The dashboards are not that configurable. Application-specific dashboards can be improved. If we have 50 applications, there should be something to see what's happening with these 50 applications. There could be a graph or a consolidated alert page where all alerts are inbuilt. They have other products that I can use, but this feature should be built into FortiWeb.

Reporting could also be better. There should be inbuilt reports that we can use to present on how it is benefiting and other things. We should be able to get reports in PDF or other common formats.

One area that needs improvement is using IP addresses within templates. If you allow an IP address to access an application, you should be able to leave a description of that. For example, we allow clients to access these services, and some are restricted to the IP address. When you add an IP, there's no way within the product to say what the IP address is. 

We need to maintain a separate external list because we need to remove any IP address associated with a client if they stop using our services. In many other products, you can create an object specifying that this IP address is for a client of this name or this service. You don't have this ability within FortiWeb. 

Another area for improvement is logging. When troubleshooting, the logs sometimes take a while to update. We've had people report that some things aren't logged if they're successful. It's a bit hit-and-miss. For example, sometimes people access one of our services, and it's successful, but we don't see that in the logs. 

A better load balancer is needed when multiple servers are used for the same website. 

A dynamic routing protocol needs to be included with the next release. 

The solution does not handle batch migration as well as F5 Advanced WAF. 

I think customers have the impression that FortiWeb is primarily for SMEs, but FortiWeb should work to expand its market share and adjust its branding. F5 and some other firewalls are easier to customize. FortiWeb could be more flexible and customizable. The documentation could also be improved because many of the advanced features aren't fully documented. 

We use Kubernetes, so I would like to have a plugin to configure FortiWeb Cloud automatically using Kubernetes Ingress. That would reduce the complexity of setting up an Ingress object in Kubernetes. Some competing solutions help you configure Ingress and Kubernetes automatically. 

We want to see more detailed logging, such as audit logging, as this would significantly enhance the solution's reporting. We currently get some information from logs, but more would be better.

At the moment, it's very easy to see if an attack has come in, and what they've done. What I would like to see is that they turn on all logging so that we can even see legitimate traffic. But still, that's a very minimal issue.

It would also be helpful if they could introduce easier reporting. It's good to have those reports that go to C-level management, and Fortinet does provide some graphs, but if they went into some more detail, that would be great. Then I wouldn't have to do it myself.

The product needs to be more stable. 

We have issues between primary and secondary IP. Secondary IP addresses cannot be on the same subnet as any primary or secondary subnet. You need to follow up between the primary and secondary. If you don't, there will be a problem. When your public applications are not working properly, the single point of communication from the public domain is an issue. If I want to resolve the situation, a quick solution is I need to fail over the primary to the secondary, and it will just start working. However, that is not a permanent solution. I don't know what the problem is exactly, and how we can permanently address the issue. 

If the price was lower, it would be a bit more attractive, as an option, to the customers. 

You do need to ensure you do the configurations carefully. Otherwise, you may have issues. 

The solution could improve by being able to handle different use cases.

It can be better with web application firewalls. 

It is already close to the best in class. This product is up to the mark right now. 

A user interface or dashboard for troubleshooting is needed so technicians without knowledge of the network or common hardware can visualize the environment. 

Accounts should be set up in the user's name, not the company's name. 

Their documentation is fairly complete, but it's sometimes a little bit difficult to search for exactly what you're looking for to resolve an issue. There have been times when we've gone to try to search for areas that we needed to get information on, and it has not always been extremely clear exactly how a particular thing needs to be set up. It sometimes takes a little bit of research to dig into figuring out exactly what it is. More examples would be helpful on what they have. The information sometimes doesn't relate directly to the state of the product at the time, so examples would be helpful.

The solution currently lacks a VM demo to enable testing prior to purchasing. It would make things easier for our clients to choose this product if they had that ability. We are based in Tunisia and the lack of multilingual technical support is problematic at times. 

We had some trouble using some features. Maybe we understood it the wrong way when reading the manual. We had to implement some workarounds to help this problem.

The GUI could be better. It's limited. 

I know that we have run into some issues with an SSL certificate and how it functions. Sometimes this breaks connectivity or just limits certain websites that are whitelisted. 

Sometimes, even if you follow the documentation, it doesn't work as expected. 

The solution can be a bit pricey.

