
Top 8 Web Application Firewall (WAF) Tools

Fortinet FortiWeb, Microsoft Azure Application Gateway, AWS WAF, F5 Advanced WAF, Imperva Incapsula, Imperva Web Application Firewall, Barracuda Web Application Firewall, Reblaze

  1. The initial setup is pretty straightforward. FortiWeb offers a good price for the marketplace. In the Sri Lankan market, it's hard to find high-end products that can match FortiWeb's pricing. For high-end solutions, the price is always extremely high.
  2. It has a filter available, although we are not currently using it because it is not part of our requirements. But it is a good option and when it becomes part of our requirements we will definitely use it.
  3. The solution is stable. Their technical support has been quite good.
  4. Very easy to implement and works well. The most valuable features of this solution are the WAF protection, Data Safe, and the seven-layer DDoS.
  5. Simplifies putting everything in code. DDoS protection and WAF are the most valuable features. It is easy to deploy a service. It is easy and quick to deploy to a new website.
  6. It has fewer false positives. The solution is stable.
  7. The solution is user-friendly and easy to set up. Our customers value the solution's simplicity.
  8. Provides mobile app security. I very much like the elastic search and reports, allowing us to have a 360-degree view of the customer's activities and enabling us to track down any suspicious bots.

Find out what your peers are saying about Fortinet, Microsoft, Amazon and others in Web Application Firewall (WAF). Updated: October 2021. 542,721 professionals have used our research since 2012.

Advice From The Community

Read answers to top Web Application Firewall (WAF) questions. 542,721 professionals have gotten help from our community of experts.
Evgeny Belenky
Hi peers, What are the OWASP Top 10 this year?  What single web app security tool (or a minimum set of tools) would you recommend for overall web app protection (from the most critical security risks covered by these Top 10)?
Andrew Van Der Stock
Real User

We are due to release the OWASP Top 10 2021 on September 24, 2021. We will be transitioning to GitHub from our private work area soon. There will be three new categories, and some surprising coalescing for many of you who have been using the OWASP Top 10 since 2003. This means it is changing, and we've made an impact in our previous releases.

Curtis Yanko (Shiftleft)

I’m not sure the top 10 is changing this year but if it is it will be to squeeze more stuff in ;-). 

To effectively detect these in a web app you need a status analyzer with deep data flow analysis. I joined ShiftLeft because I felt they had the best tool to change the way we think about SAST scans and it can do reachability analysis for OSS components to better understand the risk associated with vulnerable libraries and frameworks.

reviewer1572348 (Chief Architect at a computer software company with 10,001+ employees)
Real User

Believe no single tool will address all OWASP Top 10 issues. One will need a combination of tools and approaches as was also mentioned in the recent OWASP anniversary webinars.

A01-2021: Broken Access Control has moved to number 1 on the list this year compared to number 5 in 2017.

There are 3 new entries - Insecure design being at number 4. This to me is a great addition and something which is complex to assess and fix easily.

Unmesh Deshpande
Hello community,  I am the CTO for a large multi-specialty private hospital. We are currently researching WAF solutions. Which WAF solution would you recommend with no heritage for subscription charges? We are a hospital with many web apps that need to be published soon and quickly. We have decent internet access. There could be 100 to 125 concurrent sessions. Thanks! I appreciate your help. 
Alcides Barros

CromiWAF's WAF solution provides a smooth service for 100 to 125 simultaneous sessions, but we need two additional pieces of information to define the most appropriate "package": number of URLs and throughput.

Aum e Hani
Real User

I myself used Cloudflare as the easiest and quickest solution to implement. But if you are concerned about budget you may try AWS WAF as well. It costs minimal and as per usage instead of a fixed monthly expense.

Both are super reliable solutions.
Good Luck

Jeremy Rammalaere
Real User

We have been having great success with FortiWeb appliances. They offer various sizes to meet your bandwidth needs. I don't know what "with no heritage for subscription charges" means but any good vendor will have some sort of subscription (whether it is signature updates, general support, firmware updates, etc.). WAFs need to be kept up to date just like all security products.

Srdjan
Real User

I would always recommend F5 WAF, it is probably the best one on the market, aside from Imperva. However, both solutions are very expensive, Imperva even more, and both might not be suitable if your IT personnel is junior when it comes to this kind of technology - this product requires "engineer attention" and offers even more in return. If you want to avoid opex, i.e. subscriptions, then you need to go for the on-prem appliance version and you can use it for years before having a replacement. All cloud solutions probably come with subscriptions. Check it out on https://www.f5.com/products/security/advanced-waf, they have an ROI calculator as well.

reviewer1586961 (Chief Information Officer at a computer software company with 11-50 employees)
Real User

Cloudflare - since deployment it's super fast and supports Terraform for automation.


