F5 Advanced WAF Reviews

We use it for ASM and ATF. I am working at the PCI company, and I am a manager of F5. I work with F5 WAF and ASF.

Currently, I use version 50.1.4, and I'm going to update to the new version, 50.144.1.

I like the solution for ASM. There is an online update certification, but access is locked so we couldn't use it.

I would like to see a better interface and better documentation compatibility with other products. It's more complicated with OWASP.

F5 has a learning university, but it's very complex. I teach other people, and it can be confusing with the different versions of software. It's very hard to support that.

I've been working with this solution for four years.

The product is very stable. It is a PCI company, so there are 10,000-12,000 people using the solution. 

My TLS connection is unlimited, so I have a lot of clients because of internet payments. All of the internet payments are behind the ASM for the F5.

It's scalable and very easy to manage.

I worked with FortiWeb for a few years. It's a good product, but it's not very good for a big company. So we decided to migrate to F5.

The initial setup is from a configuration utility.

I would rate this solution 9 out of 10.

In APM or IT intelligence, it's the best. But in the ASM model, it's not as good as a 40G for Palo Alto.

We use F5 Advanced WAF to protect web applications on HTTPS, APIs, and portals.

F5 Advanced WAF helps our engineers to learn the complete configuration, including fundamental and advanced policies.

Most customers encounter stability issues with the product's Big-IP logs. It works slowly while retrieving logs.

We have been using F5 Advanced WAF since this year.

The product is more stable than Fortinet.

The product has modular appliances. It works well, scalability-wise.

The technical support services are good. The team includes professional engineers to communicate with the customers regarding cases.

It is easy to set up F5 Advanced WAF. Although, it is difficult to deploy and maintain compared to Fortinet. The deployment process involves gathering customer information regarding virtual servers to be protected. Later, we select the best design suitable for their requirements and start with license provisioning. Further, we configure LTM with special servers and nodes and proceed with configuring the security policy and advanced directory. It takes a week to protect the infrastructure fully. Once we have license provisioning, it is good to run.

F5 Advanced WAF's pricing is high. Fortinet and some other vendors are more affordable.

F5 Advanced WAF has good capabilities, powerful tools, and professional services. I advise others to compare pricing with vendors in terms of their use cases before purchasing the product.

I rate it a ten out of ten.

It's considered one of the modules for the LTM box. It's all modules for the LTM box.

It is actually to protect the customer web application which is published on the internet. It's actually to protect that, and nowadays, we also have this threat intelligence. You will link to the F5 centra, the depository of the threat intelligence database. We always have the latest update on the common threat that is happening currently. You will notify the customer if there's an issue.

The threat intelligence function is great. Nowadays, there is more awareness on the security side. They'd have a real-time update from F5. It provides peace of mind on the security side for the customer.

It is an add-on module to protect the web application.

The solution can scale with planning.

The solution is stable.

Support is helpful.

The deployment side is quite complex. We'd like them to simplify the implementation process. I'm not sure whether they can do that, however, they have to be very detailed on configurations, and sharing of the policy. Anybody that configures this box, the WAF, they have to have knowledge of the application and some of the security portions there as well.

We've had the solution since last year. We have deployed it to a customer.

It is stable. Actually, it evolved from ASM, what they call the Application Security Manager, and now they name it Advanced WAF. It's been around for a while. There are no bugs or glitches. It doesn't crash or freeze. 

We'll size up based on the customer requirement with some buffer, maybe 20% to 30% for the future extension. There is also some consideration on the capacity planning and the size of the box. You can scale. You just need to plan ahead. 

In terms of users, with Advanced WAF, normally their role is more related to the security side.

We just implemented the solution recently and we'll have to wait another three or four years before we change or upgrade the solution. 

I've dealt with technical support. We're quite satisfied with them. They're good. 

Positive

F5 WAF is a web application, in the firewall domain, they have been in the market for a very long time. They know the requirements and the market trends very well. This is the reason why we normally chose F5.

The solution is pretty difficult to set up. You really have to have a grasp o the product to configure it correctly.

The setup takes approximately two months. It's quite a long time. If the application is not ready, then the dependency will be on the application side. Therefore, the cycle is quite long. It depends on the application readiness.

We just need one to two people to handle deployment and maintenance. 

