You should know what you're actually blocking. A lot of customers move to WAF or AWAF because they were told to do that, but they need to identify what they're actually looking to inspect. For example, one of the clients I worked with did not understand the differences in capabilities between a next-generation firewall and a WAF. When I say WAF, I am talking about AWAF, not the previous generation WAF. No one considers that anymore.

People who try to put WAF and think that they are secure are not really secure. There is still a fine grain of security that you need on a next-generation firewall. For example, if I inject a payload, I'm going to have HTTPS traffic that I pass on to WAF. If I do not do my SSL termination and just inspect the remaining stuff, such as headers, WAF is basically useless.

If you're using a WAF solution like F5 Silverline Web Application Firewall, one thing it does really well is the orchestration part. It can terminate your SSL and do the encryption. Basically, it may make your stream decrypted via texts, inspect every element of it, decrypt it back, and then send it. 

As a security consultant, I would add another next-generation firewall behind F5 Silverline Web Application Firewall. I will make sure that I do a service chaining, and every single stream or packet that is decrypted is again routed via a next-generation firewall to do IPS. This is because your WAF cannot do IPS. It is not its major strength; it is a firewall capability. Let's say you have a website where you upload files, and you are going to upload a file that probably has some malicious code that could be executed. When you upload it, it is going to sit on your system. How do you know that a file that is attached to a website is not malicious? A WAF generally doesn't take this up. That's where a combination of WAF and firewall comes into the picture. 

It's about defining and ensuring what is your load and how many applications you want to protect. Do you really have the skills to manage those policies in-house? If you don't have really good engineers who look at the policies and manage these boxes, then it is better to go for managers like Silverline. If you have good hands on the ground, then use an Advanced WAF in your data center. 

Some companies might not need on-premises deployments because they might be using a cloud. In that case, run this on the cloud. You could have virtual licenses or virtual machines running on the cloud, or you could use Silverline. If you're more security passionate, then you probably will have to have a Silverline for it and then another WAF within your cloud. Again, there's no one way to do it. It depends on your network, but do not rely on one product because every product has its limitations.

I would easily rate F5 Silverline Web Application Firewall a seven out of ten. I won't give it an eight because I haven't tested it for a longer period. 

As a customer, if we need more control, then we should choose F5 ASM. We use multiple applications and products. We use the tool for corporate applications because it fulfils our requirements. I will recommend the solution. If it fulfils your requirement, you can definitely go ahead and use it. Overall, I rate the tool a seven out of ten.

I am a user of the product.

I'm not an implementor. I cannot choose which product to use, I just optimize the product that is provided to me by my company. That's why I use F5. 

I'd rate the solution seven out of ten. 

F5 Silverline Managed Services is an add-on for on-prem DDoS protection. If, for example, you are using Advanced Firewall Manager (AFM) on-premise, F5 Silverline Managed Services will serve as additional layer of protection when you are under attack. It has a hybrid deployment structure using both on-prem and cloud technology.

F5 Silverline Managed Services' scrubbing and mitigation is done in-cloud, so there are no new versions. Their soc team does the manual mitigations in the cloud in their scrubbing center.

F5 Silverline Managed Services provides industry-standard DDoS protection. It is not missing anything that any other vendor would be offering in that regard. As a client, you want to have a solution that will successfully defend you from volumetric attacks from the internet, and F5 Silverline Managed Services does that.

It also offers standard reporting. It shows you how hard you have been hit and how mitigation kicked in and what it did.

There is no universal, one-size-fits-all solution in this field, but when a customer has a lot of public services – they provide a web application or API – F5 Silverline Managed Services is the way to go for them.

Overall, I would rate the solution an eight out of ten. 

The solution is easy to use and not technical. We use the solution for white lists. For example, if we want to let people have access we can, and on the other side if we want to block people we can, such as people from Pakistan or China. If people want their applications secured or restrict access it is a great solution.

From a network security standpoint, the solution is not capable to cover all areas needed for protection, there are other features that should be added.

I rate F5 Silverline Managed Services a seven out of ten.

I would rate the F5 Silverline Web Application Firewall an eight out of ten. Pricing is the reason why I wouldn't give it a ten. There's really no 10 I think in the market. They always have something that needs to improve or upgrade.

I would recommend this solution to others.

I rate F5 Silverline Managed Services an eight out of ten.

We just renewed our license and will be continuing to use this product.

Overall, this is a good security solution, but there is no such thing as a perfect appliance in IT.

I would rate this solution an eight out of ten.

This is a good product that you can rely on. It has great features, including the LTM, ASM, and GTM. You can improve your security with this product.

Because I am the SOC manager and reporting is really important for me, I cannot give this product a perfect score.

I would rate this solution a seven out of ten.

For someone considering this solution, they have to do a POC at first.

On a scale from 1 to 10, I would rate Sliverline DDoS an eight. 

They are so new in Turkey that they don't have too much to offer here yet.

My advice to others is this is a very reliable solution. I can recommend the solution to customers that have the funds available.

I rate F5 Silverline Managed Services a 

On a scale from one to ten, one being the worst and ten being the best, I would rate F5 Silverline a seven. Seven, because it does what we need it to do but we need to see more features. However, I do recommend this solution.

If you are looking for web security and don't have any solution, just try it.

I don't think the solution needs too much more. Sometimes you try to build too much and you make things worse. They should just take what they have right now and continuously improve it to make it better. With caching and security, everything so far is fine.

I would rate this solution 9 out of 10.