FortiWeb: Web Application Firewall (WAF)

Comprehensive, High-Performance Web Application Security

Gartner 2018 Magic Quadrant for Web Application Firewalls
Available in:
  • Appliance
  • Virtual Machine
  • Hosted
  • Cloud
  • Container

FortiWeb Overview

Gartner peer insights customer's choiceUnprotected web applications are the easiest point of entry for hackers and vulnerable to a number of attack types. FortiWeb’s AI-enhanced and multi-layered approach protects your web apps from the OWASP Top 10 and more. When combined with our Web Application Security Service from FortiGuard Labs you’re protected from the latest application vulnerabilities, bots, and suspicious URLs, and with dual machine learning detection engines your applications are safe from sophisticated threats such as SQL injection, cross-site scripting, buffer overflows, cookie poisoning, malicious sources, and DoS attacks.


FortiWeb News

12/18/18: Fortinet named a 2018 Gartner Peer Insights Customers’ Choice for Web Application Firewalls for FortiWeb based on the ranking of vendors by verified end-user professionals.


10/17/18: FortiWeb VMs add support for Oracle Cloud. FortiWeb continues to expand its availability on leading cloud platforms with bring-your-own-license support for Oracle Cloud.


9/10/18: Choosing a WAF Solution? Third-party evaluations can help. In today's new digital business model, consumers and employees both require immediate access to data and resources using a growing number of endpoint devices.


FortiWeb Videos

Fortinet Web Application Security

Dynamic patching of web-based applications to defend against threats that target known and unknown vulnerabilities.

Watch Now
FortiWeb 6.0 with AI-Base Machine Learning
Protecting Web Applications with FortiWeb

FortiWeb Product Details

Whether to simply meet compliance standards or to protect mission-critical hosted applications, FortiWeb's web application firewalls provide advanced features that defend web applications from known and zero-day threats. Using an advanced multi-layered and correlated approach, FortiWeb provides complete security for your external and internal web-based applications from the OWASP Top 10 and many other threats. At the heart of FortiWeb are its dual-layer AI-based detection engines that intelligently detect threats with nearly no false positive detections.



Features and Benefits

checkmark icon

Proven Web Application Protection

FortiWeb protects against all the OWASP Top-10 threats, DDoS attacks and many others to defend your mission critical web-based applications
icon artificial intelligent

AI-based Threat Detection

In addition to regular signature updates and many other layers of defenses, FortiWeb’s AI-based, dual-layer machine learning engines protect against zero-day attacks
Icon security fabric

Security Fabric Integration

Integration with FortiGate firewalls and FortiSandbox deliver protection from advanced persistent threats
analytics icon

Advanced Visual Analytics

FortiWeb’s visual reporting tools provide detailed analyses of attack sources, types and other elements that provide insights not available with other WAF solutions 
icon benefits tools

False Positive Mitigation Tools 

Advanced tools that minimize the day-to-day management of policies and exception lists to ensure only unwanted traffic is blocked
high performance icon

Hardware-based Acceleration

FortiWeb delivers industry-leading protected WAF throughputs and blazing fast secure traffic encryption/decryption

The GARTNER PEER INSIGHTS CUSTOMERS’ CHOICE badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

FortiWeb Models and Specifications

FortiWeb web application firewall is available in many different form factors with many different models to choose from to meet your needs ranging from entry-level hardware appliances to sophisticated VM options that be incorporated into latest cloud environments.

25 Mbps
4x GE RJ45
100 Mbps
4x GE RJ45, 4x GE SFP
250 Mbps
4x GE RJ45 (2x bypass), 4x GE SFP
1 Gbps
2x GE SFP, 6x GE RJ45 (includes 4x bypass)
1.3 Gbps
2x 10 GE SFP+, 2x GE RJ45, 4x GE RJ45 bypass, 4x GE SFP
2.5 Gbps
2x 10 GE SFP+, 4x GE RJ45 bypass, 4x GE SFP
5 Gbps
4x 10 GE SFP+, 8x GE RJ45 bypass, 4x GE SFP
20 Gbps
8x GE RJ45 bypass, 4x GE SFP, 2x 10G SFP+ bypass, 2x 10G SFP+
VMware, Microsoft Hyper-V, Citrix XenServer, Open Source Xen, KVM, Amazon Web Services (AWS) and Microsoft Azure. Please see FortiWeb VM Installation Guide for versions supported.

