Fortinet FortiWeb Reviews

I use the solution in my company, as we mostly load some web applications at our data center and use it to ensure that the web pages are properly secured.

Actually, most of the features of the tool are really good, but I would like to emphasize the importance of its machine learning features, as it can be implemented smoothly in Fortinet FortiWeb, and it is very helpful for our company.

Though the reporting is a nice aspect associated with the tool, I feel that it has certain shortcomings and can be made better. The reporting part can provide more information and be more specific.

Fortinet FortiWeb's admin guide could offer more, like, examples or features on how to implement the tool. It can provide information on how a user can make use of it in different usages, and that can help a lot. The admin guide is satisfactory, and it meets our company's needs.

Actually, my company would like it if the product could implement scanning attachments for exchange for assets or exchange needs. The aforementioned area consists of the feature that my company wants to apply, but it is not supported in Fortinet yet. My company needs the product to support us in the aforementioned area, and it can help us a lot by providing a layer of security that can check files and attachments in emails and other stuff, which would be great.

I have been using Fortinet FortiWeb for three years. I am an end user of the solution.

Stability-wise, I rate the solution an eight out of ten.

In terms of stability, it is a good solution that is easy to use and has many features and resources. The support offered by the product is good, especially since the support team responds on time, keeps you informed, and even follows up. Generally, it is a good solution to have and use.

My company has not experienced any downtime while using the product.

In our company, we have not implemented the product on a large scale.

Around 2,000 people per month use the product in our company.

Every single day, the tool is used to host web applications.

If our company needs to implement more hosted web servers, we will use Fortinet FortiWeb, but if not, then it will remain at the current number. Increasing the use of the tool is not my decision, and I just accommodate the needs of the organization.

The solution's technical support is good. When my company faced some problems with the product, I found the solution's support team to be very supportive and helpful. I rate the technical support a nine out of ten.

Positive

On a scale of one to ten, where one is difficult and ten is easy, I rate the product's initial setup phase as eight or nine.

The product's initial setup phase was straightforward, and since our company didn't have any problems with it, we didn't encounter many problems with the tool. Maybe our company encountered some problems with the product's setup because we used to use it to set up the servers or stuff, which took time, but now Fortinet FortiWeb handles everything smoothly and easily.

The solution is deployed on an on-premises version.

The solution can be deployed in a week.

If my company did not have Fortinet FortiWeb, then I believe that we would have had to host some of the services in an external data center with extra fees and there we would have had to pay for the web services, but we don't need that anymore because now, we have an on-prem web service that can promote us to be able to host as much as we need of web services.

On a scale of one to ten, where one is zero percent and ten is a hundred percent, I rate the ROI as an eight.

If one is very cheap and ten is very expensive, I rate the product price as three or four. The tool is cost-effective and offers value for money. I didn't mean it was very expensive. The price is fixed, but some features need an extra license.

My company was considering F5, but you actually went for Fortinet FortiWeb after considering the cost aspect.

My company doesn't specifically host e-commerce platforms since we offer mainly government services.

The security part has been satisfactory till now, and we haven't faced any problems yet.

FortiGate FortiWeb's features that have been most effective in mitigating web-based threats are possible because of the signatures. My company doesn't need to enforce a lot of policies or stuff. Fortinet FortiWeb has a lot of internal databases that can help you, and you can use whatever platform you are hosting your web applications through whichever software you use. it can build up a web protection profile that matches your needs, making it a very helpful tool.

Speaking about how machine learning features enhance our security posture, I would say that some aspects of the website are not normally clear for our company, and machine learning helps in such areas. It just traces the normal usage of the web applications along with the websites or links most users visit while also checking which URLs are mostly used, after which the tool differentiates between the normal usage and any abnormalities, based on which it builds the model that can be used to improve the security. Sometimes, a person cannot do things manually and is not sure about all the aspects of our web applications because many are not developers. Machine learning comes into the picture because one may not know all the stuff associated with the product.

A team of four or five people is enough to deploy the tool. Maintaining the tool is actually not a very big task and not many people are required for it.

