Fortinet FortiWeb Reviews

Our primary use case is to protect an integral application against vulnerabilities. It's a WAF. It protects against vulnerabilities. We have run tests against it. We also use it for two-factor authentication before authorizing anybody to access the critical application.

We required security to access critical applications. We otherwise would not have been able to use the end notifications. We wanted to use the application and it's critical to us, Fortiweb enabled us to have that ability. 

We are able to have an application layer different from the application itself that is protected by the FortiWeb Portal authentication feature. 

Describing security rules should be improved. It's tricky to define new feature tools when you want to describe an attack pattern and want to block it. 

It's very stable. I've never had any issues. 

The scalability is quite good. It's a virtual machine so we know the exact resource so if we would have to increase it would be easily scalable. 

We have around 15 users in our company. The users are end-users and technicians. 

Fortinet support is very good. 

The initial setup was quite straightforward. The GUI is user-friendly and it's easy to understand how to manage it. We used an expert to finalize the last 10% of the configuration because we wanted specific settings regarding the security. We knew what we wanted to block and we needed an expert for the specific rules. Otherwise, 90% of the setup was done in-house. 

The deployment only took two to three days. We only needed one employee to install it. 

The costs are standard. We pay around $1,600 yearly. 

We also looked at Software CTM. It was impossible to use compared to FortiWeb. 

Be sure that the security is correctly configured and all the attack patterns are covered. Make sure to do an independent assessment of the security. 

I would rate it a nine out of ten. We are very satisfied with it. 

We have an issue when the underlying web protected generates a logout and we want the authentication portal to recognize that the application has been logged out. When the underlying application generates a logout, the portal does not recognize the logout. I would like a way for the FortiWeb portal to easily recognize the portal. 

Other than the additional security with exploit protection, we have simpler certificate handling, as we can keep internal servers using internal certificates continuously distributed and updated by Active Directory Group Policy, while the public certificates become updated only in a single place, FortiWeb itself.

SSL Offloading, as it simplifies the public certificate handling and brings additional protection features. 

Also, L-7 protection, as it makes possible to protect legacy/not up-to-date servers/applications without changing the application code.

• Centralized management of multiple devices, and GUI improvement, could reduce the learning curve. 
• The interface could have the interdependent elements arranged sequentially and wizards that go through most common deployment actions. 
• Centralized configuration using FortiManager – like what exists for NGFW FortiGate appliances - would improve the configuration.

No issues with stability.

No issues with scalability. (Actually, our traffic usually does not reach 50% of unit capacity).

Good. Usually takes one day to get over all the assessment procedures to start to handle the issue.

The previous vendor discontinued its product.

A little bit complex, as understanding the GUI arrangement and terms took more time and effort than we expected.

Keep a loose margin between your actual bandwidth and the product sizing when using hardware appliances. Only virtual machines are upgradable to larger sizes.

We acquired a Fortinet-based project, so we didn’t evaluate other ones.

I rate it eight out of 10. I understand that a 10 is for products that not only execute smoothly but are also easy to use and manage, even when used on a multi-site corporation.

Take at least the Fortinet online course, or make sure that your reseller has experienced professionals.

• It supports OWASP top 10.
  As you can see, the attack types are mapped to OWASP top 10. The policy creation always follows the procedure:

1. Create first the objects needed.
2. Assemble the policy.

• The GUI interface is intuitive. I have never needed to use the CLI
• It has good reports.It is easy to manage.

The portal has a lot of vulnerabilities, which are not easy to solve quickly. The device has helped us to prevent exploitation of them while we are working on the code.

The signatures are very basic and prone to firing false positives. For example, FortiWeb detects this string as an attack because it detects "perl" in it:

User-Agent: Mozilla/5.0 (compatible; PaperLiBot/2.1; https://support.paper.li/entries/20023257-what-is-paper-li)

This is a false positive. If the signature was more complex, that would not occur.

I have been using it for four years.

I have not encountered any stability issues, but it always consumes a lot of memory.

Technical support is 7/10. We had a pair of cases without solution; one URL-rewriting related and another one Lync Enterprise-related. In both cases, we had to search for alternate solutions.

ISA Server was working as a reverse proxy, but it lacks web attack prevention. Also, because the platform is dedicated and the OS is hardened.

It has an auto-learn module that makes it easy to establish the first policy, after which you can customize it. It is straightforward to configure the FortiWeb. We have encountered that it is especially difficult to work with URL rewriting, because of regular expressions.

Price and licensing is fine; it is one of the cheapest solutions and does its job.

