PeerSpot user
Senior Developer, Project Manager at FPT Software
MSP
It makes our web site system work nice and smooth. The UI is a little complicated for new users.

What is most valuable?

How has it helped my organization?

It makes our web site system work nice and smooth.

What needs improvement?

The UI is a little complicated for new users.

For how long have I used the solution?

I have been using it for over a year.

Buyer's Guide
Fortinet FortiWeb
April 2024
Learn what your peers think about Fortinet FortiWeb. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,886 professionals have used our research since 2012.

What do I think about the stability of the solution?

I have not yet encountered any stability issues.

What do I think about the scalability of the solution?

I have not yet encountered any scalability issues.

How are customer service and support?

I have even contacted technical support once.

Which solution did I use previously and why did I switch?

My web site used MS NLB service for load balancing and IPS firewall at first, but when our site's connection grew bigger, we discovered that we needed another solution. We chose FortiWeb after a little research into the market.

How was the initial setup?

Initial setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

The pricing is a little high.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Director with 51-200 employees
Vendor
Other firewalls are just as good, but this product is at a much better price point.

What is most valuable?

We use them for VPN, standard layer 4, web filtering, anti-malware and DLP – they are used as our perimeter firewall solution.

How has it helped my organization?

I would not say it has improved how we function because I think that other leading vendors' firewalls are as good. However, I do think that FortiGate can do it at a much better price point than, for example, Cisco ASA or Palo Alto.

What needs improvement?

The CLI could be improved by removing all default syntax from the config. The debugging of crypto VPN is not as informative as other vendors’ firewalls. The GUI is also not as good as some vendors, but overall as a package and considering price, it still provides value for money.

For how long have I used the solution?

I first used the Fortinet solutions in 2005 when it was version 2 & 3; since then, it has matured a lot and is much better. I would definitely recommend it, primarily on value for money. For the newer versions, I have been using 1000C and 300D, with FortiGate VM01 firewalls running a mix of software versions 5.4 and 5.2 for almost two years.

What do I think about the stability of the solution?

I did not encounter any stability issues.

What do I think about the scalability of the solution?

FortiManager is required for scalable managing of multiple devices, but we do not have enough to need that. I think that the logging could be better but for that, FortiAnalyzer is recommended, which we do not have.

How are customer service and technical support?

We have not needed to use Fortinet TAC.

Which solution did I use previously and why did I switch?

This solution replaced some old Juniper ISG firewalls that were EoL; nobody in the company had Juniper SRX experience and the choice was made for Fortinet before I started at the company.

How was the initial setup?

Initial setup for what we need to use it is very straightforward. There are certain features (such as TACACS) where you need to use CLI, but most things can be done with the GUI.

What's my experience with pricing, setup cost, and licensing?

Very competitive; Fortinet would always be an option for a perimeter firewall for me if I were needing new kit. I would always include it in any quotes and options, although depending on the requirements, I might decide to choose something else.

Which other solutions did I evaluate?

I have used firewalls that I find easier to manage, configure and troubleshoot. However, the Fortinet firewalls are pretty good, and in terms of value for money, they are outstanding.

Pros: Cost for performance, very feature rich, GUI is pretty good.

Cons: Debugging is not as good as I find Cisco ASA. CLI is overly complicated by all syntax showing in the configuration. The GUI is not as nice as CheckPoint or Palo Alto.

What other advice do I have?

Evaluate the product first and compare it to what you are used to and what you want. It provides very good value for money, but if the budget were there, I would probably choose another vendor in certain circumstances.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Full support analyst at Gruppen
Real User
A great SD-WAN product with good security features with a host of models for varied environments
Pros and Cons
  • "Fortinet is a great SD-WAN player when it comes to security capabilities."
  • "The memory use in each of the appliances is problematic."

What is our primary use case?