The integration capabilities of the product with other security tools have benefited our company's security strategy as it sits smoothly in our network. The tool doesn't cause any problems with the integration part.

I would recommend that users use the tool's high availability. With the tool, one box is not enough, so there is a need to have a cluster of two boxes. Users need to measure their needs regarding the logging process and everything else, including processing. Even before starting to use it, we have to set up everything, or you would be confused about how to use the tool in the future, and it would be difficult to figure out how much retention log retention we would need in our company. It is important to set up everything related to the users' needs so that they don't need to change a lot of settings in the future.

I rate the tool an eight out of ten.

We sell a SaaS product deployed on the Azure cloud platform using Kubernetes. We offer a bundle of cloud-based services. The Azure firewall solution is too expensive, so we need to find an alternative solution. 

We are currently testing FortiWeb in a QA environment and plan to deploy it on top of our SaaS product. We are about 95 percent covered now, but we still need to work out some technical details. I believe we will be ready to deploy it into production in the next few months. 

We currently are using Azure's WAF solution, but it is a little bit expensive for a startup project. The Azure firewall has limited configuration options that aren't helpful in our use case. FortiWeb is easier to configure and has pay-as-you-go pricing based on traffic, which is ideal for a startup company. Once our product starts having steadier traffic, switching to something with fixed pricing might make more sense. Currently, it's a risk for the company. 

It's too soon to say what other benefits we'll see from FortiWeb because we're still in the testing phase. We've watched some training presentations, and we're still working on a strategy for how we'll use the tool. Once we have a clear plan, we'll put it into development, configure the template, and deploy it into production when it's ready. 

it isn't in production. If the developers say a setting isn't working, we adjust the firewall rule, the goal is complete the template before going into production. 

I like FortiWeb's usability and ease of configuration. It's simple to configure rules and exceptions inside the attack log. We block everything by default. If something isn't working, we ask the system admin to adjust the template and add exceptions. I'm interested in the AI attack pattern-matching feature, but we haven't tested it yet. 

API is another feature that we haven't used in production, but I'm generally pleased that FortiWeb has this ability, and we can customize our application how we want. 

We use Kubernetes, so I would like to have a plugin to configure FortiWeb Cloud automatically using Kubernetes Ingress. That would reduce the complexity of setting up an Ingress object in Kubernetes. Some competing solutions help you configure Ingress and Kubernetes automatically. 

We have been testing FortiWeb for the last four months. 

FortiWeb seems to be stable so far. 

FortiWeb features automatic scaling because it's in the cloud, so scaling up is easy. 

I rate Fortinet support an eight out of ten. We have only contacted them with a few questions, and they responded promptly. 

Positive

In recent years, we've spent money on various projects that required us to protect applications. We have the Azure firewall deployed, and we paid a third-party SOC company to monitor it for attacks. It didn't offer out-of-the-box complete protection easy to customize, so we configure it for watching threats and raised alerts, that's means additional effort. 

We feel that FortiWeb is a better way to go than Azure Web Firewall in our scenario because FortiWeb has some advantages in pricing and features. It's easier to configure and maintain. Also, FortiWeb uses templates. 

There was no initial setup because it's a SaaS solution. We only needed to configure it for our environment. The configuration was straightforward and only took a couple of hours. The only maintenance required is updating the templates. 

I would like to use the product based on our initial testing, so I think it's a sound investment. 

We still don't know what the real cost will be because the pricing is based on traffic, and the solution isn't in production. However, we expect it to be cheaper than the Azure Web Firewall.

I rate Fortinet FortiWeb an eight out of ten. 

We use the solution as a web access firewall (WAF) to secure our applications and use URL mapping to ensure only traffic filtered through the WAF is allowed. 

The environment the product is used in is one project in our GCP, and we're located in the Western USA. Two members of the infrastructure team operate FortiWeb within our organization.

FortiWeb filters a lot of unwanted traffic, which is good for our organization, as it would negatively impact our reputation if this traffic weren't screened.