The licensing is charged yearly. It's considered expensive, however, there are more expensive WAFs on the market - like Imperva. F5 is second after Imperva in terms of cost. L1 to L3 support is included in the cost.

I'd rate the price of the solution at a four out of five in terms of how expensive it is.

We tend to stay with F5, however, we will look at pricing and try to negotiate based on that. We'd like to get a discount and look at the market to see the costs. 

I'd advise that new users need to know the requirement expectations, and then the criticality of the application that they're going to let the user use. Sometimes the application is public to the internet for a public user to log into and query the database. In that case, we're exposed to all kinds of external parties. So if you put something that is cheap in place, something that is not able to do the protection properly, then it will be a very big risk to the company. 

I'd rate the solution ten out of ten. Our clients have been very happy with it.

In Pakistan, the banking and financial sector requires F5 WAF solutions. I worked with other companies that had more clients, but my current company is a start-up. We have Palo Alto business, but we're trying to get F5 business.

F5 products are highly stable, top-notch solutions, and we have also the expertise to deploy and design the F5 and Palo Alto product lines. I have more than 10 years of experience with F5 and Palo Alto. I have deployed around F5 products for around seven or eight customers of F5.

F5 should consider adding network detection and response.

We have been using F5 solutions for two years, including load balancers and Advanced WAF.

Advanced WAF is highly stable.

F5 products are scalable, and they have an excellent R&D department. Their product is constantly maturing.

F5 technical support is excellent. They are experts who always provide the right solution, and they understand the problem. Their response and resolution times are good.

Advanced WAF is a difficult product for new users, but it's not too challenging if you have experience. Nevertheless, F5 products are generally considered to be hard to deploy. 

F5's hardware product line is called BIG-IP, and they have many software licenses for IP DNS, Advanced WAF, APM, anti-spam, etc. We have around 10 licenses.

I rate F5 Advanced WAF 10 out of 10. I would highly recommend the entire F5 product line.

What a WAF is happens to be exactly what we are using F5 WAF for: a firewall for our web applications. It is a totally customizable solution. You have our signature-based rule sets and then we can customize to our heart's content depending on what our application can and can not do or what we are trying to protect against.  

So we are using this for anything that is internet-facing. We are applying the WAF there and we are putting it in block mode wherever possible.  

The features I think are the most valuable starts with the IP intelligence component. That is separately licensed and it is definitely one component that we have made heavy use of. Geo-blocking is another — which can be done without a WAF because you do not necessarily need a WAF to do it — but the F5 WAF has those capabilities.  

The signature-based controls that F5 has are another one of the heavier-used components that Advanced WAF has. We do not have to worry about updating signatures, et cetera. WAF will automatically update the signatures for us. I think that is a nice feature.  

Those are the biggest things that we are making use of month-to-month.  

I think the contextual-based component needs a lot of help. It is all based on regular-expressions. That is something I think companies like Signal Sciences are doing a really good job with. We are transitioning off to Signal Sciences on some of our WAF components because of the capabilities Signal Science has. I think that contextual-base signatures would definitely help in F5 WAF.  

Within the enterprise, F5 Advanced WAF (Web Application Firewall) has been rolled out for about six or seven years. I have been working on it for about three to four years.  

It is a stable product.  

F5 WAF is a scalable solution. A lot of the employees and other end-users (virtually anybody on the internet who is coming to your site) benefit from the solution. As far as the people who are directly dealing with the administration, maintenance, and deploying the updates, there are maybe two people. But it can certainly scale-out to service passive use.  

The F5 tech supports is fairly decent. It is not the top of the line, but they do their job. They give you an account team. The account teams are normally really responsive. When you need to run something by them, they are unlike some other products. With other products you have to go through opening up a ticket — because that is the only way they will respond to you — and later they might come back and say it is not their problem and you need to figure it out on your own. The F5 is very different from that perspective in providing support. Your account team is your go-to group. They will walk you through solutions, help you design solutions, and it is part of the value add of using F5Advanced WAF. I really liked them for the extra effort they put in to provide good support. They do not upsell professional services or anything like that. Because of that, I would rate them a little on the higher side for support than just your average support experience.  

