F5 Advanced WAF Reviews

We use F5 Advanced WAF to protect web applications on HTTPS, APIs, and portals.

F5 Advanced WAF helps our engineers to learn the complete configuration, including fundamental and advanced policies.

Most customers encounter stability issues with the product's Big-IP logs. It works slowly while retrieving logs.

We have been using F5 Advanced WAF since this year.

The product is more stable than Fortinet.

The product has modular appliances. It works well, scalability-wise.

The technical support services are good. The team includes professional engineers to communicate with the customers regarding cases.

It is easy to set up F5 Advanced WAF. Although, it is difficult to deploy and maintain compared to Fortinet. The deployment process involves gathering customer information regarding virtual servers to be protected. Later, we select the best design suitable for their requirements and start with license provisioning. Further, we configure LTM with special servers and nodes and proceed with configuring the security policy and advanced directory. It takes a week to protect the infrastructure fully. Once we have license provisioning, it is good to run.

F5 Advanced WAF's pricing is high. Fortinet and some other vendors are more affordable.

F5 Advanced WAF has good capabilities, powerful tools, and professional services. I advise others to compare pricing with vendors in terms of their use cases before purchasing the product.

I rate it a ten out of ten.

It is used for application security and load balancing. As we have a few customers who are using banking applications, and stock market applications, they are more concerned about security and how to protect the product and their business applications. And that's why we offer security applications. Besides that, there are new features for load balancing in the F5.

Customers find the load balancer feature as the most valuable.

The tool needs to improve its pricing. 

I have been using it for two years.

It is a very stable product. It is the favourite product of banking customers in Egypt.

It is a very scalable product. You can write down any iRule you want as it is very convenient.

We used Citrix ADC, Fortinet FortiWeb, and Barracuda before F5 Advanced WAF. We switched to F5 Advanced WAF due to its efficiency and the port lockdown feature that the customers in Egypt like. Also since it's certified by Gartner, the customers feel confident using it.

The initial setup was simple.

If you are looking for a really good product, you should consider F5 Advanced WAF.

I would rate it a nine out of ten.

It protects our public entities. Its use case is very directed at a resolution of security.

It protects our environment. It protects our entities.

Identification, ease of use, and ease of modifying it to most of our needs are valuable.

There should be more ability to rate limit certain scenarios. The majority of the time, it is either on or off. For certain types of use cases, there should be the ability to rate limit, not just enable or disable.

It is a very CPU-intensive application. I understand why, but I'm hoping that they could optimize the CPU utilization a little bit better.

I have been using this solution for eight years.

It is stable.

It is very scalable for what we need. It is a public-facing service. So, everybody on the internet would be able to utilize this type of service.

We are exploring areas to increase its usage.

I would rate them an eight out of ten.

Positive

We used other public entities for similar use cases.

It is pretty straightforward. A typical setup for these types of projects takes three months.

It is all done in-house. We do everything in-house. 

In its maintenance, I and other people are involved. The daily operations, which include modifying policies, are up to the individual application owners because they understand their applications a lot better than I or our standard operating team would. So, their usage might go higher than mine.

We have very much seen an ROI. It protects our revenue stream.

The way we deployed it, I would rate it a four out of five in terms of pricing.

I would advise doing your homework. It could be very simplified, or it could be very complex, but definitely, do your homework with the owners of the application because they understand the application more than certain people.

I would rate this solution an eight out of ten.

The most valuable features of F5 Advanced WAF are SSL uploading, signature, and anomaly detection. It is overall a high-quality solution.

The solution could improve by having an independent capture module. It has a built feature that you can deploy the capture on your published website. However, it's not very user-friendly. When you compare this feature to Google Capture or other enterprise captures, they are very simple. It needs a good connection to the F5 Advanced WAF sandbox. When you implement this feature in the data center, you may suffer some complications with connecting to the F5 Advanced WAF sandbox. This should be improved in the future.

I have been using F5 Advanced WAF for approximately 10 years. This includes my experience when the solution was  formerly named Advanced Security Module(ASM).

F5 Advanced WAF is an extremely stable solution.

I have found F5 Advanced WAF scalable.

Technical support is handy and useful when you have your contract available. Once you lose it, you are all alone and there is a penalty to extend your subscription.

I have used FortiWeb previously.

These products are not meant to be compared, because they are serving in different areas of expertise. When you are low on budget, it's better to use the FortiWeb. When you have a budget and want quality, it's most recommended to use the F5 Advanced WAF. We are talking about different classes of quality.