The solution helps us to streamline tasks as it features a user-friendly console, and we can apply the WAF to all the URLs required for our publicly available applications. The templates offer either advanced or extended protection for those URLs, and we can see insights for specific URLs, such as total hits and how many requests are being blocked and allowed.  

The FortiWeb Cloud also saved our organization time through machine learning, which analyses traffic based on IP origin and geographic region. This is one of the solution's better features and saved us significant time. 

We have seen time to value with the product. After implementation, we let the solution run for a month, then reconfigured a few policies and templates. Within three months, we were getting the desired results.  

The policies and the filtering are the most valuable features, especially traffic, URL, and application filtering. The solution is excellent at detecting vulnerabilities. 

The product is great for blocking unknown threats and attacks. We've had excellent results over the past two years, and the way it detects and filters traffic is outstanding.  

The FortiWeb Cloud is straightforward to use; with a basic overview of how to apply policies, create NAT rules, etc., it's easy. The console is user-friendly enough that anyone can create and apply policies. 

The solution also helped reduce our false positives by 20-25%. 

Our organization receives fewer alerts thanks to the solution, and we don't have to think about the security of the URLs for applications. We put the whole domain behind the WAF, and if it's configured correctly from the beginning, we spend minimal time making changes and get the precise results we need. Our alerts have been reduced by approximately 5%.  

We want to see more detailed logging, such as audit logging, as this would significantly enhance the solution's reporting. We currently get some information from logs, but more would be better.

We've been using the solution for nearly two years. 

The solution is very stable. 

The product is scalable; we can easily scale up and down as required. 

I did the initial setup, which was very straightforward; the process includes putting an instance in the cloud and then adding the URLs of the domains to the template. The initial deployment took under two hours, but we needed to spend time reconfiguring the template later to reduce the number of false positives. One staff member can complete the setup, and it only requires basic knowledge.

Outside of updates and the initial reconfiguration, the solution requires minimal maintenance. 

The pricing is average; the product is neither particularly expensive nor affordable. 

Regarding the price-performance ratio, the solution is definitely worth the money.

I rate the tool nine out of ten. 

I advise anyone evaluating the solution to carry out a POC and recommend it overall.

We use the templates available in the Fortinet Web Cloud or WAF, which is sufficient to provide extended protection, traffic filtering, request blocking, and virus detection. 

Fortinet is our only WAF application because we've had excellent experiences with it. If any project requires security checks, we go with the solution.

We use it in front of AWS Web Application Firewalls for our web-based management console, as well as for all of our API services for our Windows agents.

Being a data protection company, we have to meet a lot of specific requirements for customers. When people would say, "Our standard practice is to do a pen test against your outward-facing servers," there was always a little bit of worry in the back of my mind: "Oh, man, is there something that I've forgotten about?" But nowadays, I don't have that at all. I know that it's all configured and running well. I know that people can run a pen test whenever they like and we'll pass with flying colors.

It can take a little bit of time if you want to be very particular about the traffic that you allow. FortiWeb is very configurable and that can take a little bit of time if you do want to be that particular. But apart from that, we don't really touch it much these days except if we get an email to say there's been a node attack. In that case, we might just want to check on things. But in general, once it has been configured, we can forget about that side of things and just get on with all of our other normal tasks.

Machine learning could be a little bit of a buzzword, but that's the whole advantage of using a cloud-based platform. You get the benefits of another site seeing an attack and Fortinet works out if traffic should be filtered or not. It's great all around.

Before this, we had our AWS Web Application Firewalls. The process would be to look at our web servers and see if there was any suspicious-looking traffic that had gotten to those web servers through the AWS firewalls, and then we would adjust the AWS firewalls accordingly to filter that out. We might even have had to write new code to stop things at the server level. FortiWeb has saved us hundreds of hours.

I'm quite particular about what I allow into our network. There were some false positives as we were configuring everything the way that I wanted it, but I can't even remember the last time someone had an issue with a false positive because we had it set too securely. With the machine learning and getting the benefit of traffic that is going to many different sites, Fortinet is able to know which traffic is legit and which isn't. As a result, we get fewer false positives.

