Fortinet FortiWeb Reviews

We use FortiWeb to connect external APIs to our on-prem data center solutions.

We use FortiWeb for extended protection profiles to mitigate SQL injection and other web application threats. It is effective against web application threats and helps with our API protection and load balancing. 

Additionally, it is cost-effective compared to other solutions.

They could integrate some kind of machine learning and AI facilities to automate workflows. We need to update regular patches frequently, and it requires regular installation and testing of these patches.

We have been working with FortiWeb for almost five years.

It is stable for us, showing good performance in handling web security.

I would rate its scalability at six because we have to increase our CPU and memory capacities, as it is confined to CPU and memories.

I would rate the customer service and technical support between eight and nine out of ten.

The setup is easy to manage.

It helps us save costs, about 20% to 30%.

In comparison to other solutions, the price is reasonable.

FortiWeb is suitable for medium-scale companies. I recommend using this solution.

I'd rate the solution nine out of ten.

Fortinet FortiWeb's use case is associated with WAF or web application firewall. Before a platform faces the internet, Fortinet FortiWeb inspects the traffic.

Fortinet FortiWeb is much cheaper compared to other solutions like the ones from F5 Networks, which have more capabilities. I think Fortinet FortiWeb is not as capable as F5 Networks, but it is cheaper. The key point for Fortinet FortiWeb is that when I give it to the customers, I see it is cheaper than F5 Networks.

All the players in the market are already using AI. In the AI area, I don't find any specific feature for Fortinet FortiWeb that is special compared to the other products in the market.

Fortinet FortiWeb's ML features are good, but they do not make the tool any special because all the products in the market, like F5 Networks, already use AI features. The AI feature does not make Fortinet FortiWeb any special.

The tool's WAF or web application firewall area has certain aspects that can be improved. I cannot find what features superficially can be improved in the WAF area of the tool.

Fortinet FortiWeb can be applicable for small or big networks. In my opinion, Fortinet FortiWeb can manage or improve its log management capabilities. As far as I know, FortiGate has a limit, which means it can be used for logging for seven days, and maybe it is because Fortinet wants to speed up the selling of another product called FortiAnalyzer. FortiAnalyzer is a device dedicated to logging analytic solutions. Fortinet may limit the capability of logging in Fortinet devices so that customers buy FortiAnalyzer for log analytics.

I have been using Fortinet FortiWeb for three years. My company is a reseller of the solution.

I don't know about the tool's scalability.

I rate the technical support a nine out of ten.

Positive

I also use FortiAuthenticator.

The product's initial setup phase can be somewhat complex depending on what software needs to be protected by Fortinet FortiWeb. If the web application is simple, the configuration can be made simple. If there is any specific need to protect the area in the web application, it is more tricky to configure Fortinet FortiWeb. It depends on what kind of web application needs to be protected by Fortinet FortiWeb. Overall, the tool's configuration is neither easy nor difficult.

If one is cheap and ten is expensive, I rate the tool an eight.

The product's document says that Forinet FortiWeb can detect zero-day attacks, but it needs more devices like FortiSandbox for help. Fortinet FortiWeb needs to be integrated with FortiSandbox. I think it is Fortinet's strategy to upsell other tools because Fortinet doesn't want to put the solution in one box or one device. If you want another feature, Fortinet wants you to buy another box.

I rate the tool an eight out of ten.

I use the solution in my company to make web applications more secure because we have a special portal or web interface that we have to make secure for cybersecurity and different accesses. We found that FortiWeb Web Application Firewall (WAF) works fine for such use cases.

The tool's most valuable feature is the web access it offers. We control every access, like who goes in and what they do.

The tool's price and performance are areas of concern where improvements are required.

I have been using FortiWeb Web Application Firewall (WAF) for three years.

It is a 100 percent stable solution. Stability-wise, I rate the solution a ten out of ten.

My company has three customers using the tool. One of the customers has 1,00,000 users.