25 Mbps
100 Mbps
500 Mbps
2 Gbps
Actual performance values may vary depending on the network traffic and system configuration. Performance metrics were observed using a Dell PowerEdge R710 server (2x Intel Xeon E5504 2.0 GHz 4 MB Cache) running VMware ESXi 5.5 with 4 GB of vRAM assigned to the 4 vCPU and 8 vCPU FortiWeb Virtual Appliance and 4 GB of vRAM assigned to the 2 vCPU FortiWeb Virtual Appliance.
Amazon Web Services (AWS) and Microsoft Azure supported for both BYOL (bring your own license) and On-demand (pay-as-you go). Please see the cloud Marketplace listings for more information:
FortiWeb Cloud is a convenient and easy-to-deploy WAF that’s always up-to-date. For organizations that need to quickly deploy a WAF and keep maintenance to a minimum, FortiWeb Cloud scales to meet traffic demands without the hassles of managing hardware and software. FortiWeb Cloud offers stackable bandwidth tiers from 5 to 500 Mbps, and allows you to choose the number of sites you need with stackable subscriptions ranging from 1 to 50 sites.
If you are an existing FortiWeb Cloud customer, please click here to access the service.
25 Mbps
100 Mbps
500 Mbps
2 Gbps

Throughputs and other metrics are maximum values permitted for each version. Actual performance values may vary depending on the network traffic and system configuration.

FortiGuard Security Services for FortiWeb

FortiWeb employs multiple FortiGuard security services to protect web applications from attack. These annual subscriptions can be purchased a la carte or as part of a bundle with your FortiWeb solution.

FG Web App

Web Application Security

FortiGuard Web Application Security uses information based on the latest application vulnerabilities, bots, suspicious URL patterns and data-type patterns, and specialized heuristic detection engines, to ensure your web applications remain safe from application-layer threats.

FG AntiBotnet

IP Reputation & Anti-botnet Security

The FortiGuard IP Reputation Service aggregates malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources. Near real-time intelligence from distributed network gateways combined with world-class research from FortiGuard Labs helps organizations stay safer and proactively block attacks.

FG Antivirus


FortiGuard Antivirus protects against the latest viruses, spyware, and other content-level threats. It uses industry-leading advanced detection engines to prevent both new and evolving threats from gaining a foothold inside your network and accessing its invaluable content.

Icon cloudsandbox

FortiSandbox Cloud

FortiSandbox Cloud Service is an advanced threat detection solution that performs dynamic analysis to identify previously unknown malware. Actionable intelligence generated by FortiCloud Sandbox is fed back into preventive controls within your network—disarming the threat.

Credential Stuffing Defense Icon

Credential Stuffing Defense

Fortinet’s Credential Stuffing Defense identifies login attempts using credentials that have been compromised using an always up-to-date feed of stolen credentials. Administrators can configure their supported devices to take various actions if a suspicious login is used including logging, alerts, and blocking.


Service Bundles


Protection that provides the core services for protecting your web-based applications that includes Web Application Security, IP Reputation & Anti-botnet, and Antivirus.


When you want the best in web application security protection, the Advanced bundle includes all the services in the Standard bundle, plus FortiCloud Sandbox and Credential Stuffing Defense.


Product Demo

product demo fortiweb

FortiWeb Demo

This full working demo lets you explore the many features of our FortiWeb Web Application Firewall (WAF). You’ll quickly see how FortiWeb easily displays system resource utilization and attack logs, and gives you everything you need in the easy-to-use attack console. Be sure to check out our comprehensive web protection profiles and in-depth reporting.

Access the demo

NSS Labs WAF Comparative Reports 2017 and SVM

The FortiWeb 3000E was put up against 5 leading WAF competitors. Please visit the link below to see how FortiWeb performed

Common Criteria

Fortinet products have received NDPP, EAL2+, and EAL4+ based Common Criteria certifications. Common Criteria evaluations involve formal rigorous analysis and testing to examine security aspects of a product or system. Extensive testing activities involve a comprehensive and formally repeatable process, confirming that the security product functions as claimed by the manufacturer. Security weaknesses and potential vulnerabilities are specifically examined during an evaluation. More information on the latest Fortinet Common Criteria Certifications are available below:

ICSA Labs Certified: Antivirus, Corporate Firewall, IPsec, NIPS, SSL-TLS, and Web Application Firewall

FortiGate and FortiWeb products are evaluated against ICSA criteria in 6 popular Certification programs. ICSA Labs manages and sponsors security consortia that provides a forum for intelligence sharing among the leading vendors of security products. In addition, ICSA Labs publishes surveys, security industry studies, and buyer's guides for computer security products.

