F5 Advanced WAF Reviews

I am working with an integration and security company that collaborates with various vendors. I am currently dealing with F5 Advanced WAF.

The whole mechanism of F5 Advanced WAF is effective. It contains the logic of both negative and positive security combined, providing added value to the company I work with to protect their applications.

I do not have anything in mind right now that needs improvement. Generally, it works well. If we need any specific feature, we approach F5 directly.

I have probably used it for ten years or so.

I do not need them much because my team is professional. If there is a bug, the support is usually understanding and resolves issues.

The price is affordable and satisfactory.

One of the best features is the bot protection capabilities. I rate the product eight out of ten.

F5 Advanced Web Application Firewall (AWAF) is primarily used in financial sectors like banking to secure web applications against advanced threats, ensuring compliance with industry regulations. Our Key use cases include:

1. Protection Against OWASP Top 10: Safeguarding banking applications from SQL injection, XSS, and other common vulnerabilities.
2. Bot Mitigation: Detecting and blocking malicious bots to prevent account takeovers, credential stuffing, and fraud.
3. DDoS Protection: Defending against application-layer DDoS attacks to ensure service availability.
4. PCI DSS Compliance: Enforcing security policies to meet compliance standards for protecting sensitive customer data.
5. API Security: Securing APIs used in banking platforms from abuse and unauthorized access.
6. Threat Intelligence: Leveraging threat intelligence to identify and mitigate zero-day attacks.
7. Application Traffic Control: Managing and monitoring application traffic to ensure optimal performance and security.

These use cases help financial institutions maintain secure and resilient applications, critical for trust and compliance.

F5 Advanced WAF has significantly enhanced our organization's security posture by protecting critical banking applications against sophisticated threats. It ensures compliance with regulatory standards, improves customer trust through robust bot mitigation, and enhances application performance by mitigating DDoS attacks and securing APIs. Additionally, it provides real-time threat intelligence and streamlined security management, reducing downtime and operational risks.

1. Ease of Deployment: Simplify initial setup and policy configuration.
2. UI Enhancements: Improve user interface for better navigation and usability.
3. Integration: Enhance compatibility with third-party tools like SIEMs and DevOps pipelines.
4. Performance Optimization: Reduce latency during high traffic volumes.

Suggested Features for Next Release:

1. AI-Driven Threat Detection: Advanced machine learning for proactive defense.
2. Comprehensive API Protection: Extended support for GraphQL and WebSocket APIs.
3. Cloud-Native Integration: Better functionality in hybrid and multi-cloud environments.
4. Automated Policy Suggestions: AI-based recommendations for policy tuning.

It's been two years that I've been working with this solution.

I am not experiencing any significant instability.

F5 AWAF offers excellent scalability, enabling organizations to protect applications seamlessly across on-premises, cloud, and hybrid environments. It can handle increasing traffic volumes with minimal latency, ensuring consistent security for both small-scale deployments and enterprise-grade architectures. With its ability to integrate into CI/CD pipelines and auto-scale in cloud environments, F5 AWAF supports dynamic application growth without compromising performance or protection.

Customer service is very responsive. If the issue persists beyond my local support capabilities, I open a ticket with F5, and they respond quickly. I rate their technical support 9 out of 10.

Positive

Not now just I have checked the comparision and collect reviews from peerspoot and Quadrant 

The initial setup experience is straightforward, and I did not face any complexities. I recommend deploying the F5 AWAF solution on a single appliance with LTM.

F5 is relatively less expensive compared to other solutions as F5 is considered the best.

Not Now

I rate F5 eight to nine out of ten. I recommend F5 to customers who require a robust solution and have the budget for it. However, for customers looking for modest pricing, I would not recommend the F5 solution.

I'd rate the solution eight out of ten.

I was in charge of the F5 on-premises solution, where I published several applications for certificate verification and protected various applications. Additionally, I was working with botnets.

F5 Advanced WAF is a comprehensive community platform with a strong commitment, making it valuable for businesses. The capabilities on GitHub are highly appreciated, allowing me to count on F5 for reliability.

I would like to see improved features in the F5 Advanced WAF solution, especially with a focus on enabling Kubernetes fully. The database needs better service discussions and updates on communication. Additional improvements could also be made in asset management for the data.

I've been working with F5 for what seems like a lengthy period.

F5 is logistics-oriented, ensuring that the Webpack performs well in making every single case for the Stereo platform.

F5 is scalable, especially for Stellar and virtualization processes. Customers can scale efficiently.

