What is our primary use case?
We have multiple environments. Some applications are in Oracle Cloud, some are in Azure, some are in GCP, and some are on-prem. We wanted a single solution for web applications, and that's why we chose FortiWeb. In the case of the cloud, we don't even have to manage it. It's a managed service from Fortinet.
How has it helped my organization?
We have not been using it for a very long time. It has only been eight months, and so far, there have been two main benefits. The first benefit is that if I have an on-prem solution, I can buy their hardware and deploy it, but the configuration is the same. If I have a cloud, I can use FortiWeb as a service or as a virtual machine. It depends on requirements, but the configuration remains the same. The configuration doesn't change. We have a lot of global parts and a lot of teams are working on it, so it gets easy to communicate and verify the configuration and create a baseline.
Costing is another benefit. The cost is based on the traffic. If an application is used, we pay for it, but if it's not used, we don't have to pay for it. With other solutions, we have to buy the solution, and then we have to purchase or take licenses. If they aren't used, we are just burning money without any use.
We are using anomaly detection and bot mitigation. In terms of anomaly detection, it is able to find the behavior. We have some applications where normal users are logging in from India, and if the behavior changes, it gives us an alert, but in terms of bot mitigation, I haven't found much.
It's easy to use. I don't have to make any changes in my environment. For example, if I use Azure WAF, I have to use a traffic gateway, load balancer, or something similar, whereas, with FortiWeb, I don't have to change any architecture. I just have to change my DNS entry. That's it. If I'm able to change my DNS entry, FortiWeb works.
Adding new applications is also quite easy. You just add the application and change the DNS settings, and you are good to go. Whether you want to block or unblock, or you want the learning mode or protection mode, you can enable or disable it with just one click, and you are good to go. Most of the settings are already there if you want to tweak them. It has a GUI. You have to click here and there. The documentation is also good. If I don't know something, their documentation is quite helpful. A lot of people are using Fortinet, so YouTube videos and articles are also available.
The configuration part is easy. The configuration and implementation process is streamlined. We don't have to change anything. We don't have to follow 10 processes. It's a single process with which everybody is familiar. Manpower and manhours are saved because a lot of discussions are avoided. It also helps us in creating a baseline. We now have a baseline of what we need. So, from an instant response point of view, it's easy for us because we are getting the same results out of it.
It has reduced false positives. As compared to my old solution, there is at least a 17% to 18% reduction.
It has reduced the number of alerts that our organization receives. There is a 50% to 60% reduction in alerts.
It has saved us time. We were spending around three to four days setting up our old solution, whereas now, we are spending a maximum of four hours.
What is most valuable?
The ease of configuration is valuable. We have Azure WAF, we have OCI WAF, and we also have Cloud Armor for GCP, but their configuration isn't very easy. It's pretty simple in FortiWeb, and we can enable or configure whatever we want.
Its cost is also good. If I'm using an application for 15 days, I pay only for 15 days.
FortiWeb is good for blocking unknown threats and attacks. I've done a PoC with Azure WAF and OCI WAF, and in comparison, FortiWeb is quite good.
What needs improvement?
The dashboards are not that configurable. Application-specific dashboards can be improved. If we have 50 applications, there should be something to see what's happening with these 50 applications. There could be a graph or a consolidated alert page where all alerts are inbuilt. They have other products that I can use, but this feature should be built into FortiWeb.
Reporting could also be better. There should be inbuilt reports that we can use to present on how it is benefiting and other things. We should be able to get reports in PDF or other common formats.
For how long have I used the solution?
It has been around eight months.
What do I think about the stability of the solution?
Its stability is good. Stability-wise, there aren't any major differences among Azure WAF, OCI WAF, Google Cloud Armor, and Fortinet FortiWeb.
What do I think about the scalability of the solution?
If I'm using FortiWeb as a service, I don't have to care about scaling because everything is taken care of by Fortinet. From a scaling point of view, I don't have to do anything. If it's on-premises, we already know how many users are going to use it, and we can decide on the model accordingly. So far, we haven't had to scale it up for any project.
How are customer service and support?
I've not contacted them for FortiWeb. We are also using Fortinet firewalls for which I've taken their help.
Which solution did I use previously and why did I switch?
We had our own solution. We called it SecOps. It had something from Red Hat and something from OPNsense. We built it that way. We were using that. We switched to FortiWeb because of two reasons. The first reason was the cost, and the second thing was that we wanted a single solution that can be implemented everywhere. We are from R&D. We decide on a solution, and then our product team implements it. When we have multiple tools, operations and maintenance become quite a headache because every tool has its own learning curve. All tools are not the same.
How was the initial setup?
We have on-premises as well as public cloud environments. We have Azure, OCI, and GCP.
Its initial setup is straightforward. It takes a little bit more time the first time because we have to set up the subscription, etc. Next time, it takes only around four hours.
What about the implementation team?
We implemented it in-house. We are a global team, so a lot of people were involved. From the R&D side, at least five to six people were involved.
In terms of maintenance, when it's on-prem, some sort of maintenance is required in terms of firmware upgrades. We also follow ISO standards, so we have to do maintenance. We have a requirement to check everything once a month, but FortiWeb doesn't take much time.
What was our ROI?
We have been using it only for eight months, so I need more time to see its price-performance ratio, but it's worth the money. I'm getting what I'm paying for.
There are time savings. Previously, we were spending four to five days setting up our SecOps solution, whereas now, we are spending only four hours.
What's my experience with pricing, setup cost, and licensing?
When I use any other firewall, I have to take a license. It could be a perpetual license or subscription-based. In both cases, we have to pay some amount in advance, whereas in the case of FortiWeb, when using it as a service, I am paying half a dollar only for the domain name, and then I am paying based on the traffic or the number of requests. In every organization, there are some applications that are heavily used, and there are some applications that are not heavily used. So, why go with a yearly, three-yearly, or five-yearly plan when you can just pay based on the traffic that WAF is processing? Previously, for each project, the cost was $800 to $1,000 per application. Now, it's $100 to $120. For some of the applications, there is a 90% reduction, and for some of the applications, there is a 50% reduction. We're paying only $500 to $600.
Which other solutions did I evaluate?
We checked OCI WAF, Microsoft Azure WAF, Google Cloud Armor, and Fortinet FortiWeb. We also checked other WAF solutions such as Akamai and Cloudflare but didn't do a PoC with them. We did a PoC with OCI WAF, Microsoft Azure WAF, Google Cloud Armor, and Fortinet FortiWeb.
We went for Fortinet FortiWeb because we wanted a single solution that can be implemented anywhere. If we use Azure WAF, it would be hard to use in GCP. We have to create a connection between both, whereas we can implement Fortinet FortiWeb on any cloud. If we have on-prem applications, we can implement FortiWeb hardware as a solution. In some places, we have strict requirements. If it's a VMware data center, they also have the FortiWeb VM solution. If we want to use Docker images, they also provide Docker images. We can just use a single tool. We are not dependent on multiple tools.
What other advice do I have?
Every team has different requirements, but if you need an easy solution that can be deployed in a very short time, FortiWeb is the right one. It doesn't need too much expertise when you're initially configuring it, and even if you're testing it, the cost is quite low. It's good even for small projects.
It has the API gateway functionality, but we aren't using that. We are also not using API discovery and API security. I've enabled machine learning, but we have not used it a lot. We are in the exploring phase.
Overall, I'd rate Fortinet FortiWeb an eight out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.