Imperva Cloud WAF is the best option. Not only can you protect your IPs, DNS, Apps, you can also mitigate DDoS attacks on your network or apps. Imperva has the best and biggest capacity to handle DDoS.
It is fast to deploy, easy to use and has a very friendly user interface. Need I say more? You pay only for what you need.

Cole Bisset
Real User

I'd highly recommend using the Snapt ADC.

The ADC is a full suite. You get one of the world's finest Load Balancers with included functionality of a WAF, Web Accelerator & a GSLB. All of the Snapt support is done in house as well, which gives you a direct line to the people who built the solution.

RaynielBadiola
Real User

If you are looking for an effective WAF solution, I would recommend Radware Appwall, it provides the complete web application security that you are looking for. Radware Appwall WAF comes with a hybrid solution in which you can deploy an on-prem device or via a cloud. Since you don’t want any subscription charges, for now, you can just deploy the on-prem device, which will block attacks at the perimeter and ensure fast, reliable and secure delivery of mission-critical web applications.

I may not be able to size up the exact model for you since there are a lot of things to consider, like the number of applications, the number of CEC/CPS/HTTP TPS that need to pass through the WAF, etc., but I do recommend contacting your local Radware vendor, which can assist you in sizing up the Radware WAF solution.

Hi professionals, There seems to be some controversy around whether or not SSL Inspection should be used by businesses.  What is your opinion - should they be used, and if so when? Conversely, what are the reasons for not using SSL inspection?
Leo Tse
Real User

SSL inspection requires high firewall resources, the use depends on what your objectives are. E.g., the SSL inspection is a must on WAF or Layer-7 IPS to protect inbound traffic to your servers, if you need very granular access control for your user to the Internet.

On the other hand, explicit proxy deployment can achieve the URL/URI filtering purpose without SSL inspection for client outbound traffic protection. While SSL inspection is useless for layer-4 only firewall/IPS and webserver running TLS 1.3, DLP/sandbox in endpoint seems to be more effective than the network approach, because the delay in scan result will timeout the network connection. 

Consider SSL inspection on specific traffic types: it can save cost and settle the internal controversy. 

supervis809292 (Supervisor of IT Infrastructure & Cybersecurity at a tech consulting company with 51-200 employees)

As more Internet traffic is encrypted each day, at some point the majority of Internet traffic will be encrypted. SSL inspection is needed when a business needs to audit what their users are doing on the Internet. Cost and complexity are the largest reasons to not perform SSL inspection, especially on the network edge.

I'm not a huge proponent of performing SSL inspection at the network edge. Most solutions' performance levels drop off the face of the planet when enabled and it is complex to set up and maintain. I think the better solution for SSL inspection is to perform it on endpoint devices. This will be cheaper and less complex overall and provide SSL inspection on laptops even when they are not in the office.

David Storey

SSL Inspection is great for corporate/organizational security as it allows you visibility into the traffic going across the network. It can also break access to some sites as it is technically a man-in-the-middle. (Anything requiring certificate authentication.) If you're going to do it, you really need a login banner for your systems that advises users that their activities are being monitored. You'll also need to install certificates on people's PCs. This won't work for guest users. I wouldn't store decrypted content though as you will have to safeguard that data as it will contain sensitive information. (Is it really worth the risk?)

Evert Ruiten

In general, there are some vulnerabilities in SSL that you should try to mitigate whenever possible. SSL inspection should help indeed.

Luis Apodaca

These days you should use it no matter if you are a home user, it is about security, and it will be easier each time to have leaked on your personal or professional info, a serious IT guy always should say you should use it.

robofl

I used to be against this but leaning the other way now since just about every site is encrypted.  I think some sites need to be avoided like banking, credit card processing, payroll, etc.  Management, and especially the Accounting Dept needs to be in the loop.

MohammadAta

SSL Inspection or HTTPS Inspection is the process of intercepting SSL encrypted internet communication between the client and the server. The interception can be done between the server and the client and vice-versa. SSL Inspection intends to filter out dangerous content, such as malware. This inspection is also called Deep SSL Inspection or Full SSL Inspection. It allows the user to do web and email filtering, antivirus scanning, etc. SSL inspection not only protects you from attacks that use HTTPS, but also from other commonly used SSL-encrypted protocols, such as SMTPS, POP3S, IMAPS, and FTPS.

Menachem D Pritzker
Hi community,  There are so many firewall products in the market today. Who are we going to be talking about 3-5 years from now?
Nehad Elkordi
Real User

Cisco Portfolio is focusing on total security inside and outside including cloud security, two factor authentication & SDWAN.

