What needs improvement with Fortinet FortiWeb?

Fortinet's technical support is pretty slow, especially when you have quick questions. The support kind of delays itself and sometimes takes more time. That's the only thing that I can think of at the moment.

One area that needs improvement is the handling of SaaS downtime. When there is downtime at their data center, it becomes a transit point issue for us, causing downtime in our environment as well. Although measures like built-in redundancy and manual switching between data centers exist, there is room for improvement in making these transitions automatic without impacting the customer. Automating the migration without manual intervention would significantly enhance user experience during downtime. Additionally, being able to read non-flagged traffic for operational purposes could also be an area to improve.

The solution could improve its ease of use and add more advanced WAF features in future releases.

The tool's WAF or web application firewall area has certain aspects that can be improved. I cannot find what features superficially can be improved in the WAF area of the tool. Fortinet FortiWeb can be applicable for small or big networks. In my opinion, Fortinet FortiWeb can manage or improve its log management capabilities. As far as I know, FortiGate has a limit, which means it can be used for logging for seven days, and maybe it is because Fortinet wants to speed up the selling of another product called FortiAnalyzer. FortiAnalyzer is a device dedicated to logging analytic solutions. Fortinet may limit the capability of logging in Fortinet devices so that customers buy FortiAnalyzer for log analytics.

Though the reporting is a nice aspect associated with the tool, I feel that it has certain shortcomings and can be made better. The reporting part can provide more information and be more specific. Fortinet FortiWeb's admin guide could offer more, like, examples or features on how to implement the tool. It can provide information on how a user can make use of it in different usages, and that can help a lot. The admin guide is satisfactory, and it meets our company's needs. Actually, my company would like it if the product could implement scanning attachments for exchange for assets or exchange needs. The aforementioned area consists of the feature that my company wants to apply, but it is not supported in Fortinet yet. My company needs the product to support us in the aforementioned area, and it can help us a lot by providing a layer of security that can check files and attachments in emails and other stuff, which would be great.

Maybe the load balancing options could be enhanced. FortiWeb provides very good protection for web applications, web servers, and mobile apps, but the load-balancing capabilities and mechanisms are not as well-developed as those of other products like F5. Currently, we need to purchase another solution, like FortiADC, for load balancing. It would be better if the load balancing features were more integrated and advanced within FortiWeb itself so it could handle both load balancing and web application firewall functions.

I'd like more customization. I'm not sure if everyone would agree, as it might add complexity. But for advanced users, it would be really useful to have access and the ability to manipulate packets. If we can access and manipulate the contents of packets, even encrypted packets... that would be powerful. Since we're looking at packets arriving at our network, we would have the private key to access those packets and their information. For example, I have an encrypted packet, and I have the private key for the certificate provided in that client. If I could tell FortiWeb, "After the packet is decrypted, if you see this thing, do that thing," that would be beneficial for advanced users. It would open up the possibilities for load balancing and specialized protection that we need but might be outside of the standard feature set. Maybe we need to manipulate a variable with a specific name that's only relevant to our security needs. That customization would be very beneficial.

The software's support services could be better compared to Sophos.

The product’s stability could be improved.

I think customers have the impression that FortiWeb is primarily for SMEs, but FortiWeb should work to expand its market share and adjust its branding. F5 and some other firewalls are easier to customize. FortiWeb could be more flexible and customizable. The documentation could also be improved because many of the advanced features aren't fully documented.

One area that needs improvement is using IP addresses within templates. If you allow an IP address to access an application, you should be able to leave a description of that. For example, we allow clients to access these services, and some are restricted to the IP address. When you add an IP, there's no way within the product to say what the IP address is. We need to maintain a separate external list because we need to remove any IP address associated with a client if they stop using our services. In many other products, you can create an object specifying that this IP address is for a client of this name or this service. You don't have this ability within FortiWeb. Another area for improvement is logging. When troubleshooting, the logs sometimes take a while to update. We've had people report that some things aren't logged if they're successful. It's a bit hit-and-miss. For example, sometimes people access one of our services, and it's successful, but we don't see that in the logs.

