Fortinet FortiWeb Reviews

We are a payment processor with infrastructure deployed across various environments, including AWS, on-prem, and various other environments. We are PCI Level One certified, and one of our requirements is WAF. FortiWeb is a tool we use to secure access to our public-facing applications and services.

Our environment is primarily cloud-based, and all of our services are AWS. We were in the process of migrating to the cloud when we implemented FortiWeb, but we still needed to maintain some on-premise infrastructure to serve different regions. We were happy with the solution after deploying it in the cloud, so we discussed the possibility of also using it with our on-premise applications based on the initial results. Many of those services are now moving to the cloud, so we won't deploy them on-premise anymore. 

We are using FortiWeb across multiple locations in London and Singapore, so we have WAF services sitting in front of applications across both sites. Our applications include various payment processing platforms, fraud prevention tools, and other related customer-facing services based in various locations within the AWS cloud.

A ten-person network team is responsible for administering FortiWeb. It's difficult to say precisely how many end-users there are because we provide this solution to third parties, but around 160 clients connect to the applications behind these services. Our clients are typically small or medium-sized enterprises.

FortiWeb provides an additional layer of security that we didn't have previously. We have a next-generation firewall deployed in our cloud infrastructure, but the WAF is the most external-facing piece. The WAF passes traffic to our internal next-generation firewalls.

We have also benefited from FortiWeb's load-balancing capabilities. FortiWeb enables us to load-balance without the need to take on an additional service. In most cases, we've been able to use load balancing provided by the AWS gateway. We have two servers with services deployed across multiple availability zones behind there. In addition to security, WAF allows us to load balance traffic across those servers in various availability zones without adding more load balancers.

FortiWeb streamlines tasks because we've eliminated other functions like load balancing. The API is also excellent. Someone on my team created an application that integrates with the API to quickly add new IP addresses without changing the templates. We've found it's helped us streamline some of our usual BAU tasks.

We already had a low false positive rate, but FortiWeb has lowered it further. Detections in our report tend to be accurate. We still get occasional false positives, but some of that probably relates to our custom-built applications. FortiWeb decreased our false positives by around 30 percent. 

We used to get a lot of alerts from our traditional firewall, but the number has declined significantly since deploying FortiWeb. It was a reduction of about 70 to 80 percent. The alerts coming from FortiWeb are helpful. They inform us of things that require action. We previously got many alerts from our public-facing services. We didn't have an efficient means of getting alerts. The same threat provided multiple alerts. That would keep going and could be overwhelming at times.

FortiWeb's ease of deployment is what we liked the most about it. Implementing FortiWeb was extremely fast and easy, which was a significant advantage. It comes with several preconfigured rule sets and templates. 

FortiWeb effectively addressed unknown threats. We get regular reports that we check. So far, we've had no issues at all. Around 99 percent of our public-facing infrastructure is restricted by source IP to our partners' networks, so our attack surface is restricted. WAF picked up and blocked any attacks before they can impact us. 

FortiWeb is effortless to use and manage. The documentation is excellent, which is another huge advantage. The layout is logical and intuitive. You can create templates and reapply them to new applications, so we don't need to do a fresh configuration for each application. We have a template that represents our security benchmark. There are a few exceptions that we need to add for each application, but we can redeploy the security benchmark template for each new application that we create.

One area that needs improvement is using IP addresses within templates. If you allow an IP address to access an application, you should be able to leave a description of that. For example, we allow clients to access these services, and some are restricted to the IP address. When you add an IP, there's no way within the product to say what the IP address is. 

We need to maintain a separate external list because we need to remove any IP address associated with a client if they stop using our services. In many other products, you can create an object specifying that this IP address is for a client of this name or this service. You don't have this ability within FortiWeb. 

Another area for improvement is logging. When troubleshooting, the logs sometimes take a while to update. We've had people report that some things aren't logged if they're successful. It's a bit hit-and-miss. For example, sometimes people access one of our services, and it's successful, but we don't see that in the logs. 

I've been using FortiWeb for around 18 months. 

FortiWeb is highly stable. I can't recall an instance when we've had any issues. Our services are used constantly. For example, we have a fraud prevention tool that various banks and FinTech companies access, and FortiWeb is deployed behind it. We've never had a problem with availability due to FortiWeb. The solution is 100 percent stable and available. 

I'm satisfied with FortiWeb's scalability. It's always met the needs of our applications. We can deploy it in any application that we want to deploy behind. 

