Managed security rules have protected our public e‑commerce sites and simplified ongoing defense
What is our primary use case?
We are providing support to our end customers who have e-commerce websites that need to be exposed to the public, and for a secure way around, we thought of getting them exposed via the Application Load Balancer to make sure it is exposed at Layer 7 only. While making sure it will be protected, we started using AWS WAF services, where we found that we can utilize a WAF rule set from Marketplace. We started using it, and I got the chance to be part of one of the summits where I heard of F5 Rules for AWS WAF. Since then, I have been using their rule sets for bot protection, web exploit OWASP rules, common vulnerabilities and exposures, and API security, which is a use case we are using to configure these rule sets.
We are using AWS WAF, which has been integrated with the Application Load Balancer to ensure that our Application Load Balancer is secure while it gets publicly exposed.
We thought of starting to use F5 Rules for AWS WAF primarily for DDoS protection nowadays, as AWS native rule sets also provide some protection for DDoS. I found that it demands continuous improvement in these rule sets. Previously, we used native rule sets, but these continuous demands were not listed in it, which led us to an unsecure environment. Now, using F5 Rules for AWS WAF for bot protection, I found that they continuously perform vulnerability scans while these rules come into action. This continuous improvisation ensures that I can build trust against these rules instead of other third-party rule sets.
What is most valuable?
I really appreciate the way F5 Rules for AWS WAF generate reports proactively to show the number of exploits that come in and what remediation has been followed to block such exploits, mainly in the OWASP rule sets.
It has generated value toward us because since these e-commerce websites could become exposed to the public in an unsecure manner, which really no one wants. Now, looking at these rule sets, they ensure that our origin or our application content and code, as well as the application itself or its API, are secure enough, always.
What needs improvement?
An area for improvement I see is that while everything is in good shape, I demand continuous improvisation of these rule sets. However, I am accepting of this. To stay safer from a security perspective, continuous improvisation in these security rules is required to ensure we are always up to date with new attacks.
For how long have I used the solution?
I have been using F5 Rules for AWS WAF in the last two years and I found it to be a good choice compared to other products.
What do I think about the stability of the solution?
F5 Rules for AWS WAF is stable.
What do I think about the scalability of the solution?
Scalability is not a challenge with F5 Rules for AWS WAF, as they are configured within the AWS WAF service, which is reliable and redundant. We have not faced any challenges with the rule set scalability, and that is a positive aspect.
How are customer service and support?
I have reached out to customer support multiple times, especially while configuring rule sets for the first time. The support provided was excellent. I appreciate the assistance; they clearly explained everything, how to configure these rule sets, and what the best options are based on my use case, which helped us shortlist what is required.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We previously used AWS native rule sets and Fortinet rule sets. We switched to F5 Rules for AWS WAF because we found it more competitive. They continuously improve their security rules and keep adding vulnerability protection to their existing rule sets, ensuring we are protected and our applications are safe.
We mainly evaluated AWS native rule sets prior to F5 Rules for AWS WAF.
What was our ROI?
It has absolutely saved money for our security team and time. There are two ways: either we write our own rule sets, which demands significant time, or we can use a more mature tool like F5 Rules for AWS WAF, which has already created these rule sets for perfect use cases like we are using for our end customers. Using F5 Rules for AWS WAF saves us time spent on developing security rules ourselves.
What's my experience with pricing, setup cost, and licensing?
From the pricing perspective, I found it to be comparable to other marketplace rules available in AWS Marketplace. It has competitive pricing.
What other advice do I have?
I advise anyone looking for a great tool to secure their public-facing applications to start using F5 Rules for AWS WAF. These are managed rule sets, so you do not need to worry about continuous improvements or ensuring your application is secure; F5 Rules for AWS WAF will take care of that and is always making the necessary improvements in these rule sets to ensure security.
I am very impressed with the rule sets and the continuous engineering from their security team to ensure the required rule set availability. I really appreciate the fantastic job they are doing.
F5 Rules for AWS WAF can be integrated with AWS CloudFront, Application Load Balancer, Lambda, and API Gateway. I am satisfied with all these services as they are our intermediary points for services exposed to the public or globally.
I gave this product a rating of ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Best way to protect exposed applications
What do you like best about the product?