My company manages the technical support with around four people, so it is not a complex process for us to handle. In general, the tool's support team is friendly.

The product's initial setup phase was easy.

The solution's deployment needs a bit of time because we have to discuss it with the deployment team, which consists of software. The project keeps growing and changing daily, so if the people involved in the deployment make new software, we have to change something. It is an easy process and can be managed in around two weeks by one person.

The tool is really expensive. In our company, we could do a lot more, but the price is always a point covering areas like why we need one, whether it is important to discuss, why it is so expensive and so on.

Speaking about the licensing model, people need to opt for a subscription-based model. My company likes to have a subscription for at least three or five years because, otherwise, you have to renew the license. Managing the licensing part for one person can also be very complex.

The solution helps protect our company's web applications against common threats up to 99 percent. We feel very safe with the tool.

Speaking about how the tool has effectively mitigated web security threats for an application, I would say that it is an application behind the web portal, so there are about a hundred or thousand people who can access a website. If it is a sensitive application, and we have to watch every access to it to make it really safe, that is the reason why we need WAF on the application.

My company doesn't use AI with the tool.

I recommend the product to others. I would say that others need to have it if they have a shopping website or something similar. I know it is hard to sell because we find it quite hard whenever my company tries to do so.

The solution offers 100 percent integration with other Fortinet security products.

The ease of policy configuration in the tool is okay.

I rate the tool a nine to ten out of ten.

The primary use case involves using FortiWeb to protect web servers from various malicious activities by integrating it into a firewall with features like URL filtering and application control. Additionally, it was deployed to meet the requirements of PCI DSS.

FortiWeb has been helpful in securing our web servers effectively. Fortinet FortiWeb is reliable, providing seamless protection and peace of mind regarding the security of our web applications.

FortiWeb has antivirus, web filtering, and application control features. Being part of the next-generation firewall, it's highly effective in ensuring security. The capability to protect from malicious activities is significant, alongside other features like application control.

I cannot provide feedback on what needs improvement as I haven't used other solutions to compare it against and therefore cannot identify any areas lacking in FortiWeb. Overall, FortiWeb is reliable.

It's been a year since I last used FortiWeb, while I previously configured and used it actively.

FortiWeb is reliable in terms of stability. There haven't been specific downtimes or technical issues with FortiWeb.

We haven’t encountered issues necessitating contact with customer service for FortiWeb, implying stable support from Fortinet.

Neutral

I have no experience with other solutions.

The initial setup depends on familiarity with the product. It's manageable with the right expertise. In cases of a simple application, setting up could be achieved in as little as one day.

I can't determine the exact cost of licensing as it was part of a bundle that offered multiple features and licenses.

I have no experience with other solutions.

I must emphasize the reliability.

I'd rate the solution seven out of ten.

Our company provides data center and cloud services as infrastructure providers. When customers need infrastructure like VMs or server allocation, we provide them with the vendor and offer services to operate, manage, implement, and integrate these security components.

The most valuable feature is the tool's integration with load-balancing applications, similar to FortiADC. Its importance depends on customer requirements, such as whether they prioritize application load balancing or layer seven protection.

Regarding areas for improvement, the documentation needs work. We had issues with a customer because the documentation didn't clearly show which devices can connect with FortiWeb WAF, leading to misconfiguration and difficult meetings. We also need deeper technical support - finding who's responsible for technical aspects is challenging. Hungary has a good Fortinet office with strong sales and pre-sales employees.

I have been using the product for four to five years. 

I rate the tool's stability a nine out of ten. 

It's not good with normal perpetual licensing, but we can solve the problem using flex licensing. That's why I'd rate it nine out of ten. We're satisfied with it. Many of our customers, including small, medium, and enterprise businesses, use FortiWeb WAF.

I rate the tool's deployment ease as seven out of ten. We have spent about 600 working hours to implement it. 