NSS Labs WAF 2014 SVM

In its first-ever web application firewall testing, NSS Labs reported that the FortiWeb-1000D achieved an overall block rate of 99.85% at $2.77 TCO per protected connection per second that earned the WAF “Recommended” status in their Web Application Firewall Security Value Map.

FortiWeb Ecosystem

FortiWeb provides integration with many leading IT vendors as part of the Fortinet Security Fabric. Below is a list of current FortiWeb Alliance Partners:


Gemalto offers one of the most complete portfolios of enterprise security solutions in the world, enabling its customers to enjoy industry-leading protection of digital identities, transactions, payments, and data – from the edge to the core.

Solution brief

Hewlett Packard Enterprise
Hewlett Packard Enterprise

Hewlett Packard Enterprise is an industry-leading technology company that enables customers to go further, faster. With the industry’s most comprehensive portfolio, HPE's technology and services help customers around the world make IT more efficient, more productive, and more secure.


IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio enables organizations to effectively manage risk and defend against emerging threats.


Qualys, Inc. is a pioneer and leading provider of cloud-based security and compliance solutions with over 8,800 customers in more than 100 countries, including a majority of each of the Forbes Global 100 and Fortune 100.

Solution brief


Combining advanced technology with the expertise of its global Threat Research Center (TRC) team, WhiteHat delivers application security solutions that reduce risk, reduce cost, and accelerate the deployment of secure applications and websites.

Solution brief


Can’t an IPS or Firewall provide protection for hosted web-based applications?

Next Generation and Application Aware IPS firewalls extend and enhance protection and add additional functionality but the majority of the ‘application aware’ functionality is focused on securing/restricting internal clients when accessing the internet but not securing internal applications from external threats. Web Application Firewalls are different as they protect internal web applications from sophisticated application layer external attacks. They provide both a positive and negative security model and protect against the major threats to applications today (SQL Injection, Cross Site Scripting, URL Access, CSRF, Injection attacks and more).

Why is FortiWeb’s AI-based Machine Learning threat detection superior to other threat detection methods?

Other vendors use application learning using an observational method to automate profile creation for web-based application protection. Application learning is a good detection method, but it has many drawbacks. These include:

  • high false-positive detections
  • labor-intensive to fine tune
  • unobserved legitimate traffic creates anomalies
  • aggressive tuning lets attacks slip through more easily
  • changes to the application require substantial re-learning to prevent false-positive detections

FortiWeb’s behavioral detection uses two layers of AI-based machine learning and statistical probabilities to detect anomalies and threats separately. With machine learning FortiWeb is able to deliver near 100% application threat detection accuracy with virtually no resources required to manage it. AI-based machine learning for FortiWeb creates nearly a “set and forget” web application firewall that doesn’t sacrifice accuracy for ease of management.    

What size WAF do I need?

There are many factors that determine WAF sizing ranging from application throughput, numbers of users, and number of sites to be protected. We strongly recommend discussing your requirements with a Fortinet Partner to find the best option to meet your needs.

How does FortiWeb Cloud differ from an on-prem FortiWeb deployment?

FortiWeb Cloud is a ‘skinny’ WAF solution offering negative security model rules while the FortiWeb platform is a full blown WAF offering both positive and negative security models. Most customers using a Cloud WAF are looking for a set-it-and-forget type solution that they can quickly configure and use without having to manage daily. By offering a subset of what FortiWeb on-prem offers but with a simple, straightforward configuration and management FortiWeb Cloud addresses these requirements.

Do I need a WAF if I already have a Secure Web Gateway (SWG)?

Yes. A SWG protects users within the organization from accessing infected external websites or undesirable content hosted outside of the organization. A WAF protects hosted web-based applications from attacks that are initiated by external attackers. A simplified view is the SWGs protect users and WAFs protect applications.

FortiWeb WAF vs. WAF in an ADC

A dedicated WAF appliance will not decrease performance, plus an appliance like FortiWeb has the processing power to perform behavior-based detection of application attacks. Most WAF modules on ADCs offer only basic WAF protection for applications.

Can a FortiWeb permanently patch application vulnerabilities?

Yes it can. FortiWeb can provide temporary application patching until development teams are able deploy permanent patches for vulnerabilities, or it can permanently patch them. It is usually recommended to permanently fix a known vulnerability, however there are many situations where that isn’t possible or practical, such as inherited applications or older applications that are about to be retired.