Fortinet FortiWeb Reviews

We have websites that clients access from the internet, so we use it to protect these websites and to load balance between the backend servers.

We have FortiGate firewalls with IPS sensors and so on.

The WAF profiles has been most effective at mitigating web-based threats – probably something standardized, but again, we haven't tested it on heavily used websites. The websites that we use it for so far are just average websites. It can likely protect from some requests like bots and stuff like that.  

The AI/ML-based detection in FortiWeb has enhanced our web security posture to some extent. It's good with general stuff. Again, it's not specialized. So, standard WAF threats, like bots, it can detect those faster. It's good for the average website, average requests, and the average security setup. But we have other malicious requests that are probably outside the typical OWASP threats – they're specialized for our organization.

For example, if you have the FIX protocol, the financial protocol... if attackers can get into it with a targeted client ID... these threats aren't in the standard OWASP list because they're not general attacks that everybody faces. They're very specific. Now, many companies use the FIX protocol on private circuits, so they're protected outside of breach attempts. But, believe it or not, we have FIX open on the public internet for some websites, and those need protection. They need something outside the WAF that FortiWeb doesn't have. You can try to apply the WAF, and it might catch a threat if it originated from a bot. But if somebody is malicious enough to go under the bot detection radar, they could still process it.

So, for known threats, like bots, the detection is good. For APIs, it's also good because it can detect anomalies with standard API attacks. Again, these are mostly average, non-targeted attacks.

If an attacker specifically targets your organization, understands your protocols and business model... the standard protection is good because it detects things that aren't coming from a browser – it recognizes that it's not normal user activity or anomalies on your website. That's beneficial.

Most bot-generated attacks don't come from a browser. I did notice that it can detect when the request is not coming from a browser – it recognizes that it's not normal user activity on your website. It can detect anomalies publicly, which is good.

So, what would be good is this: put FortiWeb in front as the first line of defense. It can take care of a lot of the average user traffic and filter it out. You can keep that for your average applications, but when you have specialized applications behind that, then we need specialized protection for those applications – whether it's F5 or something else.

We use FortiWeb to protect our web applications, including web servers, websites, and mobile apps – especially mobile payment apps. As an integrator, we also sell FortiWeb to our clients.

It is mainly for banking and NCS sector clients, but we also have others like universities and industrial companies.

After configuring security profiles and policies in FortiWeb, it does its best to block all web attacks, including SQL injections and other types of attacks. While I don't have the interface in front of me to provide exact details, FortiWeb is highly effective in this regard.

Most of our clients use reverse proxy mode. In this mode, FortiWeb acts as a reverse proxy, preventing attackers from directly connecting to the server or web server. All traffic passes through FortiWeb, allowing us to inspect everything.

We have multiple environments. Some applications are in Oracle Cloud, some are in Azure, some are in GCP, and some are on-prem. We wanted a single solution for web applications, and that's why we chose FortiWeb. In the case of the cloud, we don't even have to manage it. It's a managed service from Fortinet.

We have not been using it for a very long time. It has only been eight months, and so far, there have been two main benefits. The first benefit is that if I have an on-prem solution, I can buy their hardware and deploy it, but the configuration is the same. If I have a cloud, I can use FortiWeb as a service or as a virtual machine. It depends on requirements, but the configuration remains the same. The configuration doesn't change. We have a lot of global parts and a lot of teams are working on it, so it gets easy to communicate and verify the configuration and create a baseline.

Costing is another benefit. The cost is based on the traffic. If an application is used, we pay for it, but if it's not used, we don't have to pay for it. With other solutions, we have to buy the solution, and then we have to purchase or take licenses. If they aren't used, we are just burning money without any use.

We are using anomaly detection and bot mitigation. In terms of anomaly detection, it is able to find the behavior. We have some applications where normal users are logging from India, and if the behavior changes, it gives us an alert, but in terms of bot mitigation, I haven't found much.

It's easy to use. I don't have to do any changes in my environment. For example, if I use Azure WAF, I have to use a traffic gateway, load balancer, or something similar, whereas, with FortiWeb, I don't have to change any architecture. I just have to change my DNS entry. That's it. If I'm able to change my DNS entry, FortiWeb works.

Adding new applications is also quite easy. You just add the application and change the DNS settings, and you are good to go. Whether you want to block or unblock, or you want the learning mode or protection mode, you can enable or disable it with just one click, and you are good to go. Most of the settings are already there if you want to tweak them. It has a GUI. You must have to click here and there. The documentation is also good. If I don't know something, their documentation is quite helpful. A lot of people are using Fortinet, so YouTube videos and articles are also available.

The configuration part is easy. The configuration and implementation process is streamlined. We don't have to change anything. We don't have to follow 10 processes. It's a single process with which everybody is familiar. Manpower and manhours are saved because a lot of discussions are avoided. It also helps us in creating a baseline. We now have a baseline of what we need. So, from an instant response point of view, it's easy for us because we are getting the same results out of it.

It has reduced false positives. As compared to my old solution, there is at least a 17% to 18% reduction.