F5's technical support team is commendable. They are professional and take high-priority prompts seriously.

Positive

My experience includes comparing F5 with FortiWeb. F5 provides more security capabilities for applications than FortiWeb.

The initial setup of the F5 Advanced WAF solution involves multiple stages and might require revisiting configurations based on customer needs. The setup can be complex compared to other options.

I am part of the deployment and implementation team, and we follow a strategy that involves providing quality assurance to ensure data integrity and server protection. Collaboration and dialogue with customers are part of the implementation.

Customers have shown consistent ROI with F5 solutions, especially when daily requests come in for assistance.

The user interface and sub-management prices can be a concern, however, they generally align with the industry's needs.

I recommend the F5 Advanced WAF solution for everyone with critical applications. Security needs to be embedded within the full visualization pipeline, allowing significant savings. I rate F5 Advanced WAF at a nine out of ten.

Our clients mostly have their own applications, such as banking apps, and use F5 Advanced WAF to avoid vulnerabilities and threats on both the application layer and transport layer. 

We create web policies for their apps and configure ASM signatures to prevent vulnerabilities. After configuring the policies, I monitor logs continuously to block vulnerability attacks and assist clients in addressing any issues.

One of the things that surprised me the most about F5 devices is their compatibility with the existing infrastructure of most customers. They can be easily integrated between the main firewall and back end servers, making it a seamless addition to enhance security.

The traffic learning feature stands out as the most valuable. When an app is accessed, the log generated in F5 Advanced WAF provides suggestions on what actions to take. This feature is particularly beneficial in new vulnerability scenarios, offering guidance based on learned data. 

Additionally, I appreciate the way F5 Advanced WAF builds policies by configuring a basic policy and queuing it in learning mode. The solution learns from logs, and based on that learning, I configure ASM signatures.

The GUI interface can be confusing due to similar-looking tabs for policy building, traffic learning, and event logs. A more explanatory GUI would be beneficial. However, F5 solutions are a bit expensive compared to others, although they provide the best service and options.

I have been working with F5 Advanced WAF for around six months.

The solution is very stable. I would rate it a nine out of ten for stability.

F5 Advanced WAF is very scalable, and I would rate its scalability as nine out of ten.

F5 support is excellent and deserves a ten out of ten. Their technical support is responsive and helpful, making the overall experience very satisfactory.

Positive

I have not worked with many other vendors as extensively as F5, but I have some knowledge of FortiWAF. FortiWAF has fewer options compared to F5, particularly in features like iRULES, which offers more flexibility for traffic management and coding.

The initial setup is not very lengthy. Once the device is on-premises, configuring and managing it is quite efficient, though the entire project from start to end may take about a month to a month and a half.

I work with a team of five to six network engineers across different cities, providing support and collaboration for client deployments.

The return on investment is quite high with F5 solutions. Customers prefer F5 for their superior service and features, despite the higher cost.

F5 is on the expensive side but offers superior solutions and options. Customers are willing to pay for the quality and features provided.

I have some knowledge of FortiWAF, but F5 provides more options, especially with features like iRULES for managing traffic.

I would recommend F5 Advanced WAF to other users. It provides excellent features, flexibility, and support.

I'd rate the solution ten out of ten.

F5 Advanced WAF is used for the protection of applications from current web threats, including DDoS attacks. It provides a comprehensive security solution that incorporates different protection levels.

The most valuable feature of F5 Advanced WAF is its extensive set of capabilities for application protection, including DDoS prevention, and its ability to work with Pentesters and external scanners to observe user activity and eliminate false positives. This comprehensive approach to application security enables an organization to protect its web applications from diverse web threats effectively.

All features of Advanced WAF offer numerous functions, which means tuning configuration is not simple. It's a powerful tool yet can be complex for new users. Future updates should ensure not to break the current state, as users are concerned the new version may not meet current standards.

I have been using F5 Advanced WAF for more than ten years.

F5 Advanced WAF is considered a stable product, and I would rate it as ten out of ten in terms of stability.

The solution's scalability is solid, with the option to increase capabilities through licensing and adding modules in the virtual edition. However, it requires additional expenses, so I would rate it as a seven or eight out of ten.

F5 provides one of the best technical supports, though there have been a few cases where customers were dissatisfied due to response speed. However, in general, their support is highly efficient and knowledgeable.

Positive

In the past, Imperva was the leading solution, however, now F5 is preferred as it offers a superior solution according to customer feedback.

