F5 Advanced WAF Reviews

My main use case for F5 Advanced WAF is to protect external and internal applications from cyber attacks and to prevent malicious payloads and malicious data from reaching servers. Even if malicious content is compromised on the client side and could be executed on the server side before reaching the server, F5 Advanced WAF intercepts the communication and verifies the actual payload and data that the client wants to access or send to the server so that it gets executed securely at the server level.

I can provide a specific example of how I have used F5 Advanced WAF to protect an application. There was an application where some of the contents actually get loaded from a third-party domain. In that case, the client has to load scripts, images, or any other sort of resources from that third-party domain. When the request reached F5 Advanced WAF, the application sets response headers so that in those response headers, the browser sends the request with the information mentioned in those response headers. Those response headers include Content Security Policy and CORS headers. The domains mentioned there, along with the resources like scripts and images, determine which resources can be accessed. Only those resources are loaded from those domains. If an attacker tries to send the request to a different domain, the browser will not load that. If the application is unable to implement those headers, F5 Advanced WAF can implement or configure those headers so that the resources from the third party get executed or loaded in a secure way. Moreover, if a request comes from the client side, the actual payload is verified because it would be encrypted. This is because whenever we host an application, it should be HTTPS, which means secure communication with F5 Advanced WAF and the server. The client communicates securely. F5 Advanced WAF intercepts everything initiated from the client side, decrypts it with the help of SSL handshake, and there are private and public keys that help encrypt and decrypt the data. F5 Advanced WAF acts as a proxy for that particular application. When a client initiates the request, it seems to the client that they are communicating with the real server, but the request reaches F5 Advanced WAF first instead of the server. F5 Advanced WAF communicates with the client and forwards the data to F5 Advanced WAF. F5 Advanced WAF decrypts the data through SSL handshake. F5 Advanced WAF then verifies what exactly the actual payload contains, whether it is malicious data or legitimate data. F5 Advanced WAF verifies by having predefined attack patterns that contain some attack information. If those attack patterns or malicious data are executed on the server side, that data can compromise server confidentiality and sensitive data. In that case, the actual payload from the client is verified against those patterns. If the data matches those patterns, F5 Advanced WAF enforces the security. If security is in blocking mode, it will stop the request and the blocking reference ID will be forwarded to the client. The client will retain that reference ID. If it is a non-legitimate client, they will be blocked. If legitimate, the client receives the reference ID. Upon receiving the reference ID, the client has to forward it to the company that they are receiving the reference ID while accessing the application, seeking clarification about the issue. The reference ID is verified in F5 Advanced WAF logs, providing insights into what exactly the client sent and what observations were made based on attack patterns triggered by the data. If the client is legitimate, it is treated as a false positive. We then either request the applications team to refactor the way requests are sent or, if cumbersome, relax the policy for that user or URL. This is a granular way to protect against malicious and mitigate false positives for applications deployed on F5 Advanced WAF.

F5 Advanced WAF has an added advantage over Cloudflare, Barracuda WAF, Imperva WAF, and other WAFs currently in the market. The essential feature is called iRules. With iRules, we can apply two security policies for a single application while segregating user traffic from admin traffic. It is necessary to secure and segregate admin and user traffic because we can implement robust security for user traffic. For admin policy, we can relax the policy since it is an admin resource performing admin functionalities like upgrading the application, integrating resources, or implementing new features. We can simply relax the admin policy and enhance the user policy. One of the most important advantages of F5 Advanced WAF is that we can apply it on the same virtual server where we configure the applications. Other vendors in the market, especially Barracuda WAF, lack such functionality or advanced features. This is a significant advantage that F5 has, and their STM, which handles traffic, is secure and stable.

The best features F5 Advanced WAF offers include iRules, which are the most important, where out of the box requirements can be met, even if F5 Advanced WAF does not have them natively. If something is missing, iRules help achieve functionality that is lacking. This is the first standout feature against other vendors' products. The second most crucial feature is their secure traffic handling manager, which is stable and handles millions of requests within milliseconds. That is the most stable in the current market. Thirdly, the granularity of security policies, where we can segregate user and administrative policies on the same virtual server, is important. Additionally, the advanced bot protection is very good, with numerous categories of bots. Their DDoS protection also offers granularity, including behavioral DDoS features that verify server load. They incorporate client-side integrity by sending JavaScript to clients to determine whether they are real browsers or bots before verifying requests. There is also rate limiting in the DDoS features. Furthermore, they have session awareness features where if a single client generates a specified number of violations within a time frame, the IP can be automatically blocked for a specified period. These features stand out for F5 Advanced WAF compared to vendors in the market.

F5 Advanced WAF has positively impacted my organization. We can lower down the attacks; there are ways the non-legitimate malicious requests can pass. However, after implementing F5 Advanced WAF, nearly 99.9% of requests are legitimate due to the granularity and response verification by attack patterns and request blocking.

