Fortinet FortiWeb Reviews

The solution's integration with other products is easy. Its most valuable feature is the antivirus engine.  The tool helps us comply with GDPR and KVKK standards. 

FortiWeb WAF's tuning causes trouble. It's complicated. The solution needs to improve the signature feature as well. 

I have been working with the product for five years. 

I rate the solution's pricing a ten out of ten. 

My company has 50 users. 

The solution's support is very good. 

I use Palo Alto and Symantec products simultaneously. We chose FortiWeb WAF because of its pricing and easy implementation. 

The solution's deployment is easy and takes ten days to complete. We have two resources involved in its maintenance. 

The solution is cost-effective since it is cheaper than other alternatives. Also, the false positive rates are low. 

I rate the tool's pricing an eight out of ten. 

I rate the overall product a nine out of ten. 

We use the solution as a web access firewall (WAF) to secure our applications and use URL mapping to ensure only traffic filtered through the WAF is allowed. 

The environment the product is used in is one project in our GCP, and we're located in the Western USA. Two members of the infrastructure team operate FortiWeb within our organization.

FortiWeb filters a lot of unwanted traffic, which is good for our organization, as it would negatively impact our reputation if this traffic weren't screened.

The solution helps us to streamline tasks as it features a user-friendly console, and we can apply the WAF to all the URLs required for our publicly available applications. The templates offer either advanced or extended protection for those URLs, and we can see insights for specific URLs, such as total hits and how many requests are being blocked and allowed.  

The FortiWeb Cloud also saved our organization time through machine learning, which analyses traffic based on IP origin and geographic region. This is one of the solution's better features and saved us significant time. 

We have seen time to value with the product. After implementation, we let the solution run for a month, then reconfigured a few policies and templates. Within three months, we were getting the desired results.  

The policies and the filtering are the most valuable features, especially traffic, URL, and application filtering. The solution is excellent at detecting vulnerabilities. 

The product is great for blocking unknown threats and attacks. We've had excellent results over the past two years, and the way it detects and filters traffic is outstanding.  

The FortiWeb Cloud is straightforward to use; with a basic overview of how to apply policies, create NAT rules, etc., it's easy. The console is user-friendly enough that anyone can create and apply policies. 

The solution also helped reduce our false positives by 20-25%. 

Our organization receives fewer alerts thanks to the solution, and we don't have to think about the security of the URLs for applications. We put the whole domain behind the WAF, and if it's configured correctly from the beginning, we spend minimal time making changes and get the precise results we need. Our alerts have been reduced by approximately 5%.  

We want to see more detailed logging, such as audit logging, as this would significantly enhance the solution's reporting. We currently get some information from logs, but more would be better.

We've been using the solution for nearly two years. 

The solution is very stable. 

The product is scalable; we can easily scale up and down as required. 

I did the initial setup, which was very straightforward; the process includes putting an instance in the cloud and then adding the URLs of the domains to the template. The initial deployment took under two hours, but we needed to spend time reconfiguring the template later to reduce the number of false positives. One staff member can complete the setup, and it only requires basic knowledge.

Outside of updates and the initial reconfiguration, the solution requires minimal maintenance. 

The pricing is average; the product is neither particularly expensive nor affordable. 

Regarding the price-performance ratio, the solution is definitely worth the money.

I rate the tool nine out of ten. 

I advise anyone evaluating the solution to carry out a POC and recommend it overall.

We use the templates available in the Fortinet Web Cloud or WAF, which is sufficient to provide extended protection, traffic filtering, request blocking, and virus detection. 

Fortinet is our only WAF application because we've had excellent experiences with it. If any project requires security checks, we go with the solution.

Our company uses the solution to protect websites from SQL injection and excessive attacks on Layer 7. 

We have 500 users throughout our company. 

The solution is very easy to use with little instruction. 

The anti-defacement feature is very useful because it looks for web changes over time to protect pages. 

A better load balancer is needed when multiple servers are used for the same website. 

A dynamic routing protocol needs to be included with the next release. 

The solution does not handle batch migration as well as F5 Advanced WAF. 

I have been using the solution for five years and serve as an instructor.

The version we use is stable and reliable with no issues. 

It has been reported that the latest version has some stability issues. 