Although the number of alerts is not that relevant for us, FortiWeb has definitely reduced the overall stress levels, especially at the management level. It's good to be able to present a report to C-level executives saying, "This is the amount of traffic that we've had coming in, and this is what has been blocked by Fortinet." We're able to show them that it is benefiting the business.

In addition, it has helped free up our infrastructure team, as they don't have to look after the AWS Web Application Firewalls.

When it comes to blocking unknown threats and attacks, I would give it the highest score possible. We first started using AWS and its Web Application Firewalls. That was okay, but it was quite a manual process to keep it up to date, whereas Fortinet is always up to date, and the default rules or the modules that you can turn on are very easy to use.

Overall, the solution is extremely easy to use. It's all very step-by-step. We just tell it what DNS records to approve and it sets up an SSL certificate. And then, all traffic just starts flowing through Fortinet and then straight over to us. Our network is quite secure, so we have allowed individual IPs that are listed by Fortinet so that we're not just blanket-accepting everything. It's enabling our web servers to be more secure by only allowing Fortinet, instead of the whole world, like we used to.

Also, if you want to diagnose something, rather than outright blocking it, you can just log it so you can see what's happening.

You can go through the audit trail as well. There might be a situation where it will prompt you to block everyone's traffic from a specific IP.

In terms of FortiWeb's advanced modules, we have two main, different Fortinet applications. One is for our web-based stuff and the other is for our Windows agents, which is all API traffic. We use different sets of the modules, or the advanced features, but across both, we use pretty much everything.

At the moment, it's very easy to see if an attack has come in, and what they've done. What I would like to see is that they turn on all logging so that we can even see legitimate traffic. But still, that's a very minimal issue.

It would also be helpful if they could introduce easier reporting. It's good to have those reports that go to C-level management, and Fortinet does provide some graphs, but if they went into some more detail, that would be great. Then I wouldn't have to do it myself.

I have been using FortiWeb for two to three years.

The stability is a 10 out of 10. We haven't had any issues.

We have thousands of customers that use our platform around the world. All of them go through Fortinet. We also have a few thousand Windows agents that all go through Fortinet. With the load balancing inside Fortinet, we're able to scale up our servers and Fortinet can always handle the traffic.

I haven't had to contact support much. These days, people don't really like contacting support. I have needed to do it on one or two occasions and they have been very helpful. It was by email and I got the answers that I needed straight away.

But the fact that I haven't had to contact support speaks to the ease of use of the system itself.

Positive

We just had web servers on the internet and the AWS Web Application Firewalls in front of them. I wasn't happy with those, so I added Fortinet in front of them. We still use AWS, but Fortinet is the first line.

We switched because I'm very paranoid. I'm big on security. Working in IT for many years, Fortinet was always a trusted name in routers, so I thought I'd give the FortiWeb web application firewalls a go and I haven't looked back.

The initial setup was a piece of cake, done step-by-step. We just had to add some DNS entries and that was about it. It tells you exactly what you need to do. I didn't need to contact support or ask for any help.

There were a lot of additional modules that I wanted to check out and that took a little bit of time. But getting a basic setup running was very quick.

There is no maintenance involved.

We haven't been hacked. I don't know what price tag you'd put on that.

I'm very security conscious, but at the same time, I can be somewhat cheap and I will only spend money if I think it's worthy or providing the value that it should. At no point have I thought of getting rid of Fortinet.

We saw value from it immediately. We were uncertain about how AWS Web Application Firewalls were protecting us. We weren't that confident, because we couldn't really see what was happening. Management was kind of uneasy as a result. As soon as we had this implemented, we could see the stats and a few graphs. Immediately, that peace of mind was had by all.

The pricing is pretty good. We do pass a lot of traffic through our API servers. Something like 100 gigs of web traffic is a fair amount for reduced JSON API calls, but the cost is $50. For that peace of mind, we have thousands and thousands of customers that are protected by that $50, so it's a no-brainer.

I had a look around, but I didn't test anything else. Fortinet was the first one that I did testing with and it met all my criteria, so I figured, "Why waste time looking at some others when this does the job?"