I rate Fortinet support an eight out of ten. The technical support has gotten better. There were a few difficulties when we first raised some calls. It was a new product, and we weren't getting clarity on whether some of the actions we asked about were possible. Initially, the response was also a bit slow. We chalked that up to the fact that we were early adopters of the product. The support has improved since then, and we're happy with it today. 

Positive

We didn't have a WAF solution, but we used Palo Alto Networks Next-Generation Firewalls. While these firewalls had many WAF capabilities, they weren't considered WAF products. 

Our main reason for deploying a WAF solution was to satisfy regulatory requirements. To get a PCI Level One certification, we need a WAF on some of these public-facing services. FortiWeb Cloud ticked all the boxes and met our requirements.

I initially deployed a lot of the applications. It was so quick and easy. FortiWeb took about a week to deploy, including assessment and testing. We had to create a new environment. Much of our on-premise infrastructure was closed off in the past, so we required no WAF for regulatory compliance. 

To create this new environment, we onboarded some new services that were classified within the scope of PCI. They were deployed in the old way with firewalls. However, our QSA said we needed to have services behind the WAF, and we were being assessed in a week. We had to find and deploy a WAF before we were audited. 

I have a team, but I and one other engineer were involved in the deployment. After the setup, FortiWeb requires minimal maintenance, which is one aspect we like about it. We've occasionally had to open a support ticket for the odd bug that's come up. There's typically no maintenance on our end. I can't think of a time when we've had issues with availability from FortiWeb. 

It's hard to calculate an ROI monetarily.  Some of the services we provide based on FortiWeb are charged to the clients. I can't say much about it from that perspective. However, we've seen benefits from a time and resource perspective. Also, having a cloud-based WAF means we don't need to maintain the infrastructure, and we can quickly deploy new applications. We derive a massive value from the reusable templates. 

We also save money and resources because we don't need to deploy more EC2 instances or use additional products for load balancing and other functions. That's potentially an 80 percent reduction in those costs.  

FortiWeb is transparent about how much each application costs. When you create an application, it will tell you the estimated cost. The licensing is clear, so we can see that we're getting a good value. 

We're satisfied with the price. Our organization sometimes questions if we're getting our money's worth, but we get a decent value from FortiWeb for the price. Everyone on our team and within the infrastructure area is happy with it.

I'm the network team lead, so I assessed and deployed FortiWeb. I looked at several options. I knew the Fortinet brand but was unfamiliar with FortiWeb WAF. After researching it, I recognized that it was potentially a product that we could use. I did a demo and found that it ticked all the boxes.

I rate Fortinet FortiWeb a nine out of ten. I would definitely recommend the solution. FortiWeb is rich in security features and additional features like load balancing. It's one of the best products we use. 

It's easy and quick to deploy. The documentation is excellent. We are pleased with the product and see it as an integral part of deploying new applications in the cloud or on-premises efficiently.

We have multiple environments. Some applications are in Oracle Cloud, some are in Azure, some are in GCP, and some are on-prem. We wanted a single solution for web applications, and that's why we chose FortiWeb. In the case of the cloud, we don't even have to manage it. It's a managed service from Fortinet.

We have not been using it for a very long time. It has only been eight months, and so far, there have been two main benefits. The first benefit is that if I have an on-prem solution, I can buy their hardware and deploy it, but the configuration is the same. If I have a cloud, I can use FortiWeb as a service or as a virtual machine. It depends on requirements, but the configuration remains the same. The configuration doesn't change. We have a lot of global parts and a lot of teams are working on it, so it gets easy to communicate and verify the configuration and create a baseline.

Costing is another benefit. The cost is based on the traffic. If an application is used, we pay for it, but if it's not used, we don't have to pay for it. With other solutions, we have to buy the solution, and then we have to purchase or take licenses. If they aren't used, we are just burning money without any use.

We are using anomaly detection and bot mitigation. In terms of anomaly detection, it is able to find the behavior. We have some applications where normal users are logging from India, and if the behavior changes, it gives us an alert, but in terms of bot mitigation, I haven't found much.

It's easy to use. I don't have to do any changes in my environment. For example, if I use Azure WAF, I have to use a traffic gateway, load balancer, or something similar, whereas, with FortiWeb, I don't have to change any architecture. I just have to change my DNS entry. That's it. If I'm able to change my DNS entry, FortiWeb works.

Adding new applications is also quite easy. You just add the application and change the DNS settings, and you are good to go. Whether you want to block or unblock, or you want the learning mode or protection mode, you can enable or disable it with just one click, and you are good to go. Most of the settings are already there if you want to tweak them. It has a GUI. You must have to click here and there. The documentation is also good. If I don't know something, their documentation is quite helpful. A lot of people are using Fortinet, so YouTube videos and articles are also available.

