FortiWeb is a web application firewall (WAF) that protects hosted web applications from attacks that target known and unknown exploits. Using multi-layered and correlated detection methods, FortiWeb defends applications from known vulnerabilities and from zero-day threats.
Updated: October 2021
Lush, Barnabas Health, Options, Riverside Healthcare, Hillsborough County Schools, Columbia Public Schools, Schiller AG
We primarily used the solution as a POC to see how effective it is and so far we're happy with it.
We used it for protecting our web servers and the use of some web applications within a financial institution.
They have a very good graphical user interface.
The initial setup is pretty straightforward.
The solution is stable.
The scalability is pretty good.
We have found the pricing to be pretty reasonable.
During the POC we did encounter problems. For example, the integration with the HSM for storing keys was not ideal.
The downside is on the security side and is the firewall. When you look at the firewall, it doesn't do decryption and you have to depend on other third-party tools to do that. Or you would have to use another FortiGate product which makes things a little complicated. Today, people look for simplicity in terms of design. That's one downside to Fortinet's Firewall. The downside to FortiWeb is it had issues integrating with HSM. They fixed the issue; however, it took a long time to fix and it wasn't pleasant. I had to work with deadlines and I could not make the deadlines due to the slow timeline on their side.
For the firewall, when you deploy IPS, the IPS doesn't have visibility into encrypted traffic and 70% of traffic these days is encrypted, and that's the conservative figure of the actual percentage. If your IPS doesn't have that visibility, then it is not really doing the job that it has to do. In comparison, Palo Alto is the best firewall in terms of performance and has the technical specifications that we need.
The support side of things can be improved. They need to quickly tend to issues and resolve them as soon as possible. Those are the expectations.
We've only used FortiWeb for a POC.
The stability of the product has been good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. When you look at the specs and if you do what they say in the specs, in terms of ensuring that you're not overlooking anything, it's a good product.
The solution can scale. That's not a problem at all.
Technical support could be more responsive. They need to address issues faster. I'm not completely happy with the level of support we receive.
Generally, the solution is easy to set up. It's not overly complex.
The pricing is pretty good if you look at other top options in this space. They are reasonable.
I've also looked at Palo Alto, and it has the specifications that we need; however, the pricing is quite high.
Our company is a Fortinet partner.
I'd rate the solution at a seven out of ten.
In terms of functionality, it does a perfect job; however, when you have to integrate with third-party tools, that's where you might have issues. Going forward, maybe what Fortinet needs to do is to ensure that they don't have integration issues with the other big vendors that are common in terms of what's deployed out there. Someone might want FortiWeb; however, for example in my case where a bank needed to integrate that with Gemalto or HSM for decryption, they have to do their homework.
When you're dealing with financial clients, they need to have seamless integration and not to have these challenges where it would take time to fix as an issue. That should be figured out pre-deployment. Companies in banking can't wait for clients to point out that this is an issue. They have to attend to it beforehand and resolve issues to meet expectations.
Normally I deal with on-premises installations. The firewalls are always on-prem for government departments. In a recent case, I was looking at a cloud solution because it was what the client preferred. So it was the Fortinet rules applied to an AWS solution. I was looking at the architecture around becoming an IRAP (Information Security Registered Assessors Program) certified program and I was looking at the AWS firewalls around how it would be able to comply with the ISM (International Safety Management) standards.
For me personally, the most valuable thing is that I like the fact that it is standardized so both internal firewall management and the cloud can be managed by the same company. Communication between the two works well and it can be a benefit. We can keep a single console to manage both.
User administrative controls could be a little bit better. I guess that would be the main thing. The usability within Fortinet could be a little bit easier on the users. But it is what it is.
The thing that was more difficult was not the tool itself but dealing with the logistics of the compliance issues. I was applying a standard set of rules to an AWS firewall. It served a purpose. The complex part of the solution was more of a compliance issue.
We have been using Fortinet FortiWeb probably for over a year and a half. Closer to two years.
At this point in time, scalability seems to be fine. I mean, we are talking processing requests from all over Australia. It seems to be keeping up quite well. My impression of it at this stage is that it is very scalable. It is quite well suited for data management.