When you are using the F5 Advanced WAF for any reason, you have to employ an expert. It's not the same as other solutions, such as FortiWeb, it is not easy to use. It's an advanced device, and you have to have an advanced person to operate it. This is the biggest problem that F5 Advanced WAF.

The price of the solution is reasonable when compared with other products, such as FortiWeb. I am very satisfied with the price.

My advice to those wanting to implement F5 Advanced WAF is they will need to have an expert on any stage of operation. Then once they decide to use the F5 Advanced WAF they have to have very good expert advisors for choosing the product because there are a variety of license options, and you may spend more than what you need. 

In the implementation stage, you have to have experts. At least three experts for the implementation phase. When it comes to the operation, you can't have a temporary expert that comes and goes, you have to have the F5 Advanced WAF expert in your company. It's an advanced device. It's completely different from the FortiWeb and the other devices. It gives you lots of options but it's complicated to implement. You have to have an expert to support you.

I rate F5 Advanced WAF an eight out of ten.

We use it for ASM and ATF. I am working at the PCI company, and I am a manager of F5. I work with F5 WAF and ASF.

Currently, I use version 50.1.4, and I'm going to update to the new version, 50.144.1.

I like the solution for ASM. There is an online update certification, but access is locked so we couldn't use it.

I would like to see a better interface and better documentation compatibility with other products. It's more complicated with OWASP.

F5 has a learning university, but it's very complex. I teach other people, and it can be confusing with the different versions of software. It's very hard to support that.

I've been working with this solution for four years.

The product is very stable. It is a PCI company, so there are 10,000-12,000 people using the solution. 

My TLS connection is unlimited, so I have a lot of clients because of internet payments. All of the internet payments are behind the ASM for the F5.

It's scalable and very easy to manage.

I worked with FortiWeb for a few years. It's a good product, but it's not very good for a big company. So we decided to migrate to F5.

The initial setup is from a configuration utility.

I would rate this solution 9 out of 10.

In APM or IT intelligence, it's the best. But in the ASM model, it's not as good as a 40G for Palo Alto.

What a WAF is happens to be exactly what we are using F5 WAF for: a firewall for our web applications. It is a totally customizable solution. You have our signature-based rule sets and then we can customize to our heart's content depending on what our application can and can not do or what we are trying to protect against.  

So we are using this for anything that is internet-facing. We are applying the WAF there and we are putting it in block mode wherever possible.  

The features I think are the most valuable starts with the IP intelligence component. That is separately licensed and it is definitely one component that we have made heavy use of. Geo-blocking is another — which can be done without a WAF because you do not necessarily need a WAF to do it — but the F5 WAF has those capabilities.  

The signature-based controls that F5 has are another one of the heavier-used components that Advanced WAF has. We do not have to worry about updating signatures, et cetera. WAF will automatically update the signatures for us. I think that is a nice feature.  

Those are the biggest things that we are making use of month-to-month.  

I think the contextual-based component needs a lot of help. It is all based on regular-expressions. That is something I think companies like Signal Sciences are doing a really good job with. We are transitioning off to Signal Sciences on some of our WAF components because of the capabilities Signal Science has. I think that contextual-base signatures would definitely help in F5 WAF.  

Within the enterprise, F5 Advanced WAF (Web Application Firewall) has been rolled out for about six or seven years. I have been working on it for about three to four years.  

It is a stable product.  

F5 WAF is a scalable solution. A lot of the employees and other end-users (virtually anybody on the internet who is coming to your site) benefit from the solution. As far as the people who are directly dealing with the administration, maintenance, and deploying the updates, there are maybe two people. But it can certainly scale-out to service passive use.  

The F5 tech supports is fairly decent. It is not the top of the line, but they do their job. They give you an account team. The account teams are normally really responsive. When you need to run something by them, they are unlike some other products. With other products you have to go through opening up a ticket — because that is the only way they will respond to you — and later they might come back and say it is not their problem and you need to figure it out on your own. The F5 is very different from that perspective in providing support. Your account team is your go-to group. They will walk you through solutions, help you design solutions, and it is part of the value add of using F5Advanced WAF. I really liked them for the extra effort they put in to provide good support. They do not upsell professional services or anything like that. Because of that, I would rate them a little on the higher side for support than just your average support experience.  