The configuration part is easy. The configuration and implementation process is streamlined. We don't have to change anything. We don't have to follow 10 processes. It's a single process with which everybody is familiar. Manpower and manhours are saved because a lot of discussions are avoided. It also helps us in creating a baseline. We now have a baseline of what we need. So, from an instant response point of view, it's easy for us because we are getting the same results out of it.

It has reduced false positives. As compared to my old solution, there is at least a 17% to 18% reduction.

It has reduced the number of alerts that our organization receives. There is a 50% to 60% reduction in alerts.

It has saved us time. We were spending around three to four days setting up our old solution, whereas now, we are spending a maximum of four hours.

The ease of configuration is valuable. We have Azure WAF, we have OCI WAF, and we also have Cloud Armor for GCP, but their configuration isn't very easy. It's pretty simple in FortiWeb, and we can enable or configure whatever we want.

Its cost is also good. If I'm using an application for 15 days, I pay only for 15 days.

FortiWeb is good for blocking unknown threats and attacks. I've done a PoC with Azure WAF and OCI WAF, and in comparison, FortiWeb is quite good.

The dashboards are not that configurable. Application-specific dashboards can be improved. If we have 50 applications, there should be something to see what's happening with these 50 applications. There could be a graph or a consolidated alert page where all alerts are inbuilt. They have other products that I can use, but this feature should be built into FortiWeb.

Reporting could also be better. There should be inbuilt reports that we can use to present on how it is benefiting and other things. We should be able to get reports in PDF or other common formats.

It has been around eight months.

Its stability is good. Stability-wise, there aren't any major differences among Azure WAF, OCI WAF, Google Cloud Armor, and Fortinet FortiWeb.

If I'm using FortiWeb as a service, I don't have to care about scaling because everything is taken care of by Fortinet. From a scaling point of view, I don't have to do anything. If it's on-premises, we already know how many users are going to use it, and we can decide on the model accordingly. So far, we haven't had to scale it up for any project.

I've not contacted them for FortiWeb. We are also using Fortinet firewalls for which I've taken their help.

We had our own solution. We called it SecOps. It had something from RedHat and something from OPNsense. We built it that way. We were using that. We switched to FortiWeb because of two reasons. The first reason was the cost, and the second thing was that we wanted a single solution that can be implemented everywhere. We are from R&D. We decide on a solution, and then our product team implements it. When we have multiple tools, operations and maintenance become quite a headache because every tool has its own learning curve. All tools are not the same.

We have on-premises as well as public cloud environments. We have Azure, OCI, and GCP. 

Its initial setup is straightforward. It takes a little bit more time the first time because we have to set up the subscription, etc. Next time, it takes only around four hours.

We implemented it in-house. We are a global team, so a lot of people were involved. From the R&D side, at least five to six people were involved.

In terms of maintenance, when it's on-prem, some sort of maintenance is required in terms of firmware upgrades. We also follow ISO standards, so we have to do maintenance. We have a requirement to check everything once a month, but FortiWeb doesn't take much time.

We have been using it only for eight months, so I need more time to see its price-performance ratio, but it's worth the money. I'm getting what I'm paying for.

There are time savings. Previously, we were spending four to five days setting up our SecOps solution, whereas now, we are spending only four hours.

When I use any other firewall, I have to take a license. It could be a perpetual license or subscription-based. In both cases, we have to pay some amount in advance, whereas in the case of FortiWeb, when using it as a service, I am paying half a dollar only for the domain name, and then I am paying based on the traffic or the number of requests. In every organization, there are some applications that are heavily used, and there are some applications that are not heavily used. So, why go with a yearly, three-yearly, or five-yearly plan when you can just pay based on the traffic that WAF is processing? Previously, for each project, the cost was $800 to $1,000 per application. Now, it's $100 to $120. For some of the applications, there is a 90% reduction, and for some of the applications, there is a 50% reduction. We're paying only $500 to $600.

We checked OCI WAF, Microsoft Azure WAF, Google Cloud Armor, and Fortinet FortiWeb. We also checked other WAF solutions such as Akamai and CloudFlare but didn't do a PoC with them. We did a PoC with OCI WAF, Microsoft Azure WAF, Google Cloud Armor, and Fortinet FortiWeb.

We went for Fortinet FortiWeb because we wanted a single solution that can be implemented anywhere. If we use Azure WAF, it would be hard to use in GCP. We have to create a connection between both, whereas we can implement Fortinet FortiWeb on any cloud. If we have on-prem applications, we can implement FortiWeb hardware as a solution. In some places, we have strict requirements. If it's a VMware data center, they also have the FortiWeb VM solution. If we want to use Docker images, they also provide Docker images. We can just use a single tool. We are not dependent on multiple tools.