Deploying the solution, including initial configuration, licensing, addressing, and enabling WAF, could take one to three hours. However, for a comprehensive setup, considering external factors and optimizations, the process could take up to a month.

I handle installations and other related aspects by myself, without any additional help.

There are numerous benefits for end customers, as a secure application helps prevent potential breaches and ensures the safety of customers' data, especially in sensitive sectors like banking.

F5 Advanced WAF is not cheap. That said, it offers numerous features and is known as one of the best solutions in its segment. It provides significant value by offering comprehensive protection for high-stakes environments.

I work with other vendors, such as Broadcom, Qualys, BeyondTrust, and Trend Micro, depending on the customer's needs and the vision of my company.

I would fully recommend F5 Advanced WAF for its feature-rich offerings and high detection rate of threats. I rate it a ten out of ten as it is one of the best solutions available.

My clients often seek a comprehensive security solution for their hybrid environments, with both cloud and on-premise web applications. To address this, I recommend combining F5 Advanced WAF for web application security with Fortinet solutions, including FortiGate, FortiSign, and FortiAnalyzer, for broader network security aspects like vulnerability ranking, patch management, and remediation. I focus on FortiGate and FortiAnalyzer, collaborating with a colleague who manages firewall setup, ensuring a robust and unified security approach for our clients.

F5's user-friendly interface and seamless integration stand out as the most valuable features for us. The intuitive interface streamlines tasks, providing a straightforward experience. F5's adaptability in diverse environments sets it apart, especially when compared to alternatives like FortiGate. Despite being pricier, the ease of integration and user-friendly design make F5 Advanced WAF our preferred choice for securing web applications. F5's commitment to customer engagement, exemplified by hosting a certification event in Nigeria, further shows its support and involvement in our region.

One area for improvement in the product is its SSO integration, which posed challenges and required significant effort to resolve. The complexity of SSO deployment, coupled with high associated costs, could be addressed to enhance usability. Streamlining the SSO process and revisiting cost considerations would contribute to an improved user experience.

I have been working with F5 Advanced WAF for three years.

I would rate the stability as a nine out of ten.

I would give the scalability of the solution an eight out of ten. It is quite scalable and performs well. I would recommend F5 Advanced WAF for medium-sized businesses and enterprises, primarily due to considerations around cost and sustainability. The solution is well-suited for companies of this size, ensuring that not only is it deployed effectively, but it can also be sustained over time to meet ongoing security needs.

The technical support is good. I would rate it as a seven out of ten.

Neutral

For an end-to-end solution, Fortinet stands out over F5 Advanced WAF. Fortinet's comprehensive product suite, including FortiGate, FortiAnalyzer, and integrated features like CMDD, provides a more seamless and holistic approach to security. While F5 is strong in certain areas, the integrated capabilities of Fortinet make it my preferred choice for a comprehensive security solution.

The initial setup for F5 Advanced WAF is user-friendly and relatively straightforward.

The main drawback of F5 is the cost, which can be a challenge. 

Overall, I would rate F5 Advanced WAF as a nine out of ten.

Recent progress in F5 Advanced WAF's cloud technology has broadened the use cases for web application firewalls (WAFs) to include multi-cloud environments.

The most valuable feature of F5 Advanced WAF is its grand unity of the implementation, where you have the freedom to configure based on how it affects your use case or your organization. With the default setting of implicit deny, you can gradually start defining and deploying the tool to align with your environment, whether it is outdated, recent, or futuristic. This allows you to customize the solution to protect you from threat actors. You have the ability to define what the advanced threat act should do - whether it should alert, deny, or both - and it will deliver based on your configuration. Unlike other online solutions, F5 Advanced WAF provides flexibility to deliver to your unique environment the way you want.

While F5 Advanced WAF does limit the number of partners in certain regions to ensure successful business transactions, they could also benefit from expanding their partnerships and making it easier for more people to learn about and become experts in F5 Advanced WAF. By doing so, they could increase the reach and exposure of their solution, similar to how Cisco has become widely recognized in the security industry.

I have been using F5 Advanced WAF for approximately seven years.

The solution is highly stable. I have deployed several F5 Advanced WAF sites since 2016, and they are running without any issues, such as crashes or corrupt systems. To ensure stability, all that is required is to keep the solution updated and manage the patches in a timely manner.

Over the past 10 years, they have grown and increased its strength, adapting to the ever-changing market. They have incorporated Terraform and NGINX, showing their commitment to growth and stability. 