I recommend it to everyone. Because we're a data protection company, we have a lot of people who want to do pen testing against us, and I'm very confident that we're protected because of Fortinet.

If you're looking for a very comprehensive web application firewall, which is both simple to set up and also has a huge number of features to turn on, features that can give you some added protection for specific needs, give Fortinet a go. It's worth your time, and it won't take much time either.

Our company uses the solution to provide firewall and web security services to our customers around the globe.

Our use cases are on the back end for banks and the financial sector where we automate monitoring and deployment. 

We do not have a portal, so are limited to a maximum of 3,000 users. We currently have 2,000 users and three maintenance technicians. 

In the future, we will add front-end service. 

Depending on our client's needs, we pair the solution with other business applications.

The solution is easy to configure and deploy.

There is a richness in the rules and out-of-the-box tools that is not available with native firewall solutions.

A user interface or dashboard for troubleshooting is needed so technicians without knowledge of the network or common hardware can visualize the environment. 

Accounts should be set up in the user's name, not the company's name. 

I have been using the solution for two years. 

The solution is stable and I rate it an eight out of ten. 

The solution is scalable and I rate it a ten out of ten. 

The initial setup was a bit complex for us because we were new to the solution. 

Technical support helped and trained us so we now handle setups with ease. 

We worked with the solution's technical support for our initial implementation but our internal team now handles setup and implementation for customers. 

The solution is a bit expensive when compared to other products. 

There are many security constraints that cannot be fulfilled by native cloud firewalls such as Azure and AWS. 

For example, AWS has a limitation of 8GB with regard to request values. 

We recommend the solution and its next-generation capabilities including ease of configuration, code being contained within the IIC engine, how templates and terraforms are handled, and superior wave and firewall security.

We are continually conducting research on next-generation firewalls because the solution can be a bit expensive.  

I use solution a lot and recommend it with a rating of seven out of ten.

We use it for all our hosted web applications, so they are routed via FortiWave and Fortinet. We use both the network firewall and the application firewall. The whole infrastructure and everything else are protected. Fortinet protects the web infrastructure.

There are very few specific things that are not present in cloud-native firewalls, like Azure Firewall or AWS Firewall. They lack many features, such as the ability to handle paths in requests larger than eight KB. For example, if you upload a document or the page size exceeds eight KB, you might face issues with AWS and other cloud-native firewalls. FortiWeb can handle requests of up to 10MB, providing this capability. It also has a very user-friendly UI. Even someone new to FortiWeb or any firewall system, with the right contextual knowledge, can configure it effectively. The support and documentation provided by Fortinet are generally sufficient for any team to manage infrastructure using Fortinet and FortiWeb.

Native cloud firewalls, like AWS WAF or Azure Firewall, have limitations compared to next-generation firewalls like Fortinet FortiWeb or other solutions. While AWS and Azure have security features, they are often tailored to their specific technologies and may lack some advanced capabilities in next-generation firewalls. This is why we sometimes opt for solutions like Fortinet, even in a cloud environment.

Fortinet FortiWeb has strengths, but there is room for improvement. For example, its threat intelligence capabilities may not be as advanced as some competitors. While Fortinet excels in many areas, it could enhance its advanced intelligence features. However, in terms of configuration, maintenance, and securing infrastructure, Fortinet remains a strong option.

I have been using Fortinet FortiWeb as a partner for five to five years.

I rate the solution’s stability a seven out of ten.

It is suitable for enterprises.

I rate the solution’s scalability as seven or eight out of ten.

We have a procurement team and a support engagement team that is helping us with issues. They are maintaining the SLA and all those things.

Deployment can be straightforward, like spinning up EC2 instances or Azure VMs with Fortinet, which can be a one-click process. The complexity arises from configuring Fortinet within your specific ecosystem. The configuration depends on the size and nature of your infrastructure, including the number of machines and appliances and the types of systems you are protecting, such as APIs, normal instances, or mobile applications. While deploying Fortinet itself might be quick, configuring it to fit your environment and security needs takes additional time and effort.