Improvements could be made regarding the log information from the backend CLI. There are enhancements needed; if a request gets blocked on the TCP layer, there should be traces or data to verify which source generated these requests, including the source and port information for initiation. These data are missing from F5 Advanced WAF. Besides that, another improvement could be refining the bot detection to minimize false positives; it should be able to verify more granularly between legitimate and non-legitimate clients. Overall, I find everything else good.

A wish list feature I have is for the Technical Assistance Center (TAC) to respond more promptly. Their response time needs improvement; while they do not take excessive time, it can be enhanced, especially given it is a security product.

I have been using F5 Advanced WAF for almost three years.

F5 Advanced WAF is stable, and there is no doubt it is one of the best WAFs in the market. The pricing they offer is justified.

F5 Advanced WAF's scalability is satisfactory. If you need to scale up, such as moving from a lower model to a higher one, the configuration from the lower model can be migrated easily without issues. Additionally, it does this without requiring excessive manual work. Their features also provide buffer space to alleviate issues from changes in resource capability.

I find their customer support has experienced and knowledgeable personnel, but their response time could be improved. While they resolve issues well, the time taken for responses to non-critical issues should be shorter.

In my previous company, I used Barracuda WAF and migrated to F5 Advanced WAF.

I have seen a return on investment with F5 Advanced WAF. The time saved is significant because of its learning feature, allowing automatic configuration for legitimate requests. This automatically accommodates changes, ultimately saving time. Additionally, the overall operational costs decrease as F5 Advanced WAF ensures 24/7 application availability, preventing any traffic disruptions impacting business operations. Hence, F5 Advanced WAF delivers a solid return on investment.

F5 Advanced WAF is somewhat costly compared to other vendors, but it is worth the investment due to the stability it provides to the environment and infrastructure.

Before choosing F5 Advanced WAF, I evaluated options like Imperva and Cloudflare. However, F5's reputation and stature built over the years is commendable and influenced my decision.

My advice for others considering F5 Advanced WAF is straightforward: if you foresee your business growing and the potential need for new applications, prioritize security. Ensuring that security is not compromised and maintaining application availability is critical. If budget permits, do not hesitate to invest in F5 Advanced WAF, as it will deliver substantial benefits to your infrastructure over time, rather than opting for cheaper alternatives.

Companies with adequate budgets should not hesitate to invest in F5 Advanced WAF without considering other vendors. If they want on-prem security for critical, sensitive, and confidential data, F5 Advanced WAF should be the go-to option.

I measured the 99.9% reduction in malicious requests by utilizing the features of F5 Advanced WAF like DDoS protection, bot protection, enforcement mode of the policy, session awareness, enabled IP intelligence, and other defined features. Every URL is explicitly allowed, with parameters used by those URLs explicitly mentioned. Values for those parameters are tightly controlled. Only certain file types are permitted that are integrated with the application. Additionally, specific enforced parameters include the length of URLs and post data, ensuring that if any application changes occur, requests will be blocked unless they match specified criteria. This creates a positive security model, resulting in 99.9% of the requests being legitimate, with no attacks bypassing F5 Advanced WAF.

I would rate this product nine out of ten.

My main use case for F5 Advanced WAF is to protect applications and support application delivery, and sometimes we use LTM for load balancing.

A specific scenario where I used F5 Advanced WAF for application delivery was in our banking environment called IDFC First Bank, where we had a critical internet-facing web application used by internet teams and partners that handled sensitive data, and both security and performance were equally important. The application was exposed to the internet and started receiving SQL injections and cross-site attempts, along with automated bot traffic hitting login and search pages. Simultaneously, the traffic load increased, causing slow response times during peak hours, resulting in uneven traffic distribution to the backend servers. We configured the virtual server and pool on F5, enabled health monitors to ensure traffic was sent only to healthy backend servers, and used a load balancing algorithm to distribute traffic. The result was improved application availability, faster response times, and no single backend server overload.

This scenario stands out because it clearly shows how F5 LTM and WAF work together, with LTM focusing on availability and performance, while WAF focuses on security and threat protections, delivering a secure application delivery. The final outcome was that LTM ensures smooth and optimized traffic flow, and F5 Advanced WAF ensures strong application security, keeping the application stable, fast, and secure even during high traffic. It worked reliably in production with 2,000 or more users.

From my hands-on experience with F5 Advanced WAF in the banking production environment, some of the best features that really stand out are those that help reduce risk without breaking applications. One major strength is its Behavioral and Automatic Learning capabilities, which allow the WAF to understand normal application behavior and help create policies based on real traffic, minimizing manual effort and false positives. Another notable feature is the Advanced Attack Signature database that is very strong and regularly updated, effectively blocking SQL injections, cross-site scripting, command injections, and file inclusion attacks while allowing selective enabling or disabling of signatures to avoid blocking genuine traffic. Additionally, the Bot Protection feature is critical for the login page and API, helping stop automated login attempts, control scraping, and manage abnormal request rates, which ultimately reduces unnecessary loads on the backend server and improves overall stability. Finally, the strong visibility and logging properties provide detailed event logging and reporting, allowing the security team to see which attacks were blocked, which parameters or URLs triggered them, and source behavior patterns.