Every team has different requirements, but if you need an easy solution that can be deployed in a very short time, FortiWeb is the right one. It doesn't need too much expertise when you're initially configuring it, and even if you're testing it, the cost is quite low. It's good even for small projects.

It has the API gateway functionality, but we aren't using that. We are also not using API discovery and API security. I've enabled machine learning, but we have not used it a lot. We are in the exploring phase.

Overall, I'd rate Fortinet FortiWeb an eight out of ten.

We use it in front of AWS Web Application Firewalls for our web-based management console, as well as for all of our API services for our Windows agents.

Being a data protection company, we have to meet a lot of specific requirements for customers. When people would say, "Our standard practice is to do a pen test against your outward-facing servers," there was always a little bit of worry in the back of my mind: "Oh, man, is there something that I've forgotten about?" But nowadays, I don't have that at all. I know that it's all configured and running well. I know that people can run a pen test whenever they like and we'll pass with flying colors.

It can take a little bit of time if you want to be very particular about the traffic that you allow. FortiWeb is very configurable and that can take a little bit of time if you do want to be that particular. But apart from that, we don't really touch it much these days except if we get an email to say there's been a node attack. In that case, we might just want to check on things. But in general, once it has been configured, we can forget about that side of things and just get on with all of our other normal tasks.

Machine learning could be a little bit of a buzzword, but that's the whole advantage of using a cloud-based platform. You get the benefits of another site seeing an attack and Fortinet works out if traffic should be filtered or not. It's great all around.

Before this, we had our AWS Web Application Firewalls. The process would be to look at our web servers and see if there was any suspicious-looking traffic that had gotten to those web servers through the AWS firewalls, and then we would adjust the AWS firewalls accordingly to filter that out. We might even have had to write new code to stop things at the server level. FortiWeb has saved us hundreds of hours.

I'm quite particular about what I allow into our network. There were some false positives as we were configuring everything the way that I wanted it, but I can't even remember the last time someone had an issue with a false positive because we had it set too securely. With the machine learning and getting the benefit of traffic that is going to many different sites, Fortinet is able to know which traffic is legit and which isn't. As a result, we get fewer false positives.

Although the number of alerts is not that relevant for us, FortiWeb has definitely reduced the overall stress levels, especially at the management level. It's good to be able to present a report to C-level executives saying, "This is the amount of traffic that we've had coming in, and this is what has been blocked by Fortinet." We're able to show them that it is benefiting the business.

In addition, it has helped free up our infrastructure team, as they don't have to look after the AWS Web Application Firewalls.

When it comes to blocking unknown threats and attacks, I would give it the highest score possible. We first started using AWS and its Web Application Firewalls. That was okay, but it was quite a manual process to keep it up to date, whereas Fortinet is always up to date, and the default rules or the modules that you can turn on are very easy to use.

Overall, the solution is extremely easy to use. It's all very step-by-step. We just tell it what DNS records to approve and it sets up an SSL certificate. And then, all traffic just starts flowing through Fortinet and then straight over to us. Our network is quite secure, so we have allowed individual IPs that are listed by Fortinet so that we're not just blanket-accepting everything. It's enabling our web servers to be more secure by only allowing Fortinet, instead of the whole world, like we used to.

Also, if you want to diagnose something, rather than outright blocking it, you can just log it so you can see what's happening.

You can go through the audit trail as well. There might be a situation where it will prompt you to block everyone's traffic from a specific IP.

In terms of FortiWeb's advanced modules, we have two main, different Fortinet applications. One is for our web-based stuff and the other is for our Windows agents, which is all API traffic. We use different sets of the modules, or the advanced features, but across both, we use pretty much everything.

At the moment, it's very easy to see if an attack has come in, and what they've done. What I would like to see is that they turn on all logging so that we can even see legitimate traffic. But still, that's a very minimal issue.

It would also be helpful if they could introduce easier reporting. It's good to have those reports that go to C-level management, and Fortinet does provide some graphs, but if they went into some more detail, that would be great. Then I wouldn't have to do it myself.

I have been using FortiWeb for two to three years.

The stability is a 10 out of 10. We haven't had any issues.

We have thousands of customers that use our platform around the world. All of them go through Fortinet. We also have a few thousand Windows agents that all go through Fortinet. With the load balancing inside Fortinet, we're able to scale up our servers and Fortinet can always handle the traffic.

I haven't had to contact support much. These days, people don't really like contacting support. I have needed to do it on one or two occasions and they have been very helpful. It was by email and I got the answers that I needed straight away.

