reviewer1217868 - PeerSpot reviewer
Information security officer at a financial services firm with 1-10 employees
Real User
Provides us with security to access critical applications and it's easy to understand how to manage
Pros and Cons
  • "The GUI is user-friendly and it's easy to understand how to manage it."
  • "Describing security rules should be improved. It's tricky to define new feature tools when you want to describe an attack pattern and want to block it."

What is our primary use case?

Our primary use case is to protect an integral application against vulnerabilities. It's a WAF. It protects against vulnerabilities. We have run tests against it. We also use it for two-factor authentication before authorizing anybody to access the critical application.

How has it helped my organization?

We required security to access critical applications. We otherwise would not have been able to use the end notifications. We wanted to use the application and it's critical to us; FortiWeb enabled us to have that ability.

What is most valuable?

We are able to have an application layer different from the application itself that is protected by the FortiWeb Portal authentication feature. 

What needs improvement?

Describing security rules should be improved. It's tricky to define new feature tools when you want to describe an attack pattern and want to block it. 

Buyer's Guide
Fortinet FortiWeb
March 2025
Learn what your peers think about Fortinet FortiWeb. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
844,944 professionals have used our research since 2012.

What do I think about the stability of the solution?

It's very stable. I've never had any issues. 

What do I think about the scalability of the solution?

The scalability is quite good. It's a virtual machine, so we know the exact resource, and if we had to increase it, it would be easily scalable.

We have around 15 users in our company. The users are end-users and technicians. 

How are customer service and support?

Fortinet support is very good. 

How was the initial setup?

The initial setup was quite straightforward. The GUI is user-friendly and it's easy to understand how to manage it. We used an expert to finalize the last 10% of the configuration because we wanted specific settings regarding the security. We knew what we wanted to block and we needed an expert for the specific rules. Otherwise, 90% of the setup was done in-house. 

The deployment only took two to three days. We only needed one employee to install it. 

What's my experience with pricing, setup cost, and licensing?

The costs are standard. We pay around $1,600 yearly. 

Which other solutions did I evaluate?

We also looked at Software CTM. It was impossible to use compared to FortiWeb. 

What other advice do I have?

Be sure that the security is correctly configured and all the attack patterns are covered. Make sure to do an independent assessment of the security. 

I would rate it a nine out of ten. We are very satisfied with it. 

We have an issue when the underlying web protected generates a logout and we want the authentication portal to recognize that the application has been logged out. When the underlying application generates a logout, the portal does not recognize the logout. I would like a way for the FortiWeb portal to easily recognize the portal. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technicae31f - PeerSpot reviewer
Technical Advisor at a tech services company with 51-200 employees
Real User
L-7 protection safeguards legacy servers/applications without changing application code
Pros and Cons
  • "Other than the additional security with exploit protection, we have simpler certificate handling, as we can keep internal servers using internal certificates continuously distributed and updated by Active Directory Group Policy, while the public certificates become updated only in a single place, FortiWeb itself."
  • "SSL Offloading simplifies the public certificate handling and brings additional protection features."
  • "L-7 protection makes it possible to protect legacy/not up-to-date servers/applications without changing the application code."
  • "Centralized management of multiple devices, and GUI improvement, could reduce the learning curve."
  • "The interface could have the interdependent elements arranged sequentially and wizards that go through most common deployment actions."
  • "Centralized configuration using FortiManager – like what exists for NGFW FortiGate appliances - would improve the configuration."

How has it helped my organization?

Other than the additional security with exploit protection, we have simpler certificate handling, as we can keep internal servers using internal certificates continuously distributed and updated by Active Directory Group Policy, while the public certificates become updated only in a single place, FortiWeb itself.

What is most valuable?

SSL Offloading, as it simplifies the public certificate handling and brings additional protection features. 

Also, L-7 protection, as it makes it possible to protect legacy/not up-to-date servers/applications without changing the application code.

What needs improvement?

  • Centralized management of multiple devices, and GUI improvement, could reduce the learning curve. 
  • The interface could have the interdependent elements arranged sequentially and wizards that go through most common deployment actions. 
  • Centralized configuration using FortiManager – like what exists for NGFW FortiGate appliances - would improve the configuration.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

No issues with stability.

What do I think about the scalability of the solution?

No issues with scalability. (Actually, our traffic usually does not reach 50% of unit capacity).

How are customer service and technical support?

Good. Usually takes one day to get over all the assessment procedures to start to handle the issue.

Which solution did I use previously and why did I switch?

The previous vendor discontinued its product.

How was the initial setup?

A little bit complex, as understanding the GUI arrangement and terms took more time and effort than we expected.

What's my experience with pricing, setup cost, and licensing?

Keep a loose margin between your actual bandwidth and the product sizing when using hardware appliances. Only virtual machines are upgradable to larger sizes.

Which other solutions did I evaluate?

We acquired a Fortinet-based project, so we didn’t evaluate other ones.

What other advice do I have?

I rate it eight out of 10. I understand that a 10 is for products that not only execute smoothly but are also easy to use and manage, even when used on a multi-site corporation.

Take at least the Fortinet online course, or make sure that your reseller has experienced professionals.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
Information Security Leader at a government
Vendor
It has helped us prevent exploitation of vulnerabilities while we are working on code. Signatures are basic and prone to firing false positives.

What is most valuable?

  • It supports OWASP top 10.
    As you can see, the attack types are mapped to OWASP top 10. The policy creation always follows the procedure:
      1. Create first the objects needed.
      2. Assemble the policy.
  • The GUI interface is intuitive. I have never needed to use the CLI.
  • It has good reports. It is easy to manage.

How has it helped my organization?

The portal has a lot of vulnerabilities, which are not easy to solve quickly. The device has helped us to prevent exploitation of them while we are working on the code.

What needs improvement?

The signatures are very basic and prone to firing false positives. For example, FortiWeb detects this string as an attack because it detects "perl" in it:

User-Agent: Mozilla/5.0 (compatible; PaperLiBot/2.1; https://support.paper.li/entries/20023257-what-is-paper-li)

This is a false positive. If the signature was more complex, that would not occur.

For how long have I used the solution?

I have been using it for four years.

What do I think about the stability of the solution?

I have not encountered any stability issues, but it always consumes a lot of memory.

How are customer service and technical support?

Technical support is 7/10. We had a pair of cases without solution; one URL-rewriting related and another one Lync Enterprise-related. In both cases, we had to search for alternate solutions.

Which solution did I use previously and why did I switch?

ISA Server was working as a reverse proxy, but it lacks web attack prevention. Also, because the platform is dedicated and the OS is hardened.

How was the initial setup?

It has an auto-learn module that makes it easy to establish the first policy, after which you can customize it. It is straightforward to configure the FortiWeb. We have encountered that it is especially difficult to work with URL rewriting, because of regular expressions.

What's my experience with pricing, setup cost, and licensing?

Price and licensing is fine; it is one of the cheapest solutions and does its job.

Which other solutions did I evaluate?

We also evaluated F5 and Imperva. Fortinet won because of its price. It has done its work for the last four years; the only problem that I have seen is the high false-positives rate which prevents us from focusing on the real attacks.

What other advice do I have?

It has a good quality/price relationship. The web vulnerability scan module is useless.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
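
The false positive described in the review above, reproduced as an added example (not code from the reviewer or from Fortinet). It assumes the signature is a case-insensitive substring search for "perl", which may not be how FortiWeb's rule is written, and compares it with a token-bounded match; the function names and every sample header except the PaperLiBot one are constructed for illustration.

```python
import re

# Constructed sample: (User-Agent value, client really identifies as a Perl tool).
# The first entry is the header quoted in the review; the others are made up.
SAMPLES = [
    ("Mozilla/5.0 (compatible; PaperLiBot/2.1; "
     "https://support.paper.li/entries/20023257-what-is-paper-li)", False),
    ("Mozilla/5.0 (X11; Linux x86_64) SuperLative/1.0", False),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", False),
    ("libwww-perl/6.05", True),
    ("PERL-HTTP-Client/0.9", True),
]


def substring_signature(user_agent):
    """Assumed 'basic' rule: 'perl' anywhere in the value, ignoring case."""
    return "perl" in user_agent.lower()


# Tighter rule: 'perl' must stand alone as a token, so it may not be
# preceded or followed by another letter ("PaPERLiBot" no longer matches).
_PERL_TOKEN = re.compile(r"(?<![a-z])perl(?![a-z])", re.IGNORECASE)


def token_signature(user_agent):
    """Match 'perl' only when it is bounded by non-letters or string ends."""
    return _PERL_TOKEN.search(user_agent) is not None


# The whole product token around a hit, delimited by space, ';' or parentheses.
_HIT_CONTEXT = re.compile(r"[^\s;()]*perl[^\s;()]*", re.IGNORECASE)


def explain_hit(user_agent):
    """Return the token that triggered the substring rule, or None."""
    match = _HIT_CONTEXT.search(user_agent)
    return match.group(0) if match else None


def evaluate(signature):
    """Return (false_positives, false_negatives) over the labelled samples."""
    false_positives = [ua for ua, is_perl in SAMPLES
                       if signature(ua) and not is_perl]
    false_negatives = [ua for ua, is_perl in SAMPLES
                       if not signature(ua) and is_perl]
    return false_positives, false_negatives


if __name__ == "__main__":
    for name, signature in (("substring", substring_signature),
                            ("token-bounded", token_signature)):
        false_positives, false_negatives = evaluate(signature)
        print(f"{name}: {len(false_positives)} false positive(s), "
              f"{len(false_negatives)} false negative(s)")
        for ua in false_positives:
            print(f"  fired on {explain_hit(ua)!r}")
```

Running the same labelled sample through any rewritten signature before deploying it shows whether the change removes the false positives without letting the intended matches through.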
PeerSpot user
IT Support Engineer at a consumer goods company with 51-200 employees
Real User
You can set QoS according to application priority.

Valuable Features

  • Security profiles with application control & web filtering. You can filter which applications are allowed or blocked inside your network, according to the port they are using. Web filtering - which can be applied to Skype for example, prevent botnets, and P2P - also is very helpful when you want to control what is allowed inside the network.
  • QoS. You can set QoS according to application priority.
  • Antivirus from end to end
  • Remote and site-to-site VPN

Improvements to My Organization

We have minimized our expenses for internet security/antivirus in host-side products such as FortiClient installation, which has antimalware/web security/antivirus and protects the host from vulnerabilities while connected to the server.

Room for Improvement

I would like to see support for throughput up to 10 gbps and WAN support. Depending on your device’s design, I’d like to see throughput support up to 2 mbps for SSL, 3 mbps for IPS, and 1.5 mbps for applications. This might already be offered with newer versions.

I haven't used the latest release of the device. From my current device's perspective, reporting is good, but what I want to see in future releases, if they haven't done it yet, is a total traffic alert (highest peak) that could be received on mobile or by email. This would be very helpful if you could set the required interval to monitor the total traffic, so that you could feel the traffic in your hands.

Use of Solution

I have used it for five years.

Stability Issues

No issues encountered.

Scalability Issues

No issues encountered.

Customer Service and Technical Support

I rate the level of technical support 9/10.

Initial Setup

It was straightforward for minimal configuration and requirements, CLI for complex configuration.

Pricing, Setup Cost and Licensing

Pricing and licensing is good and it depends on what the business solution requires.

Other Advice

Fortinet shows me the health of the entire network. Evaluate how you would use Fortinet UTM. Look for the solution which fits your business infrastructure requirements such as VPNs, firewalls, application and web filtering, throughput, and most of all, which device gives you the best performance.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Presales Solutions Architect at Hilal Computers
Real User
It is stable but needs good service and training
Pros and Cons
  • "It is a stable product."
  • "Fortinet WAF came out recently, and there is not much feedback about customer experience. For each project, customers ask about the scenarios and references of the customers who have implemented this solution, which we don't have. They need to simplify the customer experience and provide more information so that we can propose Fortinet FortiWeb as a WAF solution to customers and convince them. They need to improve their service and training. We need good training to implement and use it properly and know more about it. We still don't know much about Fortinet WAF. We didn't get any proper training sessions. Other vendors like Cisco, Palo Alto, Check Point, and Barracuda provide such sessions. Whenever we receive a request from a customer for this solution, we just give the price. We don't propose this solution because we don't know much about it. We propose whatever we are familiar with and what is supported."

What is most valuable?

It is a stable product. 

What needs improvement?

Fortinet WAF came out recently, and there is not much feedback about customer experience. For each project, customers ask about the scenarios and references of the customers who have implemented this solution, which we don't have. They need to simplify the customer experience and provide more information so that we can propose Fortinet FortiWeb as a WAF solution to customers and convince them.

They need to improve their service and training. We need good training to implement and use it properly and know more about it. We still don't know much about Fortinet WAF. We didn't get any proper training sessions. Other vendors like Cisco, Palo Alto, Check Point, and Barracuda provide such sessions. Whenever we receive a request from a customer for this solution, we just give the price. We don't propose this solution because we don't know much about it. We propose whatever we are familiar with and what is supported.

For how long have I used the solution?

We have been using Fortinet FortiWeb for four years. 

What do I think about the stability of the solution?

Its stability is fine wherever we have implemented it.

How are customer service and technical support?

Its support is a bit difficult to get. They need to improve the service. 

How was the initial setup?

It is straightforward, but we still need good training.

What's my experience with pricing, setup cost, and licensing?

It is fine now. Earlier, we had to negotiate the price.

What other advice do I have?

We are a solution provider and system integrator company. We work for DCC countries. We deal with Fortinet, Meraki, Sophos, Check Point, Barracuda, and Juniper SRX solutions.

Fortinet FortiWeb is comparable to Barracuda. We don't have many customers for Fortinet WAF, and we couldn't get that much good feedback. We mostly use Barracuda WAF. We use it even in the cloud environment. 

Fortinet is fine on the firewall side. We haven't sold many Barracuda firewalls, but for WAF, we mostly use Barracuda. We prefer Barracuda because they provide good training, and they always follow up. Customers also prefer Barracuda or any other WAF service. Customers receive good support from Barracuda. Fortinet WAF is rare. 

I would recommend this product only based on customer requirements. At the end of the day, how you install, configure, and meet customer requirements are more valuable. I never place a product ahead of a customer. Fortinet WAF might not be suitable for certain customers. Similarly, Barracuda WAF might not be suitable for certain customers. I always get customer requirements and then supply the product according to their requirements.

I would rate Fortinet FortiWeb a five out of ten. It is neither good nor bad.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
reviewer1472592 - PeerSpot reviewer
Director at a tech services company with 51-200 employees
Real User
Good for compliance, load balancing, and high availability
Pros and Cons
  • "Banks have to be compliant with PCI and other things, and FortiWeb is absolutely amazing in terms of providing these reports. Otherwise, they will have to spend a lot of time on them."
  • "The automation piece can be improved. Although they say it can be automated very well, there is still manual work. Its usability should be improved in terms of automation because we want to build an infrastructure with code, but you can't do that easily with this solution. If they can give us APIs in the firewalls that we can tap into, it would be perfect."

What is our primary use case?

We mainly use it for protection. OS scanning and load balancing are two of its main use cases.

My team is most probably working with its latest version. In terms of the deployment, lately, it has been on the cloud because the end-user-facing web applications are usually live on the cloud.

How has it helped my organization?

Banks have to be compliant with PCI and other things, and FortiWeb is absolutely amazing in terms of providing these reports. Otherwise, they will have to spend a lot of time on them.

What is most valuable?

The compliance piece is the best feature. Load balancing is also valuable, which is something that all web application firewalls do. Another valuable feature is high availability. You can scale it very well. Load balancing and high availability are the two reasons why we picked it for a couple of banks.

What needs improvement?

From the feature perspective, it is pretty rich. The automation piece can be improved. Although they say it can be automated very well, there is still manual work. Its usability should be improved in terms of automation because we want to build an infrastructure with code, but you can't do that easily with this solution. If they can give us APIs in the firewalls that we can tap into, it would be perfect. 

I would also like it to scale automatically based on the traffic.

For how long have I used the solution?

I have been using this solution for about six years.

What do I think about the stability of the solution?

I've never seen any issues, but when you turn on all the features or every single scanning, that's when it slows down a bit.

What do I think about the scalability of the solution?

It is scalable, but it is a roundabout way of automated scaling. It is not truly automated scaling. In general, when the size is okay, scaling is not a problem. I would like it to scale automatically based on the traffic, but that doesn't happen because automation is not there.

I haven't seen any big issues with performance. We ran 20,000 connections through it, and it was okay. When you deploy it in the cloud, you can increase the size of the VM, and with extra licensing, it is fine performance-wise.

It is suitable for medium and large customers. My team has deployed at least 500 of these in the last few years. In general, it's okay. We don't have any issue with it.

How are customer service and support?

They have been pretty good, honest, and upfront. It all comes down to expectations when you buy these things.

I know the country manager very well. He is my friend for Fortinet. They are very good in terms of support. 

When you buy these things from a marketplace like Amazon or AWS, the support is not as good as it can be because the first line of support is the cloud provider, and then there is the vendor. So, our preference usually is to go directly to the vendor because they know more about it.

Which solution did I use previously and why did I switch?

One of the best things about Azure Firewall is the automation. There is a huge difference. The second thing is pricing. 

With FortiWeb, when you want to buy HA, you need to start designing high availability across different regions. With Azure, it comes by default.

How was the initial setup?

It depends on the customer and the use case. Usually, it's straightforward, but as you add more applications, it can become more and more complex.

The deployment duration varies. Usually, designing, building, and putting in production take about four weeks, but it also depends on the application type.

It requires maintenance all the time. Everything requires maintenance. Usually, we build it and operationalize it, and we then hand it over to the customer.

What's my experience with pricing, setup cost, and licensing?

It keeps changing, but it's based on the size of the VM you buy and also the traffic throughput you want from it, whereas what we have on Azure is just the traffic throughput. You can also pay on a monthly basis from Azure. During each part of the project, it's okay to get Azure-based licensing or AWS-based licensing for FortiWeb, but over time, you would want to go with the perpetual license. You should go to Fortinet and buy the license from them. So, there is a two-step process there.

What other advice do I have?

I would advise getting the right engineer. You need someone who is a specialist, and that's very important.

I would rate it an eight out of 10. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Senior Developer, Project Manager at FPT Software
MSP
It makes our web site system work nice and smooth. The UI is a little complicated for new users.

What is most valuable?

How has it helped my organization?

It makes our web site system work nice and smooth.

What needs improvement?

The UI is a little complicated for new users.

For how long have I used the solution?

I have been using it for over a year.

What do I think about the stability of the solution?

I have not yet encountered any stability issues.

What do I think about the scalability of the solution?

I have not yet encountered any scalability issues.

How are customer service and technical support?

I have even contacted technical support once.

Which solution did I use previously and why did I switch?

My web site used MS NLB service for load balancing and IPS firewall at first, but when our site's connection grew bigger, we discovered that we needed another solution. We chose FortiWeb after a little research into the market.

How was the initial setup?

Initial setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

The pricing is a little high.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Director with 51-200 employees
Vendor
Other firewalls are just as good, but this product is at a much better price point.

What is most valuable?

We use them for VPN, standard layer 4, web filtering, anti-malware and DLP – they are used as our perimeter firewall solution.

How has it helped my organization?

I would not say it has improved how we function because I think that other leading vendors' firewalls are as good. However, I do think that FortiGate can do it at a much better price point than, for example, Cisco ASA or Palo Alto.

What needs improvement?

The CLI could be improved by removing all default syntax from the config. The debugging of crypto VPN is not as informative as other vendors’ firewalls. The GUI is also not as good as some vendors, but overall as a package and considering price, it still provides value for money.

For how long have I used the solution?

I first used the Fortinet solutions in 2005 when it was version 2 & 3; since then, it has matured a lot and is much better. I would definitely recommend it, primarily on value for money. For the newer versions, I have been using 1000C and 300D, with FortiGate VM01 firewalls running a mix of software versions 5.4 and 5.2 for almost two years.

What do I think about the stability of the solution?

I did not encounter any stability issues.

What do I think about the scalability of the solution?

FortiManager is required for scalable managing of multiple devices, but we do not have enough to need that. I think that the logging could be better but for that, FortiAnalyzer is recommended, which we do not have.

How are customer service and technical support?

We have not needed to use Fortinet TAC.

Which solution did I use previously and why did I switch?

This solution replaced some old Juniper ISG firewalls that were EoL; nobody in the company had Juniper SRX experience and the choice was made for Fortinet before I started at the company.

How was the initial setup?

Initial setup for what we need to use it is very straightforward. There are certain features (such as TACACS) where you need to use CLI, but most things can be done with the GUI.

What's my experience with pricing, setup cost, and licensing?

Very competitive; Fortinet would always be an option for a perimeter firewall for me if I were needing new kit. I would always include it in any quotes and options, although depending on the requirements, I might decide to choose something else.

Which other solutions did I evaluate?

I have used firewalls that I find easier to manage, configure and troubleshoot. However, the Fortinet firewalls are pretty good, and in terms of value for money, they are outstanding.

Pros: Cost for performance, very feature rich, GUI is pretty good.

Cons: Debugging is not as good as I find Cisco ASA. CLI is overly complicated by all syntax showing in the configuration. The GUI is not as nice as CheckPoint or Palo Alto.

What other advice do I have?

Evaluate the product first and compare it to what you are used to and what you want. It provides very good value for money, but if the budget were there, I would probably choose another vendor in certain circumstances.

Disclosure: I am a real user, and this review is based on my own experience and opinions.