The product provides very good prices to customers. The price is set well and offers great value for money.

I rate the overall solution an eight out of ten. I advise others looking to use FortiWeb WAF to create deeper policy rules.

My company is a Fortinet partner and specializes in FortiWeb. We often compete against cloud-native solutions like Azure Application Gateway WAF. We typically conduct proof-of-concept tests for potential clients. They are usually looking for API protection and bot mitigation, which FortiWeb excels at. We take responsibility for implementing and supporting the solution for our customers.

We also conduct simulation tests and review feedback from colleagues and customers. Customers often seek solutions for bottlenecks, especially regarding machine learning. We can do a detailed review of the WAF services and provide a report for the customer.

If a customer has a website, a firewall alone is not enough. While a firewall can act as an application firewall, it may not be sufficient. If we have a firewall at layer four and layer seven, and the customer needs protection against OWASP Top 10 vulnerabilities or requires IT audits, a web application firewall becomes crucial. 

Additionally, if DDoS protection is a concern, it often comes integrated with WAF. For networking, some WAFs can even provide load-balancing functionality.

In my experience, we put my customer's website in monitor mode, not protect mode. So, we initially set up FortiWeb in monitor mode to avoid disruptions to the customer's website.

While in monitor mode, machine learning observed the web application. Once machine learning had enough data to analyze, we discussed unusual traffic patterns with the customer. 

FortiWeb identified potential DDoS attacks and suspicious domain activity, showcasing the value of its machine-learning capabilities.

The price could be close to Imperva; Imperva is the number one firewall.

FortiWeb cannot do some kind of ADC solution, like load balancing. I hope they improve that.

I'm looking for the ADC solution, the load balancing solution. Because application firewalls with multiple line solutions do come with it. So, I think it should be integrated within FortiWeb WAF.

I used it for two years. I started working with it when a client company moved their web application to the cloud (Azure or AWS) and needed protection. We implemented a FortiWeb solution as their WAF.

I have used Check Point for email security. 

For security products, from my experience, customers will compare costs if they have been attacked. They may consider insurance. If you provide more protection, the return on investment is the compromise to use the application.

This product offers two pricing options: a standard package and an advanced package. The advanced package includes credential stuffing protection, while the standard package includes automatic application learning, bot mitigation, and web application protection. 

If you simply need to protect your website, the standard package is sufficient. However, if you need credential stuffing protection, the advanced package is necessary. This is the key difference between the two packages.

Overall, I would rate the solution an eight out of ten. 

The tool is a valuable web application that protects our internal mobile money application. It enforces policies, ensuring secure access for users connecting to the application. It complies with PCI DSS, safeguarding financial transactions and contributing to our revenue. The solution effectively addresses malware threats.

The tool secures our critical applications, especially the mobile money application, which is often targeted by attacks. The solution provides rapid protection and has proven reliable against various threats. It blocks malicious traffic, including dormant and DDoS attacks, and offers integrated Web Application Firewall features to safeguard against compromises.

You can set it up for customer-facing web applications because customers don't necessarily know all the IP addresses. It uses a source-based approach where any source accessing the application is defined by its IP. When accessing the application, it checks if they are using HTTP or HTTPS and blocks them if necessary.

The tool's performance and security reporting capabilities contribute positively to IT security management. Consolidating management within the solution makes it easier for IT to handle the solutions. All functionalities managed on a single box reduce the number of boxes needed for management.

We have encountered issues with webhooks and management of FortiWeb Web Application Firewall's on-premise version. 

I have been using the product for three years. 

You may encounter problems if you don't have FortiAnalyzer. 

My company has 11,000 users. 

We've encountered several issues before, like the web and firmware's lack of responsiveness for 50 minutes. The Firewall, FortiWeb Manager firmware, and firmware updates must sync properly. We've addressed this, and our partners have helped resolve these issues.

I tried to work with Cisco, but it wasn't working well. 

