Sold by: Fortinet Inc.
Deployed on AWS
The Complete OWASP Top 10 Ruleset delivers comprehensive web application protection to protect against the OWASP Top 10 web application threats
Overview
This product is not for AWS WAF Classic. Fortinets WAF rulesets are based on the FortiWeb web application firewall security service signatures, and are updated on a regular basis to include the latest threat information from FortiGuard Labs. The Complete OWASP Top 10 Ruleset provides a comprehensive package for web application protection offered by Fortinet to help cover the entire list of OWASP Top 10 web application threats. Includes protection for SQL Injection, Cross Site Scripting, General and Known Exploits, Malicious Bots and Common Vulnerabilities and Exposures (CVE).
For extended web application firewall features such as protection for zero attacks using AI-based behavioral attack detection, detailed attack log visibility, custom whitelisting and dedicated tools to fine tune and manage detections you can try Fortinet FortiWeb Cloud WAF-as-a-Service, a SaaS service that requires no hardware or software deployed https://aws.amazon.com/marketplace/pp/Fortinet-Inc-Fortinet-FortiWeb-Cloud-WAF-as-a-Serv/B07PXMWJT1 .
Fortinet Managed Rules for AWS WAF Video Tutorial https://pages.awscloud.com/mp-kickstart-fortinet.html?&trk=ta_a134p000003yoFjAAI&trkCampaign=AWSMP_pap_x_x_content-hub-resources&sc_channel=ta&sc_campaign=ta_awsmp_card&sc_outcome=Marketplace&sc_geo=mult
Pricing information: Pricing consists of two dimensions:
- $30 per month for each web ACL using the Fortinet Managed Rules, per region
- $1.8 per million requests in each region
Pricing examples:
pricing example: 2x web acl in a single region (ie us-east-1)
Managed rule group charges = $60.00 (2x units for 2x web ACLs) Managed rule group request charges = $1.80/million * 10 million = $18.00 Total AWS Marketplace charges = $78.00/month
pricing example: 2x web acl in two regions (ie us-east-1 & us-east-2)
Managed rule group charges = $60.00 (2x units for 2x web ACLs) Managed rule group request charges = $1.80/million * 10 million = $18.00 Total AWS Marketplace charges = $78.00/month
pricing example: 3x web acl in two regions and one using a CloudFront (ie us-east-1, us-east-2, CloudFront)
Managed rule group charges = $90.00 (3x units for 3x web ACLs) Managed rule group request charges = $1.80/million * 10 million = $18.00 Total AWS Marketplace charges = $108.00/month
Highlights
- Complete set to help protect against the OWASP Top 10
- Can be configured to log, alert and/or block
- Regular updates from FortiGuard Labs
Details
Features and programs
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Cost/unit |
|---|---|
Charge per month in each available region (pro-rated by the hour) | $30.00 |
Charge per million requests in each available region | $1.80 |
Vendor refund policy
Non-Refundable
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
Support offered by Fortinet. Contact Fortinet directly by email - awswaf@fortinet.com . Please see FAQ for more info.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
By Fortinet Inc.
By Cyber Security Cloud Inc.