The initial setup process could be improved.

The product’s stability could be improved.

Fortinet FortiWeb could improve data integration.

Fortinet FortiWeb could improve in reference architecture for different deployment scenarios.

The software's support services could be better compared to Sophos.

They could improve their support a little bit for faster response time. 

FortiWeb needs to have support for the newest technology being used in web applications. For example, some companies have developed new features using the latest technology, but we are still waiting for Fortinet to support them.

The initial setup could be simplified.

It's not the most popular option. Many clients prefer instead Citrix or Proxy Blue Coat. It might be a bit difficult to configure. 

The upgrade process could be a bit smoother. 

Sometimes the integration doesn't work on the first or second try.

The solution is a bit expensive. 

The maintenance fee for this product could be improved and it needs to be easier to scale up. 

The solution could offer more integration opportunities. 

When we look at the incident reports in the dashboard, they are available for a maximum duration of 24 hours. They should provide more time for the analysis and increase the duration of the availability of these reports. Currently, it gives the options for 5 minutes, 1 hour, and 24 hours. It would be excellent if there are more options for a longer time period. It may be configurable, but I don't know how to do it.

I'd like more customization. I'm not sure if everyone would agree, as it might add complexity. But for advanced users, it would be really useful to have access and the ability to manipulate packets. 

If we can access and manipulate the contents of packets, even encrypted packets... that would be powerful. Since we're looking at packets arriving at our network, we would have the private key to access those packets and their information. 

For example, I have an encrypted packet, and I have the private key for the certificate provided in that client. If I could tell FortiWeb, "After the packet is decrypted, if you see this thing, do that thing," that would be beneficial for advanced users. 

It would open up the possibilities for load balancing and specialized protection that we need but might be outside of the standard feature set. 

Maybe we need to manipulate a variable with a specific name that's only relevant to our security needs. That customization would be very beneficial.

The dashboard evaluating the performance of each application connected to the web app's firewall is quite helpful, but the tool is only available in application performance management. So I think if Fortinet could better integrate that particular feature, it would add a lot of value to the product.

I would like to see the Application Delivery Control (ADC) and Web Application Firewall (WAF) combined in one device. For example, if I have one device that costs $2,600 USD then it can have two licenses, where it can operate as a load balancer as well as a WAF.

We would like the interface to be easier to use and more user-friendly. The interface needs to be enhanced. 

We had trouble understanding it at first, but we got used to using it after six months. Then, it was simple to use.

The documentation for the machine learning could be better. They do not provide proper documentation explaining how the solution works or how to configure it. A good, valid KB article would be helpful. 

It is difficult to configure the machine learning and get it up and running. We put in a week of learning mode and then place it in our production. The machine and data learning is a pain point. I work with different clients. The machine-learning algorithm doesn't learn all the URL patterns. 

It would be nice to see certain software changes in order to add some kind of betterment with machine learning.

User administrative controls could be a little bit better. I guess that would be the main thing. The usability within Fortinet could be a little bit easier on the users. But it is what it is.  

The thing that was more difficult was not the tool itself but dealing with the logistics of the compliance issues. I was applying a standard set of rules to an AWS firewall. It served a purpose. The complex part of the solution was more of a compliance issue.  

What I would like to see improved in Fortinet FortiWeb will probably be included in the next release. The legal feature needs better step-by-step use of the form. 

We use the FortiGate guidebook for step-by-step instructions. But the FortiWeb guidebook is only is a demonstration kit which is not enough for a new installation.

I would like to have an antivirus option. 

The solution could improve by providing more integration with solutions other than the Fortinet family.

Usually patches and version upgrades are really buggy, so we usually wait about one month for a stable release to upgrade. They need to improve the new version/patch delivery mechanism. For example, if a patch fixes one functionality for web services but also causes some other functionality failure.

We are considering an upgrade to our firewall because our current version is not compatible with our FortiAnalyzer. As there is an incompatibility, we have been advised by Fortinet that an upgrade is necessary to avoid issues.

We believe this product will become obsolete.

It needs to better integrate with other platforms.

In terms of performance, it needs to be more robust. During the lockdown, we are connecting to a VPN and the connection should be faster, there should be RAM or more hardware. Also, it should include security features.

The UI is a little complicated for new users.

