Overview
Whether to simply meet compliance standards or to protect mission critical hosted applications, FortiWeb Web Application Firewalls (WAFs) provide advanced features and AI-based machine learning detection engines that defend web applications from known and zero-day threats.
Using a multi-layered and correlated approach, FortiWeb intelligently and accurately protects your web applications from the OWASP Top 10 threats. Combined with Fortinet Web Application Security Service from FortiGuard Labs, FortiWeb keeps your applications safe from vulnerability exploits, bots, malware uploads, DoS attacks, advanced persistent threats (APTs), and zero day attacks.
FortiWeb software editions offer the same features of the FortiWeb hardware-based appliances with the flexibility to deploy instances as needed to meet the demands of dynamic application hosting environments.
Highlights
- EFFECTIVE protection using multiple techniques including signatures, IP reputation, antivirus, and AI-based behavioral analysis and bot mitigation
- INTEGRATED with FortiGate, FortiSandbox, and leading third-party vulnerability scanners for enhanced zero-day threat protection and virtual application patching
- ACCURATE with intelligent tools that minimize false positive detections including user scoring, session tracking, and event correlation
Pricing
Free trial
| Dimension | Cost/hour |
|---|---|
| r5.xlarge (Recommended) | $2.51 |
| m5.large | $1.04 |
| m4.large | $1.04 |
| m5.4xlarge | $8.00 |
| r5.large | $1.04 |
| m3.large | $1.04 |
| t3.xlarge | $2.51 |
| m3.medium | $0.96 |
| c5.large | $1.04 |
| c5.xlarge | $2.51 |
Vendor refund policy
You may terminate the instance at any time to stop incurring charges.
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Usage instructions
After deploying the instance, click 'Manage in AWS Console' to see the running instance and its public DNS address, then continue configuring the FortiWeb-VM. Connect to the secured Web UI via the public DNS address: https://<Public DNS>:8443. CLI configuration requires logging in over SSH. The default login credentials are the username "admin" and the AWS Instance ID value as the password. The FortiWeb-VM install and configuration guides are located at https://docs.fortinet.com/vm/aws/fortiweb. For the full FortiWeb Administrator Guide, refer to the Fortinet documentation: https://docs.fortinet.com/fortiweb/admin-guides
Support
Vendor support
Fortinet FortiCare Support Services give you global support on a per-product basis. All FortiCare Support Services include firmware upgrades, access to the support portal and associated technical resources.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Customer reviews
Integration with existing infrastructure has improved efficiency and centralized management
What is our primary use case?
The main use case for Fortinet FortiWeb is handling huge amounts of data from the customer side when they lack proper data structure. Customers request a solution that can manage large volumes of data and classify it, which is the primary reason they select Web Application Firewalls.
Additionally, they seek to protect and separate applications within their network between production and non-production environments, as well as define bandwidth allocation for approved applications and restrict forbidden ones.
What is most valuable?
Fortinet does not have the best Web Application Firewall in the world, but they do have interoperable systems. From the customer side, especially if they are already buying FortiGates, firewalls, mail, proxy, and other solutions, it becomes much easier for them to purchase Fortinet FortiWeb. This is because there is one technical support team and a single point of contact from the vendor side when they need technical expertise.
The main benefits provided to users who already have other Fortinet solutions include better economics and easier maintenance due to unified technical support and a convenient single point of contact. Updates are much easier because Fortinet has one operating system for all their products. If the customer buys a manager as the central console of the whole system, they can operate all systems from one console and deploy all updates, renewals, or other changes.
What needs improvement?
Fortinet can improve their technical support, especially the response time. There appears to be an issue with their SLA. When a customer opens a ticket, it is picked up within one or two hours. However, after the customer submits a specific question and requests troubleshooting help from Fortinet support, it takes at least three to five days to provide a proper answer. The response time from the support team is an area that requires improvement.
For how long have I used the solution?
We are a distributor and I continue to work with Fortinet solutions as a reseller distributor.
What do I think about the stability of the solution?
I have not received any complaints or reports of issues from our partners or our technical team regarding stability. Perhaps three or four years ago there was an incident at a customer site in Serbia, but that was not related to Fortinet. The issue was related to network segmentation because they could not reach all logs from their network. The problem was not from Fortinet but from the Cisco ASA, not the switch.
What do I think about the scalability of the solution?