Sentiment is AI generated from actual customer reviews
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Web Application Threat Protection
Comprehensive ruleset covering OWASP Top 10 web application threats including SQL Injection, Cross Site Scripting, and Known Exploits
Security Signature Updates
Regular threat information updates from FortiGuard Labs to maintain current protection signatures
Malicious Traffic Detection
Protection against malicious bots and common vulnerabilities and exposures (CVE)
Configurable Security Response
Flexible configuration options to log, alert, and block detected web application threats
Attack Vector Coverage
Comprehensive security rules targeting multiple web application attack vectors including general and known exploits
Web Application Threat Protection
Comprehensive ruleset targeting OWASP Top 10 Web Application Threats with low false-positive rate
Vulnerability Mitigation
Managed rules addressing code injection techniques including SQLi, NoSQLi, OScommandi, XSS, and directory traversal
Technology-Specific Security
Protection against known exploits for web technologies like Apache Struts2, Apache Tomcat, Oracle WebLogic, WordPress, Drupal, and Joomla
Threat Intelligence Integration
Regularly updated rulesets incorporating latest cyber threat intelligence
Compliance Support
Security rules designed to help meet security standards such as PCI-DSS
Web Attack Protection
Comprehensive defense against OWASP Top 10 web vulnerabilities including SQLi, XSS, command injection, No-SQLi injection, path traversal, and predictable resource attacks
Threat Rule Management
Dynamically written, managed, and regularly updated security rules by F5 security specialists to address evolving cyber threats
Rule Application Mechanism
Seamless integration and attachment of security rules to AWS WAF instances for immediate enhanced protection
Vulnerability Coverage
Targeted mitigation of complex web application security risks across multiple attack vectors and exploitation techniques
Security Rule Monitoring
Continuous surveillance and proactive updating of ruleset to ensure ongoing defense against emerging web-based attack methodologies
Standard contract
No
No
No
Customer reviews
4
2 ratings
2 AWS reviews
|
33 external reviews
Star ratings include only reviews from verified AWS customers. External reviews can also include a star rating, but star ratings from external reviews are not averaged in with the AWS customer star ratings.
ManjunathA
Effective in protecting web applications include web filtering, DDoS protection, and geo-location blocking
Reviewed on May 12, 2025
Review provided by PeerSpot
What is our primary use case?
The FortiWeb Web Application Firewall (WAF) is used when customers want to publish their sites and protect their internal public websites. Some customers ask to protect their AWS or Azure network, and during that time, we also suggest the web solution. In the network, we can use next-generation firewalls upstream or in flows wherever required, making it mandatory with the parameter-level layer security.
We focus on websites with FortiWeb Web Application Firewall (WAF) . Features such as anomaly input validation, XML protection, and API protection are already present, but we also need configuration settings that indicate the advantages or disadvantages of enabled features. If the GUI includes notifications and improved logging capabilities that allow us to see traffic and store logs for six months, that would be very helpful.
What is most valuable?
The features of FortiWeb Web Application Firewall (WAF) that have proven most effective in protecting web applications include web filtering, DDoS protection, geo-location blocking, and blocking SQL injection attacks.
The AI machine learning capabilities included in FortiWeb Web Application Firewall (WAF) analyze patterns effectively. For example, if any user tries to input any text format in a web form mistakenly using SQL queries, the web solution detects the input, checking whether it's impacting or analyzing queries in the database. Everything is analyzed to ensure protection.
What needs improvement?
Their AI technology is good. Overall, Fortinet is only good.
The improvement needed is in their response time. In the past three to four years, whenever we called for support, they responded quickly, often within five to ten minutes, and addressed our issues immediately. Now it takes longer, and they talk about SLA and 48-hour response times. Even with critical issues, they say, 'Okay, that ticket is assigned; we need to wait for their update in four hours or two hours,' which is taking too long now.
If there are issues, we need to contact the development team since we don't have configurations we can do ourselves; most features or configurations are managed by the development team. The graphical user interface looks difficult to understand, as other products allow us to see all features in one place.
The AI in FortiWeb Web Application Firewall (WAF) is just a checkmark option. To use machine learning features, we only need to enable or disable it. However, we must check how useful it is in real-time environments to determine how it protects or identifies threats.
There are features like web filtering, DDoS protection, geo-location blocking, SQL injection blocking, anomaly input validation, XML protection, and API protection already present, however, we also need configuration settings that indicate the advantages or disadvantages of enabled features. If the GUI includes notifications and improved logging capabilities that allow us to see traffic and store logs for six months, that would be very helpful. Currently, we cannot see any logs for allow traffic or monitor daily traffic effectively, which requires external syslog servers or cloud subscriptions. If inbuilt larger logging capability is added, it would enhance usability, and features like clickable options to unblock or create exceptions would greatly assist customers in managing their websites.
For how long have I used the solution?
I have been working with them for Five years.
How are customer service and support?
The technical support by Fortinet is good. The back-end development team is available, and if any issue arises, they will help us immediately by providing solutions when contacted.