FortiWeb Web Application Firewall's deployment is not complex. The setup involves connecting the switch and the firewall. Our main task is to redirect all traffic from the application to the website. The overall process can be completed in two weeks. Maintaining it isn't challenging, but the issue arises when the firmware becomes outdated; you must check and update it.

FortiWeb Web Application Firewall helped us with the deployment. 

I rate the overall solution a nine out of ten. 

We have multiple environments. Some applications are in Oracle Cloud, some are in Azure, some are in GCP, and some are on-prem. We wanted a single solution for web applications, and that's why we chose FortiWeb. In the case of the cloud, we don't even have to manage it. It's a managed service from Fortinet.

We have not been using it for a very long time. It has only been eight months, and so far, there have been two main benefits. The first benefit is that if I have an on-prem solution, I can buy their hardware and deploy it, but the configuration is the same. If I have a cloud, I can use FortiWeb as a service or as a virtual machine. It depends on requirements, but the configuration remains the same. The configuration doesn't change. We have a lot of global parts and a lot of teams are working on it, so it gets easy to communicate and verify the configuration and create a baseline.

Costing is another benefit. The cost is based on the traffic. If an application is used, we pay for it, but if it's not used, we don't have to pay for it. With other solutions, we have to buy the solution, and then we have to purchase or take licenses. If they aren't used, we are just burning money without any use.

We are using anomaly detection and bot mitigation. In terms of anomaly detection, it is able to find the behavior. We have some applications where normal users are logging from India, and if the behavior changes, it gives us an alert, but in terms of bot mitigation, I haven't found much.

It's easy to use. I don't have to do any changes in my environment. For example, if I use Azure WAF, I have to use a traffic gateway, load balancer, or something similar, whereas, with FortiWeb, I don't have to change any architecture. I just have to change my DNS entry. That's it. If I'm able to change my DNS entry, FortiWeb works.

Adding new applications is also quite easy. You just add the application and change the DNS settings, and you are good to go. Whether you want to block or unblock, or you want the learning mode or protection mode, you can enable or disable it with just one click, and you are good to go. Most of the settings are already there if you want to tweak them. It has a GUI. You must have to click here and there. The documentation is also good. If I don't know something, their documentation is quite helpful. A lot of people are using Fortinet, so YouTube videos and articles are also available.

The configuration part is easy. The configuration and implementation process is streamlined. We don't have to change anything. We don't have to follow 10 processes. It's a single process with which everybody is familiar. Manpower and manhours are saved because a lot of discussions are avoided. It also helps us in creating a baseline. We now have a baseline of what we need. So, from an instant response point of view, it's easy for us because we are getting the same results out of it.

It has reduced false positives. As compared to my old solution, there is at least a 17% to 18% reduction.

It has reduced the number of alerts that our organization receives. There is a 50% to 60% reduction in alerts.

It has saved us time. We were spending around three to four days setting up our old solution, whereas now, we are spending a maximum of four hours.

The ease of configuration is valuable. We have Azure WAF, we have OCI WAF, and we also have Cloud Armor for GCP, but their configuration isn't very easy. It's pretty simple in FortiWeb, and we can enable or configure whatever we want.

Its cost is also good. If I'm using an application for 15 days, I pay only for 15 days.

FortiWeb is good for blocking unknown threats and attacks. I've done a PoC with Azure WAF and OCI WAF, and in comparison, FortiWeb is quite good.

The dashboards are not that configurable. Application-specific dashboards can be improved. If we have 50 applications, there should be something to see what's happening with these 50 applications. There could be a graph or a consolidated alert page where all alerts are inbuilt. They have other products that I can use, but this feature should be built into FortiWeb.

Reporting could also be better. There should be inbuilt reports that we can use to present on how it is benefiting and other things. We should be able to get reports in PDF or other common formats.

It has been around eight months.

