Fortinet FortiWeb Benefits

AJ
Security Specialist at a manufacturing company with 10,001+ employees

We have not been using it for a very long time. It has only been eight months, and so far, there have been two main benefits. The first benefit is that if I have an on-prem solution, I can buy their hardware and deploy it, but the configuration is the same. If I have a cloud, I can use FortiWeb as a service or as a virtual machine. It depends on requirements, but the configuration remains the same. The configuration doesn't change. We have a lot of global parts and a lot of teams are working on it, so it gets easy to communicate and verify the configuration and create a baseline.

Costing is another benefit. The cost is based on the traffic. If an application is used, we pay for it, but if it's not used, we don't have to pay for it. With other solutions, we have to buy the solution, and then we have to purchase or take licenses. If they aren't used, we are just burning money without any use.

We are using anomaly detection and bot mitigation. In terms of anomaly detection, it is able to find the behavior. We have some applications where normal users are logging in from India, and if the behavior changes, it gives us an alert, but in terms of bot mitigation, I haven't found much.

It's easy to use. I don't have to make any changes in my environment. For example, if I use Azure WAF, I have to use a traffic gateway, load balancer, or something similar, whereas, with FortiWeb, I don't have to change any architecture. I just have to change my DNS entry. That's it. If I'm able to change my DNS entry, FortiWeb works.

Adding new applications is also quite easy. You just add the application and change the DNS settings, and you are good to go. Whether you want to block or unblock, or you want the learning mode or protection mode, you can enable or disable it with just one click, and you are good to go. Most of the settings are already there if you want to tweak them. It has a GUI. You must have to click here and there. The documentation is also good. If I don't know something, their documentation is quite helpful. A lot of people are using Fortinet, so YouTube videos and articles are also available.

The configuration part is easy. The configuration and implementation process is streamlined. We don't have to change anything. We don't have to follow 10 processes. It's a single process with which everybody is familiar. Manpower and manhours are saved because a lot of discussions are avoided. It also helps us in creating a baseline. We now have a baseline of what we need. So, from an instant response point of view, it's easy for us because we are getting the same results out of it.

It has reduced false positives. As compared to my old solution, there is at least a 17% to 18% reduction.

It has reduced the number of alerts that our organization receives. There is a 50% to 60% reduction in alerts.

It has saved us time. We were spending around three to four days setting up our old solution, whereas now, we are spending a maximum of four hours.

Blair Griffith-Barwell - PeerSpot reviewer
Principal Network Architect at Global Processing

FortiWeb provides an additional layer of security that we didn't have previously. We have a next-generation firewall deployed in our cloud infrastructure, but the WAF is the most external-facing piece. The WAF passes traffic to our internal next-generation firewalls.

We have also benefited from FortiWeb's load-balancing capabilities. FortiWeb enables us to load-balance without the need to take on an additional service. In most cases, we've been able to use load balancing provided by the AWS gateway. We have two servers with services deployed across multiple availability zones behind there. In addition to security, WAF allows us to load balance traffic across those servers in various availability zones without adding more load balancers.

FortiWeb streamlines tasks because we've eliminated other functions like load balancing. The API is also excellent. Someone on my team created an application that integrates with the API to quickly add new IP addresses without changing the templates. We've found it's helped us streamline some of our usual BAU tasks.

We already had a low false positive rate, but FortiWeb has lowered it further. Detections in our report tend to be accurate. We still get occasional false positives, but some of that probably relates to our custom-built applications. FortiWeb decreased our false positives by around 30 percent. 

We used to get a lot of alerts from our traditional firewall, but the number has declined significantly since deploying FortiWeb. It was a reduction of about 70 to 80 percent. The alerts coming from FortiWeb are helpful. They inform us of things that require action. We previously got many alerts from our public-facing services. We didn't have an efficient means of getting alerts. The same threat provided multiple alerts. That would keep going and could be overwhelming at times.

Javed Hashmi - PeerSpot reviewer
Chief Technology Officer at Future Point Technologies

FortiWeb provides the level of security we need at an excellent price point. It's easy to deploy and operationally efficient. FortiWeb enables us to streamline tasks. It's a robust solution that's effortless to configure. The AI and machine learning features help us block unknown threats. 

We can bring our web applications online faster because FortiWeb shortens the time needed to bring any application into production. Compared to other application firewalls, FortiWeb has a smoother process for bringing applications online. 

