We just raised a $30M Series A: Read our story

NGINX App Protect OverviewUNIXBusinessApplication

NGINX App Protect is #1 ranked solution in top API Security tools, #4 ranked solution in Container Security Solutions, and #12 ranked solution in top Web Application Firewalls. IT Central Station users give NGINX App Protect an average rating of 8 out of 10. NGINX App Protect is most commonly compared to AWS WAF:NGINX App Protect vs AWS WAF. The top industry researching this solution are professionals from a computer software company, accounting for 29% of all views.
What is NGINX App Protect?

NGINX App Protect application security solution combines the efficacy of advanced F5 web application firewall (WAF) technology with the agility and performance of NGINX Plus. The solution runs natively on NGINX Plus and addresses some of the most difficult challenges facing modern DevOps environments:

  • Integrating security controls directly into the development automation pipeline
  • Applying and managing security for modern and distributed application environments such as containers and microservices
  • Providing the right level of security controls without impacting release and go-to-market velocity
  • Complying with security and regulatory requirements

NGINX App Protect offers:

  • Expanded security beyond basic signatures to ensure adequate controls
  • F5 app‑security technology for efficacy superior to ModSecurity and other WAFs
  • Confidently run in “blocking” mode in production with proven F5 expertise
  • High‑confidence signatures for extremely low false positives
  • Increases visibility, integrating with third‑party analytics solutions
  • Integrates security and WAF natively into the CI/CD pipeline
  • Deploys as a lightweight software package that is agnostic of underlying infrastructure
  • Facilitates declarative policies for “security as code” and integration with DevOps tools
  • Decreases developer burden and provides feedback loop for quick security remediation
  • Accelerates time to market and reduces costs with DevSecOps‑automated security

NGINX App Protect was previously known as NGINX WAF, NGINX Web Application Firewall.

Buyer's Guide

Download the Web Application Firewall (WAF) Buyer's Guide including reviews and more. Updated: November 2021

NGINX App Protect Video

Pricing Advice

What users are saying about NGINX App Protect pricing:
  • "The licensing fees for this solution are pretty expensive for what it does, but there is no alternative."
  • "Really understand the licensing model, because we underestimated that."
  • "Our licensing costs are about $40,000 a year."

NGINX App Protect Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
AI
Chief Technology Officer at a tech services company with 201-500 employees
Real User
Top 10Leaderboard
A stable system with good security and load balancing

Pros and Cons

  • "The most valuable feature is that I can establish different services from the firewall."
  • "The configuration needs to be more flexible because it is difficult to do things that are outside of the ordinary."

What is our primary use case?

We use WAF as part of our security solution, protecting applications such as internet banking.

It is used both as a web application firewall and for load balancing. 

What is most valuable?

The most valuable feature is that I can establish different services from the firewall.

Using the standard configuration, it is very easy to set up.

What needs improvement?

The configuration needs to be more flexible because it is difficult to do things that are outside of the ordinary.

This solution would benefit from having a support portal that can be opened directly from the dashboard.

For how long have I used the solution?

We have been using the NGINX WAF for five years.

What do I think about the stability of the solution?

This solution is very much stable. Once it is working, it stays working. We use it on a daily basis.

What do I think about the scalability of the solution?

This solution is not really scalable. Both the virtual appliance and the physical appliance are limited in terms of how much traffic they can handle. If you need to scale up then you need to replace the box with a bigger one.

In my company, we have about 700 users. One of my customers has about 2,500 concurrent users, and another one has about 4,000. These are all internal users. I cannot tell how many external users are connecting from the internet, but it is an enormous number.

How are customer service and technical support?

It takes time to deal with technical support because they are pretty busy, but when you get the support it is very good. They know what they're talking about.

Which solution did I use previously and why did I switch?

Prior to using this solution, we tried open-source pfSense. However, most of my customers went to F5.

How was the initial setup?

The initial installation is very simple. However, there is one issue with security certificates.

Any system that you publish that is a secure system needs to have a certificate implemented, and that is always a struggle. We have plenty of customers with this solution, and every time that we get to the step involving the certificate, extra work is required. It never works smoothly. You always have to go and manipulate the certificate and the system just to set it up. I'm not sure about the latest systems, but in the old models, this could not even be done through the GUI. You had to use the command line, even though the certificate is visible in the GUI. A combination of commands is required just to make it work.

The length of time to deploy a basic system is very short. For more complex scenarios, it can be a long process.

What about the implementation team?