The installation of F5 Advanced WAF is complex. Any WAF that you put in takes a lot of time to install correctly. You never really just drop it in and have it working right off the bat. The only exception I can say that I have come across to that right now is Signal Sciences. You can literally drop that solution in place and put it in blocking mode within the same day. With F5 there is a learning period where you allow it to learn and then you go back because it is based on regular expressions. So you have to go through and check to see that there is normal traffic going through your site, et cetera. In other words, there is training involved. It can take from seven to fourteen days before you get a good signature set up.  

If you just need to turn on the licensing key, that might take 10 seconds to do and that is available essentially immediately when you implement WAF. But when you are talking about implementation — and this is true with any WAF — it is time-consuming. You are integrating a piece of technology with applications that have already been written. It might be a legacy app, it might be a new app or whatever that you use for whatever your use case might be for that application. You are using WAF in order to protect that app. You have to invest time in creating the signatures. That period of time where you are creating the signature is what is complex and extends the period of the implementation.  

That is what I think the true difference is between F5 WAF and the new-gen stuff like Signal Sciences is. With Signal Sciences you literally can just drop in and turn it on.  

F5's licensing varies. I do not know exactly what the individual WAF component costs because they bundle up services and the bundle is what I pay for. I do not pay for individual components.  

Advice that I would give to people considering F5 WAF is to look at and consider other products as well. They have to make sure they know what they are getting into. That is key to finding the right solution. I think WAF requires a lot of time and patience as well as an understanding of your applications in order to make the best use of its capabilities.  

On a scale from one to ten (where one is the worst and ten is the best), I would rate the F5 Advanced WAF as a solid eight-out-of-ten.  

We are distributors in Vietnam. We consult for our customers and I am a Product Manager. We use F5 Advanced WAF as a firewall for our website applications and the websites of our customers.

The most valuable features of F5 Advanced WAF are the security features and the protection.

In the future, I would like to see F5 include AI in the hardware of F5 Advanced WAF.

F5 Advanced needs to improve its bot protection. The solution needs to have machine learning to learn the behavior of the customer to recognize the human versus the bot. This is a difficult feature to explain to our customers. I would like documentation about the bot feature to make it easier for the customer to understand.

I have been using F5 Advanced WAF for two years.

The solution is stable.

F5 Advanced WAF is scalable.

We tend to handle our own technical support for our customers. My experience with F5 support is a three out of five overall. They need to improve the information and training of the receiver.

Positive

The initial setup was neither easy nor difficult. I would rate setup as a four out of five.

The pricing of F5 Advanced WAF is more expensive than other solutions like Radware and CD18, it is quite high. I rate the product a one out of five for price, with one being expensive.

Overall, I would rate F5 Advanced WAF an eight out of ten overall.

I use it for load balancing.

It's flexible and powerful, and the users can input their own rules to the system.

The pricing could be more flexible.

I've been using it for three to four years.

It is a stable solution.

F5 Advanced WAF is a scalable solution. We have 20 people using it in our company, mainly from our operations team.

F5 has a partner in Singapore, and he's very supportive.

It is reasonably easy to set up and took about a month.

I used a third party for the deployment.

The cost is slightly above average.

I would rate this solution at eight on a scale from one to ten.

F5 Advanced WAF can be deployed on-premise or in the cloud. When it comes to local governmental organizations, it's mostly on-premises solutions they use. However, we recommend using virtual ones.

F5 Advanced WAF is used for protecting applications.

The most valuable features of F5 Advanced WAF are the balancer and you can change policies very easily.

The overall price of F5 Advanced WAF could improve.

I have been familiar with F5 Advanced WAF for approximately one year.

I have not had any customers complaining about the stability.

F5 Advanced WAF is scalable.

The initial setup of F5 Advanced WAF is easy.

I rate the setup of F5 Advanced WAF a four out of five.

The ease of maintenance of F5 Advanced WAF depends from customer to customer. If the company had someone trained or they have an inside person who is reliable for this maintenance, they typically do not have any problems.

The price of F5 Advanced WAF could improve it is expensive.

There can be extra features added at an additional cost.

I rate the price of F5 Advanced WAF a three out of five.

Our clients pick this solution over others because it is one of the leading companies in the category.

I can recommend F5 Advanced WAF to any customer because we have experience, and referrals from customers using it within different models. If it comes to WAF, LTM, or whatever. I'm very happy to sell it because it is one of the leading vendors within its line. Our customers within the financial market, such as banking organizations, are very happy with it.

I rate F5 Advanced WAF a nine out of ten.