Fortinet FortiWeb: Web Application Firewall Overview and Analysis


Bottom line

If you’re looking for performance and value, Fortinet should be on your list. It is rated highly by NSS Labs, users and Gartner. For enterprise and data center users, FortiWeb is a top candidate for web application vulnerability protection, dynamic application patching, and Microsoft Application publishing.

Product Description

FortiWeb is a web application firewall (WAF) that protects hosted web-based applications from attacks that exploit vulnerabilities. It integrates into the Fortinet Security Fabric, sharing bidirectional threat intelligence with FortiGate enterprise firewalls and FortiSandbox sandboxing solutions, and supports automation of security workflows and processes. FortiWeb uses various layers of security, including IP reputation, DDoS prevention, protocol validation, and known attack signatures. It also provides built-in antivirus scanning.

Fortinet WAF Features Rated

Security: Very good. NSS Labs scored it equal with three other leaders on security effectiveness. It came in third on block rate at 98%, a point behind Citrix and Radware.

Performance: Very good. NSS Labs gave it second place in its rankings. Its fastest advertised protected WAF throughput is 20 Gbps, though models start at 25 Mbps. NSS Labs graded its maximum HTTP connections per second (CPS) at 50,010 and its transactions per second (TPS) at 96,360.

Value: Very good. NSS Labs scored it in fifth place on 3-year TCO at a cost of $443,981, but in second place on TCO per CPS at $2.56.

One IT manager summed it up thusly: “Other firewalls are just as good, but this product is at a much better price point.”

Implementation: Good. Gartner said customers indicate FortiWeb is limited in its ease of deployment and the availability of quality third-party resources (integrators or service providers) with sufficient skill to deploy and operate FortiWeb. According to Fortinet, when it is deployed inline in front of web application servers, it takes 2-4 hours to install and configure.

“Deployment was pretty straightforward,” said a network data services manager in the services industry.

Management: Fair. Gartner surveys found that, “Clients indicate that FortiWeb should improve its user interface. Clients would like to see features such as better version control and a rollback mechanism. Existing FortiGate clients report frustration with the FortiWeb management console not being as mature as what they get with the FortiGate management console.”

Support: Very good. Customers rate it highly.

“Good support from the partners and manufacturer,” said an IT specialist in government.

Cloud features: Good. Fortinet does not offer a cloud-based WAF service. Its WAF is available for deployment as a virtual appliance on AWS and Azure IaaS platforms.

Fortinet WAF

Security Qualifications

Common Criteria, ICSA Labs certification.


It is scalable and uses artificial intelligence-based machine learning to address zero-day attacks and known vulnerabilities, helping to eliminate false positives.


Hardware, virtual, public cloud and hosted options.


Although the company does not release pricing information, NSS Labs scored it in fifth place on 3-year TCO at a cost of $443,981, but in second place on TCO per CPS at $2.56. AWS provides some pricing info.


Drew Robb