I use Fortinet products for security projects. When it comes to middle-sized enterprises, SD-WAN firewalls are the appropriate solution, FortiGate products being more geared towards larger, enterprise organizations. This is not for a data center, for which Check Point and Palo Alto are better suited. Fortinet FortiWeb is best suited for medium and enterprise data center environments. 

What is most valuable?

My experience with the solution has been very positive. Fortinet is a great SD-WAN player when it comes to security capabilities. Also, it offers many models for a host of environments. I like the solution's SD-WAN features.

What needs improvement?

The memory use in each of the appliances is problematic. 

For how long have I used the solution?

I believe that I have been working with FortiGate products for five years. 

What other advice do I have?

As I am a Fortinet partner, I make use of many of its products. 

I like the FortiWeb products. 

I rate Fortinet FortiWeb as a nine out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Information security officer at a financial services firm with 1-10 employees
Real User
Top 20
Provides us with security to access critical applications and it's easy to understand how to manage
Pros and Cons
  • "The GUI is user-friendly and it's easy to understand how to manage it."
  • "Describing security rules should be improved. It's tricky to define new feature tools when you want to describe an attack pattern and want to block it."

What is our primary use case?

Our primary use case is to protect an integral application against vulnerabilities. It's a WAF. It protects against vulnerabilities. We have run tests against it. We also use it for two-factor authentication before authorizing anybody to access the critical application.

How has it helped my organization?

We required security to access critical applications. We otherwise would not have been able to use the end notifications. We wanted to use the application and it's critical to us; FortiWeb enabled us to have that ability.

What is most valuable?

We are able to have an application layer different from the application itself that is protected by the FortiWeb Portal authentication feature. 

What needs improvement?

Describing security rules should be improved. It's tricky to define new feature tools when you want to describe an attack pattern and want to block it. 

What do I think about the stability of the solution?

It's very stable. I've never had any issues. 

What do I think about the scalability of the solution?

The scalability is quite good. It's a virtual machine, so we know the exact resource, so if we had to increase it, it would be easily scalable.

We have around 15 users in our company. The users are end-users and technicians. 

How are customer service and technical support?

Fortinet support is very good. 

How was the initial setup?

The initial setup was quite straightforward. The GUI is user-friendly and it's easy to understand how to manage it. We used an expert to finalize the last 10% of the configuration because we wanted specific settings regarding the security. We knew what we wanted to block and we needed an expert for the specific rules. Otherwise, 90% of the setup was done in-house. 

The deployment only took two to three days. We only needed one employee to install it. 

What's my experience with pricing, setup cost, and licensing?

The costs are standard. We pay around $1,600 yearly. 

Which other solutions did I evaluate?

We also looked at Software CTM. It was impossible to use compared to FortiWeb. 

What other advice do I have?

Be sure that the security is correctly configured and all the attack patterns are covered. Make sure to do an independent assessment of the security. 

I would rate it a nine out of ten. We are very satisfied with it. 

We have an issue when the underlying web protected generates a logout and we want the authentication portal to recognize that the application has been logged out. When the underlying application generates a logout, the portal does not recognize the logout. I would like a way for the FortiWeb portal to easily recognize the portal. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Analyst at a financial services firm with 1,001-5,000 employees
Real User
20 Gbps appliance throughput makes it useful for large enterprise deployment and also meets future requirements. Product support is a major concern.

What is most valuable?

In my opinion, the following features of FortiWeb 4000E are the most valuable & were appreciated during all my previous engagements:

  • 20 Gbps appliance throughput makes it useful for large enterprise deployment and also meets future requirements.
  • Easy integration with various Fortinet products such as FortiSandbox for APT detection.
  • ASIC (Application Specific Integrated Circuit) provides quick SSL offloading and doesn’t choke the user requests.

How has it helped my organization?

  • Operations overhead (administration and escalation management) has been brought down, as Fortinet provides flexible and customizable reporting options with the FortiAnalyzer appliance for logging and reporting.
  • Rule creation and fine tuning are easy, as compared to its competitors.
  • Product has provided adequate assurance to organization’s PCI DSS program.