We also evaluated F5 and Imperva. Fortinet won because of its price. It has done its work for the last four years; the only problem that I have seen is the high false-positives rate which prevents us from focusing on the real attacks.

It has a good quality/price relationship. The web vulnerability scan module is useless.

• Security profiles with application control & web filtering. You can filter which applications are allowed or blocked inside your network, according to the port they are using. Web filtering - which can be applied to Skype for example, prevent botnets, and P2P - also is very helpful when you want to control what is allowed inside the network.
• QoS. You can set QoS according to application priority.
• Antivirus from end to end
• Remote and site-to-site VPN

We have minimized our expenses for internet security/antivirus in host-side products such as FortiClient installation, which has antimalware/web security/antivirus and protects the host from vulnerabilities while connected to the server.

I would like to see support for throughput up to 10 gbps and WAN support. Depending on your device’s design, I’d like to see throughput support up to 2 mbps for SSL, 3 mbps for IPS, and 1.5 mbps for applications. This might already be offered with newer versions.

I haven't used the latest release of device. From my current device perspective, reporting is good, but I want to see, in the future releases if they haven't done yet, is the total traffic alert (highest peak) that could receive on mobile or email. This is very helpful if you could set in required interval to monitor the total traffic that could feel the traffic in your hands.

I have used it for five years.

No issues encountered.

No issues encountered.

I rate the level of technical support 9/10.

It was straightforward for minimal configuration and requirements, CLI for complex configuration.

Pricing and licensing is good and it depends on what the business solution requires.

FortiNet shows me the health of the entire network. Evaluate how you would use FortiNet UTM. Look for the solution which fits your business infrastructure requirements such as VPNs, firewalls, application and web filtering, throughput, and most of all, which device which gives you the best performance.

It is a stable product. 

Fortinet WAF came out recently, and there is not much feedback about customer experience. For each project, customers ask about the scenarios and references of the customers who have implemented this solution, which we don't have. They need to simplify the customer experience and provide more information so that we can propose Fortinet Fortiweb as a WAF solution to customers and convince them.

They need to improve their service and training. We need good training to implement and use it properly and know more about it. We still don't know much about Fortinet WAF. We didn't get any proper training sessions. Other vendors like Cisco, Palo Alto, Check Point, and Barracuda provide such sessions. Whenever we receive a request from a customer for this solution, we just give the price. We don't propose this solution because we don't know much about it. We propose whatever we are familiar with and what is supported.

We have been using Fortinet FortiWeb for four years. 

Its stability is fine wherever we have implemented it.

Its support is a bit difficult to get. They need to improve the service. 

It is straightforward, but we still need good training.

It is fine now. We had to earlier negotiate the price.

We are a solution provider and system integrator company. We work for DCC countries. We deal with Fortinet, Meraki, Sophos, Check Point, Barracuda, and Juniper SRX solutions.

Fortinet FortiWeb is comparable to Barracuda. We don't have many customers for Fortinet WAF, and we couldn't get that much good feedback. We mostly use Barracuda WAF. We use it even in the cloud environment. 

Fortinet is fine on the firewall side. We haven't sold many Barracuda firewalls, but for WAF, we mostly use Barracuda. We prefer Barracuda because they provide good training, and they always follow up. Customers also prefer Barracuda or any other WAF service. Customers receive good support from Barracuda. Fortinet WAF is rare. 

I would recommend this product only based on customer requirements. At the end of the day, how you install, configure, and meet customer requirements are more valuable. I never place a product ahead of a customer. Fortinet WAF might not be suitable for certain customers. Similarly, Barracuda WAF might not be suitable for certain customers. I always get customer requirements and then supply the product according to their requirements.

I would rate Fortinet Fortiweb a five out of ten. It is neither good nor bad.

We mainly use it for protection. OS scanning and load balancing are two of its main use cases.

My team is most probably working with its latest version. In terms of the deployment, lately, it has been on the cloud because the end-user-facing web applications are usually live on the cloud.

Banks have to be compliant with PCI and other things, and FortiWeb is absolutely amazing in terms of providing these reports. Otherwise, they will have to spend a lot of time on them.

The compliance piece is the best feature. Load balancing is also valuable, which is something that all web application firewalls do. Another valuable feature is high availability. You can scale it very well. Load balancing and high availability are the two reasons why we picked it for a couple of banks.

From the feature perspective, it is pretty rich. The automation piece can be improved. Although they say it can be automated very well, there is still manual work. Its usability should be improved in terms of automation because we want to build an infrastructure with code, but you can't do that easily with this solution. If they can give us APIs in the firewalls that we can tap into, it would be perfect. 

I would also like it to scale automatically based on the traffic.