In my day-to-day activities, if I had to pick one feature I rely on the most within F5 Advanced WAF, it would be the Behavioral Learning with policy tuning, as the biggest challenge in application security, especially in the banking sector, is avoiding false positives. Applications frequently change, new parameters are added, and user behavior can evolve. This feature allows me to review newly learned parameter URLs and fine-tune enforcement so genuine users are not impacted, confidently moving policies from staging to blocking mode, saving significant time and preventing unnecessary production issues. In a large environment, security teams cannot manually write rules for everything, so this learning engine provides a baseline, allowing us to apply engineering judgment on top of it, which makes F5 Advanced WAF usable in real life. From a daily operation point of view, F5 Advanced WAF stands out because it is practical, stable, and predictable once properly tuned, which is exactly what you want in a critical enterprise environment.

F5 Advanced WAF has a clear and measurable positive impact in our organization, particularly regarding our security posture, application stability, and operational efficiency. After implementing F5 Advanced WAF, we saw a significant reduction in web-based attacks such as SQL injection, cross-site scripting, and automated malicious traffic, allowing us to block real threats before they reached the backend server. With proper use of behavioral learning and tuning, false positives are greatly reduced, leading to minimal impact on genuine users and fewer application outages caused by security controls. This created higher confidence when running the policy in blocking mode, which was a big win for both the application and security team. Strong visibility and faster incident response through detailed logging and reporting help our team quickly identify patterns, perform faster root cause analyses, and support audit and compliance requirements, ultimately reducing investigation time and improving overall response efficiency.

After implementing F5 Advanced WAF in the enterprise banking environment, we saw measurable improvements across security and operations, including reduced web attacks, decreased false positives over time, improved application stability, faster incident response investigations, and operational efficiencies.

F5 Advanced WAF performs well overall, but I have noticed some points that could enhance the solution. Initially, policy tuning could be simpler, as while the learning engine is powerful, initial tuning still requires experienced engineers, which can be challenging for new teams due to the complexity of options and parameters. A more guided and simple tuning workflow would help reduce the learning curve. Additionally, tighter native integration with SIEM or SOAR tools would simplify correlation and investigations for security teams, although log exports are available. Overall, these are not blockers, merely enhancement opportunities, and once tuned, F5 Advanced WAF is very stable and reliable; improving usability, reporting, and onboarding would make it even more effective for larger environments.

I have been using F5 Advanced WAF for more than four years; I can say I have 4.5 years of experience in WAF implementations such as F5.

F5 Advanced WAF has been very reliable and consistent for us; in our on-premise enterprise setup, it has been stable and predictable in day-to-day operations without any unexpected crashes or WAF-related downtime in production. It runs on F5 BIG-IP and is truly integrated with F5 LTM, providing strong stability once deployed in proper high availability. After initial tuning, it continues to run smoothly even during high traffic periods.

We did not previously use a different solution; this is the first project for our organization.

We have seen a clear return on investment after deploying F5 Advanced WAF, primarily in terms of time and risk reduction. Time savings in daily operations come from the automatic learning and signature update reducing the need for constant manual rule management, allowing the security and network teams to spend significantly less time handling false positive application-related escalations. Incident investigation time was reduced because logs clearly indicate what was blocked and why, leading to faster resolution and more efficient use of existing engineers. A large volume of malicious traffic was blocked at the WAF layer, preventing issues from reaching the backend servers, which reduced emergency troubleshooting and application team involvement, ultimately lowering operational stress and incident cost savings without requiring additional security tools. This saved costs on hardware, licensing, integrations, and support effects, with the realistic ROI summarized as time saved in tuning, troubleshooting, and investigation, reduced risk of security incidents in a regulated environment, and improved operational efficiency by consolidating security and load balancing.

F5 Advanced WAF is on the higher side in terms of pricing, which is justified for enterprise and banking environments, although it is premium compared to many others, especially when bundled with LTM and additional features. For organizations that already use the F5 ecosystem, the value makes sense since you get security and application delivery on the same platform. The initial setup cost is moderate to high, mainly due to the application or platform costs, licensing, and the skilled engineers required for deployment and tuning—it is not a plug-and-play solution. Licensing is capacity-driven, so you need careful planning based on traffic volume and use cases, and adding features such as Bot Protection impacts costs; once licensing is clear and sized correctly, there are no surprises. Overall, while not inexpensive, it is enterprise-grade and well-suited for large environments with critical applications, delivering solid ROI over time, particularly in banking and regulated enterprises.

Before choosing F5 Advanced WAF, we evaluated other options such as Akamai, which is a cloud-based solution and not recommended for critical data in a cloud environment since it does not provide an on-premise solution.