Its stability is good. Stability-wise, there aren't any major differences among Azure WAF, OCI WAF, Google Cloud Armor, and Fortinet FortiWeb.

If I'm using FortiWeb as a service, I don't have to care about scaling because everything is taken care of by Fortinet. From a scaling point of view, I don't have to do anything. If it's on-premises, we already know how many users are going to use it, and we can decide on the model accordingly. So far, we haven't had to scale it up for any project.

I've not contacted them for FortiWeb. We are also using Fortinet firewalls for which I've taken their help.

We had our own solution. We called it SecOps. It had something from RedHat and something from OPNsense. We built it that way. We were using that. We switched to FortiWeb because of two reasons. The first reason was the cost, and the second thing was that we wanted a single solution that can be implemented everywhere. We are from R&D. We decide on a solution, and then our product team implements it. When we have multiple tools, operations and maintenance become quite a headache because every tool has its own learning curve. All tools are not the same.

We have on-premises as well as public cloud environments. We have Azure, OCI, and GCP. 

Its initial setup is straightforward. It takes a little bit more time the first time because we have to set up the subscription, etc. Next time, it takes only around four hours.

We implemented it in-house. We are a global team, so a lot of people were involved. From the R&D side, at least five to six people were involved.

In terms of maintenance, when it's on-prem, some sort of maintenance is required in terms of firmware upgrades. We also follow ISO standards, so we have to do maintenance. We have a requirement to check everything once a month, but FortiWeb doesn't take much time.

We have been using it only for eight months, so I need more time to see its price-performance ratio, but it's worth the money. I'm getting what I'm paying for.

There are time savings. Previously, we were spending four to five days setting up our SecOps solution, whereas now, we are spending only four hours.

When I use any other firewall, I have to take a license. It could be a perpetual license or subscription-based. In both cases, we have to pay some amount in advance, whereas in the case of FortiWeb, when using it as a service, I am paying half a dollar only for the domain name, and then I am paying based on the traffic or the number of requests. In every organization, there are some applications that are heavily used, and there are some applications that are not heavily used. So, why go with a yearly, three-yearly, or five-yearly plan when you can just pay based on the traffic that WAF is processing? Previously, for each project, the cost was $800 to $1,000 per application. Now, it's $100 to $120. For some of the applications, there is a 90% reduction, and for some of the applications, there is a 50% reduction. We're paying only $500 to $600.

We checked OCI WAF, Microsoft Azure WAF, Google Cloud Armor, and Fortinet FortiWeb. We also checked other WAF solutions such as Akamai and CloudFlare but didn't do a PoC with them. We did a PoC with OCI WAF, Microsoft Azure WAF, Google Cloud Armor, and Fortinet FortiWeb.

We went for Fortinet FortiWeb because we wanted a single solution that can be implemented anywhere. If we use Azure WAF, it would be hard to use in GCP. We have to create a connection between both, whereas we can implement Fortinet FortiWeb on any cloud. If we have on-prem applications, we can implement FortiWeb hardware as a solution. In some places, we have strict requirements. If it's a VMware data center, they also have the FortiWeb VM solution. If we want to use Docker images, they also provide Docker images. We can just use a single tool. We are not dependent on multiple tools.

Every team has different requirements, but if you need an easy solution that can be deployed in a very short time, FortiWeb is the right one. It doesn't need too much expertise when you're initially configuring it, and even if you're testing it, the cost is quite low. It's good even for small projects.

It has the API gateway functionality, but we aren't using that. We are also not using API discovery and API security. I've enabled machine learning, but we have not used it a lot. We are in the exploring phase.

Overall, I'd rate Fortinet FortiWeb an eight out of ten.

I use the solution in my company, as we mostly load some web applications at our data center and use it to ensure that the web pages are properly secured.

Actually, most of the features of the tool are really good, but I would like to emphasize the importance of its machine learning features, as it can be implemented smoothly in Fortinet FortiWeb, and it is very helpful for our company.

