Fortinet FortiWeb: Web Application Firewall Overview and Analysis


Bottom line

If you’re looking for performance and value, Fortinet should be on your list. It is rated highly by NSS Labs, users and Gartner. For enterprise and data center users, FortiWeb is a top candidate for web application vulnerability protection, dynamic application patching, and Microsoft Application publishing.

Product Description

FortiWeb is a web application firewall (WAF) that protects hosted web-based applications from attacks that target exploits. It integrates into the Fortinet Security Fabric, sharing bidirectional threat intelligence with FortiGate enterprise firewalls and FortiSandbox sandboxing solutions and supporting automation of security workflows and processes. FortiWeb uses various layers of security, including IP reputation, DDoS prevention, protocol validation, and known attack signatures. It also provides built-in antivirus scanning.

Fortinet WAF Features Rated

Security: Very good. NSS Labs scored it equal with three other leaders on security effectiveness. It came in third on block rate at 98%, a point behind Citrix and Radware.

Performance: Very good. NSS Labs gave it second place in its rankings. Its fastest advertised protected WAF throughput is 20 Gbps, though models start at 25 Mbps. NSS Labs graded its maximum HTTP connections per second (CPS) at 50,010 and its transactions per second (TPS) at 96,360.

Value: Very good. NSS Labs scored it in fifth place on 3-year TCO at a cost of $443,981, but in second place on TCO per CPS at $2.56.

One IT manager summed it up thusly: “Other firewalls are just as good, but this product is at a much better price point.”

Implementation: Good. Gartner said customers indicate FortiWeb is limited in its ease of deployment and the availability of quality third-party resources (integrators or service providers) with sufficient skill to deploy and operate FortiWeb. According to Fortinet, when it is deployed inline in front of web application servers, it takes 2-4 hours to install and configure.

“Deployment was pretty straightforward,” said a network data services manager in the services industry.

Management: Fair. Gartner surveys found that, “Clients indicate that FortiWeb should improve its user interface. Clients would like to see features such as better version control and a rollback mechanism. Existing FortiGate clients report frustration with the FortiWeb management console not being as mature as what they get with the FortiGate management console.”

Support: Very good. Customers rate it highly.

“Good support from the partners and manufacturer,” said an IT specialist in government.

Cloud features: Good. Fortinet does not offer a cloud-based WAF service. Its WAF is available for deployment as a virtual appliance on AWS and Azure IaaS platforms.

Fortinet WAF

Security Qualifications

Common Criteria, ICSA Labs certification.


It is scalable and uses artificial intelligence-based machine learning to address zero-day attacks and known vulnerabilities, helping to eliminate false positives.


Hardware, virtual, public cloud and hosted options.


Although the company does not release pricing information, NSS Labs scored it in fifth place on 3-year TCO at a cost of $443,981, but in second place on TCO per CPS at $2.56. AWS provides some pricing info.

Drew Robb
Drew Robb has been a full-time professional writer and editor for more than twenty years. He currently works freelance for a number of IT publications, including ServerWatch and CIO Insight. He is also the editor-in-chief of an international engineering magazine.