I think judging our experience with technical support is a little bit unfair because I know all the local support people. I do go into the help desk when I have to, but I do know most of the teachers or technical support staff. I would rate them as being very responsive to customers. I have had no issues. If I need something I can get it answered within the hour. It is quite good.
It was quite easy to do the initial setup and apply basic rules. Administratively, keeping an AWS firewall and applying the Fortinet rules made it quite simple for the difficulty level of this particular requirement.
I think that FortiWeb is expensive for what they are offering. At the end of the day, when you sell a suite, compliance within the suite is easy to maintain. That is the good part. It is an expensive suite and it is an expensive solution, but it is a manageable one for an enterprise. It should just be cheaper for what they are offering in comparison to other tools on the market.
My advice to people would be to evaluate the marketplace against your requirements and choose appropriately. Fortinet does operate at the enterprise level. It is listed on the Australian standard and it does carry Australia's approval for common criteria. So it does address the requirements needed for security for the assessments. Not every product can.
On a scale from one to ten (where one is the worst and ten is the best), I would rate this Fortinet solution as a seven out of ten because of user administrative controls, usability, and price.
We primarily use the solution for configuration and structuring policy.
The solution has a very simple deployment.
There are lots of great features within the product. Even though I don't personally use too many of them, it's nice to have them available.
It may be better if it were easier to create roles.
The interface could be a bit better.
Everything is pretty manual. We do need to improvise a bit. Automation might make it easier.
The pricing is a little bit high for us.
I've been using the solution for about one year.
The solution is stable. I don't recall dealing with bugs or glitches. It doesn't crash or freeze. It's pretty reliable.
The solution is scalable. We always check our information before we hit any limitations. I just need to assess my servers and the amount of traffic. I believe it to be scalable enough.
We have about five users on the solution currently. They're engineers. We have one box. Many users just need one box. If you want a firewall, or you want various applications on a firewall, you need another box.
We don't have direct experience with their technical support team. If we need technical support, we get it from the distributor. If we do reach out to them, it's typically for diagnostics. So far, we've been satisfied with the level of support we've received.
The initial setup isn't too complex. It's pretty straightforward. The product has a model deployment. You just need one port. After that, access is simple.
The deployment and installation took about one day. It is pretty fast because the setup is pretty easy to execute on.
For deployment, you just need two people. You don't need a bunch of staff to handle it.
We're an integrator. We just appraise the distributor behind us in order to help us in the deployment. It's a really simple deployment though. An organization most likely wouldn't need assistance. A solution like Cisco may require assistance as there would need to be adjustments done on it. It's a bit more complex.
The solution can be a bit expensive. It's not a product line. We use other devices as well as it's not a one-stop-shop. If you need a firewall, for example, you need to buy another product, like Fortinet. FortiWeb doesn't cover things like firewalls.
The license itself is also quite expensive.
We're using the latest version of the solution.
Usually, for our security programs, I'm using on-prem. For now, in my experience, the typical Indonesian customer is using on-prem, as they worry about using the cloud, as the data cannot be stored in HR and it's actually often stored in another country.
It's my understanding that we'll continue to use the solution for a while to come.
Overall, I would recommend the product. On a scale from one to ten, I'd rate it at an eight. If it had a better interface and/or better pricing, I might rate it a bit higher.
We are using this product to protect something similar to an online banking network.
We have had a lot of web application attacks and this product has protected us. Once it was implemented, most of our problems were solved. For example, we had a DDoS attack against the seventh layer and it protected us.
The most valuable feature is that this product represents a whole solution, including a WAF, and even anti-defacements. It is not just a single feature.
Anti-defacement has an amazing feature whereby if something bypasses the WAF then they can roll back the website.
The user experience is very good and it is simple to use.
They have AI and machine learning capabilities, so if you are using the WAF then you don't need extra features.
The initial setup in our data center was somewhat complex.
We have been using Fortinet FortiWeb since 2008.
FortiWeb is a stable product.
We have been working with this solution for more than 12 years and it has scaled with our requirements. We upgraded a lot of hardware and applications, and things change from time to time. There is not just a single point where we changed something that tested the scalability.
Technical support is amazing. We have 24x7 support and every time we have contacted them, it takes less than two hours before everything is solved. We are confident that if we have any issue then we can communicate with the vendor and they will help us to solve the problem.