Though the reporting is a nice aspect associated with the tool, I feel that it has certain shortcomings and can be made better. The reporting part can provide more information and be more specific.

Fortinet FortiWeb's admin guide could offer more, like, examples or features on how to implement the tool. It can provide information on how a user can make use of it in different usages, and that can help a lot. The admin guide is satisfactory, and it meets our company's needs.

Actually, my company would like it if the product could implement scanning attachments for exchange for assets or exchange needs. The aforementioned area consists of the feature that my company wants to apply, but it is not supported in Fortinet yet. My company needs the product to support us in the aforementioned area, and it can help us a lot by providing a layer of security that can check files and attachments in emails and other stuff, which would be great.

I have been using Fortinet FortiWeb for three years. I am an end user of the solution.

Stability-wise, I rate the solution an eight out of ten.

In terms of stability, it is a good solution that is easy to use and has many features and resources. The support offered by the product is good, especially since the support team responds on time, keeps you informed, and even follows up. Generally, it is a good solution to have and use.

My company has not experienced any downtime while using the product.

In our company, we have not implemented the product on a large scale.

Around 2,000 people per month use the product in our company.

Every single day, the tool is used to host web applications.

If our company needs to implement more hosted web servers, we will use Fortinet FortiWeb, but if not, then it will remain at the current number. Increasing the use of the tool is not my decision, and I just accommodate the needs of the organization.

The solution's technical support is good. When my company faced some problems with the product, I found the solution's support team to be very supportive and helpful. I rate the technical support a nine out of ten.

Positive

On a scale of one to ten, where one is difficult and ten is easy, I rate the product's initial setup phase as eight or nine.

The product's initial setup phase was straightforward, and since our company didn't have any problems with it, we didn't encounter many problems with the tool. Maybe our company encountered some problems with the product's setup because we used to use it to set up the servers or stuff, which took time, but now Fortinet FortiWeb handles everything smoothly and easily.

The solution is deployed on an on-premises version.

The solution can be deployed in a week.

If my company did not have Fortinet FortiWeb, then I believe that we would have had to host some of the services in an external data center with extra fees and there we would have had to pay for the web services, but we don't need that anymore because now, we have an on-prem web service that can promote us to be able to host as much as we need of web services.

On a scale of one to ten, where one is zero percent and ten is a hundred percent, I rate the ROI as an eight.

If one is very cheap and ten is very expensive, I rate the product price as three or four. The tool is cost-effective and offers value for money. I didn't mean it was very expensive. The price is fixed, but some features need an extra license.

My company was considering F5, but you actually went for Fortinet FortiWeb after considering the cost aspect.

My company doesn't specifically host e-commerce platforms since we offer mainly government services.

The security part has been satisfactory till now, and we haven't faced any problems yet.

FortiGate FortiWeb's features that have been most effective in mitigating web-based threats are possible because of the signatures. My company doesn't need to enforce a lot of policies or stuff. Fortinet FortiWeb has a lot of internal databases that can help you, and you can use whatever platform you are hosting your web applications through whichever software you use. it can build up a web protection profile that matches your needs, making it a very helpful tool.

Speaking about how machine learning features enhance our security posture, I would say that some aspects of the website are not normally clear for our company, and machine learning helps in such areas. It just traces the normal usage of the web applications along with the websites or links most users visit while also checking which URLs are mostly used, after which the tool differentiates between the normal usage and any abnormalities, based on which it builds the model that can be used to improve the security. Sometimes, a person cannot do things manually and is not sure about all the aspects of our web applications because many are not developers. Machine learning comes into the picture because one may not know all the stuff associated with the product.

A team of four or five people is enough to deploy the tool. Maintaining the tool is actually not a very big task and not many people are required for it.

The integration capabilities of the product with other security tools have benefited our company's security strategy as it sits smoothly in our network. The tool doesn't cause any problems with the integration part.

