Get our free report covering Cloudflare, Imperva, Amazon, and other competitors of Imperva Incapsula. Updated: January 2022.
563,327 professionals have used our research since 2012.

Read reviews of Imperva Incapsula alternatives and competitors

Co-Founder and CTO at Cyber-CP Ltd
Real User
Top 10
It is flexible and lets you easily apply policies, but it needs to support more PoPs
Pros and Cons
  • "Its flexibility is the most valuable because it is a managed service. The good part is that you don't need to set it up. It just needs DNS routing, which is the easiest thing. Our client had Akamai for certain websites because they were using CDN features. They had NetScaler on the internal zone, F5 AWAFs on the data centers, and no WAF at all in the cloud. One of the main activities of the project was to move all these policies into a single WAF so that we could control and use that as a choke point. That exercise itself was very easy because it was a managed service and F5 Silverline Web Application Firewall does that for you. That's the best thing about F5 Silverline Web Application Firewall. It is easy to apply policies on-premises. If you have AWAF on-premises and you want to replicate some policies on F5 Silverline Web Application Firewall, other than the policies that it applies by itself, it is easy because you have a team that supports it. F5 Silverline Web Application Firewall works perfectly fine. It pretty much does everything that an Advanced WAF on-premises should do."
  • "F5 Silverline Web Application Firewall, being a new product in the market or comparatively related to a new product, currently supports fewer PoPs. They should introduce more PoPs. The current number of PoPs that they have is around 10 or 12, which is still relatively low compared to the 2,400-plus PoPs that Akamai offers. The user latency or the number of hops a user needs before reaching the actual web application is less in Akamai because it has its internal fabric to route the traffic. They need to spin up more data to increase its traffic handling capability. They can also include the bot detection capability, though it is a pretty advanced functionality. If they could include DataDome-like functionality, that is, bot prediction, then F5 Silverline Web Application Firewall will be top-notch in the market."

What is our primary use case?

We are using this product for a major airline whose traffic is routed via F5 Silverline Web Application Firewall. All B2C sites are behind F5 Silverline Web Application Firewall. The data part is basically to Akamai for CDNs and to F5 Silverline Web Application Firewall for WAF capability. The resources are hosted on AWS or Azure. For parameters, we have another F5 AWAF module, which intercepts the traffic once it is inside the cloud parameters, and then the data goes to the backend application pool. All B2C traffic gets inspected on F5 Silverline Web Application Firewall. Every HTTP profile is inspected on the Advanced WAF module, which is again F5 on-premises.

We are also deploying this solution for another client in the Middle East. We're basically deploying the architecture. We have F5 Silverline Web Application Firewall and the Check Point firewall as the next-generation firewalls. All HTTP traffic is via F5 Silverline Web Application Firewall, and it is routed back to the Check Point firewall for IPS and malware inspection because F5 Silverline Web Application Firewall does not do that. Non-HTTP profiles go via the Check Point firewall.

What is most valuable?

Its flexibility is the most valuable because it is a managed service. The good part is that you don't need to set it up. It just needs DNS routing, which is the easiest thing.

Our client had Akamai for certain websites because they were using CDN features. They had NetScaler on the internal zone, F5 AWAFs on the data centers, and no WAF at all in the cloud. One of the main activities of the project was to move all these policies into a single WAF so that we could control and use that as a choke point. That exercise itself was very easy because it was a managed service and F5 Silverline Web Application Firewall does that for you. That's the best thing about F5 Silverline Web Application Firewall.

It is easy to apply policies on-premises. If you have AWAF on-premises and you want to replicate some policies on F5 Silverline Web Application Firewall, other than the policies that it applies by itself, it is easy because you have a team that supports it.

F5 Silverline Web Application Firewall works perfectly fine. It pretty much does everything that an Advanced WAF on-premises should do.

What needs improvement?

F5 Silverline Web Application Firewall, being a new product in the market or comparatively related to a new product, currently supports fewer PoPs. They should introduce more PoPs. The current number of PoPs that they have is around 10 or 12, which is still relatively low compared to the 2,400-plus PoPs that Akamai offers. The user latency or the number of hops a user needs before reaching the actual web application is less in Akamai because it has its internal fabric to route the traffic.

They need to spin up more data to increase its traffic handling capability. They can also include the bot detection capability, though it is a pretty advanced functionality. If they could include DataDome-like functionality, that is, bot prediction, then F5 Silverline Web Application Firewall will be top-notch in the market.

For how long have I used the solution?

I have been using this solution for a year or so.

What do I think about the stability of the solution?

It is so far stable. When I did a POC for one of my clients, I ran tests for a month on both Imperva, F5, and Akamai. I found F5 to be more regress in terms of infections than Imperva. It could be because of the teams on-site, representing these companies, doing their job right or wrong. If a PS consultant from Imperva did not configure the policies right, it probably would have scored less. 