I rate the stability of F5 Advanced WAF a ten out of ten.

F5 Advanced WAF has an outstanding technical support team that is available worldwide. They have a Service Level Agreement (SLA) in place for critical issues, which guarantees a response within an hour. The team is highly professional and will stay with you until your issue is resolved.

I rate the support of F5 Advanced WAF a ten out of ten.

Positive

For a novice, deploying on F5 Advanced WAF is difficult. Everyone who works on the solution is expected to get trained and certified before they can be considered an administrator. Therefore, for someone who is certified, it is relatively easy to deploy.

If your environment is prepared, it should take no more than four to five hours to do the implementation. The most common issue people have is that their environment is not ready or the deployment engineer does not understand it. However, this can be quickly resolved, and then the configuration can be made, allowing you to be up and running.

Depending on the environment you are deploying in, you must first obtain the appropriate license. For example, if you are deploying in a virtual environment (VE) on-premise, you must first download the ISO file, deploy it, configure your interfaces, and then license the F5 Advanced WAF before configuring it.

I rate the initial setup of F5 Advanced WAF a ten out of ten.

We used five people for the deployment of the solution.

In terms of return on investment, F5 Advanced WAF offers a high ROI.

The F5 Advanced WAF allows for easy onboarding of web applications without the need for additional investments. For example, if a company has one web application that needs to be protected, and then tomorrow they have 15 more, they can easily onboard them onto the same F5 Advanced WAF device without any extra cost. This saves both time and money. Additionally, F5 Advanced WAF provides protection for a company's assets and reputation, ensuring compliance with regulations such as PCI DSS, and improving overall business efficiency by reducing the need for troubleshooting and manpower. Overall, F5 Advanced WAF offers a high return on investment.

I rate the ROI of F5 Advanced WAF a ten out of ten.

F5 Advanced WAF is not a cost-effective solution. Although they are attempting to reduce prices with their VE and cloud options, they are more expensive than other solutions. The solution is more expensive on average.

If you are interested in F5 Advanced WAF, it is billed on a yearly basis and based on the number of requests for the service. For example, if you purchase 200 megabytes, there is specific pricing for that capacity. Every year, we will renew the service and provide support for the solution.

F5 Advanced WAF does not offer local support services unless the customer is discussing it with a vendor or partner. These services are typically provided by other partners.

F5 Advanced WAF could improve in two main areas: pricing and partnerships. The current pricing of F5 Advanced WAF can be quite high, and while they do offer options like the VE or infrastructure service, they could make further efforts to make their solutions more affordable for everyone.

I rate the price of F5 Advanced WAF an eight out of ten.

We use one person for the maintenance of the solution.

I would advise new users to familiarize themselves with the overall functionality of the solutions. Understanding F5 Advanced WAF is crucial to accessing the full range of its capabilities. Without this understanding, you may be limited to only using it for your initial intended purpose. I recommend taking the time to learn more about F5 Advanced WAF and its capabilities, as it can provide solutions for many other needs in addition to your initial use case. It's also suggested to get certified and familiarize yourself with the product portfolio.

I rate F5 Advanced WAF a nine out of ten.

We use this solution for load balancing and web application firewall (WAF) services. We use the solution standalone and not integrated with other solutions.

It provides web application security and reduces bot attacks.

The web attack signatures are very important for detecting attacks, and the bot detection capability is an important feature that works well with F5 Advanced WAF.

The product could be more user-friendly for administrators. The user interface could be easier.

I have been using it for almost three years.

The solution is very stable. I would rate its stability as nine out of ten.

Very scalable. We use this solution for multiple customers and across data centers.

The solution offers good support. That said, sometimes it takes too much time to reach the right person.

Positive

I have also worked with Citrix NetScaler and F5 products, depending on customer needs.

The initial configuration is not too difficult, but subsequent configurations can be complex because they depend on customer needs.

I don't have direct knowledge of the pricing. From what I know, it is not too expensive compared to other solutions.

I am familiar with F5 and Citrix NetScaler solutions.

I recommend this product to others because of its effectiveness in mitigating threats.

I'd rate the solution eight out of ten.

Primarily, the Advanced WAF sits behind our network perimeter. It centralizes traffic flow to our network, filters requests, and identifies any potential threats.

It helps us detect threats or malicious requests coming into the network, protecting it from being hacked. It helps guard against issues like cross-site scripting (XSS) and other similar threats.