The solution is scalable. 

Scalability always depends on usability. For example, using the solution for an industrial company that has an internal product is very different than using the solution for a bank that has 10,000 internal users and 1 million customers. 

I score scalability an eight for the solution, a nine for F5 Advanced WAF, and a ten for Avi Networks. 

Technical support has been great and has a vast knowledge base with quick response times. 

The initial setup is very easy. 

Initial configurations take a maximum of four hours. 

The solution was implemented in-house. 

The solution is very inexpensive when compared to F5 Advanced WAF and Avi Networks but offers the same benefits. 

Our one-year license is $24,000 Canadian and includes all users. We are very satisfied with the solution's licensing strategy. 

F5 Advanced WAF includes more features and scalability than the solution but is very expensive. With an unlimited budget, F5 is the better choice.

The solution includes many of F5's features but is inexpensive. 

It is important as part of your regular process to update any tools including the solution. Versions are built in other countries so it is a good idea to ensure you are using the latest, gold-standard version for your area. For example, check for direct internet access, review active directory authentications, and configure users, servers, and certificates. 

The solution is super easy to use, is inexpensive, and includes great technical support. 

FortiWeb is used for web application protection. It protects a web application against attacks targeting their web applications, such as cross-site scripting, SQL injection, and other common application-specific attacks.

FortiWeb allows the organization to operate efficiently without any downtime or serious security breach.

FortiWeb has a very extensive library of known attack signatures, which makes the product fit for any environment, regardless if the customer uses Windows-specific or non-Windows-specific applications. It also has a very low rate of false positives and incorporates other FortiGuard capabilities, such as detection of botnet traffic.

For users not familiar with Fortinet, it could be beneficial to provide more user-friendly analytics and reporting. The product could offer better capabilities and analytics to pinpoint threat landscapes more efficiently.

I have been working with FortiWeb for approximately four years, maybe more.

FortiWeb has proven to be very stable and does not introduce latency in the network.

The product can scale according to the organization's traffic and architecture. It is available as a virtual appliance and a hardware appliance.

Fortinet provides very good support, which I would rate as eight out of ten.

Positive

At the moment, we are only working with Fortinet and not with other web application firewalls.

Someone without prior experience with the product might find it challenging to deploy. However, Fortinet provides good online training to assist administrators.

The total cost of ownership should be calculated based on the actual protection it offers to the application. Deploying FortiWeb can save 20% to 30% of resources within the organization.

FortiWeb uses a subscription-based license, but there is also an option for a perpetual license. It's not the cheapest solution. That said, it is worth the investment.

I have experience with other web application products.

I'd rate the solution nine out of ten.

I use the solution for some of my company's clients who want to protect their websites from malware and adware attacks.

From a benefit perspective, FortiWeb Web Application Firewall (WAF) protects the customers’ websites, which are used to communicate with the audience or clients.

I am not sure about what I like in the solution because I think most of the customers ask for the product whenever they want a WAF tool for any of their projects. After our company had a discussion with one of our local teams, we sold it by providing the features of the FortiWeb Web Application Firewall (WAF) that our customers like, as we mostly follow the customer requirements. Our company sells FortiWeb Web Application Firewall (WAF) if it meets our customers' requirements.

To deal with zero-day attacks, FortiWeb Web Application Firewall (WAF) needs to expand and update its database since it is one of the areas where the tool currently lacks. In short, FortiWeb Web Application Firewall (WAF) needs to update its attack prevention database.

In FortiWeb Web Application Firewall (WAF), there is a substantial amount of improvement required in the scalability area.

I have been using FortiWeb Web Application Firewall (WAF) for less than a year.

Stability-wise, I rate the solution a seven out of ten.

Scalability-wise, I rate the solution a five out of ten.

My company only has two customers who use FortiWeb Web Application Firewall (WAF). My company wants to sell the tool to medium and large-sized businesses with 500 or more users.

The solution is deployed on an on-premises model.

Sometimes, the product's deployment takes over one or two days because customers need to check their requirements and then may want some features. In general, it takes a minimum of two or three days to deploy the product.

Compared to the other products in the market, FortiWeb Web Application Firewall (WAF) is a reasonably priced product, but sometimes people may consider it a bit expensive. I rate the product price a four on a scale of one to ten, where one is a high price, and ten is a low price.

