Fortinet FortiWeb Reviews

Fortinet FortiWeb's use case is associated with WAF or web application firewall. Before a platform faces the internet, Fortinet FortiWeb inspects the traffic.

Fortinet FortiWeb is much cheaper compared to other solutions like the ones from F5 Networks, which have more capabilities. I think Fortinet FortiWeb is not as capable as F5 Networks, but it is cheaper. The key point for Fortinet FortiWeb is that when I give it to the customers, I see it is cheaper than F5 Networks.

All the players in the market are already using AI. In the AI area, I don't find any specific feature for Fortinet FortiWeb that is special compared to the other products in the market.

Fortinet FortiWeb's ML features are good, but they do not make the tool any special because all the products in the market, like F5 Networks, already use AI features. The AI feature does not make Fortinet FortiWeb any special.

The tool's WAF or web application firewall area has certain aspects that can be improved. I cannot find what features superficially can be improved in the WAF area of the tool.

Fortinet FortiWeb can be applicable for small or big networks. In my opinion, Fortinet FortiWeb can manage or improve its log management capabilities. As far as I know, FortiGate has a limit, which means it can be used for logging for seven days, and maybe it is because Fortinet wants to speed up the selling of another product called FortiAnalyzer. FortiAnalyzer is a device dedicated to logging analytic solutions. Fortinet may limit the capability of logging in Fortinet devices so that customers buy FortiAnalyzer for log analytics.

I have been using Fortinet FortiWeb for three years. My company is a reseller of the solution.

I don't know about the tool's scalability.

I rate the technical support a nine out of ten.

Positive

I also use FortiAuthenticator.

The product's initial setup phase can be somewhat complex depending on what software needs to be protected by Fortinet FortiWeb. If the web application is simple, the configuration can be made simple. If there is any specific need to protect the area in the web application, it is more tricky to configure Fortinet FortiWeb. It depends on what kind of web application needs to be protected by Fortinet FortiWeb. Overall, the tool's configuration is neither easy nor difficult.

If one is cheap and ten is expensive, I rate the tool an eight.

The product's document says that Forinet FortiWeb can detect zero-day attacks, but it needs more devices like FortiSandbox for help. Fortinet FortiWeb needs to be integrated with FortiSandbox. I think it is Fortinet's strategy to upsell other tools because Fortinet doesn't want to put the solution in one box or one device. If you want another feature, Fortinet wants you to buy another box.

I rate the tool an eight out of ten.

FortiWeb is used for protecting against malicious activities, such as SQL injections, for outward-facing web forms.

The most valuable features of FortiWeb include its dashboard and out-of-the-box integrations with other Fortinet products, which enhance its effectiveness. FortiWeb's position as part of the Fortinet platform makes it particularly beneficial for Fortinet customers, offering seamless integration and operational cost savings.

There is room for improvement in the portability on multi-cloud environments. Enhanced DDoS integration to make FortiWeb more unified with other Fortinet products could be beneficial.

I have personally been working with FortiWeb for approximately two years.

I would rate the stability of FortiWeb as nine out of ten, indicating highly stable performance.

I would rate the scalability of the product a seven out of ten. While it is multicloud-enabled, there is more automation in other products that may better suit complex environments.

I would rate the customer service and support as nine out of ten.

Positive

Our team, consisting of three certified Fortinet engineers, handles the deployment, although globally, Exclusive Networks has a large team of certified engineers.

Operational costs decrease when using FortiWeb within the Fortinet stack due to integrated assessments and security event management.

I would rate the licensing cost as seven out of ten, considering it good value for money. The price is affordable and reasonable for the features offered.

We also work with other vendors such as F5, Proofpoint, and Palo Alto, however, Fortinet stands out for its holistic vision of cybersecurity.

Overall, I would rate FortiWeb an eight out of ten for existing Fortinet customers due to its seamless integration and good value for money.

I use the solution in my company to make web applications more secure because we have a special portal or web interface that we have to make secure for cybersecurity and different accesses. We found that FortiWeb Web Application Firewall (WAF) works fine for such use cases.

