Product Comparison: Web Application Firewall (WAF)

This side-by-side web application firewall comparison can help you determine which solution is the best for you and your clients.

web application firewall comparison

Security is a priority for all of your clients, from large enterprises to one-person shops. No business, regardless of size or industry, is immune to the threat of cyberattacks and data breaches — or the costs and reputation damage that they cause. Some companies never recover from the outfall of a data breach and are out of business within months after an attack.

As crucial as security is to protecting a business, many of your clients simply don’t have the in-house resources or time to adequately protect their web applications. This creates an opportunity for managed services providers (MSPs) to solve a significant challenge for their clients and to grow their businesses by providing web application firewalls.

Web application firewalls are designed specifically to protect web applications from attacks such as SQL injection, cross-scripting (XSS), cookie poisoning, and parameter tampering. They stop known malicious traffic, and can, using artificial intelligence, spot anomalies that can identify and stop attacks even before the malicious application or code has been blacklisted.

There is a wide variety of web application firewalls on the market, which can make selecting the right web application firewall for your clients a challenge. To help you evaluate your options a more easily, we invited web application firewall vendors to share details about their products. The companies that provided information for this product comparison are:

In the coming months, we’ll be adding additional solutions from vendors that didn’t make the deadline for this first comparison post.

Note: Managed Services Journal product comparisons aren’t about rating products or choosing “the best.” And they aren’t paid listings or ratings that some websites publish. Our objective, as always, is to provide MSPs with unbiased resources to help them make the best decisions for their businesses.

We also recognize that each MSP’s business is unique, so different businesses may derive the greatest value by choosing different web application firewalls. We’ve organized information by features so it will be easier for you to compare and contrast those that are the most important to your clients and to your MSP.

For more information provided by the vendors, download our “Overview of Web Application Firewalls”  spreadsheet.

Protection from Attacks

As a part of our web application firewall comparison, we asked vendors whether their products protected from these specific types of cyberattacks:

Type of Attack/VulnerabilityAirlockBarracudaCitrixFortinetSucuri
Zero-Day Threatxxxxx
Cookie Poisoningxxxxx
Web Scrapingxxxxx
Parameter Tamperingxxxxx
Buffer Overflow Vulnerabilityxxxxx
SQL injectionxxxxx

In addition, all of the products in this comparison provide protection against application layer attacks, including the OWASP Top Ten.

DDoS Protection

Distributed Denial of Service (DDoS) attacks can interfere with the ability for a business to provide services through a web application by flooding the service with an excessive amount of web traffic. The products in our comparison prevent DDoS attacks in the following ways:


Airlock uses the following techniques: geoblocking; traffic throttling per application, and request filtering. It also restricts the number of requests and/or sessions (from a single source IP) within a configurable time interval. Back ends are protected from overload using load balancing. In addition, enforcement of upstream authentication at the WAF keeps attacks off applications.


Barracuda addresses DDoS attacks at two levels:

L4 (transport layer) DDoS is handled by the DDoS service layer hosted in Barracuda cloud through which the traffic passes through before reaching WAF deployed in customer’s datacenter.

L7 (application layer) DDoS capabilities are built into the product that looks at L7 traffic and applies multiple checks to detect and block bad clients.


The Citrix  Web App Firewall protects against DDOS through a variety of features, including layer 3 and layer 4 (network and transport layers) protection against floods, reflection attacks, slowloris, TCP small window, DNS DDoS defense via request thresholds over time, rate limiting, throughput limiting, and IP reputation.


FortiWeb provides Layer 3-7 DDoS protection with predefined rules that can be edited and changed to customer specific requirements.


Sucuri’s global Anycast CDN absorbs traffic across its network and offers emergency DDoS protection, which presents a JavaScript challenge to visitors’ browsers in order to block illegitimate traffic.

Combine WAF With These Additional Services

VARs and MSPs can provide even more value and protection to their clients by combining web application firewalls with other services. Options for combining the products in our comparison include:


  • SIEM solution
  • Threat intelligence solutions
  • Malware protection
  • Fraud detection solutions


  • Authentication services (via SAML), for example, Microsoft Azure AD
  • Advanced DDoS prevention service
  • Advanced threat protection for zero-day malware detection and protection
  • Logging services such as Sumo Logic/Loggly
  • Automation/orchestration mechanisms such as Puppet, Chef, Ansible or Terraform
  • Public cloud services such as Azure Security Center or Microsoft OM


Citrix Web App Firewall is part of Citrix’s Application Delivery Controller (ADC) platform, a full-featured load balancer, application accelerator, WAN accelerator, web application firewall, content inspector, gateway and VPN, SSO solution. It can be configured as a forward or reverse proxy. Citrix ADC generates powerful and actionable application and security insights via Citrix ADM (application delivery management).


Load balancing


The Sucuri Website Firewall can work with any CDN, load-balancing, or high-availability architecture. It can also export logs to SIEM systems and offer customizations for enterprise customers. 

AI/Machine Learning Features

With the rapid evolution of new threats, a web application firewall must do more than stop know threats from a static list. Each of the products in our comparison employ artificial intelligence (AI) and machine learning to constantly spot and stop new threats.


Is now limited to learning the application structure, but new capabilities are set for release this year:

Barracuda Web Application Firewall: Advanced bot protection capabilities augmented with machine learning to differentiate between humans and advanced bots trying to mimic human behavior

Barracuda WAF-as-a-Service: Auto-configuration that will analyze the traffic going to the application and suggests/deploys effective rules based on traffic patterns


Security insights are available via Citrix ADM, powered by Citrix Analytics, which applies machine learning to data that spans network traffic, users, files, and endpoints to identify and take action on malicious user behavior and app performance anomalies.

