    Fortinet FortiWeb Web Application Firewall WAF (PAYG)

    Deployed on AWS
    Free Trial
    The FortiWeb web application firewall (WAF) defends web-based applications from known and zero-day threats. Its AI-based machine learning identifies threats with virtually no false positive detections.

    Overview

    Whether to simply meet compliance standards or to protect mission critical hosted applications, FortiWeb Web Application Firewalls (WAFs) provide advanced features and AI-based machine learning detection engines that defend web applications from known and zero-day threats.

    Using a multi-layered and correlated approach, FortiWeb intelligently and accurately protects your web applications from the OWASP Top 10 threats. Combined with Fortinet Web Application Security Service from FortiGuard Labs, FortiWeb keeps your applications safe from vulnerability exploits, bots, malware uploads, DoS attacks, advanced persistent threats (APTs), and zero day attacks.

    FortiWeb software editions offer the same features of the FortiWeb hardware-based appliances with the flexibility to deploy instances as needed to meet the demands of dynamic application hosting environments.

    Highlights

    • EFFECTIVE protection using multiple techniques including signatures, IP reputation, antivirus, and AI-based behavioral analysis and bot mitigation
    • INTEGRATED with FortiGate, FortiSandbox, and leading third-party vulnerability scanners for enhanced zero-day threat protection and virtual application patching
    • ACCURATE with intelligent tools that minimize false positive detections including user scoring, session tracking, and event correlation

    Details

    Delivery method

    Delivery option
    64-bit (x86) Amazon Machine Image (AMI)

    Latest version

    Operating system
    OtherLinux 8.0.1

    Features and programs

    Buyer guide

    Gain valuable insights from real users who purchased this product, powered by PeerSpot.

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.

    Pricing

    Free trial

    Try this product free for 15 days according to the free trial terms set by the vendor. Usage-based pricing is in effect for usage beyond the free trial terms. Your free trial gets automatically converted to a paid subscription when the trial ends, but may be canceled any time before that.

    Fortinet FortiWeb Web Application Firewall WAF (PAYG)

    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond contract will incur additional usage-based costs.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    Usage costs (28)

    Dimension                  Cost/hour
    r5.xlarge (Recommended)    $2.51
    m3.xlarge                  $2.51
    m4.xlarge                  $2.51
    r5.2xlarge                 $4.43
    m5.xlarge                  $2.51
    m5.2xlarge                 $4.43
    m4.2xlarge                 $4.43
    m3.2xlarge                 $4.43
    t3.large                   $1.04
    r5.4xlarge                 $8.00

    Vendor refund policy

    You may terminate the instance at any time to stop incurring charges.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

    Delivery details

    64-bit (x86) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Additional details

    Usage instructions

    After deploying the instance, click on 'Manage in AWS Console' to see the running instance and its public DNS address, then continue the configuration of the FortiWeb-VM. Connect to the secured Web UI via the public DNS address: https://<Public DNS>:8443. CLI configuration requires logging in to the CLI over SSH. The default login credentials are the username "admin" with the AWS Instance ID value as the password. The FortiWeb-VM Install and Configure guide is located at https://docs.fortinet.com/vm/aws/fortiweb. For the full FortiWeb Administrator Guide, please refer to the Fortinet documentation: https://docs.fortinet.com/fortiweb/admin-guides

    Support

    Vendor support

    Fortinet FortiCare Support Services give you global support on a per-product basis. All FortiCare Support Services include firmware upgrades, access to the support portal and associated technical resources.