The tool's most valuable feature is the web access it offers. We control every access, like who goes in and what they do.

The tool's price and performance are areas of concern where improvements are required.

I have been using FortiWeb Web Application Firewall (WAF) for three years.

It is a 100 percent stable solution. Stability-wise, I rate the solution a ten out of ten.

My company has three customers using the tool. One of the customers has 1,00,000 users.

My company manages the technical support with around four people, so it is not a complex process for us to handle. In general, the tool's support team is friendly.

The product's initial setup phase was easy.

The solution's deployment needs a bit of time because we have to discuss it with the deployment team, which consists of software. The project keeps growing and changing daily, so if the people involved in the deployment make new software, we have to change something. It is an easy process and can be managed in around two weeks by one person.

The tool is really expensive. In our company, we could do a lot more, but the price is always a point covering areas like why we need one, whether it is important to discuss, why it is so expensive and so on.

Speaking about the licensing model, people need to opt for a subscription-based model. My company likes to have a subscription for at least three or five years because, otherwise, you have to renew the license. Managing the licensing part for one person can also be very complex.

The solution helps protect our company's web applications against common threats up to 99 percent. We feel very safe with the tool.

Speaking about how the tool has effectively mitigated web security threats for an application, I would say that it is an application behind the web portal, so there are about a hundred or thousand people who can access a website. If it is a sensitive application, and we have to watch every access to it to make it really safe, that is the reason why we need WAF on the application.

My company doesn't use AI with the tool.

I recommend the product to others. I would say that others need to have it if they have a shopping website or something similar. I know it is hard to sell because we find it quite hard whenever my company tries to do so.

The solution offers 100 percent integration with other Fortinet security products.

The ease of policy configuration in the tool is okay.

I rate the tool a nine to ten out of ten.

We use the solution as a web access firewall (WAF) to secure our applications and use URL mapping to ensure only traffic filtered through the WAF is allowed. 

The environment the product is used in is one project in our GCP, and we're located in the Western USA. Two members of the infrastructure team operate FortiWeb within our organization.

FortiWeb filters a lot of unwanted traffic, which is good for our organization, as it would negatively impact our reputation if this traffic weren't screened.

The solution helps us to streamline tasks as it features a user-friendly console, and we can apply the WAF to all the URLs required for our publicly available applications. The templates offer either advanced or extended protection for those URLs, and we can see insights for specific URLs, such as total hits and how many requests are being blocked and allowed.  

The FortiWeb Cloud also saved our organization time through machine learning, which analyses traffic based on IP origin and geographic region. This is one of the solution's better features and saved us significant time. 

We have seen time to value with the product. After implementation, we let the solution run for a month, then reconfigured a few policies and templates. Within three months, we were getting the desired results.  

The policies and the filtering are the most valuable features, especially traffic, URL, and application filtering. The solution is excellent at detecting vulnerabilities. 

The product is great for blocking unknown threats and attacks. We've had excellent results over the past two years, and the way it detects and filters traffic is outstanding.  

The FortiWeb Cloud is straightforward to use; with a basic overview of how to apply policies, create NAT rules, etc., it's easy. The console is user-friendly enough that anyone can create and apply policies. 

The solution also helped reduce our false positives by 20-25%. 

Our organization receives fewer alerts thanks to the solution, and we don't have to think about the security of the URLs for applications. We put the whole domain behind the WAF, and if it's configured correctly from the beginning, we spend minimal time making changes and get the precise results we need. Our alerts have been reduced by approximately 5%.  

We want to see more detailed logging, such as audit logging, as this would significantly enhance the solution's reporting. We currently get some information from logs, but more would be better.

We've been using the solution for nearly two years. 

The solution is very stable. 

The product is scalable; we can easily scale up and down as required. 

I did the initial setup, which was very straightforward; the process includes putting an instance in the cloud and then adding the URLs of the domains to the template. The initial deployment took under two hours, but we needed to spend time reconfiguring the template later to reduce the number of false positives. One staff member can complete the setup, and it only requires basic knowledge.

Outside of updates and the initial reconfiguration, the solution requires minimal maintenance. 