I would recommend that users use the tool's high availability. With the tool, one box is not enough, so there is a need to have a cluster of two boxes. Users need to measure their needs regarding the logging process and everything else, including processing. Even before starting to use it, we have to set up everything, or you would be confused about how to use the tool in the future, and it would be difficult to figure out how much retention log retention we would need in our company. It is important to set up everything related to the users' needs so that they don't need to change a lot of settings in the future.

I rate the tool an eight out of ten.

We are a payment processor with infrastructure deployed across various environments, including AWS, on-prem, and various other environments. We are PCI Level One certified, and one of our requirements is WAF. FortiWeb is a tool we use to secure access to our public-facing applications and services.

Our environment is primarily cloud-based, and all of our services are AWS. We were in the process of migrating to the cloud when we implemented FortiWeb, but we still needed to maintain some on-premise infrastructure to serve different regions. We were happy with the solution after deploying it in the cloud, so we discussed the possibility of also using it with our on-premise applications based on the initial results. Many of those services are now moving to the cloud, so we won't deploy them on-premise anymore. 

We are using FortiWeb across multiple locations in London and Singapore, so we have WAF services sitting in front of applications across both sites. Our applications include various payment processing platforms, fraud prevention tools, and other related customer-facing services based in various locations within the AWS cloud.

A ten-person network team is responsible for administering FortiWeb. It's difficult to say precisely how many end-users there are because we provide this solution to third parties, but around 160 clients connect to the applications behind these services. Our clients are typically small or medium-sized enterprises.

FortiWeb provides an additional layer of security that we didn't have previously. We have a next-generation firewall deployed in our cloud infrastructure, but the WAF is the most external-facing piece. The WAF passes traffic to our internal next-generation firewalls.

We have also benefited from FortiWeb's load-balancing capabilities. FortiWeb enables us to load-balance without the need to take on an additional service. In most cases, we've been able to use load balancing provided by the AWS gateway. We have two servers with services deployed across multiple availability zones behind there. In addition to security, WAF allows us to load balance traffic across those servers in various availability zones without adding more load balancers.

FortiWeb streamlines tasks because we've eliminated other functions like load balancing. The API is also excellent. Someone on my team created an application that integrates with the API to quickly add new IP addresses without changing the templates. We've found it's helped us streamline some of our usual BAU tasks.

We already had a low false positive rate, but FortiWeb has lowered it further. Detections in our report tend to be accurate. We still get occasional false positives, but some of that probably relates to our custom-built applications. FortiWeb decreased our false positives by around 30 percent. 

We used to get a lot of alerts from our traditional firewall, but the number has declined significantly since deploying FortiWeb. It was a reduction of about 70 to 80 percent. The alerts coming from FortiWeb are helpful. They inform us of things that require action. We previously got many alerts from our public-facing services. We didn't have an efficient means of getting alerts. The same threat provided multiple alerts. That would keep going and could be overwhelming at times.

FortiWeb's ease of deployment is what we liked the most about it. Implementing FortiWeb was extremely fast and easy, which was a significant advantage. It comes with several preconfigured rule sets and templates. 

FortiWeb effectively addressed unknown threats. We get regular reports that we check. So far, we've had no issues at all. Around 99 percent of our public-facing infrastructure is restricted by source IP to our partners' networks, so our attack surface is restricted. WAF picked up and blocked any attacks before they can impact us. 

FortiWeb is effortless to use and manage. The documentation is excellent, which is another huge advantage. The layout is logical and intuitive. You can create templates and reapply them to new applications, so we don't need to do a fresh configuration for each application. We have a template that represents our security benchmark. There are a few exceptions that we need to add for each application, but we can redeploy the security benchmark template for each new application that we create.

One area that needs improvement is using IP addresses within templates. If you allow an IP address to access an application, you should be able to leave a description of that. For example, we allow clients to access these services, and some are restricted to the IP address. When you add an IP, there's no way within the product to say what the IP address is. 

