F5 Essential App Protect Review

F5, Inc and NGINX, Inc worked together to create the Essential App Protect cloud-based Web Application Firewall (WAF). F5 already had a WAF on the market, but combining that with NGINX’s expertise in webserver technology enabled them to convert its appliance-based system into a SaaS offering.

F5 also offers the same WAF on an appliance and NGINX uses the same code bundled into its Nginx Plus webserver as an add-on, called NGINX App Protect. So, there are three deployment options for the same WAF system.

To work out whether you would be better off getting this web application firewall as a cloud service instead of by one of the other two configurations available, take a look at how a web application firewall works and what it is supposed to do.

What does a web application firewall do?

Firewalls reside at the boundary of a system and monitor incoming traffic, looking for harmful content, programs, or actions. So, a firewall protecting a PC captures all traffic coming in on the network card, a firewall monitoring a network stands at the gateway between it and another network, or the internet.

A web application firewall is designed to specifically protect the services performed by a webserver. A webserver holds all of the code and files that make up a website and sends out relevant files when a request for a specific web page comes in from the internet.

The webserver is a software platform, rather than an operating system. It includes built-in utilities that manage network activity that specifically relate to the task of communicating with other computers over the internet. It also provides utilities that are needed by the code in the web page file. For example, a webserver includes interpreters and compilers for web programming languages, such as Perl or PHP.

All of the elements that make up a web page and help it become available to the general public are grouped under the category “web applications.” Interference with just one of these services could cripple a website. So, a web application firewall is needed to examine all incoming traffic and block any attempts to corrupt or exploit these applications.

Like any firewall, the WAF performs its tasks by looking at all incoming packets. The World Wide Web is distinct from the Internet because all web communication is carried out with messages that comply with the Hypertext Transfer Protocol (HTTP). So, a WAF has to pay particular attention to HTTP packets and the producers of WAF know every trick that hackers try in order to attack web applications. The firewall looks for evidence of hacker activity by referencing every HTTP packet against a list of known hacker strategies.

From time to time, a clever hacker comes up with a new attack plan and until that attack is discovered by cybersecurity analysts, every webserver in the world is unprotected. So, WAFs now also look for unusual HTTP activity in order to block these as yet unknown tricks, which are called “zero-day attacks.”

Confusingly, the bundle of services that manage websites is called a webserver and the computer that the webserver runs on is also referred to as a webserver. As the web applications rely on the resources of the physical webserver, that computer needs to be protected as well. In addition, every device between the internet and the computer hosting the website is a potential target for attack.

Where should I put a web application firewall?

Most people are familiar with firewalls on a computer. For example, the Microsoft firewall, Windows Defender, is included in the Windows operating system for free. It is resident on the computer that it protects. The same configuration is possible for web application firewalls. It can be installed on the same computer as the webserver system.

NGINX integrates its implementation of App Protect in with its webserver package. So, the two systems have to be installed on the same server. That strategy introduces efficiency because there is no network traffic between the two systems and so less risk of hacker intervention. However, that configuration leaves the network gateway and any device between it and the webserver vulnerable. The systems administrator would then need to install another firewall on the gateway to prevent hackers from disabling access to the webserver.

The F5 Advanced WAF is a network appliance that implements the same code as the F5 Essential App Protect system. It needs to be installed directly behind the gateway, so it protects all of the networks before the webserver and the webserver itself. However, that still leaves the network gateway vulnerable.

The F5 Advanced App Protect WAF is resident on an F5 server on the internet, not on the network that it is protecting. This is an “edge service.” This configuration is becoming increasingly common among cybersecurity providers. As F5 and its rivals are experts in cybersecurity, they are better equipped to manage the facilities that support a firewall on their own premises. The protected business doesn’t have to worry about its firewall’s host being interfered with either by disgruntled staff or by clever hackers – F5 takes that responsibility.

The location of the WAF before the internet gateway of the protected webserver means all of the path from the boundary of the subscriber’s system to the webserver is covered by the WAF.

About F5, Inc.

F5, Inc was originally called F5 Labs and used the brand name F5 Networks. The company started up in 1996, making it one of the oldest cybersecurity firms in the USA. The first product of the company was a load balancer, called BIG-IP. This is still the main brand of F5 and its appliance-based version of its WAF is hosted on a BIG-IP iSeries device.

The company floated on NASDAQ in 1999 and now has a market capitalization of $7.4 billion. The company’s headquarters are in a brand new, iconic skyscraper, called F5 Tower in downtown Seattle. Over the decades, F5 has made a number of important acquisitions, strengthening its expertise in cybersecurity. The most notable of these was its purchase of NGINX, Inc in 2019.

NGINC, Inc is the commercial owner of the free, open-source webserver, called Nginx. Usage figures for webservers are difficult to quantify. However, Nginx is figured to be one of the top two webserver systems in the world, alongside Apache HTTTP Server. The combination of F5’s cybersecurity expertise and NGINX’s webserver abilities resulted in the production of the F5 Essential App Protect in May 2020.