How would you rate customer service and support?
Positive
What's my experience with pricing, setup cost, and licensing?
The pricing for FortiWeb Web Application Firewall (WAF) is reasonable. That said, it depends on how many websites we need to protect. The licensing is based on the number of websites or individually. If the customer has multiple websites, the price reduces automatically since it depends on the number only. If the customer wants to buy initially, there is a default license available.
When going for multiple websites, the price also reduces.
What other advice do I have?
I am providing next-generation firewalls or FortiWeb Web Application Firewalls (WAF).
Both web application firewalls and next-generation firewalls are available, which we are doing daily.
I usually recommend the FortiWeb Web Application Firewall (WAF) for various types of companies, including retail, hospitals, manufacturing, construction, and banking.
It is the best option on the market.
I rate FortiWeb Web Application Firewall (WAF) eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
reviewer2641242
Offers competitive pricing and robust channel support with good training
Reviewed on Jan 09, 2025
Review provided by PeerSpot
What is our primary use case?
I mentioned that the firewalls, such as the one from Fortinet, help protect my infrastructure from outside attacks. They perform a lot of network scanning and do not allow any unauthorized person to access my details and data. That's their application. A similar action is performed by the web application firewall, where web applications are restricted to certain users. This means that not anyone with malicious intent can access my web application content.
What is most valuable?
The good thing about Fortinet is that their enablement is very good in terms of training me and enabling resources on their technology.
Secondly, if I look at their pricing, Fortinet's pricing is way more competitive than Cisco or Palo Alto. They have almost 45% share in the firewall market, as per IDC. Fortinet is a large-sized company where their channel program is very robust and very flexible. They also understand the different personas of the channel stakeholders. In that way, they are rapidly growing in the channel ecosystem space and have started getting a lot of business. They are replacing many big traditional players in that space.
What needs improvement?
There are some issues pertaining to the migration. If some of my customers want to migrate from F5 to Fortinet Firewall , or the Fortinet WAF solution, there are some migration issues since I cannot migrate all the elements quickly using Fortinet Firewall� . There is some integration work required to do that.
For how long have I used the solution?
I have been working with Fortinet for almost one year and eight or nine months.
How are customer service and support?
Their support is truly exceptional when I compare it with similar large-sized companies. In that category, they are top-notch at this point in time.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I was with SquadCast earlier.
Which other solutions did I evaluate?
F5 is a leader. They have some technical supremacy. F5 is more in demand, however, other players like Radware are also available in the market.
What other advice do I have?
I would rate the solution eight out of ten at least.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Andreas Lalos
Enhanced application protection with an extensive attack signature library
Reviewed on Nov 11, 2024
Review provided by PeerSpot
What is our primary use case?
FortiWeb is used for web application protection. It protects a web application against attacks targeting their web applications, such as cross-site scripting, SQL injection, and other common application-specific attacks.
How has it helped my organization?
FortiWeb allows the organization to operate efficiently without any downtime or serious security breach.
What is most valuable?
FortiWeb has a very extensive library of known attack signatures, which makes the product fit for any environment, regardless if the customer uses Windows-specific or non-Windows-specific applications. It also has a very low rate of false positives and incorporates other FortiGuard capabilities, such as detection of botnet traffic.
What needs improvement?
For users not familiar with Fortinet, it could be beneficial to provide more user-friendly analytics and reporting. The product could offer better capabilities and analytics to pinpoint threat landscapes more efficiently.
For how long have I used the solution?
I have been working with FortiWeb for approximately four years, maybe more.
What do I think about the stability of the solution?
FortiWeb has proven to be very stable and does not introduce latency in the network.
What do I think about the scalability of the solution?
The product can scale according to the organization's traffic and architecture. It is available as a virtual appliance and a hardware appliance.
How are customer service and support?
Fortinet provides very good support, which I would rate as eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
At the moment, we are only working with Fortinet and not with other web application firewalls.
How was the initial setup?
Someone without prior experience with the product might find it challenging to deploy. However, Fortinet provides good online training to assist administrators.
