What is our primary use case?
We have websites that clients access from the internet, so we use it to protect these websites and to load balance between the backend servers.
We have FortiGate firewalls with IPS sensors and so on.
How has it helped my organization?
The WAF profiles have been most effective at mitigating web-based threats – probably something standardized, but again, we haven't tested it on heavily used websites. The websites that we use it for so far are just average websites. It can likely protect from some requests like bots and stuff like that.
The AI/ML-based detection in FortiWeb has enhanced our web security posture to some extent. It's good with general stuff. Again, it's not specialized. So, standard WAF threats, like bots, it can detect those faster. It's good for the average website, average requests, and the average security setup. But we have other malicious requests that are probably outside the typical OWASP threats – they're specialized for our organization.
For example, if you have the FIX protocol, the financial protocol... if attackers can get into it with a targeted client ID... these threats aren't in the standard OWASP list because they're not general attacks that everybody faces. They're very specific. Now, many companies use the FIX protocol on private circuits, so they're protected outside of breach attempts. But, believe it or not, we have FIX open on the public internet for some websites, and those need protection. They need something outside the WAF that FortiWeb doesn't have. You can try to apply the WAF, and it might catch a threat if it originated from a bot. But if somebody is malicious enough to go under the bot detection radar, they could still process it.
So, for known threats, like bots, the detection is good. For APIs, it's also good because it can detect anomalies with standard API attacks. Again, these are mostly average, non-targeted attacks.
If an attacker specifically targets your organization, understands your protocols and business model... the standard protection is good because it detects things that aren't coming from a browser – it recognizes that it's not normal user activity or anomalies on your website. That's beneficial.
Most bot-generated attacks don't come from a browser. I did notice that it can detect when the request is not coming from a browser – it recognizes that it's not normal user activity on your website. It can detect anomalies publicly, which is good.
So, what would be good is this: put FortiWeb in front as the first line of defense. It can take care of a lot of the average user traffic and filter it out. You can keep that for your average applications, but when you have specialized applications behind that, then we need specialized protection for those applications – whether it's F5 or something else.
What is most valuable?
I like the integration with our existing Fortinet infrastructure. It's easy to integrate, and it's easy to make policy-driven. That's the feature I like – usability, simplicity, and ease of use.
What needs improvement?
I'd like more customization. I'm not sure if everyone would agree, as it might add complexity. But for advanced users, it would be really useful to have access and the ability to manipulate packets.
If we can access and manipulate the contents of packets, even encrypted packets... that would be powerful. Since we're looking at packets arriving at our network, we would have the private key to access those packets and their information.
For example, I have an encrypted packet, and I have the private key for the certificate provided in that client. If I could tell FortiWeb, "After the packet is decrypted, if you see this thing, do that thing," that would be beneficial for advanced users.
It would open up the possibilities for load balancing and specialized protection that we need but might be outside of the standard feature set.
Maybe we need to manipulate a variable with a specific name that's only relevant to our security needs. That customization would be very beneficial.
For how long have I used the solution?
I have been using it for a year now. We use the Fortinet solution – firewall, then FortiWeb, and all that. We have versions six and seven deployed since we're a global company with many different sites.
What do I think about the stability of the solution?
In my experience, it's mostly stable. But, when new versions come out, we've found issues. It seems like new versions fix some problems from older releases, but they also introduce new issues that we have to discover later. So, I'm not a big fan of always going to the latest and greatest version, particularly with Fortinet, since this might be a newer product area for them.
I need to be very careful with availability and reliability when upgrading versions. In comparison to vendors who have been in the business longer – like AWS WAF, or even desktop solutions with more experience – those tend to be more stable. They've been around longer, they've seen more issues, and they've fixed them.
So, FortiWeb's stability is a bit… it depends on how you use it. Let me put it that way. If you want to use something more advanced, be prepared for potential issues.
I would rate the stability a five out of ten because we've encountered a few issues that weren't great. We only discovered later that they were bugs in the system that would get fixed in future updates. So, Fortinet needs to work on that in my opinion. There wasn't the level of thoroughness I would have expected.
What do I think about the scalability of the solution?
It's not very scalable. I would put it on the low end of the scale. But again, that's my opinion because I work with a different business model where we use more advanced products – not just F5, but others as well.
F5 is the main comparison point for FortiWeb. We also use other protection solutions, and those are more scalable. So, I would rate FortiWeb's scalability as low. However, that might be an advantage for some people. If you have an average model and are protecting an average website, that's exactly what you need. You don't want a product with so many features that someone could accidentally misconfigure it and bring everything down.
In that scenario, it could take hours to get it back online, and there would be significant financial losses.
So, overall, I would rate the scalability a four out of ten. We have five endpoints for this solution in our company.
How are customer service and support?
The customer service and support are very good. They're responsive.
Which solution did I use previously and why did I switch?
We switched from Check Point to FortiWeb. There were two main reasons behind it:
- Fortinet offers more options when compared to Check Point.
- Also, support is cheaper – support-wise, it's significantly cheaper to get support from Fortinet.
Those were the main reasons.
We actually considered Palo Alto. I have lots of experience with Palo Alto, but we ended up not going with them because it's more expensive. The expense is not just in terms of support, but also the hardware itself. Check Point is more expensive in terms of support.
Fortinet wins in terms of lower cost, both for support and comparable hardware. And they have more options – a broader product line. It seems like Fortinet is trying to cover everything in the network. Check Point specifically focuses on firewalls.
Palo Alto offers broader security coverage than Check Point, but not as much as Fortinet, and they're the most expensive option. So, Check Point is just a standard firewall company – not flexible and very expensive for support.
We're still evaluating FortiWeb. In my opinion, it's a good solution for simple websites that you can set up and then mostly leave alone.
If it's an average website without advanced features or one that won't be developed into something more complex, then FortiWeb fits well. This simplicity could be an advantage for some users. I try not to rate things as simply good or bad – it depends on how you use them. It's a good product, especially since we have a lot to handle. If I have an average website, the last thing I want is someone making a wrong configuration change or an application update crashing everything. That would waste our department's time and money to troubleshoot.
FortiWeb is actually ideal if I have a small website with basic features – a place where people can go to read, post text, and maybe make simple purchases.
I would set it up and then mostly forget about it. It's great when it gives you no headaches and works reliably. It's like using the right vehicle for the job. You don't want a huge truck to go grocery shopping. You need a small, efficient car. But if you're in the moving business, a truck is what you want. So again, it's a tool for its purpose. I don't see it as good or bad, but rather if it's good for this specific thing. I do see scalability as a limitation, but it's scalable for its intended use. It's a great tool for what it's designed to do.
We might use it more in the future, likely as a result of more website development, not driven by our IT plans. Our websites might evolve as the market does. I'd put FortiWeb on our standard user sites. I'm happy with that. But if we need specialized features, then we'll need a specialized solution. That's just my opinion.
Ultimately, how FortiWeb evolves depends on business needs and justification. If something new and big comes along in the market – something that needs to move huge amounts of data – we might need different tools. Or, if the market just demands short video clips, then maybe FortiWeb is fine.
How was the initial setup?
There are limited options with FortiWeb, and there's not much you can configure incorrectly. So it's easier in that sense – you go next, next, next, and it works.
So, the initial setup was pretty easy. I would rate my experience with the initial setup an eight out of ten, with ten being easy to set it up. That's really what I like about it.
In my understanding, I'd position FortiWeb as a first line of defense, a tier-one solution. It would remove all the known attacks easily. I set it up once, and it handles probably 80% to 90% of undesirable traffic. But then, for the remaining ten percent, where specialized attacks require more tailored protection, I'd need a second line of defense – something more specialized.
It passed all the standard attacks; now I need to detect those malicious actors who are deliberately trying to stay under the radar of published detection mechanisms.
That's something FortiWeb could improve upon for advanced users. And it's really about advanced features for specialized applications or specific business models. It's for those companies where they need deeper protection.
What about the implementation team?
I didn't deploy it myself. We received a solution where our firewall was changed, and FortiWeb was included. We migrated policies, so our situation was different. However, something like this could be deployed over a weekend. If you have a Fortinet firewall and want to add FortiWeb for protection, it's likely a weekend project. That's just my opinion.
I don't think this solution needs dedicated maintenance. But with any product like this, you need someone to monitor it. It depends on your company's model. If you're a 24/7 operation, you probably need 24/7 support.
What was our ROI?
From a technical perspective, it's been reliable for average applications and doesn't consume a lot of our time for management.
The support is handled by Fortinet, so our administrative overhead is low, which seems like an acceptable return.
What's my experience with pricing, setup cost, and licensing?
The pricing is in the middle. I would rate the pricing a five out of ten. It feels like a justified cost for the features, but it might get more expensive in the future. Also, keep in mind that Check Point's support contracts are particularly expensive.
In general, there is additional cost for support. But Fortinet support is generally cheaper than Check Point support. Palo Alto is even more expensive. This information is publicly available – you can compare comparable hardware and support contracts on their websites.
Check Point tends to be the most expensive. This is just general information, and my understanding might not be perfectly accurate.
Which other solutions did I evaluate?
We also use F5. What happened is that we used Check Point as well. So when we replaced Check Point, we were offered this product with FortiWeb. So, we use it for some websites, but we have another solution we use for web applications. We want to test how FortiWeb works before potentially replacing F5. That's the advantage. We offered to use it with that POC first, and then we rolled it to a few of our websites since we have many different websites in the organization.
In my personal experience, F5 gives us more flexibility to do whatever we want. Fortinet FortiWeb is very restricted. We have templates and some profiles, but there's limited customization.
F5 is a more open platform. You can customize how you want to handle requests and what you want the device to do. FortiWeb is an easy solution to implement; F5 is not as easy.
I find F5 easy because I've been working with it for a long time. If you're a newcomer without experience, it would be easier for you to get FortiWeb working than F5, definitely.
To summarize my personal opinion, I see FortiWeb as targeting people who don't want to spend a lot of time configuring or customizing. If you need something quick and not very customizable, FortiWeb is an option. You don't need people with lots of experience with it because there aren't many choices. It seems, and this is again my personal opinion, that the people who designed FortiWeb are the same people who designed their firewall, which makes sense.
With the Fortinet NG firewall, you have a GUI to allow traffic from point A to point B – anyone can do this from the get-go. It's the same concept with FortiWeb, but it's very limited in what you can do. It's restricted, so it's ideal for somebody who just has a classic website without many options and they have average clients accessing it from the Internet. You don't have many options to make a mistake. But for our organization, and others with in-house developed products, you need something more flexible.
Fortinet won't cut it if you need people to come in and log in to trade stocks or exchange data using custom-built clients. You want to restrict and control these things. You have to go with something like F5 because it gives you that flexibility. With F5, you can capture a packet and rewrite it – it's programmable. You cannot do that with Fortinet.
Another limitation is with load balancing. FortiWeb gives you limited options, good for someone who has three or four servers and wants to load balance between them. F5 has a plethora of load-balancing algorithms, plus you can create your own.
To give examples, we have applications with a set of servers in different sites. We use geolocation, but also user behavior. Based on where the user is coming from and what they do on the site, we direct them to different servers. Fortinet FortiWeb doesn't have that flexibility, F5 does. Those are the main differences from my perspective.
So, FortiWeb is good for somebody who wants something to turn on, doesn't have a lot of experience, and just needs to protect a couple of servers behind a load balancer. If something goes wrong, troubleshooting is easier, and you can raise a ticket with Fortinet. With F5, you need to go deeper into troubleshooting code if you have complex configurations.
FortiWeb is good for classic websites. We do use it for situations like a couple of servers, or three or four servers – even seven in certain data centers – where we need to load balance between them, protect them, and have web access from the internet for public access. Your average users and average requests, it works fine. You turn it on, you don't touch it, and it works fine. But if we want something with a lot of products that we develop in-house, you can't do all these things. You need different load balancing algorithms because of specific use cases.
For example: We also have users uploading a lot of data. We can't just put them with many other users because they cause congestion. So, we need to load balance them – when they do normal requests, send them to the regular servers, but when they do bulk data transfers, we want to send them elsewhere. We need to do this, and these requests come from the same users on the same webpage, but they're clicking a different button. So we need to intercept that and say, "Oh, now the user wants to do this, let's send them there."
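The two routing requirements described above (geolocation-based steering, and sending bulk transfers from the same user to a separate pool while their normal clicks stay on the regular servers) can be expressed as a small content-aware backend selector. The following is an added illustration written for this page; it is not FortiWeb or F5 code and shows no product API. The region prefixes, pool names, upload path and 8 MiB bulk threshold are all constructed assumptions.

```python
"""Constructed example: geo- and content-aware backend selection.

Not vendor code. Demonstrates the routing the review asks for:
  1. pick a regional pool from the client's source IP,
  2. classify the request as normal 'web' traffic or a 'bulk' transfer,
  3. round-robin inside the chosen pool.
"""
from dataclasses import dataclass, field
import ipaddress

# Assumed region table (documentation prefixes, RFC 5737), constructed for the example.
REGION_PREFIXES = {
    "eu": [ipaddress.ip_network("203.0.113.0/24")],
    "us": [ipaddress.ip_network("198.51.100.0/24")],
}
DEFAULT_REGION = "us"  # assumption: unknown sources go to the US pool

# Assumed backend pools, keyed by (region, traffic class).
POOLS = {
    ("us", "web"): ["us-web-1", "us-web-2", "us-web-3"],
    ("us", "bulk"): ["us-bulk-1"],
    ("eu", "web"): ["eu-web-1", "eu-web-2"],
    ("eu", "bulk"): ["eu-bulk-1"],
}

BULK_THRESHOLD = 8 * 1024 * 1024   # assumed cut-off: bodies >= 8 MiB count as bulk
UPLOAD_PREFIX = "/api/upload"      # assumed path behind the "bulk upload" button


@dataclass
class Request:
    """Minimal view of an HTTP request as seen after TLS termination."""
    client_ip: str
    method: str
    path: str
    content_length: int = 0
    headers: dict = field(default_factory=dict)


def region_for(ip: str) -> str:
    """Map a source address to a region using the prefix table."""
    addr = ipaddress.ip_address(ip)
    for region, nets in REGION_PREFIXES.items():
        if any(addr in net for net in nets):
            return region
    return DEFAULT_REGION


def traffic_class(req: Request) -> str:
    """'bulk' if the request is a write to the upload endpoint or carries a large body."""
    is_write = req.method in ("POST", "PUT")
    if is_write and (req.path.startswith(UPLOAD_PREFIX) or req.content_length >= BULK_THRESHOLD):
        return "bulk"
    return "web"


class Router:
    """Selects a backend: region and class choose the pool, round-robin chooses the member."""

    def __init__(self, pools=POOLS):
        self.pools = pools
        self._next = {}  # per-pool round-robin cursor

    def select_backend(self, req: Request) -> str:
        key = (region_for(req.client_ip), traffic_class(req))
        members = self.pools[key]
        i = self._next.get(key, 0)
        self._next[key] = i + 1
        return members[i % len(members)]


if __name__ == "__main__":
    router = Router()
    same_user = "203.0.113.10"
    # The same user clicks a normal page, then the bulk-upload button:
    print(router.select_backend(Request(same_user, "GET", "/")))                          # eu-web-1
    print(router.select_backend(Request(same_user, "POST", "/api/upload", 50_000_000)))   # eu-bulk-1
```

Because classification happens per request rather than per client, the same session can hit both pools depending on what the user does, which is exactly the "intercept and send them there" behaviour the review wants. A real deployment would read the client address from the load balancer's own connection (or a trusted forwarding header), not from anything the client can set freely.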
What other advice do I have?
I can't give general advice because I work with medium to large-scale organizations – my perspective is different from someone who uses a few servers in a data center. So, my advice for larger companies is that you need to have a very clear analysis of your specific needs. Each configuration option can make or break your business at that scale.
In my opinion, FortiWeb would be a good fit for load balancing between three or four servers in a single physical data center location. And if you primarily want protection from standard, known web threats – OWASP type of stuff. If you have an application in one place and don't need to do specialized manipulation of requests to the website, then it's a good solution.
Overall, I would rate the solution a five out of ten because it lacks advanced options and isn't very scalable. It seems suitable for average websites – that's my personal opinion.
Which deployment model are you using for this solution?
On-premises
*Disclosure: I am a real user, and this review is based on my own experience and opinions.