FortiWeb has few false positives. It's more accurate than other solutions, so we also see fewer alerts. FortiWeb has helped free up IT staff for other projects. You don't need to spend much time getting applications ready for the web, so IT staff can use this time to manage other things. 

Buyer's Guide
Fortinet FortiWeb
April 2024
Learn what your peers think about Fortinet FortiWeb. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
767,667 professionals have used our research since 2012.
Simone F - PeerSpot reviewer
Director of IT at a software factory

We currently are using Azure's WAF solution, but it is a little bit expensive for a startup project. The Azure firewall has limited configuration options that aren't helpful in our use case. FortiWeb is easier to configure and has pay-as-you-go pricing based on traffic, which is ideal for a startup company. Once our product starts having steadier traffic, switching to something with fixed pricing might make more sense. Currently, it's a risk for the company. 

It's too soon to say what other benefits we'll see from FortiWeb because we're still in the testing phase. We've watched some training presentations, and we're still working on a strategy for how we'll use the tool. Once we have a clear plan, we'll put it into development, configure the template, and deploy it into production when it's ready. 

It isn't in production. If the developers say a setting isn't working, we adjust the firewall rule. The goal is to complete the template before going into production.

PawanKumar10 - PeerSpot reviewer
Senior Manager at a computer software company with 201-500 employees

FortiWeb filters a lot of unwanted traffic, which is good for our organization, as it would negatively impact our reputation if this traffic weren't screened.

The solution helps us to streamline tasks as it features a user-friendly console, and we can apply the WAF to all the URLs required for our publicly available applications. The templates offer either advanced or extended protection for those URLs, and we can see insights for specific URLs, such as total hits and how many requests are being blocked and allowed.  

The FortiWeb Cloud also saved our organization time through machine learning, which analyses traffic based on IP origin and geographic region. This is one of the solution's better features and saved us significant time. 

We have seen time to value with the product. After implementation, we let the solution run for a month, then reconfigured a few policies and templates. Within three months, we were getting the desired results.  

KA
CTO at a tech services company with 11-50 employees

Being a data protection company, we have to meet a lot of specific requirements for customers. When people would say, "Our standard practice is to do a pen test against your outward-facing servers," there was always a little bit of worry in the back of my mind: "Oh, man, is there something that I've forgotten about?" But nowadays, I don't have that at all. I know that it's all configured and running well. I know that people can run a pen test whenever they like and we'll pass with flying colors.

It can take a little bit of time if you want to be very particular about the traffic that you allow. FortiWeb is very configurable and that can take a little bit of time if you do want to be that particular. But apart from that, we don't really touch it much these days except if we get an email to say there's been a node attack. In that case, we might just want to check on things. But in general, once it has been configured, we can forget about that side of things and just get on with all of our other normal tasks.

Machine learning could be a little bit of a buzzword, but that's the whole advantage of using a cloud-based platform. You get the benefits of another site seeing an attack and Fortinet works out if traffic should be filtered or not. It's great all around.

Before this, we had our AWS Web Application Firewalls. The process would be to look at our web servers and see if there was any suspicious-looking traffic that had gotten to those web servers through the AWS firewalls, and then we would adjust the AWS firewalls accordingly to filter that out. We might even have had to write new code to stop things at the server level. FortiWeb has saved us hundreds of hours.

I'm quite particular about what I allow into our network. There were some false positives as we were configuring everything the way that I wanted it, but I can't even remember the last time someone had an issue with a false positive because we had it set too securely. With the machine learning and getting the benefit of traffic that is going to many different sites, Fortinet is able to know which traffic is legit and which isn't. As a result, we get fewer false positives.

Although the number of alerts is not that relevant for us, FortiWeb has definitely reduced the overall stress levels, especially at the management level. It's good to be able to present a report to C-level executives saying, "This is the amount of traffic that we've had coming in, and this is what has been blocked by Fortinet." We're able to show them that it is benefiting the business.

In addition, it has helped free up our infrastructure team, as they don't have to look after the AWS Web Application Firewalls.

CP
Director of business and digital transformation at SERNIVEL3

We do not use this solution for our organization but for clients' organizations. For example, one customer uses the solution for the protection of all their different applications. Additionally, the solution has protected the servers that are in the DMC, such as services for people in other countries that have to have access.

AANKITGUPTAA - PeerSpot reviewer
Consultant at Pi DATACENTERS

With the fear of cyber attack, the most important thing we can do is protect the web application. We can protect it from attacks like DDoS. It's helping to maintain our cyber security posture.