So, F5 Advanced WAF helped mitigate bot traffic for our web applications.

Moreover, my experience is that it's pretty straightforward to use. Our firewall team handles requests through a change management tool within scheduled change windows. However, F5 is our only firewall solution.

It's a valuable tool to protect web servers exposed to the external network. With numerous web applications running on Apache or IIS servers, the F5 Advanced WAF's threat detection capabilities protect the network before traffic reaches those servers.

It's a fairly easy-to-use and user-friendly tool. My administrators and team also like its ability to customize the rules per the requirements. 

The self-service aspect could be improved. 

The user interface (UI) also seems a bit outdated. Making it more user-friendly would be beneficial.

We've been using it for approximately five to six years.

I would rate the stability a ten out of ten. It is a stable product. 

It is pretty good. I would rate the scalability a seven out of ten.

Ssometimes, the way our enterprise handles change requests might slow things down because of the internal rules and processes. But these changes, once approved, do take effect immediately on the firewall itself. 

We have a change window twice a week for these requests. I don't think the limitation is with the firewall itself; it's more about our internal procedures.

Overall, I would rate the solution an eight out of ten because I have seen that not too much customization is required during setup. The change requests we submit are usually clear and easily applied. 

Overall, the policies work well, and the threat detection is good. It catches deviations and anomalies effectively.

From a recommendation standpoint, it's a fairly easy tool to use. However, you definitely need some knowledge about scripting, OWASP fundamentals, threat detection, and general cybersecurity principles to get the most out of it.

Our client has an internally hosted website, and they wanted us to help them in reducing the attack surface in their web application, so we use F5 Advanced WAF for that purpose.

The most valuable feature of F5 Advanced WAF is its ability to have a pool of resources that can distribute your traffic, and that is a plus for me. My company tried to look into a competitor, Imperva, but it was lacking that capability, so F5 Advanced WAF outperforms Imperva.

For me, an area for improvement in F5 Advanced WAF is the reporting as it isn't so clear. The vendor needs to work on the reporting capability of the solution.

What I'd like to see in the next release of F5 Advanced WAF is threat intelligence to protect your web application, particularly having that capability out-of-the-box, and not needing to pay extra for it, similar to what's offered in FortiWeb, for example, any request that originates from a malicious IP will be blocked automatically by FortiWeb. F5 Advanced WAF should have the intelligence for blocking malicious IPs, or automatically blocking threats included in the license, instead of making it an add-on feature that users have to pay for apart from the standard licensing fees.

I've been using F5 Advanced WAF for about two years.

F5 Advanced WAF is a super stable solution. I've not been aware of any issues with the solution whenever my company uses it.

How scalable F5 Advanced WAF is would depend on what resources your client or the virtual server has. It all boils down to the allocated resources. For me, F5 Advanced WAF is pretty much scalable in terms of the resources I've assigned.

I contact the technical support team of F5 Advanced WAF from time to time, and I would rate support eight out of ten. What the support team needs to improve is the SLA, particularly the speed of response.

Positive

In terms of setting up F5 Advanced WAF, what was challenging was the network part, but the rest wasn't that difficult. It took almost two weeks to complete the setup for F5 Advanced WAF.

We implemented F5 Advanced WAF ourselves.

It's hard to tell if the customer got ROI from F5 Advanced WAF because it's based on the initial deployment and approach. It would've been just a matter of time before the customer enjoyed ROI from the solution. My company never experienced a serious incident with the use of F5 Advanced WAF for the customer, so my assumption is at some point, the customer is realizing the ROI.

The pricing for F5 Advanced WAF is comparable to a Rolls-Royce. Its price is a bit high when you compare it with other vendors. F5 Advanced WAF is a bit expensive. The customer was on a three-year plan and it was around $560,000.

We evaluated Imperva, but F5 Advanced WAF was able to outperform Imperva.

I'm an administrator of F5 Advanced WAF for my customer, so I'm more of a user. I'm not a partner or reseller of F5. I'm just a consultant and administrator.

From what I recall, during the time of deployment, my company was using version 15 of F5 Advanced WAF, but I'm not so sure if there's been a new version or an upgrade after that version.

My company has less than ten users/administrators of F5 Advanced WAF.

My advice for people who want to implement the solution, though I might be biased because I've not used other solutions, but as far as I am concerned, F5 Advanced WAF is one of the most stable solutions I've ever used, so it's good to implement.

My rating for F5 Advanced WAF is nine out of ten.