The pricing is average; the product is neither particularly expensive nor affordable. 

Regarding the price-performance ratio, the solution is definitely worth the money.

I rate the tool nine out of ten. 

I advise anyone evaluating the solution to carry out a POC and recommend it overall.

We use the templates available in the Fortinet Web Cloud or WAF, which is sufficient to provide extended protection, traffic filtering, request blocking, and virus detection. 

Fortinet is our only WAF application because we've had excellent experiences with it. If any project requires security checks, we go with the solution.

We use it in front of AWS Web Application Firewalls for our web-based management console, as well as for all of our API services for our Windows agents.

Being a data protection company, we have to meet a lot of specific requirements for customers. When people would say, "Our standard practice is to do a pen test against your outward-facing servers," there was always a little bit of worry in the back of my mind: "Oh, man, is there something that I've forgotten about?" But nowadays, I don't have that at all. I know that it's all configured and running well. I know that people can run a pen test whenever they like and we'll pass with flying colors.

It can take a little bit of time if you want to be very particular about the traffic that you allow. FortiWeb is very configurable and that can take a little bit of time if you do want to be that particular. But apart from that, we don't really touch it much these days except if we get an email to say there's been a node attack. In that case, we might just want to check on things. But in general, once it has been configured, we can forget about that side of things and just get on with all of our other normal tasks.

Machine learning could be a little bit of a buzzword, but that's the whole advantage of using a cloud-based platform. You get the benefits of another site seeing an attack and Fortinet works out if traffic should be filtered or not. It's great all around.

Before this, we had our AWS Web Application Firewalls. The process would be to look at our web servers and see if there was any suspicious-looking traffic that had gotten to those web servers through the AWS firewalls, and then we would adjust the AWS firewalls accordingly to filter that out. We might even have had to write new code to stop things at the server level. FortiWeb has saved us hundreds of hours.

I'm quite particular about what I allow into our network. There were some false positives as we were configuring everything the way that I wanted it, but I can't even remember the last time someone had an issue with a false positive because we had it set too securely. With the machine learning and getting the benefit of traffic that is going to many different sites, Fortinet is able to know which traffic is legit and which isn't. As a result, we get fewer false positives.

Although the number of alerts is not that relevant for us, FortiWeb has definitely reduced the overall stress levels, especially at the management level. It's good to be able to present a report to C-level executives saying, "This is the amount of traffic that we've had coming in, and this is what has been blocked by Fortinet." We're able to show them that it is benefiting the business.

In addition, it has helped free up our infrastructure team, as they don't have to look after the AWS Web Application Firewalls.

When it comes to blocking unknown threats and attacks, I would give it the highest score possible. We first started using AWS and its Web Application Firewalls. That was okay, but it was quite a manual process to keep it up to date, whereas Fortinet is always up to date, and the default rules or the modules that you can turn on are very easy to use.

Overall, the solution is extremely easy to use. It's all very step-by-step. We just tell it what DNS records to approve and it sets up an SSL certificate. And then, all traffic just starts flowing through Fortinet and then straight over to us. Our network is quite secure, so we have allowed individual IPs that are listed by Fortinet so that we're not just blanket-accepting everything. It's enabling our web servers to be more secure by only allowing Fortinet, instead of the whole world, like we used to.

Also, if you want to diagnose something, rather than outright blocking it, you can just log it so you can see what's happening.

You can go through the audit trail as well. There might be a situation where it will prompt you to block everyone's traffic from a specific IP.

In terms of FortiWeb's advanced modules, we have two main, different Fortinet applications. One is for our web-based stuff and the other is for our Windows agents, which is all API traffic. We use different sets of the modules, or the advanced features, but across both, we use pretty much everything.

At the moment, it's very easy to see if an attack has come in, and what they've done. What I would like to see is that they turn on all logging so that we can even see legitimate traffic. But still, that's a very minimal issue.

It would also be helpful if they could introduce easier reporting. It's good to have those reports that go to C-level management, and Fortinet does provide some graphs, but if they went into some more detail, that would be great. Then I wouldn't have to do it myself.

