F5 Advanced WAF Reviews

There is the Simple WAF and the Advanced WAF. We are currently working on the Advanced WAF, but previously, before the Advanced WAF came out, we were just using the Simple WAF.

We use the on-prem version because the cloud solution is not that popular here.

I have a customer here who has multiple applications dealing with the day to day operations. We have deployed the application firewall in the network and most of their web traffic from outside of their network comes into that WAF. This includes the email application Outlook and their own in-house application tools deployed that they use to sell their merchandise. They have a feature where you can transfer money to the other user based on their mobile phone number. So these web applications and in-house tools are the most used applications in their network.

In terms of F5 Advanced WAF's most valuable features, I would definitely say its stability. F5 is one of the most stable products. Either as the load balancer or the web application firewall, it is very stable.

Additionally, the method it uses to block attacks and the logging and support are very good. You can see anything you want in the logging and reporting section of the device, it is very detailed. These are two valuable features from F5.

If I had to summarize what needed improvement, I'd say they are currently in the process of updating their software. But more specifically, I would say their graphical interface, the GUI. I don't like the GUI as much as before, but now I think they're focusing on it. We are getting some new good features in the latest update. But there is still room for improvement on the user interface as well. It's easy to use. It's not difficult but it is not pleasing to the eye. Most of the time you want to see something dynamic, something like the reporting section or the system usage, the CPU, some detailed graphs, anything of that sort. So I guess they have some room for improvement there. Don't make it more complicated, just make it more pleasing to the eye.

We are using the most stable version. Because recently we got an email from F5 suggesting that if you have any user on the 14.1.2.0 that there was a vulnerability on that feature. And it was quite a severe one, so they asked us to immediately update that license to another version.

They currently have 15 versions, but they are not stable. They didn't recommend them to us. So most of the customers in Pakistan are using the 14.1.2.6 version. That is the most stable version and is recommended by F5.

My focus is normally on logging and reporting, because customers always ask for a clear reporting criteria. I would like it if they could simplify the reporting process. If I create something, I want to get a good report on it that I can read in seconds or in minutes. I don't want extra details in it. They should work on the exporting of the logging and reporting.

I have been using Advanced WAF since it came on the market last year. Advanced WAF is the advanced version of WAF which I have been using for three years.

F5 basically starts their hardware model from a 10GB distribution. So it is a good device to start with and in Pakistan we mostly have up to 40 or 60 gigabytes of devices.

As far as scalability is concerned, we already talked to the customer in detail about what kind of traffic they are expecting in the next five or seven years. Then we decide the box on that data basis and normally we don't have to worry about scaling later.

In terms of adding more features on the F5 hardware, that is a question based on the module. If it takes too much of the CPU, then it is difficult and scaling would be difficult with that hardware. If the hardware is not so many CPU's, then we have to dedicate to each module. Then the scalability becomes a bit difficult. But if you already have hardware that has CPU's in abundance, you can add as many modules as you want. There's no problem.

F5 lets you decide if you want to assign a specific module, a dedicated CPU or nominal resources. You can even decide if you want nominal resources or if you want full resources for that specific module. It all depends on the importance of that module in your business application.

If they are a small company, 250 to 500 employees, or less than 250, then we can go for the virtual Edition of the F5, because as I said, the hardware solution starts from a 10GB box. This can handle thousands of requests per second.

It would be a bit costly for a small scale business. If someone wants F5 and he has less applications and nominal users, he can go for the Virtual Edition. Most of the customers in Pakistan who are using F5 are in the banking sector. They have a good amount of users already, 1500, 3000. So mostly we have banks in Pakistan using F5. And I guess also a few in the education sector and businesses. Otherwise, not many small businesses have F5. The one I mentioned that is using AWAF is a big telecom in Pakistan and they have millions of users. It is not for the very small businesses, I guess.

I have had many experiences with customer support, both good and bad. Truthfully, they can improve a bit. There are two methods to engage the F5 support. You either call or email them. It's your choice. 

You decide which location you want to call, either the Singapore or UK office, because there is no support in Pakistan. We have to ask for support from either UAE, Singapore, the UK or the US. If I call, I normally prefer to call Singapore, because our region mostly deals with the Singapore head office. Sometimes there's a problem understanding Singaporean language and it's tough to talk to them. 

But if you reach out over email, then obviously it is easier. Talking to them on the phone is quite a difficult task. Secondly, if you open a customer request from a portal, we have a customer support portal for the client as well. Normally we get the engineer from UK or Singapore. It also depends on the engineer - sometimes he's very responsive. He will just respond to you in an hour or day. And sometimes you get an engineer who is absent for two, three days and you have to call them and change engineers because the first one is not responding.