The CLI could be improved by removing all default syntax from the config. The debugging of crypto VPN is not as informative as other vendors’ firewalls. The GUI is also not as good as some vendors, but overall as a package and considering price, it still provides value for money.

The memory use in each of the appliances is problematic. 

Describing security rules should be improved. It's tricky to define new feature tools when you want to describe an attack pattern and want to block it. 

Product support is a major concern; if FortiWeb wants to become a market leader, then it must provide better after-sales services.

The automatic policy learning feature also needs some improvement, as using this feature leads to more false positives.

Integration with other cloud-based DDoS protection services such as CloudFlare, Arbor, Akamai, etc., is also a limitation.

From the feature perspective, it is pretty rich. The automation piece can be improved. Although they say it can be automated very well, there is still manual work. Its usability should be improved in terms of automation because we want to build an infrastructure with code, but you can't do that easily with this solution. If they can give us APIs in the firewalls that we can tap into, it would be perfect. 

I would also like it to scale automatically based on the traffic.

Fortinet WAF came out recently, and there is not much feedback about customer experience. For each project, customers ask about the scenarios and references of the customers who have implemented this solution, which we don't have. They need to simplify the customer experience and provide more information so that we can propose Fortinet Fortiweb as a WAF solution to customers and convince them.

They need to improve their service and training. We need good training to implement and use it properly and know more about it. We still don't know much about Fortinet WAF. We didn't get any proper training sessions. Other vendors like Cisco, Palo Alto, Check Point, and Barracuda provide such sessions. Whenever we receive a request from a customer for this solution, we just give the price. We don't propose this solution because we don't know much about it. We propose whatever we are familiar with and what is supported.

The Layer 7 DDoS attacks need improvement, it could be better. When you compare it with the F5 solution, FortiWeb is weak in detecting the Layer 7 DDoS attacks. At times, it generates several false positives and there should be fewer.

In the next release, I would like to see better DDoS protection. It's an essential feature that should be included.

The solution is rather complicated. If you know what to do, it's not bad, but it's complicated for a first time user to configure the solution. What I'd like to improve are the custom signatures. If you want a good security solution, you have to get in kicking high for things that are getting blocked and you have to whitelist some signatures to make things work. It's a time-consuming thing to do. It would be nice to whitelist private IP ranges and see which signatures are hit and whitelist them automatically - which I think is possible to do. 

It would also be nice to have some extra security in the solution. I just upgraded to 6.0 and there were some security additions, but it would be nice to have some more and be able to configure them in the right way. Specifically, an updated security policy would be nice.

There are specific functionalities that I'd like to see improve and that would basically bring it into line with what is being offered by solutions such as F5 and Imperva.

The initial setup in our data center was somewhat complex.

I think Fortinet must make an effort in terms of upgrade procedures. There were some troubles upgrading from 5.2.x to 5.3.x, and the problem appeared again upgrading from 5.3.x to 5.5.x:

• Upgrading from 5.2.x to 5.3.x. Fortinet provides a script, but it doesn't work (they do not say anything about it). In some cases:
  • If you are using the subnet 192.168.1.x in any interface, it assigns this network for management, which means it can't apply the configuration.
  • If you use LDAP authentication, the new field "realm" appears empty, the configuration doesn't work, and you have to manually change it.
• Upgrading from 5.3.x to 5.5.x:
  • Some changes are introduced, then it requires fully formatting the device and configuring it manually (copy/paste pieces of configuration).
  • Once again, if you are using the subnet 192.168.1.x in any interface, it assigns this network for management, which means it can't apply the configuration.

First of all, upgrade path should be introduced for scaling up or down VM deployment. Second, they need to include better wizards for publishing common applications like MS Exchange. 

.

New releases and old releases have some bugs, some features do not work as good as we want but every new release the Fortinet team fixes up problems. I don't have anything to say about what to do to improve this product. It's a great solution for us.

It would be great if FortiWeb could provide web forms like Microsoft TMG. (For example, OWA Exchange portal or SharePoint portal.) Many of our customers are looking forward to this functionality.

The machine learning feature of the solution could be improved.

No solution is 100% secure and the security could always be worked on.

I would like to see support for throughput up to 10 gbps and WAN support. Depending on your device’s design, I’d like to see throughput support up to 2 mbps for SSL, 3 mbps for IPS, and 1.5 mbps for applications. This might already be offered with newer versions.