What do I think about the scalability of the solution?

I know that F5 Silverline Web Application Firewall is scalable. We are using this product in two enterprise setups that can have a hundred thousand-plus requests at any given time.

Scalability for products like F5 Silverline Web Application Firewall or Incapsula is pretty easy because their sizing is managed by the vendor. Therefore, you don't have to really bother about what goes in there because that's a black box for you. However, if you are doing it on-premises, it's a task.

I've been involved in upgrading a traditional WAF to Advanced WAF. It's basically a license upgrade involving testing and re-profiling of applications and things like that. It's a sort of straightforward task. If you have the right team, it is not something really difficult. It isn't something like where you just add a few boxes and then scale.

Our airline client has millions of customers, and all this data is going via F5 Silverline Web Application Firewall, which is a lot of data. It's an enterprise kind of setup. We're not talking about end-user traffic here. We're talking about B2C traffic. For end-user traffic, we have around 400-odd unique URLs behind the F5 Silverline Web Application Firewall on-premises, which is again an Advanced WAF module. F5 Silverline Web Application Firewall has around 60,000 to 80,000 users, not at the peak but spread over time. All B2C requests coming into the website, like booking or looking for your seats on the flight, go via F5 Silverline Web Application Firewall, and that could go up to millions of hits a day.

How are customer service and technical support?

We have a personal rapport with both Imperva and F5 in UAE because we have worked with them for more than a year. I have found them to be really good. I may have once or twice talked to their central support team as the contact person for the account was not available. Otherwise, it has been a personalized experience for both products because we know the teams.

How was the initial setup?

The initial setup is certainly straightforward because F5 Silverline Web Application Firewall does the setup for you. All that you need to worry about doing is routing your DNS via F5 Silverline Web Application Firewall.

If I have a website, I would just make sure that it routes via F5 Silverline Web Application Firewall DNS, and then I would only whitelist the traffic between F5 Silverline Web Application Firewall and my application pool. That's the only configuration that I need to worry about, unlike a traditional WAF that you need to set up. You can't just say that it is a strength of F5 Silverline Web Application Firewall because Imperva's WAF on the cloud, Incapsula, also works the same way. 

What's my experience with pricing, setup cost, and licensing?

F5 Silverline Web Application Firewall works based on your bandwidth. They look at the clean bandwidth and do the pricing. 20% of a total pipe would be a clean bandwidth.

The list price or a non-negotiated price for F5 Silverline Web Application Firewall would be around $2,200 per application per year for everything that you need. When you get into an enterprise kind of a setup, they negotiate this to the last bit. I would easily take 20% on that, which would be the cost, but it should cover all your Advanced WAF features, bot protection, tech campaign, etc. It is built as a package and gives you most of the capability.

You don't get the mobile SDK, which is an additional license. Mobile SDK is required only if you're buying or if you have a mobile application, and you are going to instrument F5 or Imperva into your mobile appliance. This anyways would be an additional module. It doesn't come within the WAF, but it is a WAF feature.

Which other solutions did I evaluate?

There are a lot of gray areas in WAF. If you take a look at the top ten WAF solutions, most of the WAFs in the market, or at least the advanced ones, do it right because the WAF technology is evolved.

If you look at bot protection, it is probably not everyone's game. I've seen Imperva doing it really well. If I masquerade a browser, for example, if I masquerade a Chrome browser by changing the agent files and make it look like Firefox, and then if I send a request to my F5 Silverline Web Application Firewall (or Imperva firewall), I would want to see if it identifies the real browser behind it. I've seen F5 Silverline Web Application Firewall (and Imperva) handling most of such cases well, but other WAF products in the market fail.

If you look at Imperva, their strength primarily is on the DDoS capability. In the volumetric attack part, Imperva scores or has at least a record of doing better than F5 Silverline Web Application Firewall. Imperva is also in the public domain, so they have mitigated larger attacks than F5 Silverline Web Application Firewall, but this is not something you can test in the lab. You wait for the doomsday, and then you do your actual test.

Overall, if you say F5 Silverline Web Application Firewall as a product, I would vote it over Imperva. It may be because I'm more inclined to work on F5 Silverline Web Application Firewall. I found working with it easier than Imperva.

What other advice do I have?

You should know what you're actually blocking. A lot of customers move to WAF or AWAF because they were told to do that, but they need to identify what they're actually looking to inspect. For example, one of the clients I worked with did not understand the differences in capabilities between a next-generation firewall and a WAF. When I say WAF, I am talking about AWAF, not the previous generation WAF. No one considers that anymore.

People who try to put WAF and think that they are secure are not really secure. There is still a fine grain of security that you need on a next-generation firewall. For example, if I inject a payload, I'm going to have HTTPS traffic that I pass on to WAF. If I do not do my SSL termination and just inspect the remaining stuff, such as headers, WAF is basically useless.

