F5 Distributed Cloud WAF leverages F5's Advanced WAF technology, delivering WAF-as-a-Service and combining signature- and behavior-based protection for web applications. It acts as an intermediate proxy to inspect application requests and responses to block and mitigate a broad spectrum of risks stemming from the OWASP Top 10, persistent and coordinated threat campaigns, bots, and layer 7 DoS.
Few scenarios:
1. For viewing API analytics, I think it is best in the market
2. For earning money via API monetization
3. Securing API
4. Onboarding legacy APIs to provide modern REST endpoints
It helps our website to manage well during high traffic seasons and holidays. This platform manages the website's overall performance and also protects it against DDoS attacks during these high-demand periods. It also protects transactions done on our website for the booking of services and products buying by our customers and keeps their data safe.
Layer seven attacks are becoming far more common. Traditionally it was always layer three, layer four, where you get an additional firewall, but with the application layer attacks becoming more frequent, more popular, et cetera. So having the web application firewall protecting us, and then with the recent Log4j, that's the most recent use case when it gave us that instant level of protection whilst we remediated the Log4j that we had that and the F5 Distributed Cloud WAF was protecting us.
I have a great relationship with the account manager, my account manager, and I think he drives the best price possible, um, for me, and I'm happy with that price.
F5 Distributed Cloud WAF is always innovating and evolving.
We run a very competitive proof value where we run numerous competitors against each other, and then we evaluate from that and then make the selection, and F5 Distributed Cloud WAF was the winner.
Prohibited from using JSON.stringify on Apigee objects (tokens)
Debugging is difficult
Unable to rename or delete policies without bumping revision
Why would anyone give a js policy one name, display name something else, and script a different name?
'Trace' limited to only 20 transactions
UI allows users to add target servers, but users must utilize the api to turn on SSL.
I'm sure there's more, they just aren't coming to mind right now.
Apigee forgets (expires?) your password at random intervals without notice. Every few weeks, or days, sometimes even three times in one day, I'll attempt to log in to Apigee and my password will be 'wrong'. I've reset my password and Apigee still claims it's wrong. I've had to reset my password three times before it finally let me log back in.
Fail over between devices feels unstable if there are thousands of objects attached to the traffic-group. Needs to be simpler.
We have seen issues with malicious user detection where we have used open protocols due to legacy applications, and have been caught with legitimate traffic being blocked.
I am not the one deciding whether to use Apigee or not really. But personally, I would recommend the use of it as developing APIs on it is easy. And as a mediator between backend servers, we could easily modify requests and responses in it without touching any backend code while having a centralized gateway to access our backend APIs too.
We gave it an 8 because it protects our web apps well and is reliable. The WAF is flexible and meets most of our needs. It could improve in user interface and make integrations easier, but overall, it’s a solid and effective security tool for us.
I believe it is a solution that was designed from the start to be simple and easy to use. Coming from Imperva, it simply eased the burden and complexity of managing and securing our apps on different environments (cloud and on-prem). It is easy to scale and very quick to deploy (as a cloud WAF should be), provides us with DevOps integrations, visibility and automatic insights from multiple events that guarantee peace of mind for us analysts and opp managers.
Quite hard to get support, at least on the coding side, when we encounter blockers. But general concerns, they would schedule a call to you for them to get a whole picture of your concern. Albeit in my experience, bad really as they haven't replied about the progress, but otherwise seems to have been fixed.
Apigee is the best in the market in terms of API Analytics
Apigee is having wonderful Documentation with short videos
Security is a major concern and Apigee provides an easily configurable policy to secure API
Quota and rate-limit is again very easy to configure on every API basis
It provides various policies to transform the response from one form to another form e.g. JSON to XML or XML to JSON
It provides fewer false positives and a more granular approach to eliminating them, allowing us to focus on threats. Also, with the need to secure both on-premise and cloud-based web applications, we can only use Azure on the cloud part, but we still need to cover on-premise apps with WAF, so we would need to double the time to deploy and manage. Also, its flexibility of deployment scenarios offers us a faster time to deploy WAF without adjusting the app delivery process to WAF's existence.
As a public entity it is hard to say how much ROI we can have. We have yet to create a billing and ROI plan. We are thinking of other ways to create ROI, possibly through data/service barter.
The biggest gain for us was speed. Before F5 Distributed Cloud WAF, onboarding a new app to our WAF stack meant manual rule tuning, traffic sampling and regression testing. Right now, we spin up a service, tag it with the right policy and it's ready (production ready) within hours.