But the fact that I haven't had to contact support speaks to the ease of use of the system itself.

Positive

We just had web servers on the internet and the AWS Web Application Firewalls in front of them. I wasn't happy with those, so I added Fortinet in front of them. We still use AWS, but Fortinet is the first line.

We switched because I'm very paranoid. I'm big on security. Working in IT for many years, Fortinet was always a trusted name in routers, so I thought I'd give the FortiWeb web application firewalls a go and I haven't looked back.

The initial setup was a piece of cake, done step-by-step. We just had to add some DNS entries and that was about it. It tells you exactly what you need to do. I didn't need to contact support or ask for any help.

There were a lot of additional modules that I wanted to check out and that took a little bit of time. But getting a basic setup running was very quick.

There is no maintenance involved.

We haven't been hacked. I don't know what price tag you'd put on that.

I'm very security conscious, but at the same time, I can be somewhat cheap and I will only spend money if I think it's worthy or providing the value that it should. At no point have I thought of getting rid of Fortinet.

We saw value from it immediately. We were uncertain about how AWS Web Application Firewalls were protecting us. We weren't that confident, because we couldn't really see what was happening. Management was kind of uneasy as a result. As soon as we had this implemented, we could see the stats and a few graphs. Immediately, that peace of mind was had by all.

The pricing is pretty good. We do pass a lot of traffic through our API servers. Something like 100 gigs of web traffic is a fair amount for reduced JSON API calls, but the cost is $50. For that peace of mind, we have thousands and thousands of customers that are protected by that $50, so it's a no-brainer.

I had a look around, but I didn't test anything else. Fortinet was the first one that I did testing with and it met all my criteria, so I figured, "Why waste time looking at some others when this does the job?"

I recommend it to everyone. Because we're a data protection company, we have a lot of people who want to do pen testing against us, and I'm very confident that we're protected because of Fortinet.

If you're looking for a very comprehensive web application firewall, which is both simple to set up and also has a huge number of features to turn on, features that can give you some added protection for specific needs, give Fortinet a go. It's worth your time, and it won't take much time either.

We're using the Fortinet FortiWeb firewall to front-end the production and test applications we run on Azure. We're an Azure environment, and it front-ends those applications.

We currently aren't using any of the advanced features.

Fortinet FortiWeb has given us a more cost-effective security solution. Because it's a software-as-a-service or infrastructure type of platform, we've been able to replace our dedicated hardware platforms. It has given us more flexibility to be able to utilize it as a service.

It has minimized the number of technical resources and the amount of time that we've had to dedicate to setting up and managing the front-end firewall capability. From that standpoint, it has saved us time. I don't know exactly how machine learning is attached to that, but if that had anything to do with the simplification and the ability to give us the information we need reporting-wise, then it has helped us with that.

It has allowed us to not spend as many resources on trying to manage the setups that we used to have to do in the past on the security side. It has taken care of that, so at a higher level, we can manage and configure that. It has reduced some of the time that the staff spent on that, but it's hard to measure the time saved.

Some of the threat detection analytics and the filtering capabilities they give us for filtering a certain type of information that we don't want coming into the site are its valuable features. The analytics are pretty good in terms of being able to see what threats have been detected and mitigated, where they're coming from, and things like that. That has allowed us to do some additional filtering because by looking at threats, we can apply additional filters and try to minimize some of them.

Fortinet FortiWeb works well for what we do and what we use it for. It's fairly easy to use, easy to set up, and easy to monitor. It's easy to configure, monitor, and manage.

Their documentation is fairly complete, but it's sometimes a little bit difficult to search for exactly what you're looking for to resolve an issue. There have been times when we've gone to try to search for areas that we needed to get information on, and it has not always been extremely clear exactly how a particular thing needs to be set up. It sometimes takes a little bit of research to dig into figuring out exactly what it is. More examples would be helpful on what they have. The information sometimes doesn't relate directly to the state of the product at the time, so examples would be helpful.

We've been using this solution for a little over a year.

It has been very good. In the time we've had it, we've had only one issue when they had some sort of outage for themselves that affected us. That was the only one that I've encountered so far.

We haven't done a lot on scaling, but just from configuring the product and looking at it, it appears to be fairly good at scaling. It appears to be fairly or moderately simple to set up for scaling, but we haven't done a lot of scaling with it yet.

It's an in-house hosted web application environment that we utilize. We probably have around 500 to 1,000 people using it. We use it within our company environment. We've anywhere from 500 to 1,000 people depending on the customers that we have linked into it. 