If someone is looking into using F5 Advanced WAF, my advice is to spend time on learning and tuning, and do not rely on blocking mode on day one; it is essential to run the application in learning mode, understand traffic patterns, and tune policies properly to avoid false positives in production. Also, it depends on size and platform; while F5 Advanced WAF scales well, correct sizing of hardware and licensing based on traffic volume is crucial. Proper capacity planning upfront saves performance issues later, and having skilled resources is important; this is an enterprise-grade solution, not plug-and-play, so ensure you have experienced F5 engineers or proper training during initial deployment and tuning. F5 Advanced WAF is an excellent choice for large enterprises and regulated environments, but success depends on proper design, tuning, and ongoing review; when implemented correctly, it delivers strong security with stable performance.

Overall, F5 Advanced WAF is a strong, dependable enterprise solution that works best when seen as a long-term security platform rather than a quick add-on; once properly designed, sized, and tuned, it runs quietly in the background and effectively does its job without constant attention. It has met our expectations and proven to be a reliable choice for protecting business-critical applications. I have provided an overall review rating of eight out of ten for F5 Advanced WAF.

My main use case for F5 Advanced WAF is providing deployment solutions for financial institutions and onboarding their applications on the solution itself. I perform fine-tunings on their solution based on the type of application services that they are hosting on the WAF and also based on traffic behaviors. I provide them with appropriate solutions and tuning requirements for the solution itself.

I deployed F5 Advanced WAF in one of the top-tier commercial banks of Nepal, and I have deployed it in more than two or three banks here. The deployment went from a proof-of-concept state to the deployment stage. Initially, I deployed the proof-of-concept product and tested it on some of their proof-of-concept applications. After that, I deployed it for the production applications. I gradually kept it under tuning and overall monitoring, and after learning the traffic behavior, I moved it to enforcement mode while turning on the blocking part. Initially it started with a monitoring phase and eventually turned into the blocking phase where it starts to protect applications against real attacks.

F5 Advanced WAF offers excellent configurability, and you have all the things in your hand that you want to configure for it. It starts from overall network level things to how a web application should be developed, for example, how an HTTP request should be created from the backend itself and how it is made an RFC compliant HTTP request. I can tune the configuration and security configurations based on each very minute content or minute context details. I can fine-tune my policy to act upon very specific parameters on very specific URLs and very specific headers.

Even if I get false positives, I can disable it for very specific contexts in an HTTP request and not on the whole application level because disabling a signature on a whole application level might not be that secure or recommended as it might cause false positives on specific input endpoints or on a specific area. The same kind of attack signature or the same kind of attack may be executed in another part of the same application which is covered by a single policy in itself. The level of configurability that I get with F5 Advanced WAF solution is immense, and I have to be a bit aware of how it works and all of its features, but at the end of the day, it is all about the administration expertise that I will require to have and use it to my liking based on the kind of services that I have onboarded on my solution itself.

F5 Advanced WAF has positively impacted my organization by providing immense visibility of the application traffic itself and how it protects against attacks that are prevailing in the application. The threat intelligence and threat campaigning feature that F5 provides allows their in-house threat intelligence team to research regularly and provide updates based on real-time or near zero-day attacks. The IP intelligence databases that it provides and the many other things F5 provides are something that I believe every organization should have in their security budget or security architecture. I think it is something that is a must-have solution. It does not matter if it is F5 or any other solution, but it should be enough to protect an organization from the threats that are prevalent in these generations, which require a really complicated solution itself, and F5 is one of them.

On the features I wish existed, Big-IP Advanced WAF is primarily an on-premises solution and in that solution, there are not enough features that need to be there to protect API-based applications. F5 somehow tends to force clients to go for a cloud WAF solution where it provides a solution for API security at least at some granular level, but Big-IP Advanced WAF in itself does not provide a complete API security solution. There could be a bit more of an easier way that I could configure things, and the resources that F5 provides should be freely available. Maybe some training and many other things regarding application-specific configurations and all those things would help. It is fine in itself, but the main thing that I wish should be there or it would be great if it was there is the API security solution that was supposed to be there in Big-IP Advanced WAF itself but which is not completely there. Only the basic features are there.

F5 Advanced WAF can be improved by including some features that need to be included regarding API security solutions and all, but as of now, it is improving and it will keep on improving. It is fine for now, but it is improving itself. If some of the features that I mentioned above are integrated into the application or the solution itself, then it will be good to go.

Regarding the needed improvements, it would be better if F5 Advanced WAF could have some professional-level training and some curated training and not just paywall-backed training, but some free-of-cost training that administrators can access and complete. F5 itself provides a good amount of knowledge base articles and documentation and a help menu in the solution itself in the user interface. It is not that tough, but it could have been a bit more easier.

I have been using F5 Advanced WAF for around two years.

F5 Advanced WAF is pretty stable. It faced a persistent attack on the F5 company itself and some part of the F5 source code was hacked as per the news, but besides that, F5 is stable. The newer updates are coming up and they offer even more good options.