We do have a consultant to assist us with deployment. We do the initial configuration, but when it comes to things that don't work then we speak with F5 directly. 

We have two people in place to maintain this product. One is from IT and the other takes care of the networking aspect.

What's my experience with pricing, setup cost, and licensing?

The licensing fees for this solution are pretty expensive for what it does, but there is no alternative. The only alternative is Imperva, but that is even more expensive.

Which other solutions did I evaluate?

There is not much variety when it comes to web application firewalls that are also load-balancing solutions. Imperva is an alternative, although it is more expensive.

What other advice do I have?

My advice for anybody who is implementing this solution is to plan well. You have to make sure that you plan ahead and know what it is that you want to achieve, then gather all of the relevant information. Otherwise, if you start to configure it and then find out that you don't have the right application server, or the right policy, or the proper certificate to install and configure it, then the installation will be very long. On the other hand, if the plan is very good and you have all of the details in advance, along with the right people to test it, then it should be straightforward.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
MS
Head Competence Center Agile & Communication at a insurance company with 1,001-5,000 employees
Real User
Capable of complete automation but is costly

Pros and Cons

  • "We were looking for a product that is capable of complete automation and a container based solution. It's working."
  • "As far as scalability, it takes a long time for deployment."

What is our primary use case?

We tried to secure our public exposed APIs with NGINX App Protect. The cases must be all completely automated, because we want to build a self-service engine so that a decentralized approach is possible in the organization.

What is most valuable?

We were looking for two main valuable features. We were looking for a product that is capable of complete automation and a container based solution. It's working.

What needs improvement?

The solution is working on OpenShift, but we have the feeling the product was designed not only for OpenShift or a container-based solution to operate. 

In addition, they have a messy license model; it's not really made for microservice architecture. It's getting expensive really, really fast.

NGINX made some promises for a roadmap which they weren't able to deliver. One was about virus scanning, and the other was WebSocket inspection. I think they will provide both features in the future, but the communication was really bad. Then there was a problem in production during config reload. If you want to deploy a new API, it takes around 20 seconds. For one API it's not a lot, but if you have 300 APIs, it takes a lot of time. It's not made for deployment in a self-service model. 

Most important to see in a new release would be the WebSocket inspection and virus scan.

For how long have I used the solution?

I have been using this solution for about six months.

What do I think about the stability of the solution?

The stability of App Protect was pretty good.

What do I think about the scalability of the solution?

As far as scalability, it takes a long time for deployment.

How are customer service and support?

Tech support wasn't really helpful. They asked the wrong questions. We tried to help them and head them in the right direction, but we always had the feeling the wrong people were in charge because we had more knowledge than they had.

How was the initial setup?

The initial setup was straightforward; maybe a bit uncomfortable because you have to build your own ConfigMap application so that you're able to produce all these configs. They don't have any support tool or similar.

What about the implementation team?

We implemented the solution ourselves. We have two engineers for deployment and maintenance.

What's my experience with pricing, setup cost, and licensing?

The licensing is yearly, and we have two teams using NGINX App Protect. Just our team has a yearly fee of maybe $25,000. It's not a lot, but it's because we made decisions on the architecture style to save some money. If we didn't do that, we were heading up to $300,000, $400,000.

Which other solutions did I evaluate?

We are developing an integration platform based on the API gateway and web application firewall. We went live this year, and we have some production issues with the chosen technologies. We use NGINX App Protect as a web application firewall and 3scale as an API gateway. Both products are working, but it's not a perfect match for us. Because of this, we did some research during the summer and decided to change the whole solution to AWS.

What will be definitely better is the AWS license model for us. We pay maybe 10% of the whole solution we had before. So it's much cheaper. They are technical as well because we are able to instantiate per API, our own web application firewall, and API gateway. So it's not just the price, it's the whole that looks like AWS is a much better solution than NGINX.

What other advice do I have?

Regarding the solution, be clear on the consequences of writing your own configuration files; that's one part that was really cost-intensive and time-consuming for us. Also, really understand the licensing model, because we underestimated that.

I would rate this solution a six out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Find out what your peers are saying about F5, Amazon, Microsoft and others in Web Application Firewall (WAF). Updated: November 2021.
554,676 professionals have used our research since 2012.
LM
Product Manager - Technical at a tech services company with 5,001-10,000 employees
Real User
Top 10Leaderboard
WAF is very good at tracking mitigation, inclusion, prevention, and the parametric firewall

Pros and Cons

  • "WAF is useful to track mitigation, inclusion, prevention, and the parametric firewall."
  • "It's challenging if you need to go for a high throughput."

