Sold by: Fortinet Inc.
Deployed on AWS
Free Trial
The FortiWeb web application firewall (WAF) defends web-based applications from known and zero-day threats. Its AI-based machine learning identifies threats with virtually no false positive detections.
4.1
Overview
Whether to simply meet compliance standards or to protect mission critical hosted applications, FortiWeb Web Application Firewalls (WAFs) provide advanced features and AI-based machine learning detection engines that defend web applications from known and zero-day threats.
Using a multi-layered and correlated approach, FortiWeb intelligently and accurately protects your web applications from the OWASP Top 10 threats. Combined with Fortinet Web Application Security Service from FortiGuard Labs, FortiWeb keeps your applications safe from vulnerability exploits, bots, malware uploads, DoS attacks, advanced persistent threats (APTs), and zero day attacks.
FortiWeb software editions offer the same features of the FortiWeb hardware-based appliances with the flexibility to deploy instances as needed to meet the demands of dynamic application hosting environments.
Highlights
- EFFECTIVE protection using multiple techniques including signatures, IP reputation, antivirus, and AI-based behavioral analysis and bot mitigation
- INTEGRATED with FortiGate, FortiSandbox, and leading third-party vulnerability scanners for enhanced zero-day threat protection and virtual application patching
- ACCURATE with intelligent tools that minimize false positive detections including user scoring, session tracking, and event correlation
Details
Sold by
Categories
Delivery method
Delivery option
64-bit (x86) Amazon Machine Image (AMI)
Latest version
Operating system
OtherLinux 8.0.4
Deployed on AWS
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Buyer guide
Gain valuable insights from real users who purchased this product, powered by PeerSpot.
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Free trial
Try this product free for 15 days according to the free trial terms set by the vendor. Usage-based pricing is in effect for usage beyond the free trial terms. Your free trial gets automatically converted to a paid subscription when the trial ends, but may be canceled any time before that.
Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond contract will incur additional usage-based costs.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Cost/hour |
|---|---|
r5.xlarge Recommended | $2.51 |
m3.xlarge | $2.51 |
m4.xlarge | $2.51 |
r5.2xlarge | $4.43 |
m5.xlarge | $2.51 |
m5.2xlarge | $4.43 |
m4.2xlarge | $4.43 |
m3.2xlarge | $4.43 |
t3.large | $1.04 |
r5.4xlarge | $8.00 |
Vendor refund policy
You may terminate the instance at anytime to stop incurring charges.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Additional details
Usage instructions
After deploying the instance, click on 'Manage in AWS Console' to see the running instance and public DNS address to continue the configuration of the FortiWeb-VM. Connect to the secured Web UI via the public DNS address: https://Public DNS:8443. For any CLI configuration/settings, SSH is required to log into the CLI. Default login credentials are with a username of "admin" and the AWS Instance ID value as the password. The FortiWeb-VM Install and Configure guides is located at https://docs.fortinet.com/vm/aws/fortiweb . For the full FortiWeb Administrator Guide, please refer to Fortinet documentation: https://docs.fortinet.com/fortiweb/admin-guides
Resources
Support
Vendor support
Fortinet FortiCare Support Services give you global support on a per-product basis. All FortiCare Support Services include firmware upgrades, access to the support portal and associated technical resources.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
By Fortinet Inc.
By Check Point Software Technologies
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Threat Detection Engine
AI-based machine learning detection with behavioral analysis to identify known and zero-day threats with minimal false positive detections
Multi-Layered Protection Mechanisms
Multiple protection techniques including signatures, IP reputation, antivirus, and bot mitigation to defend against OWASP Top 10 threats
Third-Party Integration Capabilities
Integration with FortiGate, FortiSandbox, and leading third-party vulnerability scanners for enhanced threat protection and virtual application patching
False Positive Minimization
Intelligent tools including user scoring, session tracking, and event correlation to reduce false positive detections
Flexible Deployment Architecture
Software-based editions offering equivalent features to hardware appliances with scalable instance deployment for dynamic application hosting environments
Bot Protection
Fingerprinting and challenge/response techniques combined with behavioral analysis to block automated attacks including account takeover, web/content scraping, and vulnerability reconnaissance.
Application Layer Attack Mitigation
Protection against OWASP Top 10 threats, application-layer DoS attacks, malware-infected browsers, and API protocol vulnerabilities using machine learning and threat intelligence.
IP Threat Intelligence
IP Intelligence threat feed integration to block traffic from and to malicious IP addresses with regular updates to threat campaign signatures.
Load Balancing
Traffic management and load balancing functionality supporting 1 VIP and up to 3 virtual servers per application instance.
Container Environment Support
Integration with F5 Container Ingress Services for deployment in container environments including Kubernetes clusters.
AI-Based Zero-Day Threat Prevention
Detects and blocks unknown threats and zero-day exploits in real-time, including log4shell, text4shell, and MOVEit attacks, using AI-driven contextual analysis to minimize false positives.
Intrusion Prevention System with CVE Coverage
Shields against OWASP Top 10 attacks with over 2,800 Web CVEs and Snort 3.0 signature enforcement for deep packet inspection.