F5 Essential App Protect overview

The Essential App Protect system is a proxy server. It stands in for the gateway and physical servers of the protected system. The DNS records for the websites being monitored by the WAF are altered so all traffic goes to the F5 server instead of to the real webserver. This means that all of the attacks that the hackers of the world launch against the protected website hit the F5 server.

Key Features:

  • DDoS Protection: Shields web applications from Distributed Denial of Service attacks.
  • Integrated Security: Works seamlessly with F5’s wider web application security framework.
  • DevOps Friendly: Supports secure deployment practices for development and operations teams.

A proxy server doesn’t pass through traffic. It is the endpoint of all communication. The proxy selectively re-sends approved traffic on a separate connection to its customer’s system. The one weakness in the system lies in the backend internet connection between the F5 network and the network of the protected webserver. This is fully secured with a VPN.


  • Multiple Deployment Options: Available as a cloud service, appliance, or integrated with NGINX.
  • Comprehensive Protection: Covers OWASP Top 10 attacks, provides threat intelligence, and global IP blacklisting.
  • API Protection: Secures APIs alongside websites and mobile apps.
  • Automated Threat Mitigation: Automatically responds to detected threats to minimize damage.


  • Frequent reCAPTCHA Challenges: Utilizes reCAPTCHA often, potentially disrupting user experience.

F5 Essential App Protect details

The key abilities of the F5 Essential App Protect WAF are:

  • Protection against the OWASP Top 10 attacks
  • A threat intelligence feed
  • Global IP address blacklisting
  • A live threat map
  • API protection
  • Cookie protection
  • Automated threat mitigation

The main services of the F5 Essential App Protect WAF cover all inbound threats to any element of a system that is needed in order to deliver a website to a remote browser.

F5 Essential App Protect dashboard

The dashboard for the F5 WAF is hosted on the cloud and so can be accessed from anywhere through any standard browser. The screens for the service are attractive and well planned, with the Home screen featuring a map of the world showing the sources of all live connections to the protected webserver.

F5 Essential App Protect Dashboard - Application event map

The dashboard presents a very well-balanced combination of statistics tables and graphs. All data elements are active links through to drill down screens, such as the Events Details screen, which correlates all suspicious activities related to a flagged conversation.

F5 Essential App Protect - Events detail

Statistics shown in the screens include general performance information for all transactions and then data related to suspicious activity. The service creates an alert for any transaction that is deemed to be malicious and can optionally be set to intervene automatically to shut down a suspected attack.

F5 Essential App Protect subscriptions

As a cloud-based system, F5 App Protect is charged for by subscription. Charges are levied through a combination of metered factors. One element is the number of servers protected at a rate of $0.25 per endpoint per hour. The other fee component is a data throughput charge, which is set at $0.63 per GB.

An F5 Essential App Protect account can be set up immediately and can be canceled without any penalty charges. F5 offers a 15-day free trial of Essential App Protect which has a limit of 5 endpoints and 15 GB/day throughput.

F5 App Protect Alternatives

The F5 Essential App Protect service is a very competent web application firewall. It’s SaaS delivery model and subscription pricing makes it very accessible to small businesses and startups. However, not everyone wants a cloud-based firewall. Also, it pays to check out two or three of any type of service before committing to one producer.

When looking for a new software package or service, you have to spend a lot of time researching the market. You also need to work out your exact requirements because no two products are exactly the same even though they are marketed as performing the same task.

In order to get more insights into web application firewalls, you could read the Buyer’s Guide to the Top WAFs. We have also summarized our recommendations for the top ten WAFs below.

Here is our list of the ten best alternatives to the F5 Essential App Protect:

  1. BIG-IP iSeries Platform – A network appliance with the F5 Advanced Web Application Firewall pre-loaded on it. This is the onsite version of the F5 Essential App Protect.
  2. AppTrana Managed Web Application Firewall A managed security service that includes a team of technicians and experts to run the software as well as the web application server itself and the necessary processors and storage to support it. It includes a CDN and an application scanner.
  3. Fortinet FortiWeb A group of edge services that include a web application firewall, a load balancer, and an SSL off-loader. It is offered as a cloud service, a network appliance, or a virtual machine.
  4. Sucuri Website Firewall A cloud-based service that includes load balancing, system malware scans, and a CDN as well as a web application firewall.
  5. MS Azure Web Application Firewall A cloud-based edge service bundle that includes a web application firewall, load balancing, DDoS protection, and data loss prevention.
  6. Imperva Cloud WAF A cloud-based web application firewall with a managed security option. This system also includes data loss prevention, CDN, and virtual patching.
  7. Barracuda Web Application Firewall A group of web protection and enhancement services that include DDoS protection, caching, and site optimization as well as a WAF. It is delivered as a network appliance, a cloud-based system, or a virtual appliance.
  8. Citrix Netscaler Application Firewall Offered as a cloud-based service or as a network appliance. This web application firewall includes a load balancer.
  9. Radware AppWall A signature-based web application firewall that is available in a network appliance.