RE
Director of IT at a consultancy with 11-50 employees

Fortinet FortiWeb has given us a more cost-effective security solution. Because it's a software-as-a-service or infrastructure type of platform, we've been able to replace our dedicated hardware platforms. It has given us more flexibility to be able to utilize it as a service.

It has minimized the number of technical resources and the amount of time that we've had to dedicate to setting up and managing the front-end firewall capability. From that standpoint, it has saved us time. I don't know exactly how machine learning is attached to that, but if that had anything to do with the simplification and the ability to give us the information we need reporting-wise, then it has helped us with that.

It has allowed us to not spend as many resources on trying to manage the setups that we used to have to do in the past on the security side. It has taken care of that, so at a higher level, we can manage and configure that. It has reduced some of the time that the staff spent on that, but it's hard to measure the time saved.

AE
Senior Security Engineer at a financial services firm with 1,001-5,000 employees

The WAF profiles have been most effective at mitigating web-based threats – probably something standardized, but again, we haven't tested it on heavily used websites. The websites that we use it for so far are just average websites. It can likely protect from some requests like bots and stuff like that.

The AI/ML-based detection in FortiWeb has enhanced our web security posture to some extent. It's good with general stuff. Again, it's not specialized. So, standard WAF threats, like bots, it can detect those faster. It's good for the average website, average requests, and the average security setup. But we have other malicious requests that are probably outside the typical OWASP threats – they're specialized for our organization.

For example, if you have the FIX protocol, the financial protocol... if attackers can get into it with a targeted client ID... these threats aren't in the standard OWASP list because they're not general attacks that everybody faces. They're very specific. Now, many companies use the FIX protocol on private circuits, so they're protected outside of breach attempts. But, believe it or not, we have FIX open on the public internet for some websites, and those need protection. They need something outside the WAF that FortiWeb doesn't have. You can try to apply the WAF, and it might catch a threat if it originated from a bot. But if somebody is malicious enough to go under the bot detection radar, they could still process it.

So, for known threats, like bots, the detection is good. For APIs, it's also good because it can detect anomalies with standard API attacks. Again, these are mostly average, non-targeted attacks.

If an attacker specifically targets your organization, understands your protocols and business model... the standard protection is good because it detects things that aren't coming from a browser – it recognizes that it's not normal user activity or anomalies on your website. That's beneficial.

Most bot-generated attacks don't come from a browser. I did notice that it can detect when the request is not coming from a browser – it recognizes that it's not normal user activity on your website. It can detect anomalies publicly, which is good.

So, what would be good is this: put FortiWeb in front as the first line of defense. It can take care of a lot of the average user traffic and filter it out. You can keep that for your average applications, but when you have specialized applications behind that, then we need specialized protection for those applications – whether it's F5 or something else.

Dino R - PeerSpot reviewer
System Administrator at an insurance company with 1,001-5,000 employees

It offers some feedback and suggestions that guide our system development while helping our vendors to update their applications and fix any issues or bugs.

AG
IT Infrastructure Manager with 201-500 employees

We were having a lot of probe attacks coming through from our external networks. Now, the traffic has to come through our firewall, then FortiWeb. Basically, FortiWeb acts like a second firewall for all our applications.

YA
Tech Manager at Global tec

With this product, you can secure all the Fortinet products together. I'm an entrepreneur. Most people fail in the publication of a firewall.

OR
Senior Network Security Planning at Ooredoo Kuwait

When we had Cisco we had around thirty thousand entries on our firewalls. Now we are down to three thousand. Fortinet has a mechanism to detect all of your entries which are not used, and it can clean it up.

it_user239088 - PeerSpot reviewer
Senior Information Security Engineer with 1,001-5,000 employees

Before FortiWeb deployment, we were using a combination of commercial and open-source products. It was a hassle for the administrators, due to which some areas were unintentionally overlooked and caused many problems. With FortiWeb, we got a one-box solution for internet and internet security, which reduced the time required of the administrators and improved visibility at the larger scale.

it_user194007 - PeerSpot reviewer
Senior Developer, Project Manager at FPT Software

It makes our web site system work nice and smooth.

it_user136506 - PeerSpot reviewer
Director with 51-200 employees

I would not say it has improved how we function because I think that other leading vendors' firewalls are as good. However, I do think that FortiGate can do it at a much better price point than, for example, Cisco ASA or Palo Alto.