If you're using a WAF solution like F5 Silverline Web Application Firewall, one thing it does really well is the orchestration part. It can terminate your SSL and do the encryption. Basically, it may make your stream decrypted via texts, inspect every element of it, decrypt it back, and then send it. 

As a security consultant, I would add another next-generation firewall behind F5 Silverline Web Application Firewall. I will make sure that I do a service chaining, and every single stream or packet that is decrypted is again routed via a next-generation firewall to do IPS. This is because your WAF cannot do IPS. It is not its major strength; it is a firewall capability. Let's say you have a website where you upload files, and you are going to upload a file that probably has some malicious code that could be executed. When you upload it, it is going to sit on your system. How do you know that a file that is attached to a website is not malicious? A WAF generally doesn't take this up. That's where a combination of WAF and firewall comes into the picture. 

It's about defining and ensuring what is your load and how many applications you want to protect. Do you really have the skills to manage those policies in-house? If you don't have really good engineers who look at the policies and manage these boxes, then it is better to go for managers like Silverline. If you have good hands on the ground, then use an Advanced WAF in your data center. 

Some companies might not need on-premises deployments because they might be using a cloud. In that case, run this on the cloud. You could have virtual licenses or virtual machines running on the cloud, or you could use Silverline. If you're more security passionate, then you probably will have to have a Silverline for it and then another WAF within your cloud. Again, there's no one way to do it. It depends on your network, but do not rely on one product because every product has its limitations.

I would easily rate F5 Silverline Web Application Firewall a seven out of ten. I won't give it an eight because I haven't tested it for a longer period. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Chief Technology Officer at a tech services company with 201-500 employees
Real User
Top 10
Leaderboard
A stable system with good security and load balancing
Pros and Cons
  • "The most valuable feature is that I can establish different services from the firewall."
  • "The configuration needs to be more flexible because it is difficult to do things that are outside of the ordinary."

What is our primary use case?

We use WAF as part of our security solution, protecting applications such as internet banking.

It is used both as a web application firewall and for load balancing. 

What is most valuable?

The most valuable feature is that I can establish different services from the firewall.

Using the standard configuration, it is very easy to set up.

What needs improvement?

The configuration needs to be more flexible because it is difficult to do things that are outside of the ordinary.

This solution would benefit from having a support portal that can be opened directly from the dashboard.

For how long have I used the solution?

We have been using the NGINX WAF for five years.

What do I think about the stability of the solution?

This solution is very much stable. Once it is working, it stays working. We use it on a daily basis.

What do I think about the scalability of the solution?

This solution is not really scalable. Both the virtual appliance and the physical appliance are limited in terms of how much traffic they can handle. If you need to scale up then you need to replace the box with a bigger one.

In my company, we have about 700 users. One of my customers has about 2,500 concurrent users, and another one has about 4,000. These are all internal users. I cannot tell how many external users are connecting from the internet, but it is an enormous number.

How are customer service and technical support?

It takes time to deal with technical support because they are pretty busy, but when you get the support it is very good. They know what they're talking about.

Which solution did I use previously and why did I switch?

Prior to using this solution, we tried open-source pfSense. However, most of my customers went to F5.

How was the initial setup?

The initial installation is very simple. However, there is one issue with security certificates.

Any system that you publish that is a secure system needs to have a certificate implemented, and that is always a struggle. We have plenty of customers with this solution, and every time that we get to the step involving the certificate, extra work is required. It never works smoothly. You always have to go and manipulate the certificate and the system just to set it up. I'm not sure about the latest systems, but in the old models, this could not even be done through the GUI. You had to use the command line, even though the certificate is visible in the GUI. A combination of commands is required just to make it work.

The length of time to deploy a basic system is very short. For more complex scenarios, it can be a long process.

What about the implementation team?

We do have a consultant to assist us with deployment. We do the initial configuration, but when it comes to things that don't work then we speak with F5 directly. 

We have two people in place to maintain this product. One is from IT and the other takes care of the networking aspect.

What's my experience with pricing, setup cost, and licensing?

The licensing fees for this solution are pretty expensive for what it does, but there is no alternative. The only alternative is Imperva, but that is even more expensive.

Which other solutions did I evaluate?

There is not much variety when it comes to web application firewalls that are also load-balancing solutions. Imperva is an alternative, although it is more expensive.

What other advice do I have?

My advice for anybody who is implementing this solution is to plan well. You have to make sure that you plan ahead and know what it is that you want to achieve, then gather all of the relevant information. Otherwise, if you start to configure it and then find out that you don't have the right application server, or the right policy, or the proper certificate to install and configure it, then the installation will be very long. On the other hand, if the plan is very good and you have all of the details in advance, along with the right people to test it, then it should be straightforward.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Specialist at a maritime company with 5,001-10,000 employees
Real User
Top 5
Stable with good security and a fairly straightforward setup
Pros and Cons
  • "The initial setup is pretty straightforward, especially if you enlist assistance."
  • "We've had some blocks of the application and some false positives."

