Fortinet FortiWeb Reviews

Our company uses the solution to protect websites from SQL injection and excessive attacks on Layer 7. 

We have 500 users throughout our company. 

The solution is very easy to use with little instruction. 

The anti-defacement feature is very useful because it looks for web changes over time to protect pages. 

A better load balancer is needed when multiple servers are used for the same website. 

A dynamic routing protocol needs to be included with the next release. 

The solution does not handle batch migration as well as F5 Advanced WAF. 

I have been using the solution for five years and serve as an instructor.

The version we use is stable and reliable with no issues. 

It has been reported that the latest version has some stability issues. 

The solution is scalable. 

Scalability always depends on usability. For example, using the solution for an industrial company that has an internal product is very different than using the solution for a bank that has 10,000 internal users and 1 million customers. 

I score scalability an eight for the solution, a nine for F5 Advanced WAF, and a ten for Avi Networks. 

Technical support has been great and has a vast knowledge base with quick response times. 

The initial setup is very easy. 

Initial configurations take a maximum of four hours. 

The solution was implemented in-house. 

The solution is very inexpensive when compared to F5 Advanced WAF and Avi Networks but offers the same benefits. 

Our one-year license is $24,000 Canadian and includes all users. We are very satisfied with the solution's licensing strategy. 

F5 Advanced WAF includes more features and scalability than the solution but is very expensive. With an unlimited budget, F5 is the better choice.

The solution includes many of F5's features but is inexpensive. 

It is important as part of your regular process to update any tools including the solution. Versions are built in other countries so it is a good idea to ensure you are using the latest, gold-standard version for your area. For example, check for direct internet access, review active directory authentications, and configure users, servers, and certificates. 

The solution is super easy to use, is inexpensive, and includes great technical support. 

FortiWeb is used for web application protection. It protects a web application against attacks targeting their web applications, such as cross-site scripting, SQL injection, and other common application-specific attacks.

FortiWeb allows the organization to operate efficiently without any downtime or serious security breach.

FortiWeb has a very extensive library of known attack signatures, which makes the product fit for any environment, regardless if the customer uses Windows-specific or non-Windows-specific applications. It also has a very low rate of false positives and incorporates other FortiGuard capabilities, such as detection of botnet traffic.

For users not familiar with Fortinet, it could be beneficial to provide more user-friendly analytics and reporting. The product could offer better capabilities and analytics to pinpoint threat landscapes more efficiently.

I have been working with FortiWeb for approximately four years, maybe more.

FortiWeb has proven to be very stable and does not introduce latency in the network.

The product can scale according to the organization's traffic and architecture. It is available as a virtual appliance and a hardware appliance.

Fortinet provides very good support, which I would rate as eight out of ten.

Positive

At the moment, we are only working with Fortinet and not with other web application firewalls.

Someone without prior experience with the product might find it challenging to deploy. However, Fortinet provides good online training to assist administrators.

The total cost of ownership should be calculated based on the actual protection it offers to the application. Deploying FortiWeb can save 20% to 30% of resources within the organization.

FortiWeb uses a subscription-based license, but there is also an option for a perpetual license. It's not the cheapest solution. That said, it is worth the investment.

I have experience with other web application products.

I'd rate the solution nine out of ten.

I use the solution for some of my company's clients who want to protect their websites from malware and adware attacks.

From a benefit perspective, FortiWeb Web Application Firewall (WAF) protects the customers’ websites, which are used to communicate with the audience or clients.

I am not sure about what I like in the solution because I think most of the customers ask for the product whenever they want a WAF tool for any of their projects. After our company had a discussion with one of our local teams, we sold it by providing the features of the FortiWeb Web Application Firewall (WAF) that our customers like, as we mostly follow the customer requirements. Our company sells FortiWeb Web Application Firewall (WAF) if it meets our customers' requirements.

To deal with zero-day attacks, FortiWeb Web Application Firewall (WAF) needs to expand and update its database since it is one of the areas where the tool currently lacks. In short, FortiWeb Web Application Firewall (WAF) needs to update its attack prevention database.

In FortiWeb Web Application Firewall (WAF), there is a substantial amount of improvement required in the scalability area.

I have been using FortiWeb Web Application Firewall (WAF) for less than a year.

Stability-wise, I rate the solution a seven out of ten.

Scalability-wise, I rate the solution a five out of ten.

My company only has two customers who use FortiWeb Web Application Firewall (WAF). My company wants to sell the tool to medium and large-sized businesses with 500 or more users.