What is our primary use case?

I'm carrying out some research work on NGINX because I am in academia. All my use cases relate to scaling from private to public cloud and vice versa. The other use case is for our perimeter security for cloud-based EDCs. We are customers of NGINX and I'm a technical product manager.

How has it helped my organization?

The solution has helped us greatly during this Covid period. When everything went remote, we had to scale up some applications and provide remote access to our users. It meant that we needed more security for our applications, the EDCs, and that's when we made use of the WAF module from NGINX to ensure the applications are secure.

What is most valuable?

The WAF itself was a feature that I found very useful to track mitigation, inclusion, prevention, and the parametric firewall.

What needs improvement?

The solution does well when there's low throughput but when we go for any high throughput, it's always a challenge. I'm expecting the next version to have a better high throughput. I also find that the bug fix rate is pretty slow.

I would like to see some more tools and to have some more automation capabilities in the next release, because right now the exposure of the API in NGINX is pretty limited. So I would like to see more of that as well as robustness in the scaling of the solution. 

For how long have I used the solution?

I've been using this solution for six months. 

What do I think about the stability of the solution?

This is a stable solution. 

What do I think about the scalability of the solution?

Scalability can be a bit of a challenge because there are some use cases that are not tackled. Our Dev Ops, IT staff and support service all use this solution. Let's say about 100 people at any given time. We have two staff responsible for support, they are IT support admins. We use the solution on a daily basis. 

Which solution did I use previously and why did I switch?

I previously used the HAProxy. We switched to NGINX because it is more advanced. And then after the F5 networks bought them, their product portfolio increased and that was another reason for us to shift.

How was the initial setup?

The initial setup was straightforward but I am well versed in this implementation. If I was a novice, it would be difficult. We have pretty much automated all our deployments, and then we schedule a downtime for our apps and deploy the patches or the new versions through automation so it'll take a lot less time.

What was our ROI?

We have seen a good ROI. Because of the Covid virus, we were able to see it immediately. When everyone went remote, we were scrambling to see how we could deploy and secure the apps and this came in at the right time.

What's my experience with pricing, setup cost, and licensing?

Our licensing costs are about $40,000 a year. We pay on an annual basis. We just have our operating costs on top of that. 

What other advice do I have?

I would recommend getting your deployments before you jump into buying or trying out this solution. Have a clear road map for your deployments and your future solutions. The solution has a rich feature set but on the down side is the issue with the high throughputs.

I would rate this solution an eight out of 10. 

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Vijay Lalwani
Manager - Cyber Security (SOC) at a financial services firm with 10,001+ employees
Real User
Top 10Leaderboard
Easy to analyze security abnormalities, stable, and the support is good

Pros and Cons

  • "The most valuable feature is that there is a link in the system that will help to analyze the security of an application when something abnormal is found."
  • "Setting policies and parameters through the UI should be more automated because the process is manual, where we can only edit one rule at a time."

What is our primary use case?

We use this solution to protect our entire set of web applications. This includes protecting against vulnerabilities as a result of programming errors.

What is most valuable?

The most valuable feature is that there is a link in the system that will help to analyze the security of an application when something abnormal is found.

What needs improvement?

This firewall should support more of the network layers.

Profiling capability should be improved.

Setting policies and parameters through the UI should be more automated because the process is manual, where we can only edit one rule at a time.

For how long have I used the solution?

I have been using the NGINX Web Application Firewall for more than a year and a half.

What do I think about the stability of the solution?

In terms of stability, this solution is much better than Imperva.

What do I think about the scalability of the solution?

In terms of scalability, depending on the application, there is a limit to how many policies I can design.

How are customer service and technical support?

The technical support for this solution has improved. Imperva used to be better, but now, NGINX is more responsive.

Which solution did I use previously and why did I switch?

I have also used Imperva. The stability and interface are better in the NGINX WAF. For example, it is easier to create new policies. Technical support from NGINX is also more responsive than that of Imperva.

How was the initial setup?

The initial setup was complex in terms of deployment and fine-tuning.

We have more than ten applications so it took us between four and five months to deploy.

What about the implementation team?

We had to contract a third-party consultant to assist us with the deployment. We are satisfied with their work

What other advice do I have?

Based on my experience, this solution is better than the other choices on the market.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Web Application Firewall (WAF) Report and find out what your peers are saying about F5, Amazon, Microsoft, and more!