Their documentation is fairly complete, but it's sometimes a little bit difficult to search for exactly what you're looking for to resolve an issue. There have been times when we've gone to try to search for areas that we needed to get information on, and it has not always been extremely clear exactly how a particular thing needs to be set up. It sometimes takes a little bit of research to dig into figuring out exactly what it is. More examples would be helpful on what they have. The information sometimes doesn't relate directly to the state of the product at the time, so examples would be helpful.

At the moment, it's very easy to see if an attack has come in, and what they've done. What I would like to see is that they turn on all logging so that we can even see legitimate traffic. But still, that's a very minimal issue. It would also be helpful if they could introduce easier reporting. It's good to have those reports that go to C-level management, and Fortinet does provide some graphs, but if they went into some more detail, that would be great. Then I wouldn't have to do it myself.

I know that we have run into some issues with an SSL certificate and how it functions. Sometimes this breaks connectivity or just limits certain websites that are whitelisted.

The initial setup could be simplified.

It can be better with web application firewalls. It is already close to the best in class. This product is up to the mark right now.

A better load balancer is needed when multiple servers are used for the same website. A dynamic routing protocol needs to be included with the next release. The solution does not handle batch migration as well as F5 Advanced WAF.

Fortinet FortiWeb could improve data integration.

We had some trouble using some features. Maybe we understood it the wrong way when reading the manual. We had to implement some workarounds to help this problem. The GUI could be better. It's limited.

The initial setup process could be improved.

In my experience, Fortinet FortiWeb could improve the intelligent features to acknowledge whether any threat or incident that's running happened. Then give us the ability to escalate it to layer 2 or layer 3 in the network operations.

From the feature perspective, it is pretty rich. The automation piece can be improved. Although they say it can be automated very well, there is still manual work. Its usability should be improved in terms of automation because we want to build an infrastructure with code, but you can't do that easily with this solution. If they can give us APIs in the firewalls that we can tap into, it would be perfect. I would also like it to scale automatically based on the traffic.

The machine learning feature of the solution could be improved. No solution is 100% secure and the security could always be worked on.

The F5 solution has more features than Fortinet FortiWeb, such as multiple load balancing.

The memory use in each of the appliances is problematic.

The solution could improve by being able to handle different use cases.

During the POC we did encounter problems. For example, the integration with the HSM for storing keys was not ideal. The downside is on the security side and is the firewall. When you look at the firewall, it doesn't do decryption and you have to depend on other third-party tools to do that. Or you would have to use another FortiGate product which makes things a little complicated. Today, people look for simplicity in terms of design. That's one downside to Fortinet's Firewall. The downside to FortiWeb is it had issues integrating with HSM. They fixed the issue, however, it took a long time to fix and it wasn't pleasant. I had to work with deadlines and I could not make the deadlines due to the slow timeline on their side. For the firewall, when you deploy IPS, the IPS doesn't have visibility into encrypted traffic and 70% of traffic these days is encrypted, and that's the conservative figure of the actual percentage. If your IPS doesn't have that visibility, then it is not really doing the job that it has to do. In comparison, Palo Alto is the best firewall in terms of performance and has the technical specifications that we need. The support side of things can be improved. They need to quickly tend to issues and resolve them as soon as possible. Those are the expectations.

FortiGate could be improved on the security end because we've had some incidents with the customer. Otherwise, there is no problem.

The dashboard evaluating the performance of each application connected to the web app's firewall is quite helpful, but the tool is only available in application performance management. So I think if Fortinet could better integrate that particular feature, it would add a lot of value to the product.

The solution could offer more integration opportunities.

We have had problems with deployments where we've had to contact technical support to resolve them.

When we look at the incident reports in the dashboard, they are available for a maximum duration of 24 hours. They should provide more time for the analysis and increase the duration of the availability of these reports. Currently, it gives the options for 5 minutes, 1 hour, and 24 hours. It would be excellent if there are more options for a longer time period. It may be configurable, but I don't know how to do it.

The initial setup in our data center was somewhat complex.

They can introduce a scaled-down version for the SMB market. It would be very competitive in the environment.

I would like to see the Application Delivery Control (ADC) and Web Application Firewall (WAF) combined in one device. For example, if I have one device that costs $2,600 USD then it can have two licenses, where it can operate as a load balancer as well as a WAF.

Troubleshooting features could be incorporated with this solution. The reporting could be optimized.