F5 Advanced WAF is pretty scalable. I can have multiple solutions or multiple instances running or I can run it in HA mode or even divide the traffic volume to the number of instances that I have based on their resource sizing. I can prioritize traffic also. So it is pretty scalable.

The customer support for F5 Advanced WAF is fine in itself, though a bit late, but on priority they come in time, so it is not that bad. It is good enough.

Positive

I do not use a WAF solution in my end itself, but I do provide that solution to others. I have used FortiWeb and Imperva and Traceable to provide solutions to clients, but as of now, the on-premises solution is primarily F5, which is a bit better in this case. Imperva and Akamai are there if they provide on-premises solutions, but it is good enough in itself for now, at least.

In terms of return on investment with F5 Advanced WAF, if an administrator is good enough in operating a WAF solution, then a single administrator would work. The amount of attacks it protects against is immense, more than F5 Advanced WAF itself costs. So it is worth it to have.

The pricing for F5 Advanced WAF is a bit higher, but not that high. I would say for a good amount of revenue-generating organization, it is a worthwhile investment, but it is not that easily accessible for small and medium-sized enterprises. The licensing and setup cost require some setup manpower that is technical, so there might be some pricing involved, but I cannot name the pricing itself. It is pretty steep.

Our primary use cases for F5 Advanced WAF in our system include F5 LTM, F5 WAF, and F5 DNS GTM for one of our applications.

The features of F5 Advanced WAF that I find most valuable include advanced WAF capabilities, bot detection, DDoS features, and all the top ten attacks we have configured with the WAF.

Machine learning and automated threat detection features have helped our security strategy because we initially used them during our application learning mode. It provides us with one hundred percent accurate application learning to reduce false positives, and it has been very helpful.

In terms of additional features I would like to see from them in the future, I think the GTM is a bit complicated to configure, which I observed. Otherwise, LTM and WAF are straightforward. I faced problems during the GTM configuration. The LTM and ASM are very simple to configure and manage. There is excellent clarity in the LTM and the WAF. Whenever something goes wrong or we have to whitelist anything, it clearly indicates where to go and where I have to make modifications. It is very simple and we get comprehensive information.

I have been working with this solution for three to four years.

My experience with the technical support from F5 is that on the technical side, we sometimes face issues with reachability and availability. Regarding technical support overall, I am not completely satisfied with F5. We are facing problems. I would rate the technical support at five out of ten.

Both response time and availability need to be improved. Technical skill on the support side also needs improvement.

Positive

I switched from Radware to F5 Advanced WAF after COVID, which was two to three years ago.

Overall, I believe it has been a good decision to switch because I do not think any other product available on the market can compete with F5 at this time.

The initial setup of F5 Advanced WAF is very straightforward.

Regarding the price, I think the cost is a bit higher compared to others. Earlier we were using Radware, and compared to Radware, it is very high. However, it is providing more features than Radware. The WAF side is very familiar and we can easily understand it. It is not complicated, and the features are at a very granular level compared to Radware and other WAF solutions.

To assess the effectiveness of DDoS mitigation in F5 Advanced WAF, we checked internally using JMeter, on which we wrote a script and tried multiple users at the same time. The DDoS feature blocked all that traffic according to our threshold. We tested this internally.

The ability to enforce granular policy adjustments has helped my organization with compliance adherence because in the last three to four months, we put our application in blocking mode. We have not configured granular level settings; we have configured at a high level currently. Going forward, we will be planning to add additional security in the WAF.

I have not used advanced analytics and traffic insights features. I also have not used vulnerability management features, as we have different solutions for that.

From my perspective, whatever we have used of F5 Advanced WAF, I do not think it needs improvement because I am currently satisfied with the features provided. We just need to work more on the WAF. If there is anything that needs attention, we will definitely let you know.

Currently, ten to twelve people are using it in my company. I would rate this solution an eight out of ten.

We use F5 Advanced WAF to restrict attacks on our remote access VPN. We've implemented geolocations. Our APIs are exposed over the Internet, so we've utilized F5 Advanced WAF to protect those APIs, and it's integrated with our other applications.

The WAF solution works perfectly fine. If we face any issues, we get hotfixes from the solution experts. It is a little bit difficult to engage with a solution expert firsthand, but once they're engaged, they do whatever is best to resolve the issue.

We faced a lot of outside attacks on our VPNs and APIs, so the geolocation feature works perfectly fine for us. We use iRules as well. Our internal access VPN is advertised from a Cisco firewall, and above that, we have an F5 LTM. We have written some iRules on it to minimize the effects of attacks.

We are a PCI DSS-compliant organization, and we have a lot of security balance to improve our infrastructure. So we use this software to meet those requirements. It works well. So, F5 helped to meet compliance and regulatory requirements.

It's pretty smooth. Whichever load we put on it, we've observed minimal chances of the WAF exploiting the memory or sessions hanging. 