Many other companies offer similar capabilities. We also use other solutions, but Fortinet FortiWeb has strong bot capabilities for threat protection and excellent geo-restriction features. It also handles malicious IP prevention and is easy to use. Our experience has been positive. We’ve only enabled the algorithms provided by FortiWeb and haven’t customized the configuration beyond what FortiWeb offers. The existing rules and features for FortiWeb are good.

If you need a next-generation firewall to meet industry and security demands, relying solely on native cloud firewalls like Azure Firewall, AWS Firewall, or Google Cloud Firewall may not be sufficient. These native firewalls often lack the advanced features to protect against various threats. It is advisable to consider solutions like Fortinet FortiWeb or Cloudflare to ensure robust protection.

It's a trade-off between price and the service you receive. If you're paying less for a solution that provides good services compared to a competitor where you might pay more for similar support and features, then Fortinet could be a viable option. It might be better if another solution, like Cloudflare, offers better value across multiple aspects such as service, cost, and support.

Overall, I rate the solution a seven out of ten.

The solution offers good configurations and works well with other Fortinet products.

The solution is scalable. 

We found the implementation process to be simple. 

If you want to block domains, you can do so. You do have the power to control access.

The product needs to be more stable. 

We have issues between primary and secondary IP. Secondary IP addresses cannot be on the same subnet as any primary or secondary subnet. You need to follow up between the primary and secondary. If you don't, there will be a problem. When your public applications are not working properly, the single point of communication from the public domain is an issue. If I want to resolve the situation, a quick solution is I need to fail over the primary to the secondary, and it will just start working. However, that is not a permanent solution. I don't know what the problem is exactly, and how we can permanently address the issue. 

If the price was lower, it would be a bit more attractive, as an option, to the customers. 

You do need to ensure you do the configurations carefully. Otherwise, you may have issues. 

I've been using the solution for two years. 

We can scale the solution. We typically work with enterprises, so, larger-scale companies. In our customer's company, they have about 6,000 to 10,000 people on the solution. 

Technical support is very good. they are quite helpful and responsive. 

I also use F5. It's got better pricing and is quite stable as well. However, if you don't know how to configure it, it can be a disaster. 

The initial setup is easy. It's not overly complex or difficult. 

It can be deployed in about half an hour. It doesn't take long to have it up and running. 

I handle a lot of implementations and can handle the process. 

The pricing could be better. They charge a bit more. That's why F5 is everywhere right now. The customer can see that F5 is stable and everything is working well, and then they see the price, and it's very attractive to them. 

I'm just a customer and end-user. 

I'm a consultant. Our customers are working with Fortiweb in their companies.

I'd rate the solution eight out of ten. 

The primary use case of this solution is to protect web applications, web servers, and our customers' mobile applications. We are a Fortinet partner and integrator, installing both appliances and VMs. I'm a network security consultant. 

There are many valuable features in this solution including vulnerability scanning, IPS, and geolocalization. The product is user-friendly and simple.

The solution currently lacks a VM demo to enable testing prior to purchasing. It would make things easier for our clients to choose this product if they had that ability. We are based in Tunisia and the lack of multilingual technical support is problematic at times. 

I've been using this solution for five years. 

The solution is stable. 

The solution is scalable. 

We generally use the chat or phone for technical support with the occasional remote session with the technical team. The customer service is good but lacks a multilingual element that would benefit us. 

Positive

I previously used the Cisco IOS CLI for the web interface. It's more complicated than Fortinet. Fortinet offers simple, easy-to-use solutions. We are also a vendor for F5 which offers similar features and functionality to Fortinet but is more expensive. 

The initial setup is straightforward, it's a matter of choosing the architecture, the deployment mode, and configuring. Deployment time depends on the client's application. If it's a matter of one or two applications, deployment can take between two or three days. If there are many more applications that require protection, it can take over a month.

This solution works best for medium and enterprise-size companies. One of our clients is a bank, another is an educational institute with over 20,000 users. 

I rate this solution eight out of 10.