The solution is deployed on an on-premises model.

Sometimes, the product's deployment takes over one or two days because customers need to check their requirements and then may want some features. In general, it takes a minimum of two or three days to deploy the product.

Compared to the other products in the market, FortiWeb Web Application Firewall (WAF) is a reasonably priced product, but sometimes people may consider it a bit expensive. I rate the product price a four on a scale of one to ten, where one is a high price, and ten is a low price.

The product is easy to configure.

I have a separate team of three engineers in the company to manage FortiWeb Web Application Firewall (WAF).

Based on my experience and the comments from our company's customers who use the solution, I can say that FortiWeb Web Application Firewall (WAF) is a good product. Our company's customers who use the solution like it since they have been using it for about a year without any bad opinions or comments about it.

Feature-wise, FortiWeb Web Application Firewall (WAF) needs to add more functionalities. Some of the customers who use it want it to have more features, but we cannot find any in the tool presently. I can say what kind of features are required right now in the product. One customer who may want 20 features in the tool may get only 15 features that comply with the customer's requirements.

I rate the overall tool a six out of ten.

My main use case is for security and routing.

It is good for web tracking applications.  

There is room for improvement in pricing, and actually, the price is a bit higher because on the same terms I purchased, the support subscription is so high.

I've been using it for a long time. It has been more than three years now. 

Stability is guaranteed stability. I'm okay with stability. I would rate the stability an eight out of ten.

I would rate the scalability an eight out of ten. 

I am okay with the support. The support's subscription is high. 

Positive

pfSense is open-source and free, while FortiWeb is subscription-based. Both are manageable, but FortiWeb's features scale up connections per second, depending on the payment plan. 

I would rate my experience with the initial setup a nine out of ten, where one is difficult, and ten is easy.

It took us two days to set up.

I deployed it myself.  I just got a reference from the old system, and I configured it.

I would rate the pricing a seven out of ten, where one is cheap and ten is expensive. 

Overall, I would rate it a solid eight out of ten.  

The product has some unique features. The machine learning feature reduces the false positives. The tool detects zero-day attacks. It has an in-built antivirus, which most WAF tools do not have.

Advanced configurations require high skill. FortiWeb team should work on making it easier. The documentation is poor. The tool must provide advanced and robust DDoS protection.

I have been using the solution for almost six years.

The technical support is fine. The support team gives delayed responses if there is a complex issue.

Neutral

I have worked with F5 Advanced WAF. It is a robust product and is suitable for complex environments. It is flexible. However, it depends on other solutions for inbuilt security and packet inspection.

The initial setup is easy. It requires less intervention.

I recommend the product to others. Overall, I rate the solution an eight out of ten.

We sell a SaaS product deployed on the Azure cloud platform using Kubernetes. We offer a bundle of cloud-based services. The Azure firewall solution is too expensive, so we need to find an alternative solution. 

We are currently testing FortiWeb in a QA environment and plan to deploy it on top of our SaaS product. We are about 95 percent covered now, but we still need to work out some technical details. I believe we will be ready to deploy it into production in the next few months. 

We currently are using Azure's WAF solution, but it is a little bit expensive for a startup project. The Azure firewall has limited configuration options that aren't helpful in our use case. FortiWeb is easier to configure and has pay-as-you-go pricing based on traffic, which is ideal for a startup company. Once our product starts having steadier traffic, switching to something with fixed pricing might make more sense. Currently, it's a risk for the company. 

It's too soon to say what other benefits we'll see from FortiWeb because we're still in the testing phase. We've watched some training presentations, and we're still working on a strategy for how we'll use the tool. Once we have a clear plan, we'll put it into development, configure the template, and deploy it into production when it's ready. 

it isn't in production. If the developers say a setting isn't working, we adjust the firewall rule, the goal is complete the template before going into production. 

I like FortiWeb's usability and ease of configuration. It's simple to configure rules and exceptions inside the attack log. We block everything by default. If something isn't working, we ask the system admin to adjust the template and add exceptions. I'm interested in the AI attack pattern-matching feature, but we haven't tested it yet. 

API is another feature that we haven't used in production, but I'm generally pleased that FortiWeb has this ability, and we can customize our application how we want. 

We use Kubernetes, so I would like to have a plugin to configure FortiWeb Cloud automatically using Kubernetes Ingress. That would reduce the complexity of setting up an Ingress object in Kubernetes. Some competing solutions help you configure Ingress and Kubernetes automatically. 