The product is easy to configure.

I have a separate team of three engineers in the company to manage FortiWeb Web Application Firewall (WAF).

Based on my experience and the comments from our company's customers who use the solution, I can say that FortiWeb Web Application Firewall (WAF) is a good product. Our company's customers who use the solution like it since they have been using it for about a year without any bad opinions or comments about it.

Feature-wise, FortiWeb Web Application Firewall (WAF) needs to add more functionalities. Some of the customers who use it want it to have more features, but we cannot find any in the tool presently. I can say what kind of features are required right now in the product. One customer who may want 20 features in the tool may get only 15 features that comply with the customer's requirements.

I rate the overall tool a six out of ten.

My main use case is for security and routing.

It is good for web tracking applications.  

There is room for improvement in pricing, and actually, the price is a bit higher because on the same terms I purchased, the support subscription is so high.

I've been using it for a long time. It has been more than three years now. 

Stability is guaranteed stability. I'm okay with stability. I would rate the stability an eight out of ten.

I would rate the scalability an eight out of ten. 

I am okay with the support. The support's subscription is high. 

Positive

pfSense is open-source and free, while FortiWeb is subscription-based. Both are manageable, but FortiWeb's features scale up connections per second, depending on the payment plan. 

I would rate my experience with the initial setup a nine out of ten, where one is difficult, and ten is easy.

It took us two days to set up.

I deployed it myself.  I just got a reference from the old system, and I configured it.

I would rate the pricing a seven out of ten, where one is cheap and ten is expensive. 

Overall, I would rate it a solid eight out of ten.  

The product has some unique features. The machine learning feature reduces the false positives. The tool detects zero-day attacks. It has an in-built antivirus, which most WAF tools do not have.

Advanced configurations require high skill. FortiWeb team should work on making it easier. The documentation is poor. The tool must provide advanced and robust DDoS protection.

I have been using the solution for almost six years.

The technical support is fine. The support team gives delayed responses if there is a complex issue.

Neutral

I have worked with F5 Advanced WAF. It is a robust product and is suitable for complex environments. It is flexible. However, it depends on other solutions for inbuilt security and packet inspection.

The initial setup is easy. It requires less intervention.

I recommend the product to others. Overall, I rate the solution an eight out of ten.

We use it in front of AWS Web Application Firewalls for our web-based management console, as well as for all of our API services for our Windows agents.

Being a data protection company, we have to meet a lot of specific requirements for customers. When people would say, "Our standard practice is to do a pen test against your outward-facing servers," there was always a little bit of worry in the back of my mind: "Oh, man, is there something that I've forgotten about?" But nowadays, I don't have that at all. I know that it's all configured and running well. I know that people can run a pen test whenever they like and we'll pass with flying colors.

It can take a little bit of time if you want to be very particular about the traffic that you allow. FortiWeb is very configurable and that can take a little bit of time if you do want to be that particular. But apart from that, we don't really touch it much these days except if we get an email to say there's been a node attack. In that case, we might just want to check on things. But in general, once it has been configured, we can forget about that side of things and just get on with all of our other normal tasks.

Machine learning could be a little bit of a buzzword, but that's the whole advantage of using a cloud-based platform. You get the benefits of another site seeing an attack and Fortinet works out if traffic should be filtered or not. It's great all around.

Before this, we had our AWS Web Application Firewalls. The process would be to look at our web servers and see if there was any suspicious-looking traffic that had gotten to those web servers through the AWS firewalls, and then we would adjust the AWS firewalls accordingly to filter that out. We might even have had to write new code to stop things at the server level. FortiWeb has saved us hundreds of hours.

I'm quite particular about what I allow into our network. There were some false positives as we were configuring everything the way that I wanted it, but I can't even remember the last time someone had an issue with a false positive because we had it set too securely. With the machine learning and getting the benefit of traffic that is going to many different sites, Fortinet is able to know which traffic is legit and which isn't. As a result, we get fewer false positives.

Although the number of alerts is not that relevant for us, FortiWeb has definitely reduced the overall stress levels, especially at the management level. It's good to be able to present a report to C-level executives saying, "This is the amount of traffic that we've had coming in, and this is what has been blocked by Fortinet." We're able to show them that it is benefiting the business.

