Overview
This listing is for AWS WAF Classic only. Fortinets WAF rulesets are based on the FortiWeb web application firewall security service signatures, and are updated on a regular basis to include the latest threat information from FortiGuard Labs. The Complete OWASP Top 10 Ruleset combines Fortinets other AWS WAF rulesets into one comprehensive package to protect web applications and to cover the entire list of OWASP Top 10 web application threats. Included are the SQLi/XSS, General and Known Exploits, and Malicious Bots rulesets.
For extended web application firewall features such as detailed trigger/event visibility, custom whitelisting and dedicated tools to fine tune and manage detections as well as detailed event visibility and AI-based behavioral attack detection you can try the FortiWeb Cloud Product: https://thinkwithwp.com/marketplace/pp/prodview-rbkvcwsvcpgsk?sr=0-1&ref_=beagle&applicationId=AWSMPContessa
For more information on AWS WAF Classic, you can find documentation here: https://docs.thinkwithwp.com/waf/latest/developerguide/classic-waf-chapter.html
Pricing information: Pricing consists of two dimensions:
- $30 per month for each web ACL using the Fortinet Managed Rules, per region
- $1.8 per million requests in each region
Pricing examples:
pricing example: 2x web acl in a single region (ie us-east-1)
Managed rule group charges = $60.00 (2x units for 2x web ACLs) Managed rule group request charges = $1.80/million * 10 million = $18.00 Total AWS Marketplace charges = $78.00/month
pricing example: 2x web acl in two regions (ie us-east-1 & us-east-2)
Managed rule group charges = $60.00 (2x units for 2x web ACLs) Managed rule group request charges = $1.80/million * 10 million = $18.00 Total AWS Marketplace charges = $78.00/month
pricing example: 3x web acl in two regions and one using a CloudFront (ie us-east-1, us-east-2, CloudFront)
Managed rule group charges = $90.00 (3x units for 3x web ACLs) Managed rule group request charges = $1.80/million * 10 million = $18.00 Total AWS Marketplace charges = $108.00/month
Highlights
- Complete set of all rules offered by Fortinet
- Can be configured to log, alert and/or block
- Regular updates from FortiGuard Labs
Details
Features and programs
Financing for AWS Marketplace purchases
Pricing
Dimension | Cost/unit |
---|---|
Charge per month in each available region (pro-rated by the hour) | $30.00 |
Charge per million requests in each available region | $1.80 |
Vendor refund policy
Non-Refundable
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
Support offered by Fortinet. Contact Fortinet directly by email - awswaf@fortinet.com . Please see FAQ for more info.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products
Customer reviews
Easy to setup and use
Got the rules up and running in no time.
Excellent value for money, not sure why other reviewers are complaining given how cheap these rules are
Lack of visibility limits usability
I agree with other reviewers that the ability to understand why a request is counted or blocked is paramount.
In the current scenario we will be required to create custom rules to detect and allow any false positives, in order to have working solution. It would be much more useful to at least output the rule and condition that was triggers, along with the request. It would be good to be able to disable a specific rule if it was triggered.
I understand that we should not be able to list the actual rule details, but not having a list of the rule coverage also seems bad.
This box is just a bit too black for my liking. Knowing what protection is in place is a cornerstone of good security. I don't have that with this offering.
Same considerations as last reviewer
Same considerations as last reviewer, however, you can do an "Override to Count" and see request samples, to find things to white list. However, you don't know which condition triggered the "block".
Very much a Black box.
For our testing with "Override to count" in Production, I only found it blocking valid transactions for us.
Not able to see conditions
- Not being able to see actual conditions defined in the ruleset makes it too hard to white list URLs for specific OWASP conditions. Wish there is a place to see all readonly conditions of this ruleset.
- We can see requests getting blocked but we don't know why. The samples just show the Ruleset name and not the actual reason for blocking the requests. Like "SQLi" or "XSS" or "Force browsing" etc.,
Overall, If I subscribe to this ruleset, all of it seems like a Blackbox and requests are getting magically blocked, which is not good.