It has reduced the number of alerts that our organization receives. There is a 50% to 60% reduction in alerts.

It has saved us time. We were spending around three to four days setting up our old solution, whereas now, we are spending a maximum of four hours.

We use FortiWeb as our web application firewall. 

FortiWeb provides the level of security we need at an excellent price point. It's easy to deploy and operationally efficient. FortiWeb enables us to streamline tasks. It's a robust solution that's effortless to configure. The AI and machine learning features help us block unknown threats. 

We can bring our web applications online faster because FortiWeb shortens the time needed to bring any application into production. Compared to other application firewalls, FortiWeb has a smoother process for bringing applications online. 

FortiWeb has few false positives. It's more accurate than other solutions, so we also see fewer alerts. FortiWeb has helped free up IT staff for other projects. You don't need to spend much time getting applications ready for the web, so IT staff can use this time to manage other things. 

We are a payment processor with infrastructure deployed across various environments, including AWS, on-prem, and various other environments. We are PCI Level One certified, and one of our requirements is WAF. FortiWeb is a tool we use to secure access to our public-facing applications and services.

Our environment is primarily cloud-based, and all of our services are AWS. We were in the process of migrating to the cloud when we implemented FortiWeb, but we still needed to maintain some on-premise infrastructure to serve different regions. We were happy with the solution after deploying it in the cloud, so we discussed the possibility of also using it with our on-premise applications based on the initial results. Many of those services are now moving to the cloud, so we won't deploy them on-premise anymore. 

We are using FortiWeb across multiple locations in London and Singapore, so we have WAF services sitting in front of applications across both sites. Our applications include various payment processing platforms, fraud prevention tools, and other related customer-facing services based in various locations within the AWS cloud.

A ten-person network team is responsible for administering FortiWeb. It's difficult to say precisely how many end-users there are because we provide this solution to third parties, but around 160 clients connect to the applications behind these services. Our clients are typically small or medium-sized enterprises.

FortiWeb provides an additional layer of security that we didn't have previously. We have a next-generation firewall deployed in our cloud infrastructure, but the WAF is the most external-facing piece. The WAF passes traffic to our internal next-generation firewalls.

We have also benefited from FortiWeb's load-balancing capabilities. FortiWeb enables us to load-balance without the need to take on an additional service. In most cases, we've been able to use load balancing provided by the AWS gateway. We have two servers with services deployed across multiple availability zones behind there. In addition to security, WAF allows us to load balance traffic across those servers in various availability zones without adding more load balancers.

FortiWeb streamlines tasks because we've eliminated other functions like load balancing. The API is also excellent. Someone on my team created an application that integrates with the API to quickly add new IP addresses without changing the templates. We've found it's helped us streamline some of our usual BAU tasks.

We already had a low false positive rate, but FortiWeb has lowered it further. Detections in our report tend to be accurate. We still get occasional false positives, but some of that probably relates to our custom-built applications. FortiWeb decreased our false positives by around 30 percent. 

We used to get a lot of alerts from our traditional firewall, but the number has declined significantly since deploying FortiWeb. It was a reduction of about 70 to 80 percent. The alerts coming from FortiWeb are helpful. They inform us of things that require action. We previously got many alerts from our public-facing services. We didn't have an efficient means of getting alerts. The same threat provided multiple alerts. That would keep going and could be overwhelming at times.

We use the solution as a web access firewall (WAF) to secure our applications and use URL mapping to ensure only traffic filtered through the WAF is allowed. 

The environment the product is used in is one project in our GCP, and we're located in the Western USA. Two members of the infrastructure team operate FortiWeb within our organization.

FortiWeb filters a lot of unwanted traffic, which is good for our organization, as it would negatively impact our reputation if this traffic weren't screened.

The solution helps us to streamline tasks as it features a user-friendly console, and we can apply the WAF to all the URLs required for our publicly available applications. The templates offer either advanced or extended protection for those URLs, and we can see insights for specific URLs, such as total hits and how many requests are being blocked and allowed.  

The FortiWeb Cloud also saved our organization time through machine learning, which analyses traffic based on IP origin and geographic region. This is one of the solution's better features and saved us significant time. 

We have seen time to value with the product. After implementation, we let the solution run for a month, then reconfigured a few policies and templates. Within three months, we were getting the desired results.  

I use FortiWeb to protect all the domains in my organization. It safeguards my entire web segment. All the connections to my environment that do not come over VPN are protected by it, which is crucial as I work in the financial sector with a strong focus on security. FortiWeb stands in front of my environment, where either a firewall or WAF is used to inspect all inbound traffic.

It helps protect my organization by providing robust security measures for our web segment. By onboarding all my APIs and web applications onto FortiWeb, it ensures that traffic not coming through the firewall adheres to stringent security protocols. The SaaS model of FortiWeb also helps in managing latency effectively despite our users being in Nigeria while the infrastructure is based in Europe.

Our company uses the solution to protect websites from SQL injection and excessive attacks on Layer 7. 

We have 500 users throughout our company. 

The solution is very easy to use with little instruction. 

The anti-defacement feature is very useful because it looks for web changes over time to protect pages.