I've contacted their tech support. For the times that I contacted them, they were very helpful. I'd rate them seven out of ten.

Neutral

We did have some specific hardware firewall solutions that were in place at data centers. When we went to the cloud for our applications, we wanted to move to a cloud-based front-end firewall infrastructure. We didn't want to be managing the hardware at locations. 

It was fairly straightforward. It was fairly easy to implement, but the documentation with some examples might have made it simpler. Overall, it was fairly easy to get the initial implementation in place and get things worked out.

We did it all in-house. We had probably three people for its implementation.

It requires minimal maintenance. We probably have two people involved in the maintenance.

We have seen an ROI. The previous hardware solutions we had were fairly expensive. They had a higher cost of maintenance and actual manual support because we had to support the infrastructure and we had to support the product itself. By FortiWeb providing us with a service solution that does that, we're not managing hardware. We're not investing in the hardware upfront, and we're not providing the labor to maintain and install that particular part of it. The only thing we focus on now is the setup and then the constant monitoring of what goes on and any actions we need to take as we move forward. It has helped us in that sense because we don't have the ongoing hardware licensing and hardware infrastructure that we have to mess with. So, it has definitely been a more cost-effective solution.

So far, I have been pretty pleased with the way it's priced and licensed. The way it's done makes it easy, especially for an organization like us, so I've been pleased with the way it's priced and licensed right now.

We didn't evaluate any cloud-based products. We've used Cisco products and Meraki products in the past, but they all were hardware products. When we were looking for a software solution, I had gotten a recommendation for the product from another person I worked with in the past. That person was using it and mentioned to me that I should give it a try. That's how I got into it. It was through a referral. Once I got it and tested it, it seemed like a pretty good product for what we needed, so that's how we went with it.

Fortinet FortiWeb seems to have worked well for blocking unknown threats and attacks. It hasn't necessarily helped us streamline anything, but it has simplified how we provide the front-end firewall capability.

It has reduced false positives to some degree. It tries to identify those to tell us what are the different threats, but it's hard to provide metrics without measuring what false positives might have been there. However, I do know that the reporting that it gives can identify that.

Similarly, I don't know if it has reduced the number of alerts. However, I do know that it has allowed us to categorize and understand what types of threats we get. From the threat alerts, we get to know whether they're alerts we should be concerned about or whether they're just alerts notifying us that those are things that have come in that it has taken care of. So, I don't know if it has really reduced them as much as it has helped us to understand what they are and be able to focus more on if there are alerts that we need to take action on and investigate, or whether they're alerts for things that have been taken care of and we don't necessarily have to spend any time on.

Overall, I'd rate Fortinet FortiWeb an eight out of ten for what it does.

We mainly use it for protection. OS scanning and load balancing are two of its main use cases.

My team is most probably working with its latest version. In terms of the deployment, lately, it has been on the cloud because the end-user-facing web applications are usually live on the cloud.

Banks have to be compliant with PCI and other things, and FortiWeb is absolutely amazing in terms of providing these reports. Otherwise, they will have to spend a lot of time on them.

The compliance piece is the best feature. Load balancing is also valuable, which is something that all web application firewalls do. Another valuable feature is high availability. You can scale it very well. Load balancing and high availability are the two reasons why we picked it for a couple of banks.

From the feature perspective, it is pretty rich. The automation piece can be improved. Although they say it can be automated very well, there is still manual work. Its usability should be improved in terms of automation because we want to build an infrastructure with code, but you can't do that easily with this solution. If they can give us APIs in the firewalls that we can tap into, it would be perfect. 

I would also like it to scale automatically based on the traffic.

I have been using this solution for about six years.

I've never seen any issues, but when you turn on all the features or every single scanning, that's when it slows down a bit.

It is scalable, but it is a roundabout way of automated scaling. It is not truly automated scaling. In general, when the size is okay, scaling is not a problem. I would like it to scale automatically based on the traffic, but that doesn't happen because automation is not there.

I haven't seen any big issues with performance. We ran 20,000 connections through it, and it was okay. When you deploy it in the cloud, you can increase the size of the VM, and with extra licensing, it is fine performance-wise.

It is suitable for medium and large customers. My team has deployed at least 500 of these in the last few years. In general, it's okay. We don't have any issue with it.

They have been pretty good, honest, and upfront. It all comes down to expectations when you buy these things.

I know the country manager very well. He is my friend for Fortinet. They are very good in terms of support. 

When you buy these things from a marketplace like Amazon or AWS, the support is not as good as it can be because the first line of support is the cloud provider, and then there is the vendor. So, our preference usually is to go directly to the vendor because they know more about it.