I have been using FortiWeb for two to three years.

The stability is a 10 out of 10. We haven't had any issues.

We have thousands of customers that use our platform around the world. All of them go through Fortinet. We also have a few thousand Windows agents that all go through Fortinet. With the load balancing inside Fortinet, we're able to scale up our servers and Fortinet can always handle the traffic.

I haven't had to contact support much. These days, people don't really like contacting support. I have needed to do it on one or two occasions and they have been very helpful. It was by email and I got the answers that I needed straight away.

But the fact that I haven't had to contact support speaks to the ease of use of the system itself.

Positive

We just had web servers on the internet and the AWS Web Application Firewalls in front of them. I wasn't happy with those, so I added Fortinet in front of them. We still use AWS, but Fortinet is the first line.

We switched because I'm very paranoid. I'm big on security. Working in IT for many years, Fortinet was always a trusted name in routers, so I thought I'd give the FortiWeb web application firewalls a go and I haven't looked back.

The initial setup was a piece of cake, done step-by-step. We just had to add some DNS entries and that was about it. It tells you exactly what you need to do. I didn't need to contact support or ask for any help.

There were a lot of additional modules that I wanted to check out and that took a little bit of time. But getting a basic setup running was very quick.

There is no maintenance involved.

We haven't been hacked. I don't know what price tag you'd put on that.

I'm very security conscious, but at the same time, I can be somewhat cheap and I will only spend money if I think it's worthy or providing the value that it should. At no point have I thought of getting rid of Fortinet.

We saw value from it immediately. We were uncertain about how AWS Web Application Firewalls were protecting us. We weren't that confident, because we couldn't really see what was happening. Management was kind of uneasy as a result. As soon as we had this implemented, we could see the stats and a few graphs. Immediately, that peace of mind was had by all.

The pricing is pretty good. We do pass a lot of traffic through our API servers. Something like 100 gigs of web traffic is a fair amount for reduced JSON API calls, but the cost is $50. For that peace of mind, we have thousands and thousands of customers that are protected by that $50, so it's a no-brainer.

I had a look around, but I didn't test anything else. Fortinet was the first one that I did testing with and it met all my criteria, so I figured, "Why waste time looking at some others when this does the job?"

I recommend it to everyone. Because we're a data protection company, we have a lot of people who want to do pen testing against us, and I'm very confident that we're protected because of Fortinet.

If you're looking for a very comprehensive web application firewall, which is both simple to set up and also has a huge number of features to turn on, features that can give you some added protection for specific needs, give Fortinet a go. It's worth your time, and it won't take much time either.

The primary use case involves using FortiWeb to protect web servers from various malicious activities by integrating it into a firewall with features like URL filtering and application control. Additionally, it was deployed to meet the requirements of PCI DSS.

FortiWeb has been helpful in securing our web servers effectively. Fortinet FortiWeb is reliable, providing seamless protection and peace of mind regarding the security of our web applications.

FortiWeb has antivirus, web filtering, and application control features. Being part of the next-generation firewall, it's highly effective in ensuring security. The capability to protect from malicious activities is significant, alongside other features like application control.

I cannot provide feedback on what needs improvement as I haven't used other solutions to compare it against and therefore cannot identify any areas lacking in FortiWeb. Overall, FortiWeb is reliable.

It's been a year since I last used FortiWeb, while I previously configured and used it actively.

FortiWeb is reliable in terms of stability. There haven't been specific downtimes or technical issues with FortiWeb.

We haven’t encountered issues necessitating contact with customer service for FortiWeb, implying stable support from Fortinet.

Neutral

I have no experience with other solutions.

The initial setup depends on familiarity with the product. It's manageable with the right expertise. In cases of a simple application, setting up could be achieved in as little as one day.

I can't determine the exact cost of licensing as it was part of a bundle that offered multiple features and licenses.

I have no experience with other solutions.

I must emphasize the reliability.

I'd rate the solution seven out of ten.

Our company provides data center and cloud services as infrastructure providers. When customers need infrastructure like VMs or server allocation, we provide them with the vendor and offer services to operate, manage, implement, and integrate these security components.