The bot protection aspect works perfectly fine. All the solutions and features are renewed and they're working well. I don't see anything that can be improved.

We also leveraged AI initiatives. 

Support is a little slow, but the solution itself is great. If I compare F5 and Fortinet, the main issue is the support. With Fortinet, it takes less time to engage a support engineer and get things sorted compared to F5.

I have been using F5 Advanced WAF since last January.

I work for a US-based firm, and the project I deal with relies heavily on F5 and F5 LTMs.

I work on both F5 BIG-IP cloud and on-premises and F5 LTM.

It is a stable product. 

The physical hardware is not as scalable. We have to decide which version is best for us to procure because it is a costly device. So we try our best to get all the juice out of one box.

There's around 2500 users getting services from the F5. In my team, we are twelve engineers who are managing the infrastructure.

Support is a little slow, but the solution itself is great. If I compare F5 and Fortinet, the main issue is the support. With Fortinet, it takes less time to engage a support engineer and get things sorted compared to F5.

I'll give F5 a five because it is difficult to engage an engineer and get the issue sorted. For Fortinet, I'd give them a nine.

Neutral

The initial setup process of the F5 WAF product is straightforward. There isn't an issue in setting up from scratch. We use F5 with the cloud as well, especially in Azure and AWS.

The deployment took around half an hour for an engineer to get the basic infrastructure done.

It is not difficult to manage bug fixes, upgrades, and everything. It doesn't take much time. The dashboards are good. All the basic information is given to us on the first page, and it's easy to manage.

It brings a return on investment.

It is a little bit costly, but it has all the features that are required.

I would recommend F5 Advanced WAF to other users looking to implement it.

My advice:

A lot of organizations are financially constrained when buying devices. So if the organization is capable of maintaining and managing a device like F5, we suggest F5. Otherwise, we suggest other solutions, like Fortinet or Citrix.

Overall, I would rate it an eight out of ten because of the support.

I use F5 Advanced WAF to manage enterprise clients, focusing on licensing and support flexibility to accommodate various customer segments, including enterprises and mid-market customers.

F5 Advanced WAF provides two different licensing models. The subscription-based model offers competitive pricing, making it easier for me to see ROI. However, the perpetual license, despite an initial higher cost, lacks transparency regarding support expiration. Due to the subscription, I can compare it with other tools, but as a perpetual buyer, I am unaware of support expiration until after the purchase, allowing indicative ROI calculations but not actual ones. 

Furthermore, F5 Advanced WAF offers features not available in other products, though I suggest consulting a technical expert for specific features.

F5 Advanced WAF sells perpetual licenses as perpetual assets during sales without informing me that support ends after a few years. I find out later and am required to pay for support without receiving updated versions. Deployment training for F5 Advanced WAF is lacking and restricts growth by being inaccessible and costly for partners.

I provide the feedback based on my recent experience and judgment.

I have interacted with F5's support, and while I have no major complaints, they could improve. I rate them eight out of ten.

Positive

Deployment is easy for me, but enablement training is not easily available, accessible, or sufficiently supported.

I find it difficult to compute ROI for perpetual licenses due to the lack of upfront information about support expiry. Subscription models offer clearer ROI due to a more competitive pricing scheme.

Subscription models have competitive pricing, while perpetual licenses involve an upfront higher cost, leading to ambiguity regarding support cessation. 

Additional costs for deployment and training further impact my cost considerations.

I am interested in how F5 Advanced WAF features and pricing compare to alternatives like Fortinet and Check Point.

I rate F5 Advanced WAF eight out of ten. 

Despite a few issues, F5 Advanced WAF is performing well for me. Improving engagement and enablement for partners would enhance its value to GSI partners and service providers. 

Overall, I see potential positive development for the product.

Our company uses two versions of F5 Advanced WAF. The solution is used to protect against web hacking bots. 

F5 Advanced WAF has improved our organization's security posture by fending off all types of attacks. The solution has been successful in mitigating not just one kind of attack but also rare attacks that disturb the OS and try to achieve a denial of service. The solution has saved our company from performance deterioration and also enhanced security.   

The solution's most valuable features include application DDoS protection, bot blocking, and HTTP header verifications. The solution protects against seven types of DDoS attacks. 

More legacy protocols should be added to the solution. The aforementioned protocols are generally less used and might have been phased out from multiple solutions. But some of the large corporations that are clients of our company are unwilling to let go of applications that have been developed.

The aforementioned clients believe that as some of the new websites do not use these technologies, it wouldn't be ideal to replace the existing applications; for example, a bank with millions of dollars connected to a software wouldn't be willing to replace it instantly.

It often takes years for enterprise-level businesses to replace applications. The vendor of F5 Advanced WAF needs to consider that even if legacy protocols are not necessarily used for new projects, existing or prior applications projects rely heavily on them, and such protocols need to be protected until they are completely phased out of the market.

