnerabilities can be fixed promptly (hotfix) so that they cannot be exploited before the next scheduled maintenance. WAFs are especially fast in this aspect, meaning they can collaborate with source code analysis tools, so that detected external vulnerabilities can automatically result in a recommended rule set for the WAF.
A WAF is particularly important in securing productive web applications which themselves in turn consist of multiple components and which cannot be quickly changed by the operator; e.g., in the case of poorly documented applications or regarding third-party products without sufficient maintenance cycles.
A WAF is the only option for promptly closing external vulnerabilities.
It is only about stability issues. But it is a usual problem for all new products. At this moment, we have had no incidents with Wallarm, which has been up for eight months.
I have used Wallarm for one year.
There were several stability issues during the first pilot. At this moment, we have had no incidents with Wallarm, which has been up for eight months.
The product is nicely scalable.
Technical support is great; guys respond in minutes.
Wallarm was our first WAF solution.
Deployment was very simple and non-abusive.
Wallarm is an expensive solution, but they are worth the money.
We have tested and evaluated several WAF solutions, and chose Wallarm. They are the only solution that fits our success criteria and business objectives:
Vulnerability scanner and WAF are valuable features. It blocks most attacks on our web application.
It provides one more layer in our security, i.e., firewall, IDS/IPS, WAF.
Wallarm uses a learning mechanism to detect attacks and to avoid false positives. If Wallarm blocks some illegitimate request, then you can go to the management console and mark this request as a false positive. After that, this and similar requests should not be blocked again, but sometimes this does not work properly. It happens pretty rarely though.
I have been using Wallarm since 2014.
There was an issue with the memory leak, but it was fixed.
There were no scalability issues.
I would give the support a very high rating. We have a chat with the support representative and the response is very fast (within 10 minutes).
Previously, we have used open-source ModSecurity, but it was not effective. Then, we tried Wallarm and it was good for us.
Setup is very easy; it just requires a few steps to launch the system.
The documentation is pretty good and the support responded fast.
Pricing is transparent and clear. I don’t know what to advise.
We didn’t try any other product.
I recommend Wallarm to my other colleagues.
Perimeter control and active vulnerability scanner are the most valuable features. These features helped us to find some issues which would be very hard to find manually.
It’s hard to say how it has improved the way my organization functions.
The flexibility of active scanner settings: Most settings can only be changed through technical support at this moment.
Test period: autumn 2015 - summer 2016
Production: summer 2016 - till now
We have not had scalability issues.
Technical support is 6 or 7 out of 10. Sometimes we have had trouble with communication and understanding.
This is our first solution.
Setup was normal. We had issues when we migrated to the Wallarm NGINX module.
It is worth it.
We didn’t look at other solutions, but we had a long trial period.
I would say that the active threat detection feature and adaptive rules are the most valuable for us.
With active threat detection, we are no longer over-swamped with tons of useless events. As all the payloads from malicious requests are analysed with a cloud scanner, we don’t need to do this manually. We also built up an incident management process when Wallarm confirmed that some of the attacks are exposing actual vulnerabilities.
Adaptive security rules allowed us to use WAF in blocking mode which was almost impossible previously.
We added a real-time protection layer for all the web-facing applications and APIs in our CI/CD pipelines. As every one of the applications is updated almost every day, it was impossible to use any tools based on signatures or static rules.
It needs more customization in PDF reports.
Our company has had a contract since February 9, 2016. Previously, our engineers also used the product in other organizations (banks, etc.).
We had some issues with a post-analytics engine last year. But they were quickly fixed. That didn't affect traffic analysis.
We have not yet had any scalability issues, and as Wallarm node instances scale horizontally (we have orchestration tools to make it in a fraction of a second), it can hardly be an issue.
Technical support is 9/10. They provide customer-focused support. What’s interesting is that they have a live chat with us, so we get answers in real-time.
We tried to use open-source mod_security for some of the projects, but there was a lot of pain with the complicated rules/signatures and non-stop false positives. As far as I know, we ended up turning it off because of endless complaints from the Ops and Support teams.
Technically, setup was more than straightforward. We already used NGINX load balancers, so it was a smooth shift to NGINX with a Wallarm module.
Our DevOps guys worried a bit about a post-analytics engine which is required to be installed and has significant requirements for the RAM. It was a new component which they needed to cover with monitoring tools.
As Wallarm charges on a per-instance basis, you need to keep in mind your future scale. In our case, the customer traffic is increasing year-to-year.
My piece of advice is to ask for a bundle of 10-50-100 instances (they have a special offer) and not to be limited in scalability because of the agreement issues.
They also made a discount for a 2+ prepaid contract.
We tried mod_security. Imperva was not a good fit as we can’t use hardware boxes or VM images in a cloud environment. Incapsula and other cloud-provided solutions did not work for us as we can’t share our traffic and SSL keys with any third-party vendors; we have a lot of customers’ data and obligations.
Wallarm’s hybrid approach of deployment with NGINX-based nodes is a good fit for us as it creates almost no tension between the Security and Ops teams.
It's better to evaluate Wallarm nodes (WAF functions) on production traffic to understand false positive rates under real conditions. Otherwise, it's hard to evaluate the adaptiveness of the rules.
You can also start a pilot with only the scanner to get some insights about issues on your network perimeter. In our case, they shared some results even before the agreement was signed.