Generally, we are using it to protect our internet-facing web applications. So if there are any security vulnerabilities in our applications, the solution can provide protection.
System Administrator at an insurance company with 1,001-5,000 employees
Provides good feedback for development and is easy to scale up
Pros and Cons
- "It offers some feedback and suggestions that guide our system development while helping our vendors to update their applications and fix any issues or bugs."
- "The dashboard evaluating the performance of each application connected to the web app's firewall is quite helpful, but the tool is only available in application performance management. So I think if Fortinet could better integrate that particular feature, it would add a lot of value to the product."
What is our primary use case?
How has it helped my organization?
It offers some feedback and suggestions that guide our system development while helping our vendors to update their applications and fix any issues or bugs.
What is most valuable?
They have a sort of table that defines the functions of certain applications, e.g., which function has the slowest or fastest response. This enables our in-house development team or vendors to review our application and fix the functions if necessary.
What needs improvement?
The dashboard evaluating the performance of each application connected to the web app's firewall is quite helpful, but the tool is only available in application performance management. So I think if Fortinet could better integrate that particular feature, it would add a lot of value to the product.
Buyer's Guide
Fortinet FortiWeb
January 2025
Learn what your peers think about Fortinet FortiWeb. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,265 professionals have used our research since 2012.
For how long have I used the solution?
I have been using FortiWeb for three years.
What do I think about the stability of the solution?
I think it's quite reliable so long as it's configured.
What do I think about the scalability of the solution?
As long as we accurately scale our requirements from the start, I think the solution is quite scalable and quite easy to scale up later on.
How are customer service and support?
They are quite helpful. But I think because our department is quite stable and configured correctly, we are rarely using the support. Everything works perfectly.
How was the initial setup?
I think it's quite complex because we need to know how the application works.
What about the implementation team?
We are using local support to configure the solutions for us. We also purchase local maintenance and support on top of the routine product support and updates. Because it is a very specialized product, we need a very skillful person with expertise in the product to configure the solution for us.
What's my experience with pricing, setup cost, and licensing?
In a high availability cluster configuration, where the primary FortiGate is working and the secondary is a backup, Fortinet requires us to buy two licenses instead of one whether we are actually using it or not. With other products, you only purchase one license because we only use one license per instance.
What other advice do I have?
You need to accurately calculate the requirements of your infrastructure before implementing FortiWeb or any other web application firewall. Accuracy is very critical when scaling the product or the model that will be deployed on your infrastructure.
I would rate FortiWeb an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information security officer at a financial services firm with 1-10 employees
Provides us with security to access critical applications and it's easy to understand how to manage
Pros and Cons
- "The GUI is user-friendly and it's easy to understand how to manage it."
- "Describing security rules should be improved. It's tricky to define new feature tools when you want to describe an attack pattern and want to block it."
What is our primary use case?
Our primary use case is to protect an integral application against vulnerabilities. It's a WAF. It protects against vulnerabilities. We have run tests against it. We also use it for two-factor authentication before authorizing anybody to access the critical application.
How has it helped my organization?
We required security to access critical applications. We otherwise would not have been able to use the end notifications. We wanted to use the application and it's critical to us; FortiWeb enabled us to have that ability.
What is most valuable?
We are able to have an application layer different from the application itself that is protected by the FortiWeb Portal authentication feature.
What needs improvement?
Describing security rules should be improved. It's tricky to define new feature tools when you want to describe an attack pattern and want to block it.
What do I think about the stability of the solution?
It's very stable. I've never had any issues.
What do I think about the scalability of the solution?
The scalability is quite good. It's a virtual machine, so we know the exact resources; if we had to increase them, it would be easily scalable.
We have around 15 users in our company. The users are end-users and technicians.
How are customer service and technical support?
Fortinet support is very good.
How was the initial setup?
The initial setup was quite straightforward. The GUI is user-friendly and it's easy to understand how to manage it. We used an expert to finalize the last 10% of the configuration because we wanted specific settings regarding the security. We knew what we wanted to block and we needed an expert for the specific rules. Otherwise, 90% of the setup was done in-house.
The deployment only took two to three days. We only needed one employee to install it.
What's my experience with pricing, setup cost, and licensing?
The costs are standard. We pay around $1,600 yearly.
Which other solutions did I evaluate?
We also looked at Software CTM. It was impossible to use compared to FortiWeb.
What other advice do I have?
Be sure that the security is correctly configured and all the attack patterns are covered. Make sure to do an independent assessment of the security.
I would rate it a nine out of ten. We are very satisfied with it.
We have an issue when the underlying web protected generates a logout and we want the authentication portal to recognize that the application has been logged out. When the underlying application generates a logout, the portal does not recognize the logout. I would like a way for the FortiWeb portal to easily recognize the portal.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Advisor at a tech services company with 51-200 employees
L-7 protection safeguards legacy servers/applications without changing application code
Pros and Cons
- "Other than the additional security with exploit protection, we have simpler certificate handling, as we can keep internal servers using internal certificates continuously distributed and updated by Active Directory Group Policy, while the public certificates become updated only in a single place, FortiWeb itself."
- "SSL Offloading simplifies the public certificate handling and brings additional protection features."
- "L-7 protection makes it possible to protect legacy/not up-to-date servers/applications without changing the application code."
- "Centralized management of multiple devices, and GUI improvement, could reduce the learning curve."
- "The interface could have the interdependent elements arranged sequentially and wizards that go through most common deployment actions."
- "Centralized configuration using FortiManager – like what exists for NGFW FortiGate appliances - would improve the configuration."
How has it helped my organization?
Other than the additional security with exploit protection, we have simpler certificate handling, as we can keep internal servers using internal certificates continuously distributed and updated by Active Directory Group Policy, while the public certificates become updated only in a single place, FortiWeb itself.
What is most valuable?
SSL Offloading, as it simplifies the public certificate handling and brings additional protection features.
Also, L-7 protection, as it makes it possible to protect legacy/not up-to-date servers/applications without changing the application code.
What needs improvement?
- Centralized management of multiple devices, and GUI improvement, could reduce the learning curve.
- The interface could have the interdependent elements arranged sequentially and wizards that go through most common deployment actions.
- Centralized configuration using FortiManager – like what exists for NGFW FortiGate appliances - would improve the configuration.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
No issues with stability.
What do I think about the scalability of the solution?
No issues with scalability. (Actually, our traffic usually does not reach 50% of unit capacity).
How are customer service and technical support?
Good. Usually takes one day to get over all the assessment procedures to start to handle the issue.
Which solution did I use previously and why did I switch?
The previous vendor discontinued its product.
How was the initial setup?
A little bit complex, as understanding the GUI arrangement and terms took more time and effort than we expected.
What's my experience with pricing, setup cost, and licensing?
Keep a loose margin between your actual bandwidth and the product sizing when using hardware appliances. Only virtual machines are upgradable to larger sizes.
Which other solutions did I evaluate?
We acquired a Fortinet-based project, so we didn’t evaluate other ones.
What other advice do I have?
I rate it eight out of 10. I understand that a 10 is for products that not only execute smoothly but are also easy to use and manage, even when used on a multi-site corporation.
Take at least the Fortinet online course, or make sure that your reseller has experienced professionals.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Information Security Leader at a government
It has helped us prevent exploitation of vulnerabilities while we are working on code. Signatures are basic and prone to firing false positives.
What is most valuable?
- It supports OWASP top 10.
As you can see, the attack types are mapped to OWASP top 10. The policy creation always follows the procedure:
- Create first the objects needed.
- Assemble the policy.
- The GUI interface is intuitive. I have never needed to use the CLI.
- It has good reports.
- It is easy to manage.
How has it helped my organization?
The portal has a lot of vulnerabilities, which are not easy to solve quickly. The device has helped us to prevent exploitation of them while we are working on the code.
What needs improvement?
The signatures are very basic and prone to firing false positives. For example, FortiWeb detects this string as an attack because it detects "perl" in it:
User-Agent: Mozilla/5.0 (compatible; PaperLiBot/2.1; https://support.paper.li/entries/20023257-what-is-paper-li)
This is a false positive. If the signature was more complex, that would not occur.
For how long have I used the solution?
I have been using it for four years.
What do I think about the stability of the solution?
I have not encountered any stability issues, but it always consumes a lot of memory.
How are customer service and technical support?
Technical support is 7/10. We had a pair of cases without solution; one URL-rewriting related and another one Lync Enterprise-related. In both cases, we had to search for alternate solutions.
Which solution did I use previously and why did I switch?
ISA Server was working as a reverse proxy, but it lacks web attack prevention. Also, because the platform is dedicated and the OS is hardened.
How was the initial setup?
It has an auto-learn module that makes it easy to establish the first policy, after which you can customize it. It is straightforward to configure the FortiWeb. We have encountered that it is especially difficult to work with URL rewriting, because of regular expressions.
What's my experience with pricing, setup cost, and licensing?
Price and licensing is fine; it is one of the cheapest solutions and does its job.
Which other solutions did I evaluate?
We also evaluated F5 and Imperva. Fortinet won because of its price. It has done its work for the last four years; the only problem that I have seen is the high false-positives rate which prevents us from focusing on the real attacks.
What other advice do I have?
It has a good quality/price relationship. The web vulnerability scan module is useless.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
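The false positive described in the review above, as an added example that is not part of the review and not FortiWeb's actual signature (which the page does not show). It assumes the rule is meant to flag clients that identify themselves as Perl libraries; both patterns, the `evaluate` and `explain` helpers, and every sample header except the PaperLiBot one are constructed for illustration.

```python
import re

# Constructed User-Agent samples; only the first is quoted from the review.
# The boolean is the label: should a "Perl client" rule flag this header?
SAMPLES = [
    ("Mozilla/5.0 (compatible; PaperLiBot/2.1; "
     "https://support.paper.li/entries/20023257-what-is-paper-li)", False),
    ("Mozilla/5.0 (X11; Linux x86_64) SuperLink/1.0", False),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0", False),
    ("libwww-perl/6.05", True),
    ("Perl/5.30 custom-fetcher", True),
]

# Hypothetical rule 1: case-insensitive substring match, the behaviour the
# reviewer describes ("perl" found inside "PaperLiBot").
NAIVE = re.compile(r"perl", re.IGNORECASE)

# Hypothetical rule 2: "perl" only as a standalone product token, i.e. not
# directly preceded or followed by another letter.
BOUNDED = re.compile(r"(?<![A-Za-z])perl(?![A-Za-z])", re.IGNORECASE)


def evaluate(signature, samples=SAMPLES):
    """Run one signature over labelled headers and sort the outcomes."""
    result = {"true_positives": [], "false_positives": [], "false_negatives": []}
    for header, should_flag in samples:
        hit = signature.search(header) is not None
        if hit and should_flag:
            result["true_positives"].append(header)
        elif hit:
            result["false_positives"].append(header)
        elif should_flag:
            result["false_negatives"].append(header)
    return result


def explain(signature, header, context=3):
    """Return the matched text with a little context, or None if no match.

    Useful when triaging an alert: it shows which part of the header fired.
    """
    match = signature.search(header)
    if match is None:
        return None
    start = max(match.start() - context, 0)
    return header[start:match.end() + context]


if __name__ == "__main__":
    for name, sig in (("naive", NAIVE), ("bounded", BOUNDED)):
        outcome = evaluate(sig)
        print(name,
              "TP:", len(outcome["true_positives"]),
              "FP:", len(outcome["false_positives"]),
              "FN:", len(outcome["false_negatives"]))
        for header in outcome["false_positives"]:
            print("  false positive on:", explain(sig, header))
```

Running a candidate rule over a labelled set of real traffic before enabling it in blocking mode gives the false-positive count up front instead of in production alerts.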
IT Support Engineer at a consumer goods company with 51-200 employees
You can set QoS according to application priority.
Valuable Features
- Security profiles with application control & web filtering. You can filter which applications are allowed or blocked inside your network, according to the port they are using. Web filtering - which can be applied to Skype for example, prevent botnets, and P2P - also is very helpful when you want to control what is allowed inside the network.
- QoS. You can set QoS according to application priority.
- Antivirus from end to end
- Remote and site-to-site VPN
Improvements to My Organization
We have minimized our expenses for internet security/antivirus in host-side products such as FortiClient installation, which has antimalware/web security/antivirus and protects the host from vulnerabilities while connected to the server.
Room for Improvement
I would like to see support for throughput up to 10 gbps and WAN support. Depending on your device’s design, I’d like to see throughput support up to 2 mbps for SSL, 3 mbps for IPS, and 1.5 mbps for applications. This might already be offered with newer versions.
I haven't used the latest release of the device. From my current device's perspective, reporting is good, but what I want to see in future releases, if they haven't done it yet, is a total traffic alert (highest peak) that could be received on mobile or email. This would be very helpful if you could set the required interval to monitor the total traffic, so that you could feel the traffic in your hands.
Use of Solution
I have used it for five years.
Stability Issues
No issues encountered.
Scalability Issues
No issues encountered.
Customer Service and Technical Support
I rate the level of technical support 9/10.
Initial Setup
It was straightforward for minimal configuration and requirements, CLI for complex configuration.
Pricing, Setup Cost and Licensing
Pricing and licensing is good and it depends on what the business solution requires.
Other Advice
Fortinet shows me the health of the entire network. Evaluate how you would use Fortinet UTM. Look for the solution which fits your business infrastructure requirements such as VPNs, firewalls, application and web filtering, throughput, and most of all, which device gives you the best performance.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Presales Solutions Architect at Hilal Computers
It is stable but needs good service and training
Pros and Cons
- "It is a stable product."
- "Fortinet WAF came out recently, and there is not much feedback about customer experience. For each project, customers ask about the scenarios and references of the customers who have implemented this solution, which we don't have. They need to simplify the customer experience and provide more information so that we can propose Fortinet FortiWeb as a WAF solution to customers and convince them. They need to improve their service and training. We need good training to implement and use it properly and know more about it. We still don't know much about Fortinet WAF. We didn't get any proper training sessions. Other vendors like Cisco, Palo Alto, Check Point, and Barracuda provide such sessions. Whenever we receive a request from a customer for this solution, we just give the price. We don't propose this solution because we don't know much about it. We propose whatever we are familiar with and what is supported."
What is most valuable?
It is a stable product.
What needs improvement?
Fortinet WAF came out recently, and there is not much feedback about customer experience. For each project, customers ask about the scenarios and references of the customers who have implemented this solution, which we don't have. They need to simplify the customer experience and provide more information so that we can propose Fortinet FortiWeb as a WAF solution to customers and convince them.
They need to improve their service and training. We need good training to implement and use it properly and know more about it. We still don't know much about Fortinet WAF. We didn't get any proper training sessions. Other vendors like Cisco, Palo Alto, Check Point, and Barracuda provide such sessions. Whenever we receive a request from a customer for this solution, we just give the price. We don't propose this solution because we don't know much about it. We propose whatever we are familiar with and what is supported.
For how long have I used the solution?
We have been using Fortinet FortiWeb for four years.
What do I think about the stability of the solution?
Its stability is fine wherever we have implemented it.
How are customer service and technical support?
Its support is a bit difficult to get. They need to improve the service.
How was the initial setup?
It is straightforward, but we still need good training.
What's my experience with pricing, setup cost, and licensing?
It is fine now. Earlier, we had to negotiate the price.
What other advice do I have?
We are a solution provider and system integrator company. We work for DCC countries. We deal with Fortinet, Meraki, Sophos, Check Point, Barracuda, and Juniper SRX solutions.
Fortinet FortiWeb is comparable to Barracuda. We don't have many customers for Fortinet WAF, and we couldn't get that much good feedback. We mostly use Barracuda WAF. We use it even in the cloud environment.
Fortinet is fine on the firewall side. We haven't sold many Barracuda firewalls, but for WAF, we mostly use Barracuda. We prefer Barracuda because they provide good training, and they always follow up. Customers also prefer Barracuda or any other WAF service. Customers receive good support from Barracuda. Fortinet WAF is rare.
I would recommend this product only based on customer requirements. At the end of the day, how you install, configure, and meet customer requirements are more valuable. I never place a product ahead of a customer. Fortinet WAF might not be suitable for certain customers. Similarly, Barracuda WAF might not be suitable for certain customers. I always get customer requirements and then supply the product according to their requirements.
I would rate Fortinet FortiWeb a five out of ten. It is neither good nor bad.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
Senior Developer, Project Manager at FPT Software
It makes our web site system work nice and smooth. The UI is a little complicated for new users.
What is most valuable?
- Firewall
- Load balancing
How has it helped my organization?
It makes our web site system work nice and smooth.
What needs improvement?
The UI is a little complicated for new users.
For how long have I used the solution?
I have been using it for over a year.
What do I think about the stability of the solution?
I have not yet encountered any stability issues.
What do I think about the scalability of the solution?
I have not yet encountered any scalability issues.
How are customer service and technical support?
I have even contacted technical support once.
Which solution did I use previously and why did I switch?
My web site used MS NLB service for load balancing and IPS firewall at first, but when our site's connection grew bigger, we discovered that we needed another solution. We chose FortiWeb after a little research into the market.
How was the initial setup?
Initial setup was straightforward.
What's my experience with pricing, setup cost, and licensing?
The pricing is a little high.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director with 51-200 employees
Other firewalls are just as good, but this product is at a much better price point.
What is most valuable?
We use them for VPN, standard layer 4, web filtering, anti-malware and DLP – they are used as our perimeter firewall solution.
How has it helped my organization?
I would not say it has improved how we function because I think that other leading vendors' firewalls are as good. However, I do think that FortiGate can do it at a much better price point than, for example, Cisco ASA or Palo Alto.
What needs improvement?
The CLI could be improved by removing all default syntax from the config. The debugging of crypto VPN is not as informative as other vendors’ firewalls. The GUI is also not as good as some vendors, but overall as a package and considering price, it still provides value for money.
For how long have I used the solution?
I first used the Fortinet solutions in 2005 when it was version 2 & 3; since then, it has matured a lot and is much better. I would definitely recommend it, primarily on value for money. For the newer versions, I have been using 1000C and 300D, with FortiGate VM01 firewalls running a mix of software versions 5.4 and 5.2 for almost two years.
What do I think about the stability of the solution?
I did not encounter any stability issues.
What do I think about the scalability of the solution?
FortiManager is required for scalable managing of multiple devices, but we do not have enough to need that. I think that the logging could be better but for that, FortiAnalyzer is recommended, which we do not have.
How are customer service and technical support?
We have not needed to use Fortinet TAC.
Which solution did I use previously and why did I switch?
This solution replaced some old Juniper ISG firewalls that were EoL; nobody in the company had Juniper SRX experience and the choice was made for Fortinet before I started at the company.
How was the initial setup?
Initial setup for what we need to use it is very straightforward. There are certain features (such as TACACS) where you need to use CLI, but most things can be done with the GUI.
What's my experience with pricing, setup cost, and licensing?
Very competitive; Fortinet would always be an option for a perimeter firewall for me if I were needing new kit. I would always include it in any quotes and options, although depending on the requirements, I might decide to choose something else.
Which other solutions did I evaluate?
I have used firewalls that I find easier to manage, configure and troubleshoot. However, the Fortinet firewalls are pretty good, and in terms of value for money, they are outstanding.
Pros: Cost for performance, very feature rich, GUI is pretty good.
Cons: Debugging is not as good as I find Cisco ASA. CLI is overly complicated by all syntax showing in the configuration. The GUI is not as nice as CheckPoint or Palo Alto.
What other advice do I have?
Evaluate the product first and compare it to what you are used to and what you want. It provides very good value for money, but if the budget were there, I would probably choose another vendor in certain circumstances.
Disclosure: I am a real user, and this review is based on my own experience and opinions.