One of the best things about Azure Firewall is the automation. There is a huge difference. The second thing is pricing. 

With FortiWeb, when you want to buy HA, you need to start designing high availability across different regions. With Azure, it comes by default.

It depends on the customer and the use case. Usually, it's straightforward, but as you add more applications, it can become more and more complex.

The deployment duration varies. Usually, designing, building, and putting in production take about four weeks, but it also depends on the application type.

It requires maintenance all the time. Everything requires maintenance. Usually, we build it and operationalize it, and we then hand it over to the customer.

It keeps changing, but it's based on the size of the VM you buy and also the traffic throughput you want from it, whereas what we have on Azure is just the traffic throughput. You can also pay on a monthly basis from Azure. During each part of the project, it's okay to get Azure-based licensing or AWS-based licensing for FortiWeb, but over time, you would want to go with the perpetual license. You should go to Fortinet and buy the license from them. So, there is a two-step process there.

I would advise getting the right engineer. You need someone who is a specialist, and that's very important.

I would rate it an eight out of 10. 

We sell a SaaS product deployed on the Azure cloud platform using Kubernetes. We offer a bundle of cloud-based services. The Azure firewall solution is too expensive, so we need to find an alternative solution. 

We are currently testing FortiWeb in a QA environment and plan to deploy it on top of our SaaS product. We are about 95 percent covered now, but we still need to work out some technical details. I believe we will be ready to deploy it into production in the next few months. 

We currently are using Azure's WAF solution, but it is a little bit expensive for a startup project. The Azure firewall has limited configuration options that aren't helpful in our use case. FortiWeb is easier to configure and has pay-as-you-go pricing based on traffic, which is ideal for a startup company. Once our product starts having steadier traffic, switching to something with fixed pricing might make more sense. Currently, it's a risk for the company. 

It's too soon to say what other benefits we'll see from FortiWeb because we're still in the testing phase. We've watched some training presentations, and we're still working on a strategy for how we'll use the tool. Once we have a clear plan, we'll put it into development, configure the template, and deploy it into production when it's ready. 

it isn't in production. If the developers say a setting isn't working, we adjust the firewall rule, the goal is complete the template before going into production. 

I like FortiWeb's usability and ease of configuration. It's simple to configure rules and exceptions inside the attack log. We block everything by default. If something isn't working, we ask the system admin to adjust the template and add exceptions. I'm interested in the AI attack pattern-matching feature, but we haven't tested it yet. 

API is another feature that we haven't used in production, but I'm generally pleased that FortiWeb has this ability, and we can customize our application how we want. 

We use Kubernetes, so I would like to have a plugin to configure FortiWeb Cloud automatically using Kubernetes Ingress. That would reduce the complexity of setting up an Ingress object in Kubernetes. Some competing solutions help you configure Ingress and Kubernetes automatically. 

We have been testing FortiWeb for the last four months. 

FortiWeb seems to be stable so far. 

FortiWeb features automatic scaling because it's in the cloud, so scaling up is easy. 

I rate Fortinet support an eight out of ten. We have only contacted them with a few questions, and they responded promptly. 

Positive

In recent years, we've spent money on various projects that required us to protect applications. We have the Azure firewall deployed, and we paid a third-party SOC company to monitor it for attacks. It didn't offer out-of-the-box complete protection easy to customize, so we configure it for watching threats and raised alerts, that's means additional effort. 

We feel that FortiWeb is a better way to go than Azure Web Firewall in our scenario because FortiWeb has some advantages in pricing and features. It's easier to configure and maintain. Also, FortiWeb uses templates. 

There was no initial setup because it's a SaaS solution. We only needed to configure it for our environment. The configuration was straightforward and only took a couple of hours. The only maintenance required is updating the templates. 

I would like to use the product based on our initial testing, so I think it's a sound investment. 

We still don't know what the real cost will be because the pricing is based on traffic, and the solution isn't in production. However, we expect it to be cheaper than the Azure Web Firewall.

I rate Fortinet FortiWeb an eight out of ten. 

Mostly we use FortiWeb for replacing reverse proxy from our systems and add some security features to it to protect the web portal we are providing to our customers.  We use it to rewrite URLs and redirect FQDNs, et cetera, et cetera. That's the normal part.

The main feature I like is the ability to redirect web traffic from a readable URL to a real URL. All the security features are good.

One main feature we are very happy about is file security and upload functionality. It will restrict the number of file types that can be uploaded to our portal and prevents any malware. It helps with security.

We had some trouble using some features. Maybe we understood it the wrong way when reading the manual. We had to implement some workarounds to help this problem.

