We changed our name from IT Central Station: Here's why

Top 8 Web Application Firewall (WAF) Tools

Fortinet FortiWebMicrosoft Azure Application GatewayImperva IncapsulaF5 Advanced WAFAWS WAFImperva Web Application FirewallBarracuda Web Application FirewallAkamai Kona Site Defender
  1. leader badge
    The most valuable feature is the attack signature and machine learning.The solution is stable.
  2. leader badge
    The most valuable features of Microsoft Azure Application Gateway are the policies, the data store they are using, and the cloud platform it operates on.
  3. Find out what your peers are saying about Fortinet, Microsoft, Imperva and others in Web Application Firewall (WAF). Updated: January 2022.
    563,327 professionals have used our research since 2012.
  4. leader badge
    It fits our requirements, as well as our budget. Remote execution of code.
  5. The most valuable features of F5 Advanced WAF are SSL uploading, signature, and anomaly detection. It is overall a high-quality solution.It's scalable and very easy to manage.
  6. The most valuable features of AWS WAF are its cloud-native and on-demand.This is not a product that you need to install. You just use it.
  7. The features I have found most valuable with Imperva Web Application Firewall are account takeover protection, advanced bot protection, and API security.
  8. report
    Use our free recommendation engine to learn which Web Application Firewall (WAF) solutions are best for your needs.
    563,327 professionals have used our research since 2012.
  9. Some of the most valuable features are the ease of deployment, the Barracuda support, the easy-to-use console, and the granularity of the reports. The installation is straightforward.
  10. The most valuable feature is the custom rules feature. This is because many of our customers require a lot of custom rules. Because it's a very customized project for our customers, I think they have the best of everything already.

Advice From The Community

Read answers to top Web Application Firewall (WAF) questions. 563,327 professionals have gotten help from our community of experts.
It seems that there is some overlap between these two types of solutions - how do Bot Managers and WAF differ? How can they work together to improve security?
author avatarMike Kajubi

What’s the Difference Between a WAF and Bot Blocking Solution?

The main difference between a WAF and a bot mitigation solution is that the focal point of a bot mitigation solution is to only target bots. A WAF is capable of targeting them as well but is more focused on protecting against a combined threat profile to prevent app exploitations and safeguard sensitive data.

So which is better? It depends. If a company’s security goal is to minimize the probability of account takeover, content scraping, or denial of service attacks, to name a few examples, a bot mitigation solution would be best. If the goal is to safeguard against internal app exploitations, such as SQL injections or session hijacking, a Web Application Firewall serves best. It all depends on the security objective a company has for their web application, and in many cases, both solutions are leveraged to build a stronger security perimeter.

author avatarOluwatosin Omojola
Real User

A Bot manager differs from a WAF in that it focuses on the management of Bots which comprises about 50% of web traffic today. A good bot manager should be able to differentiate between good and bad bots and perform relevant actions to prevent overwhelming a web application by bot activity ( even in advanced bot attacks ) WAF, on the other hand, manages a broader spectrum of threat activities which also includes bot detection. However, WAF is primarily designed to protect against the exploitation of web application vulnerabilities, like SQL injection, cross-site scripting, cross-site request forgery, and others. By this description, although WAF can do some level of bot filtering, it is not as deep and advanced as a dedicated bot manager. Both can definitely work together to enhance the security posture of an application. A bot manager can be positioned in front of a WAF to filter malicious bot traffic before reaching the WAF which protects the application from bad traffic processing.

author avatarSaurabhPal
Real User

I have prepared some details regarding Bot Manager and WAF.

1. Traditional WAF have LIMITATION Mitigstion of Dynamic IP and headless attack whereas Bot manager can complete protect against the same.

2. WAF can not stop RIsk of blocking geniun false positive users whereas  Bot Manager can resolve the same.

3.  Bot Manager can't protect from API vulnarebilities whereas WAF can protect the same.

4. Bot Manager can't protect from Layer 7 DoS attack whereas WAF can protect the same.

5. Compliance of HIPAA and ACI is very limited for Bot Manager whereas for WAF it fulfill it fulfill compliance.

author avatarRobert Falbo

Bot solutions offer much more targeted protection against Bit traffic vs a WAF that is more owasp, sql injection, cross site scripting, and detailed rules.  Account takeovers using Bots is a common attack protected by these solutions.  

author avatarJosephTran

In general, WAF inspects the requested traffic, mostly incoming and some outgoing (responses), matches rules/ conditions, then takes appropriate actions. 

Again in general.

Bot Manager is a tool to detect a human and automated scripts = Bot traffic.

As automated scripts get smarter, some of them can emulate human behavior.

So, there are different levels of a bot manager release to adapt to the changing of an automated script.

Both should be used in conjunction to reach the maximum benefit of protection.