In addition, it has helped free up our infrastructure team, as they don't have to look after the AWS Web Application Firewalls.

When it comes to blocking unknown threats and attacks, I would give it the highest score possible. We first started using AWS and its Web Application Firewalls. That was okay, but it was quite a manual process to keep it up to date, whereas Fortinet is always up to date, and the default rules or the modules that you can turn on are very easy to use.

Overall, the solution is extremely easy to use. It's all very step-by-step. We just tell it what DNS records to approve and it sets up an SSL certificate. And then, all traffic just starts flowing through Fortinet and then straight over to us. Our network is quite secure, so we have allowed individual IPs that are listed by Fortinet so that we're not just blanket-accepting everything. It's enabling our web servers to be more secure by only allowing Fortinet, instead of the whole world, like we used to.

Also, if you want to diagnose something, rather than outright blocking it, you can just log it so you can see what's happening.

You can go through the audit trail as well. There might be a situation where it will prompt you to block everyone's traffic from a specific IP.

In terms of FortiWeb's advanced modules, we have two main, different Fortinet applications. One is for our web-based stuff and the other is for our Windows agents, which is all API traffic. We use different sets of the modules, or the advanced features, but across both, we use pretty much everything.

At the moment, it's very easy to see if an attack has come in, and what they've done. What I would like to see is that they turn on all logging so that we can even see legitimate traffic. But still, that's a very minimal issue.

It would also be helpful if they could introduce easier reporting. It's good to have those reports that go to C-level management, and Fortinet does provide some graphs, but if they went into some more detail, that would be great. Then I wouldn't have to do it myself.

I have been using FortiWeb for two to three years.

The stability is a 10 out of 10. We haven't had any issues.

We have thousands of customers that use our platform around the world. All of them go through Fortinet. We also have a few thousand Windows agents that all go through Fortinet. With the load balancing inside Fortinet, we're able to scale up our servers and Fortinet can always handle the traffic.

I haven't had to contact support much. These days, people don't really like contacting support. I have needed to do it on one or two occasions and they have been very helpful. It was by email and I got the answers that I needed straight away.

But the fact that I haven't had to contact support speaks to the ease of use of the system itself.

Positive

We just had web servers on the internet and the AWS Web Application Firewalls in front of them. I wasn't happy with those, so I added Fortinet in front of them. We still use AWS, but Fortinet is the first line.

We switched because I'm very paranoid. I'm big on security. Working in IT for many years, Fortinet was always a trusted name in routers, so I thought I'd give the FortiWeb web application firewalls a go and I haven't looked back.

The initial setup was a piece of cake, done step-by-step. We just had to add some DNS entries and that was about it. It tells you exactly what you need to do. I didn't need to contact support or ask for any help.

There were a lot of additional modules that I wanted to check out and that took a little bit of time. But getting a basic setup running was very quick.

There is no maintenance involved.

We haven't been hacked. I don't know what price tag you'd put on that.

I'm very security conscious, but at the same time, I can be somewhat cheap and I will only spend money if I think it's worthy or providing the value that it should. At no point have I thought of getting rid of Fortinet.

We saw value from it immediately. We were uncertain about how AWS Web Application Firewalls were protecting us. We weren't that confident, because we couldn't really see what was happening. Management was kind of uneasy as a result. As soon as we had this implemented, we could see the stats and a few graphs. Immediately, that peace of mind was had by all.

The pricing is pretty good. We do pass a lot of traffic through our API servers. Something like 100 gigs of web traffic is a fair amount for reduced JSON API calls, but the cost is $50. For that peace of mind, we have thousands and thousands of customers that are protected by that $50, so it's a no-brainer.

I had a look around, but I didn't test anything else. Fortinet was the first one that I did testing with and it met all my criteria, so I figured, "Why waste time looking at some others when this does the job?"

I recommend it to everyone. Because we're a data protection company, we have a lot of people who want to do pen testing against us, and I'm very confident that we're protected because of Fortinet.

If you're looking for a very comprehensive web application firewall, which is both simple to set up and also has a huge number of features to turn on, features that can give you some added protection for specific needs, give Fortinet a go. It's worth your time, and it won't take much time either.