The vendor needs to provide complete support for the legacy protocols, just like the latest protocols in the market, until they are assured that none of the customers are using them. 

I would like to witness the expansion of the supported protocols set by the solution. The tool should be promoted as an advanced protection solution that supports all types of protocols. In future versions, some protocols offered by the solution need to be more specialized. All public-facing protocols should be added to F5 Advanced WAF. 

I have been using F5 Advanced WAF since 2018. 

If the solution is setup by professional services, then it will exhibit outstanding stability, otherwise there might be issues. I would rate the stability an eight out of ten. 

I would rate the scalability a nine out of ten. The solution is highly scalable and accommodating. The solution also allows troubleshooting due to its scaling capacity. The backend system of the solution allows the accommodation of solutions that one can pickup. 

In our company, there are about ten users of F5 Advanced WAF, and it's being used daily. Our organization also plans to increase the usage and the number of users for the solution. The tool's performance has benefitted application delivery in our organization. 

I would rate the tech support a seven out of ten. The tech support quality is slightly above average. The support team's first responders to raise tickets are not skilled engineers.

Large enterprises usually expect their issues to be resolved within a few minutes, so in a support process where first responders collect information and if they are unable to tackle it, the issue gets escalated, which overall becomes a huge, time-consuming process. The vendor should provide highly skilled first responders to large clients of F5 Advanced WAF, as for each second the solution is down, the clients might be losing money. 

Neutral

Before F5 Advanced WAF, our organization used IPS and Fortinet. Fortinet could only handle simple tasks, and F5 Advanced WAF is better for specialized application protection and scalability. Fortinet has a quick and easy setup process that doesn't require highly skilled engineers, making it suitable for resource management. 

I would rate the initial setup a seven out of ten. F5 Advanced WAF offers an easy setup process. Our company works with both the cloud and on-premise versions of the product. The solution's deployment, including the configuration, can takefour to five days. One engineer is enough to deploy F5 Advanced WAF for a single system.

The frequency of maintenance depends upon the setup of the solution; in case of faulty setup, the administration overhead will be greater due to repeated maintenance needs to fix issues. Often, customers invest in professional services to setup F5 Advanced WAF, following which an engineer can implement the maintenance. If professional services are not availed to setup the solution, it can take up to a month. 

The solution provides an ROI. When professional services install it, it has low administrative overhead and increases performance due to its scaling capacity. The solution can be used with any specific client or application as it allows user programming to be open-source. With F5 Advanced WAF, our company is able to adapt to the versatile requirements of clients. I would rate the ROI of the solution a nine out of ten. 

I would rate the pricing as seven out of ten. Sometimes, for specific models, additional licenses over the standard one need to be purchased. F5 Advanced WAF doesn't offer a single license that fits all use cases; the user needs to choose the license format. A structured license is usually preferred for F5 Advanced WAF. 

Our company also evaluated Palo Alto products, but F5 Advanced WAF offered superior scalability. 

The solution mainly provides automated responses; once the solution is set up and trained properly, it requires minimal intervention. As the solution is completely automated our company team has to only check the reports. 

But there is an elaborate setup process where, as part of our company, we deploy applications in an environment, implement work policies, and use automated software to simulate multi-vendor attacks and web hacking to test the solution's ability to detect attacks and, accordingly, we make adjustments to the flexible solution. 

After the simulation testing, the policy implemented for the solution is put in a station period where it won't be flexible initially, and then reporting is implemented, which will escalate to the anticipated restriction level soon. 

After the policies' staging period, when the solution has completed learning through simulations and our company feels confident with the test product in the active environment, the solution becomes automated from that point, and manual intervention is not necessary. A highly skilled team is needed for the abovementioned solution training process. 

Our company develops multiple applications internally as our work sites are not ready, and varying results are expected from different work sites, webpages, or newly added features. When a new feature is added to the solution, we revert back to the deployment process to test it. Our company needs to ensure that the in-house developed features that are integrated into the solution are not prone to attacks through simulation testing every time.

Our company feels confident when the solution's policies are developed through the staging, simulation and rule enforcement process. The aforementioned process helps with reports and also with performance. In our company, we have also encountered websites that didn't function well with the solution; even though the websites were functioning properly, the performance deteriorated slowly. Many attackers nowadays venture beyond the threshold, which might be difficult to capture.

If we consider any service or web applications over the internet that is attacked beyond the threshold, it wouldn't be a blind attack for the application owners as it would get blocked immediately, but instead, they progress slowly with the attack and ramp up once they can change the IP addresses and identify a suitable angle of attack, until these attacks get blocked they can affect your service.

Sometimes, a few of our organization's clients complain about the solution working slowly, even without apparent attacks. For example, if you're a trader, the website might function well enough most of the time, but sometimes you have to buy or sell within minutes, whereas if it doesn't work, you need to visit a different website, which can also be the goal of attackers. 