Evgeny Belenky
Hi peers, What are the OWASP Top 10 this year?  What single web app security tool (or a minimum set of tools) would you recommend for overall web app protection (from the most critical security risks covered by these Top 10)?
author avatarAndrew Van Der Stock
Real User

We are due to release the OWASP Top 10 2021 on September 24, 2021. We will be transitioning to GitHub from our private work area soon. There will be three new categories, and some surprising coalescing for many of you who have been using the OWASP Top 10 since 2003. This means it is changing, and we've made an impact in our previous releases.

author avatarCurtis Yanko (Shiftleft)

I’m not sure the top 10 is changing this year but if it is it will be to squeeze more stuff in ;-). 

To effectively detect these in a web app you need a status analyzer with deep data flow analysis. I joined ShiftLeft because I felt they had the best tool to change the way we think about SAST scans and it can do reachability analysis for OSS components to better understand the risk associated with vulnerable libraries and frameworks.

author avatarreviewer1572348 (Chief Architect at a computer software company with 10,001+ employees)
Real User

Believe no single tool will address all OWASP Top 10 issues. One will need a combination of tools and approaches as was also mentioned in the recent OWASP anniversary webinars.

A01-2021: Broken Access Control has moved to number 1 on the list this year compared to number 5 in 2017.

There are 3 new entries - Insecure design being at number 4. This is to me is a great addition and something which is complex to assess and fix easily.

Unmesh Deshpande
Hello community,  I am the CTO for a large multi-specialty private hospital. We are currently researching WAF solutions. Which WAF solution would you recommend with no heritage for subscription charges? We are a hospital with many web apps that need to be published soon and quickly. We have decent internet access. There could be 100 to 125 concurrent sessions. Thanks! I appreciate your help. 
author avatarAlcides Barros

CromiWAF's WAF solution provides a smooth service for 100 to 125 simultaneous sessions, but we need two additional information to define the most appropriate "package", number of URL's and throughput.

author avatarAum e Hani
Real User

I myself used Cloudflare as the easiest and quicker solution to implement. But if you are concerned on budget you may try AWS WAF as well. It costs minimal and as per usage instead of fixed monthly expense.

Both are super reliable solutions.
Good Luck

author avatarJeremy Rammalaere
Real User

We have been having great success with FortiWeb appliances. They offer various sizes to meet your bandwidth needs. I don't know what "with no heritage for subscription charges" means but any good vendor will have some sort of subscription (whether it is signature updates, general support, firmware updates, etc.). WAFs need to be kept up to date just like all security products.

author avatarSrdjan
Real User

I would always recommend F5 WAF, it is probably the best one on the market, aside from Imperva. However both solutions are very expensive, Imperva even more and both might not be suitable if your IT personnel is junior when it comes to this kind of technology - this product requires "engineer attention" and offers even more in return. If you want to avoid opex, i.e. subscriptions, than you need to go for appliance on-prem version and you can use it for years before having replacement. all cloud solutions probably come with subscriptions. Check it out on https://www.f5.com/products/security/advanced-waf, they have roi calculator as well.

author avatarreviewer1586961 (Chief Information Officer at a computer software company with 11-50 employees)
Real User

Cloudflare - since deployment it's super fast and supports Terraform for automation.


Imperva Clod WAF is the best option. Not only can you protect your IPs, DNS, Apps, you can also mitigate DDoS attack on your network or apps. Imperva has the best and biggest capacity to handle DDoS.
It is fast to deploy, easy to use and a very friendly user interface. Need I say more? You pay only for what yo need.

author avatarCole Bisset
Real User

I'd highly recommend using the Snapt ADC.

The ADC is a full suite..You get one of the world's finest Load Balancers with included functionality of a WAF, Web Accelerator & a GSLB. All of the Snapt support is done in house as well which gives you a direct line to the people who built the solution.

author avatarRaynielBadiola
Real User

If you are looking for an effective WAF solution, I would recommend Radware Appwall, it provides a complete web application security that you are looking for. Radware Appwall WAF comes with a hybrid solution in which you can deploy an on-prem device or via a cloud. Since you don’t want any subscription charges, for now, you can just deploy the on-prem device which will blocks attacks at the perimeter and ensures fast, reliable and secure delivery of mission-critical web applications.

I may not be able to size-up the exact model for you since there are a lot of things to consider like the number of applications, the number of CEC/CPS/HTTP TPS need to pass through the WAF, etc.but I do recommend to contact your local Radware vendor which can assist you on sizing up the Radware WAF solution.

Hi professionals, There seems to be some controversy around whether or not SSL Inspection should be used by businesses.  What is your opinion - should they be used, and if so when? Conversely, what are the reasons for not using SSL inspection?
author avatarLeo Tse
Real User

SSL inspection requires high firewall resources, the use depends on what your objectives are. E.g., the SSL inspection is a must on WAF or Layer-7 IPS to protect inbound traffic to your servers,if you need very granular access control for your user to the Internet.  