The most valuable feature is the tool's integration with load-balancing applications, similar to FortiADC. Its importance depends on customer requirements, such as whether they prioritize application load balancing or layer seven protection.

Regarding areas for improvement, the documentation needs work. We had issues with a customer because the documentation didn't clearly show which devices can connect with FortiWeb WAF, leading to misconfiguration and difficult meetings. We also need deeper technical support - finding who's responsible for technical aspects is challenging. Hungary has a good Fortinet office with strong sales and pre-sales employees.

I have been using the product for four to five years. 

I rate the tool's stability a nine out of ten. 

It's not good with normal perpetual licensing, but we can solve the problem using flex licensing. That's why I'd rate it nine out of ten. We're satisfied with it. Many of our customers, including small, medium, and enterprise businesses, use FortiWeb WAF.

I rate the tool's deployment ease as seven out of ten. We have spent about 600 working hours to implement it. 

The product provides very good prices to customers. The price is set well and offers great value for money.

I rate the overall solution an eight out of ten. I advise others looking to use FortiWeb WAF to create deeper policy rules.

We sell a SaaS product deployed on the Azure cloud platform using Kubernetes. We offer a bundle of cloud-based services. The Azure firewall solution is too expensive, so we need to find an alternative solution. 

We are currently testing FortiWeb in a QA environment and plan to deploy it on top of our SaaS product. We are about 95 percent covered now, but we still need to work out some technical details. I believe we will be ready to deploy it into production in the next few months. 

We currently are using Azure's WAF solution, but it is a little bit expensive for a startup project. The Azure firewall has limited configuration options that aren't helpful in our use case. FortiWeb is easier to configure and has pay-as-you-go pricing based on traffic, which is ideal for a startup company. Once our product starts having steadier traffic, switching to something with fixed pricing might make more sense. Currently, it's a risk for the company. 

It's too soon to say what other benefits we'll see from FortiWeb because we're still in the testing phase. We've watched some training presentations, and we're still working on a strategy for how we'll use the tool. Once we have a clear plan, we'll put it into development, configure the template, and deploy it into production when it's ready. 

it isn't in production. If the developers say a setting isn't working, we adjust the firewall rule, the goal is complete the template before going into production. 

I like FortiWeb's usability and ease of configuration. It's simple to configure rules and exceptions inside the attack log. We block everything by default. If something isn't working, we ask the system admin to adjust the template and add exceptions. I'm interested in the AI attack pattern-matching feature, but we haven't tested it yet. 

API is another feature that we haven't used in production, but I'm generally pleased that FortiWeb has this ability, and we can customize our application how we want. 

We use Kubernetes, so I would like to have a plugin to configure FortiWeb Cloud automatically using Kubernetes Ingress. That would reduce the complexity of setting up an Ingress object in Kubernetes. Some competing solutions help you configure Ingress and Kubernetes automatically. 

We have been testing FortiWeb for the last four months. 

FortiWeb seems to be stable so far. 

FortiWeb features automatic scaling because it's in the cloud, so scaling up is easy. 

I rate Fortinet support an eight out of ten. We have only contacted them with a few questions, and they responded promptly. 

Positive

In recent years, we've spent money on various projects that required us to protect applications. We have the Azure firewall deployed, and we paid a third-party SOC company to monitor it for attacks. It didn't offer out-of-the-box complete protection easy to customize, so we configure it for watching threats and raised alerts, that's means additional effort. 

We feel that FortiWeb is a better way to go than Azure Web Firewall in our scenario because FortiWeb has some advantages in pricing and features. It's easier to configure and maintain. Also, FortiWeb uses templates. 

There was no initial setup because it's a SaaS solution. We only needed to configure it for our environment. The configuration was straightforward and only took a couple of hours. The only maintenance required is updating the templates. 

I would like to use the product based on our initial testing, so I think it's a sound investment. 

We still don't know what the real cost will be because the pricing is based on traffic, and the solution isn't in production. However, we expect it to be cheaper than the Azure Web Firewall.

I rate Fortinet FortiWeb an eight out of ten.