DDoS Mitigation and Bot Prevention
Provides advanced DDoS attack mitigation with automatic traffic control and bot detection to block automated threats while maintaining service availability.
API Discovery and Schema Validation
Monitors API traffic for sensitive data exposure, performs real-time API discovery and governance, and enforces auto-generated Swagger schema validation for API security.
AWS Native Integration and Rapid Deployment
Integrates directly with AWS services including Route 53, AWS WAF, AWS Shield, API Gateway, CloudFront, and Lambda, with support for AWS CloudFormation and Terraform for Infrastructure-as-Code deployment in under 15 minutes.
Standard contract
No
No
No
Customer reviews
Alexandru R.
Secure, User-Friendly with Great Support, Minor Lag Issues
Reviewed on Feb 16, 2026
Review provided by G2
What do you like best about the product?
I really appreciate the ease of access with FortiAppSec Cloud, along with its reliable customer support which is very beneficial for me. The dashboard is also great because it allows us to monitor all activities conveniently. I found the initial setup process to be very easy, and we got everything set up in under one hour.
What do you dislike about the product?
There's some lag in the platform when we reach a large number of endpoints.
What problems is the product solving and how is that benefiting you?
FortiAppSec Cloud helps us deliver secure endpoints in the cloud to customers, with ease of access and reliable customer support.
Mansi S.
Robust Protection with Room for UI Improvement
Reviewed on Feb 13, 2026
Review provided by G2
What do you like best about the product?
I like the FortiAppSec Cloud's clean dashboard, which lets me quickly understand what’s happening without digging through endless logs. I also appreciate that I can log in and immediately see what types of attacks are being blocked, where traffic is coming from, and whether there are any unusual spikes. It's our security shield in front of our applications.
What do you dislike about the product?
The UI is clean overall, but sometimes when you're trying to troubleshoot something specific, you have to click around more than you'd like. A more straightforward log search or clearer explanations inside the dashboard would help. The UI is not customizable as well. I would love to see that option.
What problems is the product solving and how is that benefiting you?
I use FortiAppSec Cloud as a security shield for our web apps and APIs, providing deep visibility into traffic, reducing bot activity, preventing web attacks, and simplifying security reporting.
Shiv A.
Strong Security but Initial Setup Woes
Reviewed on Feb 11, 2026
Review provided by G2
What do you like best about the product?
I think the automatic security and centralized dashboard in FortiAppSec Cloud are pretty good. It's easy to integrate with Fabric, which is helpful, and it's pretty fast and easy to deploy and scale. The automatic security reduces manual rule tuning, and the centralized dashboard improves visibility and response time. The Fabric integration allows automated threat sharing across network and application layers, which improves both security posture and operational efficiency and also improves application latency.
What do you dislike about the product?
The initial configuration and setup for complex rules can be tricky, which is challenging for first-time users. Also, the UI and UX could be improved, particularly with richer incident storytelling like timeline-based views and smarter risk scoring. Sometimes, there's a bit of performance issue during peak traffic, and there's a lack of detailing in incident reports.
What problems is the product solving and how is that benefiting you?
I use FortiAppSec Cloud to reduce bot traffic, prevent API abuse, and protect from DDoS attacks and credential stuffing. It reduces manual rule management, improves visibility, and enhances security posture and operational efficiency.
Manav S.
Centralized Threat Management, Easy Setup
Reviewed on Feb 11, 2026
Review provided by G2
What do you like best about the product?
I use FortiAppSec Cloud to secure and monitor our web applications and APIs. It helps us detect vulnerabilities, manage security policies, and maintain visibility into potential threats in our cloud environment. FortiAppSec Cloud centralizes monitoring, improves alerting, and helps us respond to risks more efficiently. One of the best features is its centralized board and control center, which offers a consolidated view of application health, threat activity, and policy status in one place. This allows me to quickly see recent alerts, traffic patterns, and any flagged vulnerabilities from a single screen. The initial setup was pretty easy.
What do you dislike about the product?
I think the personalized UI could be improved. I would like to be able to change the data into a format I like, including the color scheme.
What problems is the product solving and how is that benefiting you?
I use FortiAppSec Cloud to secure and monitor our web applications and APIs, centralizing monitoring and improving alerting. It solves the problem of requiring multiple tools and manual effort. I appreciate the consolidated view of application health, threat activity, and policy status from a single dashboard.
Information Technology and Services
Robust WAF Security and Bot Mitigation in a Single Console
Reviewed on Feb 10, 2026
Review provided by G2
What do you like best about the product?
I evaluated it for WAF solution & liked it's security, bot mitigation measures, & everything security under single console. I particularly liked how it's designed to handle coming of age security threats, with agentic AI proliferation.
What do you dislike about the product?
I felt there are improvements possible in it's overall UI/UX experience & onboarding flows, making it a li'll more intuitive & performant will help smoothen the experience
What problems is the product solving and how is that benefiting you?
I like the strong AI driven security approach in its solution & offerings, allowing teams to focus on business problems, modernize their infrastructure with least worries about it's security.