In short they have to improve a bit on support.

We mostly deal with F5 and we always ask our customers who want the web application firewall to go for F5. We do have other web solutions as well, like Fortinet FortiWeb, another popular solution. For small businesses, we don't suggest that. 

We are gold partners with F5, so we always suggest F5.

In terms of the initial setup, for a person who is a bit experienced it is not that difficult. It is a straightforward device. You follow the same principle and the same steps and you are good to go. Just follow the steps. F5 guides you through the initial configuration, which is another of their features. If you don't want to go for the manual config you can just follow their step by step. Press - next, next, next, next then you have the initial configuration done. 

Then you can move to your own configuration according to your network and according to your need. It's an easy device to configure, it's not difficult. 

Only the graphical user interface needs some kind of improvement to make it more modern. But as far as the straightforward install is concerned, it's good and easy.

One person is enough for the deployment and for the check.

In terms of how long it takes to deploy Advanced WAF, it depends on the number of applications you have to put behind the F5 number one. 

The initial network configuration won't take so long if you have all the required data. 

You can set up the initial configuration in an hour or two. But the more applications you add will determine the length of the configuration. 

We mostly deploy Advanced WAF in automatic mode. We don't do the manual configuration of the security side. We just put application details there and we let F5 decide the learning process. It normally takes 15 to 20 days to get a good grip on the application, the language, and the do's and don'ts. We let F5 decide. 

It takes around 15 to 20 days to get it into the blocking mode. But for the configuration for one application it will hardly take 30 minutes to be configured. It all depends on the amount of applications you have.

My advice is that if you need a web application firewall you should go for F5. It is one of the best solutions in the past six or seven years.

F5 has been the leader in this field. It's a stable solution. One just has to decide their organization's goals in the beginning for the next five years or so. Because if they wrongly select the hardware module, they cannot do the scalability if they want to add  a number of modules in the future. So selecting the product should be done with great care. Otherwise, I guess it's okay. If you want a good web application firewall go for F5.

On a scale of one to ten, I would rate F5 Advanced WAF a nine.

We use the product for load-balancing purposes.

The product has valuable features for load balancing, monitoring tools, and HPXpress services.

They could provide better pricing.

We have been using F5 Advanced WAF for a year.

I rate the product's stability an eight out of ten. 

The product is highly scalable. It is suitable for enterprise businesses. I rate its scalability an eight out of ten.

I rate the initial setup process a seven out of ten.

I rate F5 Advanced WAF's pricing a three out of ten.

I rate F5 Advanced WAF an eight out of ten.

We primarily use the solution to protect web and API applications. You can choose either web classic or API to protect against different types of attacks.

With Advanced WAF protection, F5 was able to protect multiple kind of Web Application, supporting both HTTP & API protocols access

There are two main features that we love on F5.

The first is the hardware itself. It's extremely stable and reliable. We never face any issues with it and performance is never affected. 

The second is the features on offer. Feature-wise, they are always cutting edge and up-to-date. Many features aren't available via competitors. There's always a lot of enhanced critical features that just aren't available through anyone else, or, if they are, are too lightweight. They're the leaders in the space.

We usually use a third-party tool for logging and reporting. It would be nice if we could do that right on this solution. They have one, but it's not very stable. Logging and reporting effectively would be a big enhancement.

The solution still needs some development to handle more traffic, especially in huge environments. In small environments, it's not an issue. 

I've bee using the solution for more than ten years.

The solution is extremely stable and robust. There are no issues with bugs or glitches. It doesn't crash or freeze. It's great. The stability is a huge selling feature.

It's scalable. There's always options to upgrade the hardware. Any hardware you buy from a store, you have the basic model and the upgraded model. For example, if you buy the 4600 appliance, you can upgrade up to 4800. You get double specs for everything, so you can just upgrade the license of the hardware. However, hardware eventually has a limitation. If you buy too small of a size of hardware, eventually there's some development limitations for the hardware. You can, however, do a cluster. You can add multiple hardware devices. This makes it very scalable.

The solution is not user-based. It's more connection-based, so there's no limitation on the number of users. It's more of a limitation on total throughput or total connection. Limitations depend on the application and how much traffic it generates. We've seen it in Telco environment where there's more than millions of users. We've also seen it do well with online banking where there are thousands of users. Small companies can use it too. It can vary, however, we've seen it in millions of users at Telco.

Technical support is great. We always open tickets. They're always very fast and very professional, and they always solve the issues. We're extremely satisfied with the level of support we receive.