WAF configurations are very high level. I really feel safe in this sense. The microservice and DOS protection features are also great. The signature-based protection module is also very advanced.
What do you dislike about the product?
The interface could be better. f5 should now make the interface look better.
What problems is the product solving and how is that benefiting you?
We use it behind this WAF in all applications we open. We do this with a good configuration with the BLocking mode turned on. There may be occasional false positive situations in the first week, but then it works incredibly regularly.
Industry leading solution for WAF
What do you like best about the product?
F5 Application Security Firewall is a robust solution. You can enable WAF on the F5 Load Balancer with one click with a license. F5 presents to the customers load balancer and WAF one same appliance. So while you can load balancing the application you don't need to send user requests to other products, F5 inspects the user request while load balancing. It offers comprehensive configuration for application security. It is learning the application then blocks the unwanted traffic.
What do you dislike about the product?
You have a piece of deep knowledge for configuring the F5 WAF. Configuration GUI is very complex, sometimes you can be lost while configuring. And the price is ver high.
What problems is the product solving and how is that benefiting you?
IPS on the firewalls is not enough to control user requests. We can check all clients request on F5 WAF. Clients unwanted requests stopped on WAF before they reached the application
Recommendations to others considering the product:
There are a few vendors at the market which offer detailed application security. F5 ASM is one of them. If you want to configure with detail and fight OWASP top 10 threats F5 ASM (or WAF) best fit your requests.
F5 - LTM , GTM , ASM , APM | Citrix ADC , Gateway, GSLB | AWS ELB
What do you like best about the product?
F5 ASM has been a great tool to manage and fine-tune the security aspect, thus completing the complete application delivery chain.
Application security has never been so efficient and easy to deploy/tune/operate/ with ASM module.
However, the real winner is the F5 team that consistently develops & ensures the module is up-to-date with recent ''fire"(s) of the world.
What do you dislike about the product?
More documentation should be available on the best practices and what industries focus on, especially policies, signatures, and capabilties.
What problems is the product solving and how is that benefiting you?
Complete end to end security needs , monitoring & protection against vast array of web-based attacks.
Backtracking the application level changes triggering ASM alarms and mitigating them.
Mitigating security vulnerabilties is the big one.
Best of breed WAF
What do you like best about the product?
Very effective Dos protection and for 10 OWASP vulnerabilities, very easy to configure, great intuitive interface and best performance.
What do you dislike about the product?
I have no complaints about F5 WAF, I had a great experience working with F5
What problems is the product solving and how is that benefiting you?
I have protected web banking application with F5 WAF and got a very good level of confidence for our customers and shareholders
Recommendations to others considering the product:
Yes, I recommend F5 WAF as the best I know
It's a good product and user friendly GUI make its easier.
What do you like best about the product?
SSL offloading and and deep content filter.
What do you dislike about the product?
Vendor support some time annoying and also local support issue.
What problems is the product solving and how is that benefiting you?
Almost all features for a WAF solutions are available with F5 AWAF solution.easy deployment and configuration through cli and gui.
Recommendations to others considering the product:
I fully recommend this product for application security as continue get update with latest signature. Also stabilty of product.
Excellent
What do you like best about the product?
Advanced rules, policies and many more.
What do you dislike about the product?
Nothing to dislike. All are advance and hence very more policies is there.
What problems is the product solving and how is that benefiting you?
For infra security purpose, to make all web application securely.
Recommendations to others considering the product:
One must can use for best security purpose.
Good product good features
What do you like best about the product?
Easy Management and good protection a lot of features
What do you dislike about the product?
All is good, I like the product work well
What problems is the product solving and how is that benefiting you?
Secure my web applications
F5 waf asm
What do you like best about the product?
Granularity in configuration for asm policies making this product unique
What do you dislike about the product?
Required skilled one to maintain the product at customer side
What problems is the product solving and how is that benefiting you?
Securing application
Britney control
Advanced waf
Application Firewall enhancement with F5
What do you like best about the product?
It provides the application security to the next level. Server-side security is ok, but application security is also of equal importance and it provides it. It is also very stable.
What do you dislike about the product?
It is not very much user-friendly and cab be more intuitive for better reach of the users.
What problems is the product solving and how is that benefiting you?
It helps in application security and load balancing capabilities. Which befits the application availability.