For scalability on a scale from one to ten, Fortinet FortiWeb is very scalable and it is easy to improve the bandwidth and the system. You can add additional boxes that combine together to achieve a bigger throughput for investigation and research.
How was the initial setup?
I have not received any complaints from the partner side regarding troubles or issues with implementation. The implementation of Fortinet FortiWeb and WAF into the Fortinet ecosystem proceeded very smoothly.
What about the implementation team?
That is a question for the technical part of my team and is not within my area of responsibility.
What other advice do I have?
We primarily sell Fortinet's flagship model, which is FortiGate, their next-generation firewall. After that, we sell switches, wireless devices, and solutions such as mail, web protection, and EDR. These are the most sold products in Serbia from Fortinet's portfolio.
We have recently closed a deal in Serbia with Fortinet FortiWeb.
The documentation is excellent, particularly the implementation manual. The pricing is very competitive compared to most vendors producing similar solutions. When comparing Fortinet FortiWeb to F5 BIG-IP, which is their matching solution, Fortinet FortiWeb uses smaller boxes while meeting the same technical specifications. This automatically makes Fortinet FortiWeb cheaper than F5. F5 is considered the most sold vendor in this area for Web Application Firewalls globally, and Fortinet FortiWeb offers better pricing in comparison. I would rate this product a ten out of ten.
Security threats have been reduced through seamless deployment and strong integration with other tools
What is our primary use case?
I am familiar with Fortinet FortiWeb, and I'm working with the product. I have been using Fortinet FortiWeb in my organization for the last three years. We are using Fortinet FortiWeb as a security solution because a few applications are running on our website through which external users are hitting our application. We have installed this product for outside users, not inside users, especially for outside users from the organization.
What is most valuable?
Reporting in Fortinet FortiWeb is very good. Fortinet FortiWeb has positively impacted my organization because most of our servers and applications are secure from hackers and other security threats. We have a lot of security challenges, but with the installation of Fortinet FortiWeb, we have reduced many security threats with its help.
What needs improvement?
The reason it took one week to ten days is that fine-tuning is a challenge, as we have many applications behind the product. Fine-tuning took this time; otherwise, installation is one to two days of work only. Fine-tuning is a room for improvement in Fortinet FortiWeb.
For how long have I used the solution?
I have been using Fortinet FortiWeb in my organization for the last three years.
How are customer service and support?
I would rate the technical support of Fortinet as fine; they provide very nice technical support and are responsive.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We do not have options to replace it with another solution because we have installed it and we are using it. We have trained manpower, and it is not easy to replace.
How was the initial setup?
The deployment of Fortinet FortiWeb was actually easy and our team is managing it quite easily. The deployment of Fortinet FortiWeb in my case took one week to two weeks.
What about the implementation team?
I have a dedicated team to manage the product. For this purpose, we have only one engineer in our technical team.
What's my experience with pricing, setup cost, and licensing?
With pricing, I think Fortinet FortiWeb is a reasonable price compared to other products like Barracuda, as it is cheaper than Barracuda or maybe competitive. Most security products charge less at the time of purchase because of competition, but when we go to renewals, the prices become very high.
What other advice do I have?
I have used Fortinet FortiWeb's integration features. We have easily integrated all of the applications with the product. Most of the applications we are using are in-house built.
My technical team is looking after the best features. I have not used it extensively for maybe two and a half years. I have been involved in the installation, but I am not actually using the product. I work with it from time to time but not extensively.
I would assess Fortinet FortiWeb's adaptive machine learning and artificial intelligence as having new patches installed regarding artificial intelligence, but when we bought it, I think the learning feature was there. Now they have installed artificial intelligence features through patches.
We have a complete portfolio of Fortinet in our organization, including FortiMail, Fortinet FortiWeb, and FortiGate, along with multi-factor authentication. All of the products are from Fortinet. Fortinet tools integrate with each other and work in conjunction.
I think Fortinet FortiWeb has helped us meet regulatory compliance because we are not a regulatory organization, but our sister organization is regulatory. We have regulatory compliance with the International Civil Aviation Authority, whose audit teams have checked our data center and these security products, and they are satisfied with us. The question about leveraging Fortinet FortiWeb's automated policy management does not pertain to my domain because I am not so technical, but I am in a management role now. My engineer is more technical than me.
I would rate this product an eight point five out of ten.