AWS WAF Alternatives and Competitors

Get our free report covering Microsoft, Imperva, F5, and other competitors of AWS WAF. Updated: October 2021.
542,608 professionals have used our research since 2012.

Read reviews of AWS WAF alternatives and competitors

MG
Application Security Engineer at an insurance company with 10,001+ employees
Real User
Top 20
There is not too much to know but that it is one of the best products of this type that you can get

Pros and Cons

  • "There is no need to have an appliance in house for the services because it is on the cloud."
  • "Certificate management could be improved."
  • "The product could use a broader scope in the area of policies."

What is our primary use case?

We are using it as an application-delivery platform for our entire organization.  

What is most valuable?

The most valuable feature is that it is cloud-based and we do not need to have an appliance for it in house.  

What needs improvement?

I do not see any big problems with the product. Imperva has had a lot of experience developing this product platform and it seems appropriate for my use cases. There are a few places where it can be improved.  

An area of improvement that I was looking for in Incapsula at this moment is enhancing the policy levels. For my purposes, I think there are too few policies. The product and what is included may be good, but it has to be improved further in the area of policies.  

Another area that could do with improvement is certificate management. I do not like the way that Incapsula handles certificates very much. It needs to be changed or drastically improved to be more fluid.  

We have to be conscious of the architecture updates. Updates for the application architecture may break the existing protection application if we have made any changes. It does not seem that this should be so big of a concern for the end-user and could be handled better.  

For how long have I used the solution?

We have been using Imperva Incapsula for six months.  

What do I think about the stability of the solution?

The stability of the product is not usually the issue. Any stability issues would have to do more with extraneous factors.  

What do I think about the scalability of the solution?

We need to know more about the scalability ourselves. We are working on it now to see what we can do. The scalability is inherently good because it is on the cloud. There is nothing much to worry about with the scalability part. But the hands-on experience with it is something we are still exploring.  

There seems to be no limit to scaling the product from the perspective of adding applications. We just put our product on the market. Until and unless the users complain to us, then we will not know if there are growing pains. It is too early in our experience with the product to get the kind of feedback that we need from them.  

We have had only one serious issue after onboarding 50 applications. For one application, we have had some performance and stability issues. It was just one time over the last six months where the problem was affecting the stability. For that one application, we had severe performance issues, and we rolled it back. We are still investigating that issue. We do not know the reason yet that we had a problem with it. We do not know how many of the applications that we try to work will present problems like that. I saw problems with only two applications in total. One application had an issue with image loading which was not as severe, and the other one was for performance issues. The performance issue was affecting web services.  

Scaling, as far as the number of users, is another type of scalability. Ultimately everybody who uses our services uses Incapsula in a sense by the end of the day. This is because every application has to go through Incapsula.  

We are also having to look at our own environment when considering scalability and trying to take Incapsula forward as far as we can with expansion. We have some issues with our infrastructure. All the infrastructure is not always optimally compatible with Incapsula. Because our infrastructure is not fit for Incapsula due to various reasons, we are working to resolve those issues. Those are not major things, but they are important to resolve and continue to scale, so we are working on it. It will take some time to identify everything and optimize the system. For example, if we implement something like having multiple authentications it comes with new challenges. In the end, it improves what we offer, but there are issues to consider along the way, and even before the implementation. 

How are customer service and technical support?

The tech support people are good. They are very good.  

Which solution did I use previously and why did I switch?

For web application firewalls we are actually currently using more than one solution. We are using both Imperva and AWS. Which solution that we use depends upon the environment and depends on the situation. So we are using both solutions but for different situations when there is an advantage to using the capabilities of one product over the other.  

How was the initial setup?

Installation is not complex. It is pretty straightforward.  

What about the implementation team?

We have two people who we use for the deployment of updates and also maintaining this solution. They are part of our team and not from the vendor or other consultancy.  

What's my experience with pricing, setup cost, and licensing?

In my opinion, Imperva Incapsula is not expensive compared to the other similar solutions in this category.  

What other advice do I have?

I have some advice for people who are considering using Imperva. When onboarding an application, they need to be careful with their other infrastructure and systems. The concern is in part to make sure they do not have conflicts. There has to be proper authentication for authorization and the RSA (Rivest, Shamir, and Adleman, data security). During the execution of the task of onboarding, they need to be a little careful to make sure that is not creating an outage.  

So what I would recommend to anyone onboarding an application is that they need to go through the architecture of the application thoroughly before implementing the solution. Do not rush to the end to get it done.  

The best way to implement anything is by taking steps to avoid problems beforehand to end up with a result that has fewer issues.  

On a scale from one to ten (where one is the worst and ten is the best), I would rate Imperva Incapsula as the number one solution. There is not too much to know about it but that it is one of the best products of this type that you can get. But on a scale of one to ten, I give it a nine-out-of-ten because it is not perfect, as good as it is.  

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
BrianFortington
GRC Security Consultant at Ionize
Consultant
Top 10
This flexible suite solves compliance problems but that comes at a cost

Pros and Cons

  • "If I need something from tech support, I can get it answered within the hour."
  • "Both the internal firewall management and the cloud can be managed by a single console."
  • "It costs too much."
  • "It is not entirely user-friendly."

What is our primary use case?