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Product comparison

    Updated weekly

    Accolades

    Top 10 in Application Development
    Top 100 in Log Analysis

    Customer reviews

    Sentiment is AI generated from actual customer reviews on AWS and G2

    Reviews: 2 reviews
    Functionality: Insufficient data
    Ease of use: Insufficient data
    Customer service: Insufficient data
    Cost effectiveness: Insufficient data

    Overview

    AI generated from product descriptions
    Threat Detection Mechanism
    AI-based machine learning engine for identifying web application threats with high accuracy
    Security Protection Layer
    Multi-layered defense against OWASP Top 10 threats using signatures, IP reputation, antivirus, and behavioral analysis
    Bot Mitigation
    Advanced bot detection and prevention capabilities using intelligent behavioral analysis techniques
    Vulnerability Protection
    Integrated zero-day threat protection with virtual application patching and compatibility with third-party vulnerability scanners
    Threat Correlation
    Intelligent event correlation and user scoring techniques to minimize false positive security detections
    Web Application Firewall
    Advanced protection against OWASP Top 10 threats using machine learning and behavioral analytics
    Bot Protection
    Proactive defense using fingerprinting, challenge/response techniques, and behavioral analysis to block automated attacks
    Threat Intelligence
    IP Intelligence threat feed with regular updates to block malicious IP traffic and threat campaign signatures
    Traffic Management
    Load balancing functionality supporting 1 VIP and up to 3 virtual servers with per-app deployment model
    Automation Integration
    Supports integration with automation and CI/CD tools through Automation Toolchain, CloudFormation Templates, and Quick Start Guides
    Threat Prevention
    AI-driven zero-day threat detection and prevention using advanced contextual analysis
    Web Application Protection
    Comprehensive defense against OWASP Top 10 vulnerabilities with Intrusion Prevention System (IPS) covering over 2,800 Web CVEs
    Traffic Control
    Advanced rate limiting and bot prevention mechanisms with traffic flow management based on IP address, XFF, JWT, cookies, and headers
    API Security
    Automated API discovery, real-time traffic monitoring, and auto-generated Swagger schema validation for comprehensive API governance
    Deep Packet Inspection
    Snort 3.0 signature enforcement providing advanced packet-level security analysis

    Contract

    Standard contract
    No
    No
    No

    Customer reviews

    Ratings and reviews

    3.8 (5 ratings)
    5 star: 40%
    4 star: 20%
    3 star: 20%
    2 star: 0%
    1 star: 20%
    5 AWS reviews | 41 external reviews
    Star ratings include only reviews from verified AWS customers. External reviews can also include a star rating, but star ratings from external reviews are not averaged in with the AWS customer star ratings.
    Food Production

    Excellent Content Acceleration and Caching, No Complaints

    Reviewed on Oct 16, 2025
    Review provided by G2
    What do you like best about the product?
    caching, content routing, accelerating content delivery via globally distributed servers.
    What do you dislike about the product?
    Nothing to say. Very useful and good working features.
    What problems is the product solving and how is that benefiting you?
    Evolving threats & zero-day / sophisticated attacks.
    Nithinya G.

    Comprehensive Security Application

    Reviewed on Oct 14, 2025
    Review provided by G2
    What do you like best about the product?
    It's comprehensive security and highly user friendly.
    What do you dislike about the product?
    The documentation and configuration could have been much simpler and more user friendly.
    What problems is the product solving and how is that benefiting you?
    It is solving the operational complexity and it provides simplified security
    Mihir R.

    Review for FortiAppSec Cloud

    Reviewed on Oct 08, 2025
    Review provided by G2
    What do you like best about the product?
    This product is straightforward to use and implement. I appreciate its fully managed, cloud-based WAF approach, along with the real-time protection it offers and the responsive customer support. I rely on its machine learning and behavior-based detection features for daily monitoring, and I also value how seamlessly it integrates with other Fortinet products.
    What do you dislike about the product?
    Limited advanced configurations and custom rule tuning.
    What problems is the product solving and how is that benefiting you?
    This tool makes both load balancing and security management much simpler.
    Sujit S.

    Excellent Protection, Complex Interface

    Reviewed on Oct 08, 2025
    Review provided by G2
    What do you like best about the product?
    I like that FortiAppSec Cloud provides AI-driven, fully managed WAF protection with minimal tuning required, excellent integration with Fortinet Security Fabric, and strong coverage for web apps and APIs against evolving threats.
    What do you dislike about the product?
    The interface could be more intuitive, and deeper customization or reporting options would improve flexibility. Integration with non-Fortinet tools also requires extra configuration.
    What problems is the product solving and how is that benefiting you?
    FortiAppSec Cloud protects our web apps and APIs from OWASP Top 10 threats and bot attacks while reducing manual management. It improves visibility, automates protection, and strengthens our overall security posture.
    ManjunathA

    Effective in protecting web applications include web filtering, DDoS protection, and geo-location blocking

    Reviewed on May 12, 2025
    Review provided by PeerSpot

    What is our primary use case?