The GUI could be better. It's limited. 

I've been using the solution for one year. 

There are no complaints on our side. The performance and stability are fine. We used to have a cluster of two appliances. Everything seems to be fine when we update the firmware. We haven't had any issues.

The scalability may be slightly limited. We use hardware appliances. We need to buy appliances which have enough performance. You need to think about the sizing before you buy it. Scalability is not really possible with hardware. 

We use it more and more. We are going to migrate all the connections which are directed to a proxy to the classification firewall.

Normally, technical support is very good. All the tickets I opened have been solved in an average time.

Positive

It was the very first time that we used a web application firewall. We never used anything before.

We had some difficulties at the beginning in terms of setting it up. It was a very new product for us. We never had web protection firewalls before. We had some support from our supplier, so we referred to the initial implementation to get it done with external support.

I'd rate the ease of implementation at a three out of five. 

From a technical perspective, the deployment does not take a long time. Our problem internally was the organization and the planning as well as the communication with the other teams. That's what took so long. We started maybe one and a half years ago with the implementation and productive status was reached at the end of 2021. That's a long time. That said, one would say the management is at fault, not the actual technical staff.

At a cluster, so single point of failure, all this stuff, it kind of took around 24 hours to get it up. The offline time was very difficult, however.

We have two good people on staff that can handle deployment and maintenance. We are looking for another employee in the market, however, it's been very difficult to find someone.

The implementation was done in-house with some help from our supplier.

We have not noted an ROI yet.

We actually expanded our subscription for the next three years. I don't remember the exact price. It should be somewhere about 36,000 Euros. That's the cost for three years. It's moderately priced. I'd rate the general cost at a three out of five. 

We thought about other options, however, since we had a very good experience with the FortiGate Firewall, I decided to buy FortiWeb. They operate well together. 

We are just customers and end-users.

Potential new users should compare different products from different vendors to make a decision on a web application firewall. It doesn't matter if it is FortiWeb, or F5, or something else, just take some time to compare. 

I'd rate the solution six out of ten.

We primarily used the solution as a POC to see how effective it is and so far we're happy with it. 

We used it for protecting our web servers and the use of some web applications within a financial institution.

They have a very good graphical user interface. 

The initial setup is pretty straightforward.

The solution is stable.

The scalability is pretty good.

We have found the pricing to be pretty reasonable. 

During the POC we did encounter problems. For example, the integration with the HSM for storing keys was not ideal.

The downside is on the security side and is the firewall. When you look at the firewall, it doesn't do decryption and you have to depend on other third-party tools to do that. Or you would have to use another FortiGate product which makes things a little complicated. Today, people look for simplicity in terms of design. That's one downside to Fortinet's Firewall. The downside to FortiWeb is it had issues integrating with HSM. They fixed the issue, however, it took a long time to fix and it wasn't pleasant. I had to work with deadlines and I could not make the deadlines due to the slow timeline on their side.

For the firewall, when you deploy IPS, the IPS doesn't have visibility into encrypted traffic and 70% of traffic these days is encrypted, and that's the conservative figure of the actual percentage. If your IPS doesn't have that visibility, then it is not really doing the job that it has to do. In comparison, Palo Alto is the best firewall in terms of performance and has the technical specifications that we need. 

The support side of things can be improved. They need to quickly tend to issues and resolve them as soon as possible. Those are the expectations.

We've only used FortiWeb for a POC. 

The stability of the product has been good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. When you look at the specs and if you do what they say in the specs, in terms of ensuring that you're not overlooking anything, it's a good product. 

The solution can scale. That's not a problem at all.

Technical support could be more responsive. They need to address issues faster. I'm not completely happy with the level of support we receive.

Generally, the solution is easy to set up. It's not overly complex. 

The pricing is pretty good if you look at other top options in this space. They are reasonable. 

I've also looked at Palo Alto, and it has the specifications that we need, however, the pricing is quite high.

Our company is a Fortinet partner.

I'd rate the solution at a seven out of ten.

In terms of functionality, it does a perfect job, however, when you have to integrate with third-party tools, that's where you might have issues. Going forward, maybe what Fortinet needs to do is to ensure that they don't have integration issues with the other big vendors that are common in terms of what's deployed out there. Someone might want FortiWeb, however, for example in my case where a bank needed to integrate that with Jamalt or HSM for description, they have to do their homework. 

When you're dealing with financial clients, they need to have seamless integration and not to have these challenges where it would take time to fix as an issue. That should be figured out pre-deployment. Companies in banking can't wait for clients to point out that this is an issue. They have to attend to it beforehand and resolve issues to meet expectations.