We have been testing FortiWeb for the last four months. 

FortiWeb seems to be stable so far. 

FortiWeb features automatic scaling because it's in the cloud, so scaling up is easy. 

I rate Fortinet support an eight out of ten. We have only contacted them with a few questions, and they responded promptly. 

Positive

In recent years, we've spent money on various projects that required us to protect applications. We have the Azure firewall deployed, and we paid a third-party SOC company to monitor it for attacks. It didn't offer out-of-the-box complete protection easy to customize, so we configure it for watching threats and raised alerts, that's means additional effort. 

We feel that FortiWeb is a better way to go than Azure Web Firewall in our scenario because FortiWeb has some advantages in pricing and features. It's easier to configure and maintain. Also, FortiWeb uses templates. 

There was no initial setup because it's a SaaS solution. We only needed to configure it for our environment. The configuration was straightforward and only took a couple of hours. The only maintenance required is updating the templates. 

I would like to use the product based on our initial testing, so I think it's a sound investment. 

We still don't know what the real cost will be because the pricing is based on traffic, and the solution isn't in production. However, we expect it to be cheaper than the Azure Web Firewall.

I rate Fortinet FortiWeb an eight out of ten. 

We use it in front of AWS Web Application Firewalls for our web-based management console, as well as for all of our API services for our Windows agents.

Being a data protection company, we have to meet a lot of specific requirements for customers. When people would say, "Our standard practice is to do a pen test against your outward-facing servers," there was always a little bit of worry in the back of my mind: "Oh, man, is there something that I've forgotten about?" But nowadays, I don't have that at all. I know that it's all configured and running well. I know that people can run a pen test whenever they like and we'll pass with flying colors.

It can take a little bit of time if you want to be very particular about the traffic that you allow. FortiWeb is very configurable and that can take a little bit of time if you do want to be that particular. But apart from that, we don't really touch it much these days except if we get an email to say there's been a node attack. In that case, we might just want to check on things. But in general, once it has been configured, we can forget about that side of things and just get on with all of our other normal tasks.

Machine learning could be a little bit of a buzzword, but that's the whole advantage of using a cloud-based platform. You get the benefits of another site seeing an attack and Fortinet works out if traffic should be filtered or not. It's great all around.

Before this, we had our AWS Web Application Firewalls. The process would be to look at our web servers and see if there was any suspicious-looking traffic that had gotten to those web servers through the AWS firewalls, and then we would adjust the AWS firewalls accordingly to filter that out. We might even have had to write new code to stop things at the server level. FortiWeb has saved us hundreds of hours.

I'm quite particular about what I allow into our network. There were some false positives as we were configuring everything the way that I wanted it, but I can't even remember the last time someone had an issue with a false positive because we had it set too securely. With the machine learning and getting the benefit of traffic that is going to many different sites, Fortinet is able to know which traffic is legit and which isn't. As a result, we get fewer false positives.

Although the number of alerts is not that relevant for us, FortiWeb has definitely reduced the overall stress levels, especially at the management level. It's good to be able to present a report to C-level executives saying, "This is the amount of traffic that we've had coming in, and this is what has been blocked by Fortinet." We're able to show them that it is benefiting the business.

In addition, it has helped free up our infrastructure team, as they don't have to look after the AWS Web Application Firewalls.

When it comes to blocking unknown threats and attacks, I would give it the highest score possible. We first started using AWS and its Web Application Firewalls. That was okay, but it was quite a manual process to keep it up to date, whereas Fortinet is always up to date, and the default rules or the modules that you can turn on are very easy to use.

Overall, the solution is extremely easy to use. It's all very step-by-step. We just tell it what DNS records to approve and it sets up an SSL certificate. And then, all traffic just starts flowing through Fortinet and then straight over to us. Our network is quite secure, so we have allowed individual IPs that are listed by Fortinet so that we're not just blanket-accepting everything. It's enabling our web servers to be more secure by only allowing Fortinet, instead of the whole world, like we used to.

Also, if you want to diagnose something, rather than outright blocking it, you can just log it so you can see what's happening.

You can go through the audit trail as well. There might be a situation where it will prompt you to block everyone's traffic from a specific IP.

In terms of FortiWeb's advanced modules, we have two main, different Fortinet applications. One is for our web-based stuff and the other is for our Windows agents, which is all API traffic. We use different sets of the modules, or the advanced features, but across both, we use pretty much everything.

At the moment, it's very easy to see if an attack has come in, and what they've done. What I would like to see is that they turn on all logging so that we can even see legitimate traffic. But still, that's a very minimal issue.