We need to maintain a separate external list because we need to remove any IP address associated with a client if they stop using our services. In many other products, you can create an object specifying that this IP address is for a client of this name or this service. You don't have this ability within FortiWeb. 

Another area for improvement is logging. When troubleshooting, the logs sometimes take a while to update. We've had people report that some things aren't logged if they're successful. It's a bit hit-and-miss. For example, sometimes people access one of our services, and it's successful, but we don't see that in the logs. 

I've been using FortiWeb for around 18 months. 

FortiWeb is highly stable. I can't recall an instance when we've had any issues. Our services are used constantly. For example, we have a fraud prevention tool that various banks and FinTech companies access, and FortiWeb is deployed behind it. We've never had a problem with availability due to FortiWeb. The solution is 100 percent stable and available. 

I'm satisfied with FortiWeb's scalability. It's always met the needs of our applications. We can deploy it in any application that we want to deploy behind. 

I rate Fortinet support an eight out of ten. The technical support has gotten better. There were a few difficulties when we first raised some calls. It was a new product, and we weren't getting clarity on whether some of the actions we asked about were possible. Initially, the response was also a bit slow. We chalked that up to the fact that we were early adopters of the product. The support has improved since then, and we're happy with it today. 

Positive

We didn't have a WAF solution, but we used Palo Alto Networks Next-Generation Firewalls. While these firewalls had many WAF capabilities, they weren't considered WAF products. 

Our main reason for deploying a WAF solution was to satisfy regulatory requirements. To get a PCI Level One certification, we need a WAF on some of these public-facing services. FortiWeb Cloud ticked all the boxes and met our requirements.

I initially deployed a lot of the applications. It was so quick and easy. FortiWeb took about a week to deploy, including assessment and testing. We had to create a new environment. Much of our on-premise infrastructure was closed off in the past, so we required no WAF for regulatory compliance. 

To create this new environment, we onboarded some new services that were classified within the scope of PCI. They were deployed in the old way with firewalls. However, our QSA said we needed to have services behind the WAF, and we were being assessed in a week. We had to find and deploy a WAF before we were audited. 

I have a team, but I and one other engineer were involved in the deployment. After the setup, FortiWeb requires minimal maintenance, which is one aspect we like about it. We've occasionally had to open a support ticket for the odd bug that's come up. There's typically no maintenance on our end. I can't think of a time when we've had issues with availability from FortiWeb. 

It's hard to calculate an ROI monetarily.  Some of the services we provide based on FortiWeb are charged to the clients. I can't say much about it from that perspective. However, we've seen benefits from a time and resource perspective. Also, having a cloud-based WAF means we don't need to maintain the infrastructure, and we can quickly deploy new applications. We derive a massive value from the reusable templates. 

We also save money and resources because we don't need to deploy more EC2 instances or use additional products for load balancing and other functions. That's potentially an 80 percent reduction in those costs.  

FortiWeb is transparent about how much each application costs. When you create an application, it will tell you the estimated cost. The licensing is clear, so we can see that we're getting a good value. 

We're satisfied with the price. Our organization sometimes questions if we're getting our money's worth, but we get a decent value from FortiWeb for the price. Everyone on our team and within the infrastructure area is happy with it.

I'm the network team lead, so I assessed and deployed FortiWeb. I looked at several options. I knew the Fortinet brand but was unfamiliar with FortiWeb WAF. After researching it, I recognized that it was potentially a product that we could use. I did a demo and found that it ticked all the boxes.

I rate Fortinet FortiWeb a nine out of ten. I would definitely recommend the solution. FortiWeb is rich in security features and additional features like load balancing. It's one of the best products we use. 

It's easy and quick to deploy. The documentation is excellent. We are pleased with the product and see it as an integral part of deploying new applications in the cloud or on-premises efficiently.