What is our primary use case?

The solution is our WAF for Azure. It is for operation for Transit CAS applications.

What is most valuable?

We primarily use the solution for the protection of the active WAF. It offers quite good security.

The solution is stable.

The initial setup is pretty straightforward, especially if you enlist assistance.

What needs improvement?

We've had some blocks of the application and some false positives. Barracuda needs to ensure there are fewer false positives in general. There also needs to be less of a learning curve on the application in general. That might help us eliminate false positives as well. Basically, they need to help new users better learn and understand the solution.

I have an issue with the console currently. I cannot access the console from inside the network. When I access the entire network, it kicks me off all the time. I opened a case with technical support. We've checked the firewall, the perimeter firewall, and we've tried to fix that problem; however, it's still a problem. I have to access the console from outside all the time to this day.

For how long have I used the solution?

I've been using the solution for a while now. It's been about five years.

What do I think about the stability of the solution?

The stability is okay. We don't have issues with the reliability of Barracuda. There aren't bugs or glitches. It doesn't crash or freeze at all. I'd describe it as stable for the most part.

What do I think about the scalability of the solution?

The scalability may be okay. However, we have only one Barracuda gateway. We don't really need to scale the solution right now.

We might have about 500 users within our company using the solution right now.

How are customer service and technical support?

I've reached out to technical support in relation to a console problem and they have yet to fix the issue for us. All they've done is told me to check the firewall, which I have, and to install a new version. I upgraded the version, however, the issue persists. They haven't been extremely helpful and I'd have to say that I am disappointed with their level of service so far.

Overall, I would rate the support at an eight out of ten.

Which solution did I use previously and why did I switch?

We also use Imperva. We use both solutions at once.

How was the initial setup?

I'm not the administrator of the installation process. Therefore, it's hard for me to say if it was difficult or complex. I can't really comment on the initial implementation.

That said, it's my understanding, from talking to the administrator in the past, that it wasn't too complex.

I'm not sure how long the deployment took. I only really deployed the last application protection.

What about the implementation team?

We had the support of the partner for the implementation, which helped iron out any difficulties.

What other advice do I have?

We're just a transportation company. We're a customer. We don't have a business relationship with Barracuda.

I recommend the solution to other organizations for protecting applications specifically in Azure.

Overall, I would rate the solution at a nine out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Network Engineer at a retailer with 10,001+ employees
Real User
An intuitive solution that's great for a small business
Pros and Cons
  • "From what I've seen so far, there are no negatives to report as of yet"
  • "Although I think it's quite good, it doesn't provide me with all the features I would expect to have if I were using Imperva."

What is most valuable?

Cloudflare is easy to use. It's very intuitive. Although I think it's quite good, it doesn't provide me with all the features I would expect to have if I were using Imperva. I think Imperva is far richer in features from what I can see, but I think that can bring its own pains to be honest. For this reason, I think Cloudflare is a simpler version. 

With Imperva, you can drill down to packet-level very easily. It's very, very good at drilling down deeper and deeper into the packet. I think that is available with Cloudflare, but it's not as good. It doesn't seem to provide us with the same kind of search capability as Imperva. Having said that, I think that's one of the advantages of Cloudflare because you just have to click a button and drill down via clicking. I actually like Cloudflare to be honest. Imperva is almost too difficult for normal businesses — it's too complex. There's almost too much information there. Whereas with Cloudflare, it's easier to drill down and it's more intuitive.

For how long have I used the solution?

I've only been using Cloudflare for a week.

What's my experience with pricing, setup cost, and licensing?

I wasn't involved in the implementation, so I have no idea how much it costs. 

What other advice do I have?

I think this solution is quite intuitive. For businesses that don't have a dedicated security team, I think it's a better product; it's more intuitive for people like us. I'm a network security engineer, but I'm not a dedicated security official. I've too many other things going on to have the time to do the rule sets that you need if you're working with Imperva — I think a lot of that is down to you as the customer. With Cloudflare, I think a lot of that happens in the background. 

I've been working with it for a week and a half so I'm not the best person to say if it's better or worse than Imperva. My only reaction is that maybe it's not as feature-rich for the end-user. Whether that's an advantage, well, that's questionable. Maybe we don't need all of those features sometimes — it depends on the business. The business I'm working in now is a very different business with a different kind of security model. The business I was working with when I used Imperva probably needed that feature-rich capability.

Overall, on a scale from one to ten, I would give Cloudflare a rating of eight. It's quite intuitive. I like it. From what I've seen so far, there are no negatives to report as of yet.

Disclosure: I am a real user, and this review is based on my own experience and opinions.