If you want to do the basic installation and get the system up and running, then it's pretty straightforward. However, you have the flexibility to go very advanced and you can get into very complicated scenarios. That's what we like about the solution. There's a lot of use cases where you're required to have the ability to create some advanced features or some complicated scenarios. It gives you the capabilities to handle them.

You have the flexibility to go beyond that and have advanced scripting rules and advanced features in order to have more capability to do new things that are not as common. You need to have the space to improvise things if you need to.

While a straightforward deployment may only take a few hours, as it has a pre-defined rough template, there's always tuning to be done. It's a security product. It's not like it's plug-and-play. There's always a learning phase and tuning is necessary. This is common with any security product. That said, to get it up and operational, it's a matter of hours.

For a proper work deployment, to be frank, you need an ether professional because there's an ether configuration change. You also need a security professional to do the rules and policies and everything. Then, you need the involvement of the web application developer, so you can understand the content of the web application. Security people don't know which link is good and which link is bad inside the application. Usually, you need three people from the team - one each from network, security, and application - to have a proper deployment.

We're an integrator.

We have a big customer base, therefore we always have to be up to date with the latest versions. We feed to constantly look at things so that we know the new features.

I highly recommend the solution to other companies. F5 has a huge portfolio of plug-ins. You can add it to the top of the web. On the same appliance, you can have your balancer, you can have your application authentication, and those things that turn on. You can have multiple other features on the same hardware. It is definitely a technology that adapts. I can use the application in different ways beyond just security.

On a scale from one to ten, I'd rate it at a perfect ten.

We use F5 Advanced WAF to protect our web applications.

What I found most valuable in F5 Advanced WAF is its automatic policy feature.

What needs to be improved in this solution is the accuracy of its automatic learning feature, because we frequently have to help it manually, particularly to stop blocking things it isn't supposed to block.

The technical support for F5 Advanced WAF, though fast and accurate, is costly. The cost could be improved.

I find F5 Advanced WAF a very stable solution.

The scalability of F5 Advanced WAF is very good.

The technical support for this tool is fast and accurate, but it's expensive.

The initial setup for F5 Advanced WAF was straightforward.

We are the integrator and reseller, so we deployed the solution in-house.

F5 Advanced WAF technical support comes at a cost, and it's expensive.

I'm using the latest version of F5 Advanced WAF: version 16.0.

We don't only use this solution for ourselves, as we also have some customers we implemented it for, because we are a reseller.

Deployment of F5 Advanced WAF took two to three days.

The advice I'd like to give to people who are looking into implementing this product is for them to read the documentation. It's all there.

I'm rating F5 Advanced WAF eight out of ten.

We have several websites that are exposed to external users. We have a website for interaction with supply chain customers. We also have a website that gives access to CRM functionality to allow our customers to open tickets and disputes. F5 WAF is at the front for security and attack mitigation. It ensures that users are able to access only allowed pages.

The web application firewall itself is most valuable. It provides positive security and negative security. In negative security, it blocks a task such as cross-site scripting, code injection, etc. In positive security, it lets you specify and enforce things, such as the parameters allowed in username and password fields and the number of characters allowed in a field.

It also has antivirus and DDoS mitigation capabilities. We have enabled these features. 

It is also quite intuitive and user-friendly. They have several webinars that are actually like labs. You can use these webinars to learn about how to use all features of the product.

Its price should be better. It is expensive.

In general, it is stable and reliable. Over the past few months, several vulnerabilities were found in the product, but which product doesn't have vulnerabilities? The main question is how fast do you get the fix for it, and they provided the fix quite quickly. We had to upgrade it as soon as possible to mitigate the risks.

I didn't try to expand it. We have two staff members who are using F5 Advanced WAF.

In terms of its usage, we are deploying it on all points through which we are exposing services, but we are currently not exposing too many services.

I had only one case for which I had to call tech support. It wasn't a straightforward ticket. It was quite a challenging ticket. Eventually, they found a solution, but it took some time. It was challenging to find the bug in one of the previous versions. They also didn't know about it. We did the troubleshooting together until we found the problem.

We were using another solution before switching to F5 Advanced WAF. We didn't have success with that solution because the integrator failed to deploy it properly. It was more complex and not user-friendly.

It was a little bit complex. If you want to add an additional layer or model like APM with two-factor authentication, then it requires a little bit more integration.

It is expensive. Its price should be better.

Its licensing is on a yearly basis. Its licensing is also based on the model. There are no additional costs.

I would recommend this solution to other users. I will advise others to learn a little bit about how the HTTP protocol works. They should be familiar with the functionality of the product. They should not use it without understanding what they are actually doing.

I would rate F5 Advanced WAF a nine out of ten.