In our data center and with the complexity of it, it takes one or two days to implement and fine-tune.
We deployed this product in-house. We started with the training and then we implemented the solution. In case we have any problem then we can communicate with the vendor.
We have three security specialists who work as a team for maintenance.
We renew our contract and license every three years. There are no costs in addition to the standard licensing fees. There is just one cost.
Prior to implementing FortiWeb, we tested Barracuda, F5, Citrix, and Sophos.
FortiWeb is a security product that I can recommend. My advice for anybody who is implementing this type of solution is not to simply believe the words of the vendors. Test the product in your environment and then you can select the best one for your needs. A lot of vendors nowadays will tell you that they are the best, but the best thing to do is test each of the products inside your network.
The roadmap that the vendor has for this product is good. They have a lot of extra features that they are developing for future releases. They have an amazing R&D team, they know the competition, and they know the market. In my department, we find that it is amazing and are not searching for additional functionality.
I would rate this solution a ten out of ten.
We use it mostly to secure our web platform for things like Internet banking, email, and SMTP. It is for anything that is external coming into our internal network.
We were having a lot of probe attacks coming through from our external networks. Now, the traffic has to come through our firewall, then FortiWeb. Basically, FortiWeb acts like a second firewall for all our applications.
We have been using all the features and everything is nice.
I have recently been looking at the SSL certificate features and the learning mode of the appliance. This appliance learns from the pattern of SSL attacks.
We would like the interface to be easier to use and more user-friendly. The interface needs to be enhanced.
We had trouble understanding it at first, but we got used to using it after six months. Then, it was simple to use.
We have been using it for five years (since 2015).
We haven't had any issues with it so far.
The scalability is okay. There hasn't been a need to upgrade. We have found something that can adapt to our environment and that we can use for a long period of time.
We plan to use the product for the next two years. There are no major upgrades planned anytime soon.
There are four users for the product (with two being from the security team).
We have needed minimal support for the solution. The support has been okay.
We did not have a solution that we previously used.
It is complex to set up in learning mode. It takes a lot of time to learn the pattern of the web application before we put in the rule. The rule itself is a bit complex. We had to go by trial and error because there is nothing standard on the device.
The deployment took almost six hours to get up and running.
We used a reseller. They helped us implement the device.
The reseller also does deployment and maintenance. For this, it takes about two of their staff and one or two of our staff internally. The staff will generally have experience in networking and firewalls with a background in security and port mapping.
All our Fortinet pricing is bundled together for different products, like FortiGate, FortiAnalyzer, and FortiWeb. FortiWeb, by itself, is probably around $2,500 to $3,500.
Since we were using FortiGate firewall, we decided to look at FortiWeb. We also looked into several solutions, like Check Point and Palo Alto.
The type of product you get depends on what you want to protect, how you want to protect it, and how many people will be accessing FortiWeb.
What we have now is working fine.
I would rate FortiWeb as an eight (out of 10).
We have been testing FortiWeb in our environment. We have it on virtual machines. We used it to block requests from some geographical locations or certain countries. It is very important for us because many attack attempts, logs, and events were generated from those geographical locations. Our country has some political difficulties in the region with other countries.
It is a good product. We have just blocked everything coming from some geographical locations or certain countries, and it has been working very efficiently when I look at logs, events, and incidents generated from the system. It is generating very good analytic reports about it. This is the most valuable thing about this solution.
It has load balancing and almost everything that a web application firewall needs. It is very flexible and easy to learn and configure. It can be easily learned and configured by using the information available on different channels such as YouTube.
When we look at the incident reports in the dashboard, they are available for a maximum duration of 24 hours. They should provide more time for the analysis and increase the duration of the availability of these reports. Currently, it gives the options for 5 minutes, 1 hour, and 24 hours. It would be excellent if there are more options for a longer time period. It may be configurable, but I don't know how to do it.
I have been using this solution for three months.
Based on what I know and see during the testing mode, it is stable. There has been no major incident. It has not stopped during this time.
It is flexible and scalable. We have about 400 employees, and all of them are using this solution.
We don't have any experience with international support. The local guys from our partner High Tech Solutions are so educated and professional that we didn't have any need to use international support. They are doing well and are available all the time. They are always ready to help and support whether it is a working hour or not.