What needs improvement?

Product support is a major concern; if FortiWeb wants to become a market leader, then it must provide better after-sales services.

The automatic policy learning feature also needs some improvement, as using this feature leads to more false positives.

Integration with other cloud-based DDoS protection services such as CloudFlare, Arbor, Akamai, etc., is also a limitation.

For how long have I used the solution?

It’s been almost one year since we started using this solution.

What do I think about the scalability of the solution?

The FortiWeb 4000E appliance comes with 20 Gbps throughput, 2X2 TB HDD and unlimited licensing. (Yes, you got it correct.) This adds value to the organization and meets its current and future requirements.

How are customer service and technical support?

As I wrote in my previous comments, FortiWeb needs to invest and improve its tech support services due to limited skills in the market. Critical- and high-severity issues usually take more time for resolution.

Which solution did I use previously and why did I switch?

We were using Imperva as our WAF solution, which is also a market leader (as per Gartner Magic Quadrant) and provides lots of flexibility and cloud integration options. However, due to high cost, the organization decided to switch to Fortinet FortiWeb.

How was the initial setup?

Selecting the appropriate deployment topology is a major task. Initial configuration settings are a little difficult to implement, but overall management is easy.

FortiWeb provides a wide variety of deployment options such as

  • Reverse proxy
  • Inline transparent
  • True transparent proxy
  • Offline sniffing
  • WCCP (Web Cache Communication Protocol)

What's my experience with pricing, setup cost, and licensing?

Pricing and licensing are the USP of this solution; deploying an appliance provides in-house control and flexibility. A dedicated 4000E appliance is appropriate for large enterprises, while Fortinet also provides a VM-based solution, which is perfect for small and medium enterprises.

Which other solutions did I evaluate?

We did PoCs for other WAF products such as Citrix, F5 and Barracuda before finalizing on FortiWeb for our enterprise, which satisfied enterprise requirements.

What other advice do I have?

Thorough review of architecture is required. It’s recommended to get it deployed by authorized FortiWeb vendors. Attention to the rules is a must. Otherwise, it might lead to lots of false positives.

Fortinet WAF can also be integrated with SIEM, which could be beneficial for centralized monitoring.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Director at a tech services company with 51-200 employees
Real User
Good for compliance, load balancing, and high availability
Pros and Cons
  • "Banks have to be compliant with PCI and other things, and FortiWeb is absolutely amazing in terms of providing these reports. Otherwise, they will have to spend a lot of time on them."
  • "The automation piece can be improved. Although they say it can be automated very well, there is still manual work. Its usability should be improved in terms of automation because we want to build an infrastructure with code, but you can't do that easily with this solution. If they can give us APIs in the firewalls that we can tap into, it would be perfect."

What is our primary use case?

We mainly use it for protection. OS scanning and load balancing are two of its main use cases.

My team is most probably working with its latest version. In terms of the deployment, lately, it has been on the cloud because the end-user-facing web applications are usually live on the cloud.

How has it helped my organization?

Banks have to be compliant with PCI and other things, and FortiWeb is absolutely amazing in terms of providing these reports. Otherwise, they will have to spend a lot of time on them.

What is most valuable?

The compliance piece is the best feature. Load balancing is also valuable, which is something that all web application firewalls do. Another valuable feature is high availability. You can scale it very well. Load balancing and high availability are the two reasons why we picked it for a couple of banks.

What needs improvement?

From the feature perspective, it is pretty rich. The automation piece can be improved. Although they say it can be automated very well, there is still manual work. Its usability should be improved in terms of automation because we want to build an infrastructure with code, but you can't do that easily with this solution. If they can give us APIs in the firewalls that we can tap into, it would be perfect. 

I would also like it to scale automatically based on the traffic.

For how long have I used the solution?

I have been using this solution for about six years.