The installation of F5 Advanced WAF is complex. Any WAF that you put in takes a lot of time to install correctly. You never really just drop it in and have it working right off the bat. The only exception I can say that I have come across to that right now is Signal Sciences. You can literally drop that solution in place and put it in blocking mode within the same day. With F5 there is a learning period where you allow it to learn and then you go back because it is based on regular expressions. So you have to go through and check to see that there is normal traffic going through your site, et cetera. In other words, there is training involved. It can take from seven to fourteen days before you get a good signature set up.  

If you just need to turn on the licensing key, that might take 10 seconds to do and that is available essentially immediately when you implement WAF. But when you are talking about implementation — and this is true with any WAF — it is time-consuming. You are integrating a piece of technology with applications that have already been written. It might be a legacy app, it might be a new app or whatever that you use for whatever your use case might be for that application. You are using WAF in order to protect that app. You have to invest time in creating the signatures. That period of time where you are creating the signature is what is complex and extends the period of the implementation.  

That is what I think the true difference is between F5 WAF and the new-gen stuff like Signal Sciences is. With Signal Sciences you literally can just drop in and turn it on.  

F5's licensing varies. I do not know exactly what the individual WAF component costs because they bundle up services and the bundle is what I pay for. I do not pay for individual components.  

Advice that I would give to people considering F5 WAF is to look at and consider other products as well. They have to make sure they know what they are getting into. That is key to finding the right solution. I think WAF requires a lot of time and patience as well as an understanding of your applications in order to make the best use of its capabilities.  

On a scale from one to ten (where one is the worst and ten is the best), I would rate the F5 Advanced WAF as a solid eight-out-of-ten.  

For me, the primary use case is to secure web applications from external threats, including cross-site scripting, SQL injection attacks, file inclusion vulnerabilities, and many more. The tool has simplified protection against web applications and recent threats that might be visible. If your applications are vulnerable, it gets protected by F5.

It is a very flexible solution. iRules is quite appealing when it comes to F5, and they apply it throughout their solution. BIG-IP is a known platform, and it is a part of F5 now. Application delivery or web application firewalls, F5 understands these terms and then suggests better data policies. But you have to do the work on your application's performance first. You have to look in the logs and understand the total attack you should prevent when we put it in the circuit protection mode, which works perfectly well.

iRules truly excites me because it has the ability to prevent the end-user and infrastructure from external threats.

Even if the F5’s default signatures and the default behavior are unable to help you, you can customize iRules to reach the objectives.

I don't like the management control of F5.

Moreover, if you are not an expert, it would be really difficult to set it up.

I have been using the product for fifteen years or more.

It is a stable solution.

It is definitely a scalable solution.

The initial setup is quite straightforward. I didn't experience any complexity. It could be difficult for somebody who is not familiar with application load balancers or web applications. It takes a month to understand the entire architecture. It primarily depends upon how great deployment could be.

It usually takes about five to seven days to configure and deploy the F5 Advanced WAF in production mode. It is essential to ensure that your configuration works properly before putting it into production mode.

When you have already designed it, it takes around five to seven days to set up. But it takes more than a month to understand the entire architecture of the F5.

I would rate it an eight out of ten.

F5 Advanced WAF can be deployed on-premise or in the cloud. When it comes to local governmental organizations, it's mostly on-premises solutions they use. However, we recommend using virtual ones.

F5 Advanced WAF is used for protecting applications.

The most valuable features of F5 Advanced WAF are the balancer and you can change policies very easily.

The overall price of F5 Advanced WAF could improve.

I have been familiar with F5 Advanced WAF for approximately one year.

I have not had any customers complaining about the stability.

F5 Advanced WAF is scalable.

The initial setup of F5 Advanced WAF is easy.

I rate the setup of F5 Advanced WAF a four out of five.

The ease of maintenance of F5 Advanced WAF depends from customer to customer. If the company had someone trained or they have an inside person who is reliable for this maintenance, they typically do not have any problems.

The price of F5 Advanced WAF could improve it is expensive.

There can be extra features added at an additional cost.

I rate the price of F5 Advanced WAF a three out of five.

Our clients pick this solution over others because it is one of the leading companies in the category.

I can recommend F5 Advanced WAF to any customer because we have experience, and referrals from customers using it within different models. If it comes to WAF, LTM, or whatever. I'm very happy to sell it because it is one of the leading vendors within its line. Our customers within the financial market, such as banking organizations, are very happy with it.

I rate F5 Advanced WAF a nine out of ten.