We have one System Admin who works on the configuration and an InfoSec officer who looks into events, incidents, and logs and analyzes them. So, we have two people. We also have our head of the department, and we are responsible and accountable to him.
We have also tested other products such as Imperva and F5, and the most number of likes were for F5 and FortiWeb.
We like the product, but we haven't yet decided to purchase it because we don't have the budget for now. We will express our preferences towards FortiWeb to our top management, and it will be decided by them. We will suggest to them that it is a good product.
I would rate Fortinet FortiWeb a nine out of ten.
We have deployed a couple of projects for our customers to protect their online e-commerce systems. They have web-based applications for online ordering, for example, for online ordering from a hypermarket. It seems to be a very good solution. We have replaced the existing Barracuda devices of a customer. We deal with the latest version of Fortinet FortiWeb.
The customers are very happy with this solution because of two things. First, the IPS integration with a web application is very tightly done on Fortinet. Second, the ease of use is there. The management interface or the GUI interface is very easy to use, configure, and manage. These are the two main valuable features.
It supports integration with other Fortinet products. It also integrates very well with the firewall and sandboxing technology. They already have enough integration with different technologies. They have got a complete tech intelligence view of the whole product.
They could improve their support a little bit for faster response time.
I have been using Fortinet FortiWeb for two years.
It is very stable.
It is very scalable. The web application firewall is protecting the web servers in an organization from outside to inside. It probably has more than 1,000 users.
Their technical support needs a little bit of improvement in terms of faster response time.
The initial setup is very straightforward. It took about 30 to 40 minutes for one web application for default settings. If you want to go with complex settings, then it would probably take three to four days to understand the application backend and everything else.
We used a system integrator. One Admin is more than enough to deploy and maintain it. It is very stable and easy to configure and deploy.
Its subscription prices are cheaper, and it is not very expensive. From a price perspective, Fortinet is a very well-known security vendor.
Subscriptions are very simple. They have a couple of licenses on an appliance, and that's it. The cost is not that big. One license is 40K, which they give with all the products. Another one includes the subscriptions for threat prevention, IPS, sandboxing, etc., which is more than enough.
Fortinet FortiWeb is rated as one of the top WAF devices in many of the independent research reports. Our customers find Fortinet FortiWeb much better than other solutions.
We plan to continue using this solution if an opportunity is there. It depends on the customer's requirements. If a customer is going for an online e-commerce website, we would always recommend going with Fortinet FortiWeb.
I would rate Fortinet FortiWeb an eight out of ten.
Fortinet FortiWeb is known for its web application firewalls. We are using it for preventing and detecting layer 7 attacks such as SQL injection.
We have several web applications in our organization and we use this solution to protect them against attacks.
It's stable and works efficiently against OWASP Top 10 attacks.
It's good at checking IP reputation and it's capable of detecting Layer 7 DDoS attacks.
Overall, it has many features.
The Layer 7 DDoS attacks need improvement; it could be better. When you compare it with the F5 solution, FortiWeb is weak in detecting the Layer 7 DDoS attacks. At times, it generates several false positives and there should be fewer.
In the next release, I would like to see better DDoS protection. It's an essential feature that should be included.
I have been using Fortinet FortiWeb for more than five years.
We are using the 4000D model.
It's a stable solution and we run it 24/7. In the past five years, we have had four cases where there were some inconsistencies with the firmware. There are times where we experience crashes because of issues with the firmware.
It's not easy to scale this solution. It has a determined throughput and if your throughput is more than it should be then you have to use another solution or purchase another FortiWeb model.
We have less than 10 people using this solution on a daily basis.
We are not able to use international support because of US sanctions. We use a consultant to help us troubleshoot.
Previously with another company, we used ModSecurity, which is an open-source solution. FortiWeb is better.
If I compare with F5 solutions, I would suggest F5.
The initial setup was not easy but not exactly complex.
We maintain the system ourselves.
We completed the initial setup ourselves and we had a consultant help us with some of the features. It was a hybrid implementation.
It's an expensive solution, although there are no additional costs.
In my opinion, F5 is the best solution in the world, whereas Fortinet FortiWeb would be second.
I have heard that Barracuda is a good solution, but I have not worked with it. In my experience, F5 is the better solution.
I would rate Fortinet FortiWeb a seven out of ten.