What do I think about the stability of the solution?

I've never seen any issues, but when you turn on all the features or every single scanning, that's when it slows down a bit.

What do I think about the scalability of the solution?

It is scalable, but it is a roundabout way of automated scaling. It is not truly automated scaling. In general, when the size is okay, scaling is not a problem. I would like it to scale automatically based on the traffic, but that doesn't happen because automation is not there.

I haven't seen any big issues with performance. We ran 20,000 connections through it, and it was okay. When you deploy it in the cloud, you can increase the size of the VM, and with extra licensing, it is fine performance-wise.

It is suitable for medium and large customers. My team has deployed at least 500 of these in the last few years. In general, it's okay. We don't have any issue with it.

How are customer service and support?

They have been pretty good, honest, and upfront. It all comes down to expectations when you buy these things.

I know the country manager very well. He is my friend for Fortinet. They are very good in terms of support. 

When you buy these things from a marketplace like Amazon or AWS, the support is not as good as it can be because the first line of support is the cloud provider, and then there is the vendor. So, our preference usually is to go directly to the vendor because they know more about it.

Which solution did I use previously and why did I switch?

One of the best things about Azure Firewall is the automation. There is a huge difference. The second thing is pricing. 

With FortiWeb, when you want to buy HA, you need to start designing high availability across different regions. With Azure, it comes by default.

How was the initial setup?

It depends on the customer and the use case. Usually, it's straightforward, but as you add more applications, it can become more and more complex.

The deployment duration varies. Usually, designing, building, and putting in production take about four weeks, but it also depends on the application type.

It requires maintenance all the time. Everything requires maintenance. Usually, we build it and operationalize it, and we then hand it over to the customer.

What's my experience with pricing, setup cost, and licensing?

It keeps changing, but it's based on the size of the VM you buy and also the traffic throughput you want from it, whereas what we have on Azure is just the traffic throughput. You can also pay on a monthly basis from Azure. During each part of the project, it's okay to get Azure-based licensing or AWS-based licensing for FortiWeb, but over time, you would want to go with the perpetual license. You should go to Fortinet and buy the license from them. So, there is a two-step process there.

What other advice do I have?

I would advise getting the right engineer. You need someone who is a specialist, and that's very important.

I would rate it an eight out of 10. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Presales Solutions Architect at Hilal Computers
Real User
It is stable but needs good service and training
Pros and Cons
  • "It is a stable product."
  • "Fortinet WAF came out recently, and there is not much feedback about customer experience. For each project, customers ask about the scenarios and references of the customers who have implemented this solution, which we don't have. They need to simplify the customer experience and provide more information so that we can propose Fortinet FortiWeb as a WAF solution to customers and convince them. They need to improve their service and training. We need good training to implement and use it properly and know more about it. We still don't know much about Fortinet WAF. We didn't get any proper training sessions. Other vendors like Cisco, Palo Alto, Check Point, and Barracuda provide such sessions. Whenever we receive a request from a customer for this solution, we just give the price. We don't propose this solution because we don't know much about it. We propose whatever we are familiar with and what is supported."

What is most valuable?

It is a stable product. 

What needs improvement?

Fortinet WAF came out recently, and there is not much feedback about customer experience. For each project, customers ask about the scenarios and references of the customers who have implemented this solution, which we don't have. They need to simplify the customer experience and provide more information so that we can propose Fortinet FortiWeb as a WAF solution to customers and convince them.

They need to improve their service and training. We need good training to implement and use it properly and know more about it. We still don't know much about Fortinet WAF. We didn't get any proper training sessions. Other vendors like Cisco, Palo Alto, Check Point, and Barracuda provide such sessions. Whenever we receive a request from a customer for this solution, we just give the price. We don't propose this solution because we don't know much about it. We propose whatever we are familiar with and what is supported.

For how long have I used the solution?

We have been using Fortinet FortiWeb for four years. 