Normally I deal with on-premises installations. The firewalls are always on-prem for government departments. In a recent case, I was looking at a cloud solution because it was what the client preferred. So it was the Fortinet rules applied to an AWS solution. I was looking at the architecture around becoming an IRAP (Information Security Registered Assessors Program) certified program and I was looking at the AWS firewalls around how it would be able to comply with the ISM (International Safety Management) standards.  

What is most valuable?

For me personally, the most valuable thing is that I like the fact that it is standardized so both internal firewall management and the cloud can be managed by the same company. Communication between the two works well and it can be a benefit. We can keep a single console to manage both.  

What needs improvement?

User administrative controls could be a little bit better. I guess that would be the main thing. The usability within Fortinet could be a little bit easier on the users. But it is what it is.  

The thing that was more difficult was not the tool itself but dealing with the logistics of the compliance issues. I was applying a standard set of rules to an AWS firewall. It served a purpose. The complex part of the solution was more of a compliance issue.  

For how long have I used the solution?

We have been using Fortinet FortiWeb probably for over a year-and-a-half. Closer to two years.  

What do I think about the scalability of the solution?

At this point in time, scalability seems to be fine. I mean, we are talking processing requests from all over Australia. It seems to be keeping up quite well. My impression of it at this stage is that it is very scalable. It is quite well suited for data management.  

How are customer service and technical support?

I think judging our experience with technical support is a little bit unfair because I know all the local support people. I do go into the help desk when I have to, but I do know most of the teachers or technical support staff. I would rate them as being very responsive to customers. I have had no issues. If I need something I can get it answered within the hour. It is quite good.  

How was the initial setup?

It was quite easy to do the initial setup and apply basic rules. Administratively, keeping an AWS firewall and applying the Fortinet rules made it quite simple for the difficulty level of this particular requirement.  

What's my experience with pricing, setup cost, and licensing?

I think that FortiWeb is expensive for what they are offering. At the end of the day, when you sell a suite, compliance within the suite is easy to maintain. That is the good part. It is an expensive suite and it is an expensive solution, but it is a manageable one for an enterprise. It should just be cheaper for what they are offering in comparison to other tools on the market.  

What other advice do I have?

My advice to people would be to evaluate the marketplace against your requirements and choose appropriately. Fortinet does operate at the enterprise level. It is listed on the Australian standard and it does carry Australia's approval for common criteria. So it does address the requirements needed for security for the assessments. Not every product can.  

On a scale from one to ten (where one is the worst and ten is the best), I would rate this Fortinet solution as a seven-out-of-ten because of user administrative controls, usability, and price.  

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
SA
Principal Architect at a mining and metals company with 10,001+ employees
Real User
Top 5
A SaaS solution that is API configurable and a convenient part of a suite but needs updating of core rules

Pros and Cons

  • "It is configurable via API."
  • "It is a SaaS solution unlike much of the competition."
  • "The ModSecurity core rules need to be updated."

What is our primary use case?

Our primary use is as a SaaS-based firewall solution for web applications.  

What is most valuable?

The most valuable part of the solution for us overall is exactly that it is a Software-as-a-Service product. It fits our use needs because it is configurable via API.  

What needs improvement?

There is really only one area of the product that I think needs to be improved. That is that Cloudflare should update the version of the ModSecurity core rule set that they run on. They run a pretty old version of ModSecurity from 2013 and they need to update it. That is one thing I would very much like to see in a future release.  

The main issue that we have is really a decision about how the product fits our model. We use both AWS and Azure, and they have similar products. We are trying to determine whether or not we go for a cloud-native solution per the cloud provider we are using or stick with our current model and continue to use Cloudflare. Switching to AWS or Azure as a lone solution means we would go with one or the other across all cloud providers to unify our WAF approach. It might simplify how we look at the maintenance of our web application firewall.  

For how long have I used the solution?

We have been using Cloudflare's web application firewall for twelve months.  

What do I think about the stability of the solution?

I am one-hundred percent convinced of the stability of the product.  

What do I think about the scalability of the solution?

I can say I am pretty confident in the scalability of Cloudflare WAF. I believe that they are the largest WAF provider on the internet at the moment. That is probably at least in part because they are pretty scalable. It is our primary WAF product at the moment.  

How are customer service and technical support?

As far as technical support, we have not really had any issues that require contacting them.  

How was the initial setup?

The initial setup of Cloudflare WAF was very easy. It is a SaaS service so it is just online and it is really only a few clicks away to get started with it. There is no physical infrastructure to bother with so that whole component of maintenance is removed.  

What's my experience with pricing, setup cost, and licensing?

There is no upfront cost for infrastructure because it is a SaaS solution. You just pay per month for the product and usage.  

Which other solutions did I evaluate?

We have evaluated other WAF (Web Application Firewall) solutions. In fact, that is what we are investigating now in taking a deeper look at the advantages of AWS and Azure. That evaluation is really part of my current job.  

At this stage, we have not really considered replacing Cloudflare as a solution with either of those specific solutions or other WAF products. The thing that differentiates Cloudflare WAF is that it is Software-as-a-Service. It is integrated tightly with all of Cloudflare's other services. That is probably the better way to look at it: it is an integrated part of a product suite and not really a separate solution.  

What other advice do I have?

My advice to people who are considering Cloudflare WAF is to check service limits of other providers. Cloudflare does not really have a lot of service limits and that makes a difference. Also, look at the pricing and the pricing models carefully as other products seem to me to become more complicated as your demand scales. It is more straightforward with Cloudflare — or at least it seems to be in comparison to other providers.  

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.