    The FortiWeb Web Application Firewall (WAF) is used when customers want to publish their sites and protect their internal public websites. Some customers ask to protect their AWS or Azure network, and during that time, we also suggest the web solution. In the network, we can use next-generation firewalls upstream or in flows wherever required, making it mandatory with the parameter-level layer security.

    We focus on websites with FortiWeb Web Application Firewall (WAF). Features such as anomaly input validation, XML protection, and API protection are already present, but we also need configuration settings that indicate the advantages or disadvantages of enabled features. If the GUI includes notifications and improved logging capabilities that allow us to see traffic and store logs for six months, that would be very helpful.

    What is most valuable?

    The features of FortiWeb Web Application Firewall (WAF) that have proven most effective in protecting web applications include web filtering, DDoS protection, geo-location blocking, and blocking SQL injection attacks.

    The AI machine learning capabilities included in FortiWeb Web Application Firewall (WAF) analyze patterns effectively. For example, if any user tries to input any text format in a web form mistakenly using SQL queries, the web solution detects the input, checking whether it's impacting or analyzing queries in the database. Everything is analyzed to ensure protection.

    What needs improvement?

    Their AI technology is good. Overall, Fortinet is only good.

    The improvement needed is in their response time. In the past three to four years, whenever we called for support, they responded quickly, often within five to ten minutes, and addressed our issues immediately. Now it takes longer, and they talk about SLA and 48-hour response times. Even with critical issues, they say, 'Okay, that ticket is assigned; we need to wait for their update in four hours or two hours,' which is taking too long now.

    If there are issues, we need to contact the development team since we don't have configurations we can do ourselves; most features or configurations are managed by the development team. The graphical user interface looks difficult to understand, as other products allow us to see all features in one place.

    The AI in FortiWeb Web Application Firewall (WAF) is just a checkmark option. To use machine learning features, we only need to enable or disable it. However, we must check how useful it is in real-time environments to determine how it protects or identifies threats.

    There are features like web filtering, DDoS protection, geo-location blocking, SQL injection blocking, anomaly input validation, XML protection, and API protection already present; however, we also need configuration settings that indicate the advantages or disadvantages of enabled features. If the GUI includes notifications and improved logging capabilities that allow us to see traffic and store logs for six months, that would be very helpful. Currently, we cannot see any logs for allow traffic or monitor daily traffic effectively, which requires external syslog servers or cloud subscriptions. If inbuilt larger logging capability is added, it would enhance usability, and features like clickable options to unblock or create exceptions would greatly assist customers in managing their websites.

    For how long have I used the solution?

    I have been working with them for five years.

    How are customer service and support?

    The technical support by Fortinet is good. The back-end development team is available, and if any issue arises, they will help us immediately by providing solutions when contacted.

    How would you rate customer service and support?

    Positive

    What's my experience with pricing, setup cost, and licensing?

    The pricing for FortiWeb Web Application Firewall (WAF) is reasonable. That said, it depends on how many websites we need to protect. The licensing is based on the number of websites or individually. If the customer has multiple websites, the price reduces automatically since it depends on the number only. If the customer wants to buy initially, there is a default license available.

    When going for multiple websites, the price also reduces.

    What other advice do I have?

    I am providing next-generation firewalls or FortiWeb Web Application Firewalls (WAF).

    Both web application firewalls and next-generation firewalls are available, which we are doing daily.

    I usually recommend the FortiWeb Web Application Firewall (WAF) for various types of companies, including retail, hospitals, manufacturing, construction, and banking.

    It is the best option on the market.

    I rate FortiWeb Web Application Firewall (WAF) eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other