Forti Portfolio is focusing on total security too inside and outside including cloud security & two factor authentication.

Both are working with Sandbox, which is important for 0 day attack.

Therefore, if R&D for both vendors will keep as they are today, I think they'll be market leaders and away by far for the next 5 years.

Paul Yuen

In 3 years' time, we believe that "Firewalls Gold" will reach its heights. 

This is because the current firewall's features and affordability had already surpassed those of Check Point, Sophos, SonicWall and Fortinet.  

Firewalls will dominate the market in future years given their immense innovation capability.

LuisCastro
Real User

1- Pfsense

2- Kerio Control

3- Fortinet

4- Cisco solutions

BrianCook

I can think of 2 Firewalls that should be doing much better than they are, Kerio Control and ZyXEL ZyWall. Both have been around for a long time but have never gained the market share I feel they should have and I often find people have never heard of them.

Stuart Berman
Real User

I doubt we will see a new firewall vendor, but I believe we will see new architectures that leverage the advanced capabilities of NGFW delivery through ISPs, think of it as a clean pipe for Internet access. The ISPs will use firewalls (virtualized and segmented by customers) to do the filtering before it hits your networks, just like we see with spam filtering.

I also believe we will see more edge networking, 5G networking where the firewall function will be built into the network at the edge. We already are seeing early versions of this with things like Curiosity OS by Sprint working with Ericsson. I think they will easily add existing VM firewalls to their platform and not reinvent the wheel.


Those firewalls that allow extending the perimeter. Nowadays, there is an issue with the static perimeter and all is going to change in the next semesters. In my opinion, solutions like Netskope are offering this extended perimeter functionality and they could lead the market.

Lipaz Hessel
Real User

Well, with SD-WAN rising it is common to see cloud firewall implementations, like ZScaler.

But as a data center firewall, I don’t see any new player coming out unless it comes with a new surprising feature, as the market has so many good vendors.

Edwin EzeOsiago
Should one go for a URL Filtering as an add-on to NGFW or just deploy a Web proxy, instead? I am one who advocates that firewalls with URL Filtering can't serve better than Web security solutions (i.e., a Web proxy). What's your opinion?
Mike Hounsome

Over 50% of security vulnerabilities are non-Web based traffic, such as DNS, DDOS etc., and this is where some Web Proxies fall short as they only inspect the Web traffic that is forwarded to them. NGFWs provide superior protection at the edge to inspect all traffic for on-prem users locally.

This is where a SASE solution can help for remote working by providing best of both worlds capabilities such as SWG, NGFW, ZTNA, CASB etc. delivered from a Cloud architecture in a unified (single-pass) manner, protecting all traffic from any user/device anywhere, not just Web.

chiefexe795285 (Chief Executive Officer at a tech services company with 1-10 employees)
Real User

Use a Web Proxy that will protect your users when they are working at home as well. The FW will provide protection when the user is behind it. The web proxy will protect the user at any place, anytime. 

V for Reviewer
Real User

You are analyzing a central solution (perimeter), correct? 
So, NGFW with URL filtering is simple & easy to go live without any issues.

But, what is going on with the endpoints, local URL filtering? 

Cesar Beut
Real User

Web Proxy like Cisco Umbrella works very well, you have protection at home and at office, with a lot of employees working some days at home and others at the office is a great solution.

Basil Dange
Real User

NGFW does streaming-based scanning, meaning it will pass the packet as it is received, due to which there is a high probability of malware getting passed via the firewall. Whereas Proxy waits for complete

Luis Apodaca

Hi Edwin

Organization size?
Usual final users' behavior?
How strong is the security you want?
Budget?

If what you need is not that big, I always recommend a kind of free solution such as a "Pihole server" (in a virtual container is the best way), but also you can find a SOPHOS UTM as the best solution, or maybe a Unifi USG Router or Unifi Dream Machine, of course if your budget allows it.

Good luck.

PrideChieza
Real User

I think the NGFW should do all the work for you if configured properly, e.g. deep packet inspection and not just certificate inspection mode on the policies.

With deep packet inspection the firewall will deconstruct and reconstruct the packet; this will give you full visibility into network traffic and network protection.

The NGFW like FortiGate will also give you protection when connected to the public network through SSL VPN with tunnel mode enabled, such that all your traffic goes through the HQ when browsing, resulting in the same policies that you use when onsite to be the same when you are offsite.

imadam
Real User

This depends on many factors like size of organization, how the organization is geo-spread, type of NGFW and Proxy you are looking at or you have. And where is the proxy deployed, on-prem or cloud? With cloud you have additional options and companies like Zscaler and Netskope started to eat this part of the market.