F5 Advanced WAF also allows you to write your own code for the interface.  F5 Advanced WAF specializes in behavior identification, which helps in superior attack mitigation. I would advise others to get the solution setup only by specialized or professional services. I would rate F5 Advanced WAF a nine out of ten. 

The primary use case for F5 Advanced WAF is to protect applications that are exposed to the internet. It is used to protect applications from known attacks, such as cross-site scripting and DDoS attacks.

F5 offers a versatile solution that can be integrated with APM in cases where integration with an external IDB is needed. It is useful for authentication backup if the on-prem directory service is unavailable. 

Additionally, its WAF functionality is valuable for protecting applications from attacks. It is a versatile and strong solution that's easy to understand and deploy.

The DDoS capabilities should be enhanced. More advanced features related to DDoS would be beneficial.

I have been working with F5 Advanced WAF since 2017, which is almost eight years.

The stability is high. It's a robust product with high availability, ensuring no disruptions for end-users if a node failure is detected. Our deployments are based on high availability clustering.

F5 Advanced WAF is highly scalable, both in its physical and virtual forms. Its scalability is based on the search, making it adaptable for various needs.

The support from F5 is excellent, with resources readily available online. The quality of support depends on the service SLA purchased, with various levels of service provided.

Positive

The initial setup of F5 Advanced WAF is straightforward and easy to understand. Without prior training, I could build and publish applications using just the documentation.

For standard and straightforward deployments, the implementation can be handled by a single person or a team based on the customer's size. Professional service can simplify the process significantly.

The pricing is not cheap; I rate it a six out of ten.

While it reflects the advanced capabilities of the product, reconsideration of the pricing is suggested.

For reverse proxy solutions, F5 Advanced WAF is the best choice. 

Overall, I rate the solution an eight out of ten.

The AOF solution is used for any customer with applications to protect them. It provides security features to protect the application from threats such as SQL injections and challenges of the browser using AI.

The AOF solution provides numerous security features. It protects applications from various threats, including SQL injection, and ensures that the application behavior is from a human, not a bot. It includes DDoS protection which has been enhanced after migrating from SDM. 

The solution is very effective as it includes security features important for financial applications where protection is necessary to avoid potential financial loss or penalties. It helps protect the core and backend of applications.

One improvement for AOF could be focusing on enhancing its AI engine to make it more mature.

I have used the solution for almost two years.

F5 is very good in terms of stability with no issues reported during maintenance.

F5 scalability is excellent. I have not experienced any issues with scalability.

F5 customer support is good but not as excellent as Infoblox support due to complexity issues. I would rate F5 customer support as seven out of ten.

Neutral

I recommend Infoblox because it's a leader in DNS security with more than 15 customers using it. It is very flexible in configuration, support, and scalability compared to F5.

The initial setup involves sending a request, understanding requirements such as policy and application number, and ensuring prerequisites are ready. It uses policy virtual servers and the network WAF, taking about five or six days to implement.

The ROI is very impressive as it is crucial for financial applications to be protected efficiently. Ensuring application security is a significant milestone, crucial to prevent financial losses or penalties.

The setup cost is normal, yet not the best in terms of the commercial aspect. Other competitors like Fortinet are cheaper than F5.

Fortinet and its FortiWeb product are competitors to F5. Fortinet has many products yet lacks concentration on a single part, unlike F5.

For enterprises in the financial sector, having F5 is essential. I would rate the solution a ten out of ten.

I use and recommend F5 Advanced WAF as a web application firewall to protect various applications. It is particularly effective in load balancing and enforcing security policies.

F5 Advanced WAF efficiently handles traffic and secures web applications, protecting sensitive data best for  governmental organization. It ensures compliance with security standards by providing features like PCI DSS checks.

F5 Advanced WAF provides valuable features like signature-based protection, which includes up-to-date threat signatures for common attacks such as SQL injections and DoS protection. It also supports a load balancer for enhanced security and traffic management.

There are opportunities for improvement in updating the user interface to a more modern look. Additionally, the speed of technical support and community responses could be enhanced.

I have been working with F5 Advanced WAF for two years.

F5 Advanced WAF is very stable when configured properly.

F5 Advanced WAF is highly scalable and can handle large amounts of traffic due to its advanced load balancing capabilities.

The technical support team provides responses within a day for critical issues, however, the community support can be slow, sometimes taking up to two weeks for a response.

Negative

I have also used open-source WAF solutions such as OpenAppSec.

The initial setup of F5 Advanced WAF is complex and requires detailed planning, especially for configuration files and management interfaces.

Our internal team implemented F5 Advanced WAF with support from F5's sales engineers.

While F5 Advanced WAF is expensive, the investment is justified by its comprehensive security features.

F5 Advanced WAF is notably costly, especially for small companies, however, it provides strong protection for its price.

l evaluated open-appsec as an alternative WAF solution.

I would rate F5 Advanced WAF a seven out of ten. 

It is important to learn the network and security landscape before deploying. Understanding cybersecurity concepts and signature-based attacks is crucial.