They could improve their support a little bit for faster response time.

It may be better if it were easier to create roles. The interface could be a bit better. Everything is pretty manual. We do need to improvise a bit. Automation might make it easier. The pricing is a little bit high for us.

User administrative controls could be a little bit better. I guess that would be the main thing. The usability within Fortinet could be a little bit easier on the users. But it is what it is. The thing that was more difficult was not the tool itself but dealing with the logistics of the compliance issues. I was applying a standard set of rules to an AWS firewall. It served a purpose. The complex part of the solution was more of a compliance issue.

Fortinet WAF came out recently, and there is not much feedback about customer experience. For each project, customers ask about the scenarios and references of the customers who have implemented this solution, which we don't have. They need to simplify the customer experience and provide more information so that we can propose Fortinet Fortiweb as a WAF solution to customers and convince them. They need to improve their service and training. We need good training to implement and use it properly and know more about it. We still don't know much about Fortinet WAF. We didn't get any proper training sessions. Other vendors like Cisco, Palo Alto, Check Point, and Barracuda provide such sessions. Whenever we receive a request from a customer for this solution, we just give the price. We don't propose this solution because we don't know much about it. We propose whatever we are familiar with and what is supported.

The Layer 7 DDoS attacks need improvement, it could be better. When you compare it with the F5 solution, FortiWeb is weak in detecting the Layer 7 DDoS attacks. At times, it generates several false positives and there should be fewer. In the next release, I would like to see better DDoS protection. It's an essential feature that should be included.

We are considering an upgrade to our firewall because our current version is not compatible with our FortiAnalyzer. As there is an incompatibility, we have been advised by Fortinet that an upgrade is necessary to avoid issues. We believe this product will become obsolete. It needs to better integrate with other platforms. In terms of performance, it needs to be more robust. During the lockdown, we are connecting to a VPN and the connection should be faster, there should be RAM or more hardware. Also, it should include security features.

FortiWeb needs to have support for the newest technology being used in web applications. For example, some companies have developed new features using the latest technology, but we are still waiting for Fortinet to support them.

The integration with other products should be improved. This product does not come with bare metal protection, so we need more network features. We don't want to be as dependent on a separate next-generation firewall. The pricing could be made more competitive.

We would like the interface to be easier to use and more user-friendly. The interface needs to be enhanced. We had trouble understanding it at first, but we got used to using it after six months. Then, it was simple to use.

Describing security rules should be improved. It's tricky to define new feature tools when you want to describe an attack pattern and want to block it.

More templates should be made available for reporting. I would like to see more improvements with respect to threat intelligence.

What I would like to see improved in Fortinet FortiWeb will probably be included in the next release. The legal feature needs better step-by-step use of the form. We use the FortiGate guidebook for step-by-step instructions. But the FortiWeb guidebook is only is a demonstration kit which is not enough for a new installation.

The solution is rather complicated. If you know what to do, it's not bad, but it's complicated for a first time user to configure the solution. What I'd like to improve are the custom signatures. If you want a good security solution, you have to get in kicking high for things that are getting blocked and you have to whitelist some signatures to make things work. It's a time-consuming thing to do. It would be nice to whitelist private IP ranges and see which signatures are hit and whitelist them automatically - which I think is possible to do. It would also be nice to have some extra security in the solution. I just upgraded to 6.0 and there were some security additions, but it would be nice to have some more and be able to configure them in the right way. Specifically, an updated security policy would be nice.

We would like to know more about the integration with the hardware or security products, such as Gemalto, because we need to move to that point. But, from what I understand, we haven't looked at the market to see how this can be done yet.

First of all, upgrade path should be introduced for scaling up or down VM deployment. Second, they need to include better wizards for publishing common applications like MS Exchange. .

New releases and old releases have some bugs, some features do not work as good as we want but every new release the Fortinet team fixes up problems. I don't have anything to say about what to do to improve this product. It's a great solution for us.

I would like to have an antivirus option.

FortiWeb does not exist in a cloud-based form. Its only available for deployment as a virtual appliance on AWS and Azure IaaS platforms. Because of the trend to WAF environments, it would be good to have it as a SaaS. Also, FortiWeb would be more competitive if it combined WAF and DDoS protection.