We are using it to secure a few applications for our customers. 

The valuable features vary from customers to customers. Some customers are okay with the basic features of the WAF, and some customers use advanced WAF with a few other features.

It should be a little bit easy to deploy in terms of the overall deployment session. 

One of our customers is a bit unhappy about the reporting options. Currently, it automatically deletes event logs after some limit if a customer doesn't have any external Syslog server. It is a problem for those customers who want to review event logs after a week or so because they won't get proper reports or event logs. They should increase the duration to at least a month or two for storing the data on the device.

F5 is not a leader in Gartner Quadrant, which affects us when we go and pitch this solution. Customers normally go and take a look at such annual reports, and because F5 is currently not there as a leader, the customers ask about it even though we are saying it is good in all things. 

F5 is not known for something totally different or unique. They were a major player in ADP, and they are just rebranding themselves into security. They should improve or increase their marketing as a security company now. They have already started to do that, but they should do it more so that when it comes to security, customers can easily remember F5. At the moment, if we say F5, load balancing comes to mind. With rebranding and marketing, all customers should get the idea that F5 is now mainly focusing on the security part of it, and it is a security company instead of load balancing. This is the first solution that should come to a customer's mind for a web application firewall.

I have been using this solution almost for a year.

It has good stability. Our customers are happy with the implementation. So far, we haven't faced many issues.

Overall, it has been good. We get proper support, and we haven't faced any challenges. However, F5 doesn't provide support during the demo or POC time. Other vendors provide technical support for demo or POC, but F5 does not. We have to reach out to the local AC every now and then, which is a difficult task because most of the time, he is in some other meeting or busy with something else. So, he isn't able to support us. They should give us some kind of technical support for demos and POCs. We should be able to reach out to them for completing a POC. It would be an added advantage.

The implementation was quite smooth. We migrated from CloudFlare to F5 without any major issues. The deployment took almost ten months, and it included the implementation and fine-tuning. The customer had three applications.

Its price is fair. We have done a couple of deals where they were able to give some kind of discount to the customers. The price was initially high for the customers, but after a couple of negotiations, it came within their budget. They were happy with that.

I would recommend this solution because it is overall a very good solution. As a company, they are very established and stable, and they have a long legacy in the industry. They have been there in the industry for a long time. On top of that, they have very good solutions. They can just improve their offerings and marketing in terms of the new rebranding.

I would rate F5 Advanced WAF an eight out of ten.

F5 is a web application firewall and load balancer. 

The primary use case of this solution is for data protection and security.

I like all of the features, but the main one is the attack signatures.

If they could separate the control plane from the data plane, it would give us more flexibility, especially with the Hyper Cloud. This could be the reason they purchased NGINX.

They have released the first production release but they are not there yet. It would be good to have this separation in the near future.

Also, automation on the cloud is not easy. It's a bit of a job, and it doesn't auto-scale very well.

They need to work on the BIG-IQ, which is centralized management. There are too many devices. Managing them individually is inconvenient. Essentially, BIG-IQ is supposed to centralize the management for all of the boxes but it's not very effective.

I have been using this solution for more than five years.

The stability is very good.

There is no solution that is bug-free, but when comparing it with other vendors, I would say that F5 is less buggy than the others.

The scalability is an issue at the moment, which is the reason they need to separate the control plane from the data plane.

We are using this solution daily. It runs 24/7.

The technical support is very good. They are knowledgeable and helpful.

The initial setup was simple and it took an hour to deploy.

This solution does not require a lot of maintenance but we need to do the patching regularly.

We do the implementation but at times we get consultations from F5.

It's more expensive than other solutions and depending on the modules, there can be additional fees.

If I would compare F5 with other solutions, the main differences are the support and the stability of the code, it has fewer bugs.

For on-premises deployments I would recommend F5, but for the cloud, it would be questionable.

I would rate this solution a seven of ten.

We use the solution to secure web applications running in the organization.

F5 is one of the best products. We use it for multiple segments within our organization and applications. It is a central point of all the applications being scrubbed and checked.

The customer service could be improved.

I have been using F5 Advanced WAF for more than ten years.

The product is stable.

I rate the solution’s stability a seven out of ten.

The solution is scalable.

Our entire organization and clients use the solution.

The initial setup is easy since I have used the technology for almost 20 years. Some applications require more attention depending on what you are doing and trying to achieve with the particular module. You need some assistance from the team in configuring the different components within the application through the web.

The solution is worth the money that you spend.

The solution is expensive.

Whatever you are looking for can be done on the platform. Some features may not be available with IO components. A few features give you the flexibility that no other product can.

Overall, I rate the solution an eight out of ten.