What do I think about the stability of the solution?

Its stability is fine wherever we have implemented it.

How are customer service and technical support?

Its support is a bit difficult to get. They need to improve the service. 

How was the initial setup?

It is straightforward, but we still need good training.

What's my experience with pricing, setup cost, and licensing?

It is fine now. Earlier, we had to negotiate the price.

What other advice do I have?

We are a solution provider and system integrator company. We work for DCC countries. We deal with Fortinet, Meraki, Sophos, Check Point, Barracuda, and Juniper SRX solutions.

Fortinet FortiWeb is comparable to Barracuda. We don't have many customers for Fortinet WAF, and we couldn't get that much good feedback. We mostly use Barracuda WAF. We use it even in the cloud environment. 

Fortinet is fine on the firewall side. We haven't sold many Barracuda firewalls, but for WAF, we mostly use Barracuda. We prefer Barracuda because they provide good training, and they always follow up. Customers also prefer Barracuda or any other WAF service. Customers receive good support from Barracuda. Fortinet WAF is rare. 

I would recommend this product only based on customer requirements. At the end of the day, how you install, configure, and meet customer requirements are more valuable. I never place a product ahead of a customer. Fortinet WAF might not be suitable for certain customers. Similarly, Barracuda WAF might not be suitable for certain customers. I always get customer requirements and then supply the product according to their requirements.

I would rate Fortinet FortiWeb a five out of ten. It is neither good nor bad.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
PeerSpot user
Information Security Specialist at a financial services firm with 201-500 employees
Real User
Efficient, stable, and has good IP reputation features, but there are many false positives with the layer 7 attacks
Pros and Cons
  • "It's stable and works efficiently against OWASP Top 10 attacks."
  • "The Layer 7 DDoS attacks need improvement; it could be better."

What is our primary use case?

Fortinet FortiWeb is known for its web application firewalls. We are using it for preventing and detecting layer 7 attacks such as SQL injection.

We have several web applications in our organization and we use this solution to protect them against attacks.

What is most valuable?

It's stable and works efficiently against OWASP Top 10 attacks.

It's good at checking IP reputation and it's capable of detecting Layer 7 DDoS attacks.

Overall, it has many features.

What needs improvement?

The Layer 7 DDoS attacks need improvement; it could be better. When you compare it with the F5 solution, FortiWeb is weak in detecting the Layer 7 DDoS attacks. At times, it generates several false positives and there should be fewer.

In the next release, I would like to see better DDoS protection. It's an essential feature that should be included.

For how long have I used the solution?

I have been using Fortinet FortiWeb for more than five years.

We are using the 4000D model.

What do I think about the stability of the solution?

It's a stable solution and we run it 24/7. In the past five years, we have had four cases where there were some inconsistencies with the firmware. There are times where we experience crashes because of issues with the firmware.

What do I think about the scalability of the solution?

It's not easy to scale this solution. It has a determined throughput and if your throughput is more than it should be then you have to use another solution or purchase another FortiWeb model.

We have less than 10 people using this solution on a daily basis.

How are customer service and technical support?

We are not able to use international support because of US sanctions. We use a consultant to help us troubleshoot.

Which solution did I use previously and why did I switch?

Previously with another company, we used ModSecurity, which is an open-source solution. FortiWeb is better.

If I compare with F5 solutions, I would suggest F5.

How was the initial setup?

The initial setup was not easy but not exactly complex.

We maintain the system ourselves.

What about the implementation team?

We completed the initial setup ourselves and we had a consultant help us with some of the features. It was a hybrid implementation.

What's my experience with pricing, setup cost, and licensing?

It's an expensive solution, although there are no additional costs.

What other advice do I have?

In my opinion, F5 is the best solution in the world, whereas Fortinet FortiWeb would be second.

I have heard that Barracuda is a good solution, but I have not worked with it. In my experience, F5 is the better solution.

I would rate Fortinet FortiWeb a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.