I have been using this solution for about six years.

I've never seen any issues, but when you turn on all the features or every single scanning, that's when it slows down a bit.

It is scalable, but it is a roundabout way of automated scaling. It is not truly automated scaling. In general, when the size is okay, scaling is not a problem. I would like it to scale automatically based on the traffic, but that doesn't happen because automation is not there.

I haven't seen any big issues with performance. We ran 20,000 connections through it, and it was okay. When you deploy it in the cloud, you can increase the size of the VM, and with extra licensing, it is fine performance-wise.

It is suitable for medium and large customers. My team has deployed at least 500 of these in the last few years. In general, it's okay. We don't have any issue with it.

They have been pretty good, honest, and upfront. It all comes down to expectations when you buy these things.

I know the country manager very well. He is my friend for Fortinet. They are very good in terms of support. 

When you buy these things from a marketplace like Amazon or AWS, the support is not as good as it can be because the first line of support is the cloud provider, and then there is the vendor. So, our preference usually is to go directly to the vendor because they know more about it.

One of the best things about Azure Firewall is the automation. There is a huge difference. The second thing is pricing. 

With FortiWeb, when you want to buy HA, you need to start designing high availability across different regions. With Azure, it comes by default.

It depends on the customer and the use case. Usually, it's straightforward, but as you add more applications, it can become more and more complex.

The deployment duration varies. Usually, designing, building, and putting in production take about four weeks, but it also depends on the application type.

It requires maintenance all the time. Everything requires maintenance. Usually, we build it and operationalize it, and we then hand it over to the customer.

It keeps changing, but it's based on the size of the VM you buy and also the traffic throughput you want from it, whereas what we have on Azure is just the traffic throughput. You can also pay on a monthly basis from Azure. During each part of the project, it's okay to get Azure-based licensing or AWS-based licensing for FortiWeb, but over time, you would want to go with the perpetual license. You should go to Fortinet and buy the license from them. So, there is a two-step process there.

I would advise getting the right engineer. You need someone who is a specialist, and that's very important.

I would rate it an eight out of 10. 

• Firewall
• Load balancing

It makes our web site system work nice and smooth.

The UI is a little complicated for new users.

I have been using it for over a year.

I have not yet encountered any stability issues.

I have not yet encountered any scalability issues.

I have even contacted technical support once.

My web site used MS NLB service for load balancing and IPS firewall at first, but when our site's connection grew bigger, we discovered that we needed another solution. We chose FortiWeb after a little research into the market.

Initial setup was straightforward.

The pricing is a little high.

We use them for VPN, standard layer 4, web filtering, anti-malware and DLP – they are used as our perimeter firewall solution.

I would not say it has improved how we function because I think that other leading vendors firewalls are as good. However, I do think that FortiGate can do it at a much better price point than, for example, Cisco ASA or Palo Alto.

The CLI could be improved by removing all default syntax from the config. The debugging of crypto VPN is not as informative as other vendors’ firewalls. The GUI is also not as good as some vendors, but overall as a package and considering price, it still provides value for money.

I first used the Fortinet solutions in 2005 when it was version 2 & 3; since then, it has matured a lot and is much better. I would definitely recommend it, primarily on value for money. For the newer versions, I have been using 1000C and 300D, with FortiGate VM01 firewalls running a mix of software versions 5.4 and 5.2 for almost two years.

I did not encounter any stability issues.

FortiManager is required for scalable managing of multiple devices, but we do not have enough to need that. I think that the logging could be better but for that, FortiAnalyzer is recommended, which we do not have.

We have not needed to use Fortinet TAC.

This solution replaced some old Juniper ISG firewalls that were EoL; nobody in the company had Juniper SRX experience and the choice was made for Fortinet before I started at the company.

Initial setup for what we need to use it is very straightforward. There are certain features (such as TACACS) where you need to use CLI, but most things can be done with the GUI.

Very competitive; Fortinet would always be an option for a perimeter firewall for me if I were needing new kit. I would always include it in any quotes and options, although depending on the requirements, I might decide to choose something else.

I have used firewalls that I find easier to manage, configure and troubleshoot. However, the Fortinet firewalls are pretty good, and in terms of value for money, they are outstanding.

Pros: Cost for performance, very feature rich, GUI is pretty good.

Cons: Debugging is not as good as I find Cisco ASA. CLI is overly complicated by all syntax showing in the configuration. The GUI is not as nice as CheckPoint or Palo Alto.

Evaluate the product first and compare it to what you are used to and what you want. It provides very good value for money, but if the budget were there, I would probably choose another vendor in certain circumstances.