It would also be helpful if they could introduce easier reporting. It's good to have those reports that go to C-level management, and Fortinet does provide some graphs, but if they went into some more detail, that would be great. Then I wouldn't have to do it myself.

I have been using FortiWeb for two to three years.

The stability is a 10 out of 10. We haven't had any issues.

We have thousands of customers that use our platform around the world. All of them go through Fortinet. We also have a few thousand Windows agents that all go through Fortinet. With the load balancing inside Fortinet, we're able to scale up our servers and Fortinet can always handle the traffic.

I haven't had to contact support much. These days, people don't really like contacting support. I have needed to do it on one or two occasions and they have been very helpful. It was by email and I got the answers that I needed straight away.

But the fact that I haven't had to contact support speaks to the ease of use of the system itself.

Positive

We just had web servers on the internet and the AWS Web Application Firewalls in front of them. I wasn't happy with those, so I added Fortinet in front of them. We still use AWS, but Fortinet is the first line.

We switched because I'm very paranoid. I'm big on security. Working in IT for many years, Fortinet was always a trusted name in routers, so I thought I'd give the FortiWeb web application firewalls a go and I haven't looked back.

The initial setup was a piece of cake, done step-by-step. We just had to add some DNS entries and that was about it. It tells you exactly what you need to do. I didn't need to contact support or ask for any help.

There were a lot of additional modules that I wanted to check out and that took a little bit of time. But getting a basic setup running was very quick.

There is no maintenance involved.

We haven't been hacked. I don't know what price tag you'd put on that.

I'm very security conscious, but at the same time, I can be somewhat cheap and I will only spend money if I think it's worthy or providing the value that it should. At no point have I thought of getting rid of Fortinet.

We saw value from it immediately. We were uncertain about how AWS Web Application Firewalls were protecting us. We weren't that confident, because we couldn't really see what was happening. Management was kind of uneasy as a result. As soon as we had this implemented, we could see the stats and a few graphs. Immediately, that peace of mind was had by all.

The pricing is pretty good. We do pass a lot of traffic through our API servers. Something like 100 gigs of web traffic is a fair amount for reduced JSON API calls, but the cost is $50. For that peace of mind, we have thousands and thousands of customers that are protected by that $50, so it's a no-brainer.

I had a look around, but I didn't test anything else. Fortinet was the first one that I did testing with and it met all my criteria, so I figured, "Why waste time looking at some others when this does the job?"

I recommend it to everyone. Because we're a data protection company, we have a lot of people who want to do pen testing against us, and I'm very confident that we're protected because of Fortinet.

If you're looking for a very comprehensive web application firewall, which is both simple to set up and also has a huge number of features to turn on, features that can give you some added protection for specific needs, give Fortinet a go. It's worth your time, and it won't take much time either.

The solution offers good configurations and works well with other Fortinet products.

The solution is scalable. 

We found the implementation process to be simple. 

If you want to block domains, you can do so. You do have the power to control access.

The product needs to be more stable. 

We have issues between primary and secondary IP. Secondary IP addresses cannot be on the same subnet as any primary or secondary subnet. You need to follow up between the primary and secondary. If you don't, there will be a problem. When your public applications are not working properly, the single point of communication from the public domain is an issue. If I want to resolve the situation, a quick solution is I need to fail over the primary to the secondary, and it will just start working. However, that is not a permanent solution. I don't know what the problem is exactly, and how we can permanently address the issue. 

If the price was lower, it would be a bit more attractive, as an option, to the customers. 

You do need to ensure you do the configurations carefully. Otherwise, you may have issues. 

I've been using the solution for two years. 

We can scale the solution. We typically work with enterprises, so, larger-scale companies. In our customer's company, they have about 6,000 to 10,000 people on the solution. 

Technical support is very good. they are quite helpful and responsive. 

I also use F5. It's got better pricing and is quite stable as well. However, if you don't know how to configure it, it can be a disaster. 

The initial setup is easy. It's not overly complex or difficult. 

It can be deployed in about half an hour. It doesn't take long to have it up and running. 

I handle a lot of implementations and can handle the process. 

The pricing could be better. They charge a bit more. That's why F5 is everywhere right now. The customer can see that F5 is stable and everything is working well, and then they see the price, and it's very attractive to them. 

I'm just a customer and end-user. 

I'm a consultant. Our customers are working with Fortiweb in their companies.

I'd rate the solution eight out of ten.