FC
Information security officer at a financial services firm with 1-10 employees

We required security to access critical applications. We otherwise would not have been able to use the end notifications. We wanted to use the application and it's critical to us. FortiWeb enabled us to have that ability.

it_user293079 - PeerSpot reviewer
Senior Analyst at a financial services firm with 1,001-5,000 employees
  • Operations overhead (administration and escalation management) has been brought down, as Fortinet provides flexible and customizable reporting options with the FortiAnalyzer appliance for logging and reporting.
  • Rule creation and fine tuning are easy, as compared to its competitors.
  • Product has provided adequate assurance to organization’s PCI DSS program.
SC
Director at a tech services company with 51-200 employees

Banks have to be compliant with PCI and other things, and FortiWeb is absolutely amazing in terms of providing these reports. Otherwise, they will have to spend a lot of time on them.

MT
Cyber Security Division Manager at 3SC Security Solutions Services and Consultant

We have had a lot of web application attacks and this product has protected us. Once it was implemented, most of our problems were solved. For example, we had a DDoS attack against the seventh layer and it protected us.

it_user406593 - PeerSpot reviewer
Engineer at a financial services firm with 1,001-5,000 employees

It helped us initially publish e-banking services, but after a few months, we discovered it was an easy way to deploy other internal websites, published in an intranet style.

DI
SE at a comms service provider with 11-50 employees

FortiWeb improved the way people work and access internal resources based on HTTP/HTTPS communication.

RF
Head of Security systems department at Zerde Business Solutions

There's a high school with many branches in our country. I configured it for them and they are very happy with Fortinet. Fortinet's performance is very good. 

it_user389823 - PeerSpot reviewer
Head of Security at a tech company with 1,001-5,000 employees

If a customer has a web portal that frequently experiences attacks, FortiWeb blocks all negative traffic.

MH
Security Engineer at a tech consulting company with 51-200 employees

Fortinet FortiWeb has helped our organization by protecting the web application from any attack, known and unknown. The unknown protection is done by effective machine learning that is working on many unknown attacks. It operates on the probability of attacks.

it_user134931 - PeerSpot reviewer
IT Support Engineer at a consumer goods company with 51-200 employees

We have minimized our expenses for internet security/antivirus in host-side products such as FortiClient installation, which has antimalware/web security/antivirus and protects the host from vulnerabilities while connected to the server.

it_user821967 - PeerSpot reviewer
Viznet Bilişim Hizmetleri
it_user430797 - PeerSpot reviewer
Network Engineer at a mining and metals company with 1,001-5,000 employees

This product allows our organization to manage each user’s bandwidth limitation for internet service and overall.

it_user321963 - PeerSpot reviewer
Information Security Leader at a government

The portal has a lot of vulnerabilities, which are not easy to solve quickly. The device has helped us to prevent exploitation of them while we are working on the code.

FS
Technical Advisor at a tech services company with 51-200 employees

Other than the additional security with exploit protection, we have simpler certificate handling, as we can keep internal servers using internal certificates continuously distributed and updated by Active Directory Group Policy, while the public certificates become updated only in a single place, FortiWeb itself.

it_user394836 - PeerSpot reviewer
Network Administrator at a local government with 501-1,000 employees

It’s an all-in-one solution that lowers the cost of having multiple solutions. It gave us more Wi-Fi control capability.

FO
Technology Consultant at a tech services company with 11-50 employees

Mitigation of attacks and thefts in an online banking platform.

PW
CEO at a tech services company with 1-10 employees

Fortinet FortiWeb has improved my organization by protecting our customers' web infrastructure environment.

it_user267984 - PeerSpot reviewer
Information Security Expert at a financial services firm with 501-1,000 employees

The device is very handy and it helps us to protect our web and database servers from being penetrated from outside the office.

DJ
Network System Administrator at a computer software company with 201-500 employees

We were able to protect our web servers from outside attacks. It has really helped us with publishing servers which were published on Microsoft Forefront TMG.

it_user818139 - PeerSpot reviewer
Security Consultant at a tech services company with 11-50 employees

With other vendors you need to go through a learning period. With FortiWeb you can just apply a high-security profile and move on. It's very easy to reduce false positives.

it_user175359 - PeerSpot reviewer
Security Expert at a tech services company

It provides good security visibility.

it_user200313 - PeerSpot reviewer
Security Consultant at Accenture

It has provided stability to applications.

DD
Network Security Engineer at Technicom Mali

A customer said to us that before FortiWeb they regularly had to back up their whole website folder to prevent defacement and ransomware. Now, with the FortiWeb Anti-defacement feature, this process is handled more intelligently, as FortiWeb does it for them.