On the other hand, explicit proxy deployment can achieve the URL/URI filtering purpose without SSL inspection for client outbound traffic protection. While SSL inspection is useless for layer-4 only firewall/IPS and webserver running TLS 1.3, DLP/sandbox in endpoint seems to be more effective than the network approach, because the delay in scan result will timeout the network connection. 

Consider SSL inspection on specific traffic types: it can save cost and settle the internal controversy. 

author avatarsupervis809292 (Supervisor of IT Infrastructure & Cybersecurity at a tech consulting company with 51-200 employees)

As more Internet traffic is encrypted each day at some point the majority of Internet traffic will be encrypted. SSL inspection is needed when a business needs to audit what their users are doing on the Internet. Cost and complexity are the largest reasons to not perform SSL inspection, especially on the network edge.

I'm not a huge proponent of performing SSL inspection at the network edge. Most solutions performance levels drops off the face of the planet when enabled and it is complex to setup and maintain. I think the better solution for SSL inspection is to perform it on endpoint devices. This will be cheaper and less complex overall and provide SSL inspection on laptops even when they are not in the office.

author avatarDavid Storey

SSL Inspection is great for corporate/organizational security as it allows you visibility into the traffic going across the network. It can also break access to some sites as it is technically a man-in-the-middle. (Anything requiring certificate authentication.) If you're going to do it, you really need a login banner for your systems that advises users that their activities are being monitored. You'll also need to install certificates on people's PC's. This won't work for guest users. I wouldn't store decrypted content though as you will have to safeguard that data as it will contain sensitive information. (Is it really worth the risk?)

author avatarEvert Ruiten

In general, there are some vulnerabilities in SSL that you should try to mitigate whenever possible. SSL inspection should help indeed.

author avatarLuis Apodaca

These days you should use it no matter if you are a home user, it is about security, and it will be easier each time to have leaked on your personal or professional info, a serious IT guy always should say you should use it.

author avatarrobofl

I used to be against this but leaning the other way now since just about every site is encrypted.  I think some sites need to be avoided like banking, credit card processing, payroll, etc.  Management, and especially the Accounting Dept needs to be in the loop.

author avatarMohammadAta

SSL Inspection or HTTPS Inspection is the process of intercepting SSL encrypted internet communication between the client and the server. The interception can be done between the server and the client and vice-versa, SSL Inspection intends to filter out dangerous content, such as malware. This inspection is also called Deep SSL Inspection or Full SSL Inspection. It allows the user to do web and email filtering, antivirus scanning, etc.SSL inspection not only protects you from attacks that use HTTPS, but also from other commonly used SSL-encrypted protocols, such as SMTPS, POP3S, IMAPS, and FTPS.

Menachem D Pritzker
Hi community,  There are so many firewall products in the market today. Who are we going to be talking about 3-5 years from now?
author avatarNehad Elkordi
Real User

Cisco Portfolio is focusing on total security inside and outside including cloud security,two factor authentication & SDWAN.

Forti Portfolio is focusing on total security too inside and outside including cloud security & two factor authentication.

both are working with Sandbox which is important for 0 day attack.

Therefore If R&D for both vendors will keep as they are today i think they'll be market leaders and away by far for the next 5 years 

author avatarPaul Yuen

In 3 years' time, we believe that "Firewalls Gold" will reach its heights. 

This is because the current firewall's features and affordability had already surpassed those of Check Point, Sophos, SonicWall and Fortinet.  

Firewalls will dominate the market in future years given their immense innovation capability.

author avatarLuisCastro
Real User

1- Pfsense

2- Kerio Control

3- Fortinet

4- Cisco solutions

author avatarBrianCook

I can think of 2 Firewalls that should be doing much better then they are, Kerio Control and ZyXEL ZyWall. Both have been around for a long time but have never gained the market share I feel they should have and I often find people have never heard of them. 

author avatarStuart Berman
Real User

I doubt we will see a new firewall vendor, but I believe we will see new architectures that leverage the advanced capabilities of NGFW delivery through ISPs, think of it is a clean pipe for Internet access. The ISPs will use firewalls (virtualized and segmented by customers) to do the filtering before it hits your networks, just like we see with spam filtering.

I also believe we will see more edge networking, 5G networking where the firewall function will be built into the network at the edge. We already are seeing early versions of the with things like Curiosity OS by Sprint working with Ericsson. I think they will easily add existing VM firewalls to their platform and not reinvent the wheel.


Those firewalls that allow extend the perimeter. Nowadays, there is a issue with the static perimeter and all is going to change in the next semesters. In my opinion, solutions like Netskope are offering this extended perimeter functionality and they could lead the market.

author avatarLipaz Hessel
Real User

Well with the SD-WAN raising it is common to see cloud firewall implementations, like ZScaler.

but as data center firewall, I don’t see any new player comes out unless it will come with a new surprising feature as the market have so many good vendors.

Find out what your peers are saying about Fortinet, Microsoft, Imperva and others in Web Application Firewall (WAF). Updated: January 2022.
563,327 professionals have used our research since 2012.