I haven't used the latest release of device. From my current device perspective, reporting is good, but I want to see, in the future releases if they haven't done yet, is the total traffic alert (highest peak) that could receive on mobile or email. This is very helpful if you could set in required interval to monitor the total traffic that could feel the traffic in your hands.

In my experience, Fortinet FortiWeb could improve the intelligent features to acknowledge whether any threat or incident that's running happened. Then give us the ability to escalate it to layer 2 or layer 3 in the network operations.

FortiGate could be improved on the security end because we've had some incidents with the customer. Otherwise, there is no problem. 

HA Architecture. I would improve it by working on AP HA.

The user interface and update/support is not quite user-friendly.

Obviously nowadays these are just normal features, but we are looking for QoS, application visibility, web filtering and mostly threat detection/malware protection/IPS for security side/etc.

The signatures are very basic and prone to firing false positives. For example, FortiWeb detects this string as an attack because it detects "perl" in it:

User-Agent: Mozilla/5.0 (compatible; PaperLiBot/2.1; https://support.paper.li/entries/20023257-what-is-paper-li)

This is a false positive. If the signature was more complex, that would not occur.

The integration with other products should be improved.

This product does not come with bare metal protection, so we need more network features. We don't want to be as dependent on a separate next-generation firewall.

The pricing could be made more competitive.

• Centralized management of multiple devices, and GUI improvement, could reduce the learning curve. 
• The interface could have the interdependent elements arranged sequentially and wizards that go through most common deployment actions. 
• Centralized configuration using FortiManager – like what exists for NGFW FortiGate appliances - would improve the configuration.

The F5 solution has more features than Fortinet FortiWeb, such as multiple load balancing.

They can introduce a scaled-down version for the SMB market. It would be very competitive in the environment.

Troubleshooting features could be incorporated with this solution.

The reporting could be optimized.

- Logging

During the POC we did encounter problems. For example, the integration with the HSM for storing keys was not ideal.

The downside is on the security side and is the firewall. When you look at the firewall, it doesn't do decryption and you have to depend on other third-party tools to do that. Or you would have to use another FortiGate product which makes things a little complicated. Today, people look for simplicity in terms of design. That's one downside to Fortinet's Firewall. The downside to FortiWeb is it had issues integrating with HSM. They fixed the issue, however, it took a long time to fix and it wasn't pleasant. I had to work with deadlines and I could not make the deadlines due to the slow timeline on their side.

For the firewall, when you deploy IPS, the IPS doesn't have visibility into encrypted traffic and 70% of traffic these days is encrypted, and that's the conservative figure of the actual percentage. If your IPS doesn't have that visibility, then it is not really doing the job that it has to do. In comparison, Palo Alto is the best firewall in terms of performance and has the technical specifications that we need. 

The support side of things can be improved. They need to quickly tend to issues and resolve them as soon as possible. Those are the expectations.

Integration and learning about attacks. I would improve these areas by making FortiWeb integrate with other network technologies and feedback from multiple platforms.

We would like to know more about the integration with the hardware or security products, such as Gemalto, because we need to move to that point. But, from what I understand, we haven't looked at the market to see how this can be done yet.

More templates should be made available for reporting.

I would like to see more improvements with respect to threat intelligence.

Their support needs improvement.

The solution could have more customization.

The antivirus and the IPS can be improved in the future.

We started with FortiWeb400C, then we did an upgrade to FortiWeb 400D. I had some small problems when I was upgrading firmware. After the upgrade, some of my certificates were deleted.

The false positives are also annoying.

• Internet
• Servers

A BYOD feature is missing; this could be a good add-on.

It may be better if it were easier to create roles.

The interface could be a bit better.

Everything is pretty manual. We do need to improvise a bit. Automation might make it easier.

The pricing is a little bit high for us.

The hardware does not measure up. Fortinet does not have sturdy hardware.

FortiWeb does not exist in a cloud-based form. Its only available for deployment as a virtual appliance on AWS and Azure IaaS platforms. Because of the trend to WAF environments, it would be good to have it as a SaaS. Also, FortiWeb would be more competitive if it combined WAF and DDoS protection.

We have had problems with deployments where we've had to contact technical support to resolve them.