Citrix is expanding its machine learning and AI capabilities to drive next-generation functionality such as dynamically profiling and automatically adapting applications, as well as improving security insights by eliminating false positives.


FortiWeb automatically and dynamically monitors all application elements for activity that strays from predicted entries. If this first engine flags what it determines is an anomaly, it is then sent to the second machine learning layer to assess if it is a threat or simply a benign variance such as a typo or new character that hasn’t been seen previously. If it is an attack, then FortiWeb can take actions such as logging, alerting and/or blocking the request. The second machine learning layer uses threat models that are included as part of the FortiWeb solution and are updated with the FortiGuard WAF Security Service to provide protection from new threats that require model retraining and testing

Fortinet is launching AI-based bot mitigation in FortWeb’s next major version — version 6.1 —scheduled for March 2019.


Sucuri correlates attack data across its network and runs behavior analysis to fuel its whitelist model.


Airlock includes AI/machine learning features. 


Pricing structures for web application firewalls vary, depending on whether you choose a cloud-based or on-premises solution as well as by vendor:


Pricing depends on the number of back ends, number of identities protected and the runtime. The Airlock Web application firewall is part of Airlocks Secure Access Hub which consist of a web application firewall, customer identity and access management and API Gateway. 


WAF-as-a-Service is billed on a monthly basis per application.


For on-premises systems, Citrix provides physical or virtual appliances, with pricing based on throughput and license level.

For cloud-based systems, Citrix provides the Citrix Web App Firewall, a WAF service delivered entirely in the cloud. They also provide virtual appliances that customers can host within their AWS or Azure environments.

Pricing for both systems is comparable.


Fortinet uses a perpetual license model for appliances and VM solutions. Most customers purchase yearly support and services contracts as well.

FortiWeb provides five subscription services — security services that include signatures and other product component updates, AV, IP reputation, credential stuffing protection and sandbox. For its cloud product, Fortinet offers yearly contracts.


Sucuri’s basic web application firewall is $9.99/month, which includes the Sucuri CDN, free SSL on the firewall server, and no limitations when it comes to intrusion prevention or DDoS mitigation. If there is an SSL certificate on the origin server, an upgrade is required to Sucuri’s Professional or Business plans. Enterprise plans are based on the level of support, customizations, and the number of websites.

Sucuri offers referral partnerships with no commitment; its agency and enterprise plans require a contract.

VAR/MSP Resources

The vendors highlighted in our web application firewall comparison offer several resources that can help managed services providers optimize and enhance the service they provide to their customers.


Airlock offers partners attractive partner models with an academy to receive trainings on its products. They also offer full support with their first projects. Also, partners can resell solutions with discounts related to their commitment. 


Barracuda offers self-paced learning videos, available to all registered partners through Barracuda Campus, as well as paid in-classroom training.


Citrix offers extensive enablement services to all partners, as well as the opportunity for certifications and specializations. Partners also receive special pre-release communications, early access to new software and features and special pricing for their customers.


Fortinet offers full RBAC controls and multi-tenancy to address MSSP requirements.


Sucuri security consultants help MSPs establish custom partnerships. They also offer API integrations for hosting providers, agency plans for web professionals, and sales training.

What Makes Each Web Application Firewall Stand Out Among the Competition

We also wanted to give web application firewall vendors the opportunity to tell MSPs what makes their products unique:


“We are a combination of an API Security Gateway and Access Management Solution.” 


“Barracuda Web Application Firewall: Cloud instances in Azure/AWS/GCP and virtual appliances: It is easy to set up and get going and has a comprehensive set of APIs and supports infrastructure-as-code paradigm for customers looking to build a fully automated WAF layer for large deployments.”

“Barracuda WAF-as-a-Service: An easily scalable service that MSPs can offer to further protect customers’ applications. For MSPs that would like to tune the applications themselves, it provides the same depth of control as the WAF.”


“The integration of Citrix Web App Firewall into a full-featured product like the Citrix ADC  providers greater performance and scale than stand-alone offerings and enables companies to deliver the next generation of hybrid, multicloud workspaces anywhere, anytime to any device in a more secure and reliable manner.”


“Innovation. FortiWeb is the only product that delivers various AI capabilities across the most difficult challenges — anomaly detection and bot mitigation.”


“Our WAF is specialized for application profiling and leverages a whitelist model, which is different from other WAFs. Customers appreciate the ability of our WAF to block vulnerability scanners and 98 percent of zero-day vulnerabilities reported by WPVulnDB. Our enterprise team can support any special configuration requests by enterprise customers, including load balancing and custom rule sets. Our WAF has the highest reviews on Gartner Peer Insights, and received a Customer’s Choice distinction in December.” 

Final Thoughts

Although a web application firewall can provide your clients with protection from cyberattacks, there is much more value in providing your clients with a comprehensive Security as a Service offering that includes antivirus, network firewall management, endpoint security, patch management, access control, and backup and disaster recovery. Work with your clients to understand all of their security vulnerabilities, and provide them with total solutions that will keep their entire networks, data — and their businesses — safe.

If you want to see additional information in our product comparison or insights on how providing a web application firewall can make a positive impact on your business, please reach out. We welcome your feedback.