What was our ROI?
The total cost of ownership should be calculated based on the actual protection it offers to the application. Deploying FortiWeb can save 20% to 30% of resources within the organization.
What's my experience with pricing, setup cost, and licensing?
FortiWeb uses a subscription-based license, but there is also an option for a perpetual license. It's not the cheapest solution. That said, it is worth the investment.
Which other solutions did I evaluate?
I have experience with other web application products.
What other advice do I have?
I'd rate the solution nine out of ten.
Martin Janzsó
Has good integration with load-balancing applications
Reviewed on Sep 05, 2024
Review provided by PeerSpot
What is our primary use case?
Our company provides data center and cloud services as infrastructure providers. When customers need infrastructure like VMs or server allocation, we provide them with the vendor and offer services to operate, manage, implement, and integrate these security components.
What is most valuable?
The most valuable feature is the tool's integration with load-balancing applications, similar to FortiADC. Its importance depends on customer requirements, such as whether they prioritize application load balancing or layer seven protection.
What needs improvement?
Regarding areas for improvement, the documentation needs work. We had issues with a customer because the documentation didn't clearly show which devices can connect with FortiWeb WAF, leading to misconfiguration and difficult meetings. We also need deeper technical support - finding who's responsible for technical aspects is challenging. Hungary has a good Fortinet office with strong sales and pre-sales employees.
For how long have I used the solution?
I have been using the product for four to five years.
What do I think about the stability of the solution?
I rate the tool's stability a nine out of ten.
What do I think about the scalability of the solution?
It's not good with normal perpetual licensing, but we can solve the problem using flex licensing. That's why I'd rate it nine out of ten. We're satisfied with it. Many of our customers, including small, medium, and enterprise businesses, use FortiWeb WAF.
How was the initial setup?
I rate the tool's deployment ease as seven out of ten. We have spent about 600 working hours to implement it.
What's my experience with pricing, setup cost, and licensing?
The product provides very good prices to customers. The price is set well and offers great value for money.
What other advice do I have?
I rate the overall solution an eight out of ten. I advise others looking to use FortiWeb WAF to create deeper policy rules.
Which deployment model are you using for this solution?
On-premises
Martin Ellmann
Provides users with ease of policy configuration and good integration capabilities
Reviewed on Aug 08, 2024
Review provided by PeerSpot
What is our primary use case?
I use the solution in my company to make web applications more secure because we have a special portal or web interface that we have to make secure for cybersecurity and different accesses. We found that FortiWeb Web Application Firewall (WAF) works fine for such use cases.
What is most valuable?
The tool's most valuable feature is the web access it offers. We control every access, like who goes in and what they do.
What needs improvement?
The tool's price and performance are areas of concern where improvements are required.
For how long have I used the solution?
I have been using FortiWeb Web Application Firewall (WAF) for three years.
What do I think about the stability of the solution?
It is a 100 percent stable solution. Stability-wise, I rate the solution a ten out of ten.
What do I think about the scalability of the solution?
My company has three customers using the tool. One of the customers has 1,00,000 users.
How are customer service and support?
My company manages the technical support with around four people, so it is not a complex process for us to handle. In general, the tool's support team is friendly.
How was the initial setup?
The product's initial setup phase was easy.
The solution's deployment needs a bit of time because we have to discuss it with the deployment team, which consists of software. The project keeps growing and changing daily, so if the people involved in the deployment make new software, we have to change something. It is an easy process and can be managed in around two weeks by one person.
What's my experience with pricing, setup cost, and licensing?
The tool is really expensive. In our company, we could do a lot more, but the price is always a point covering areas like why we need one, whether it is important to discuss, why it is so expensive and so on.
Speaking about the licensing model, people need to opt for a subscription-based model. My company likes to have a subscription for at least three or five years because, otherwise, you have to renew the license. Managing the licensing part for one person can also be very complex.
What other advice do I have?
The solution helps protect our company's web applications against common threats up to 99 percent. We feel very safe with the tool.
Speaking about how the tool has effectively mitigated web security threats for an application, I would say that it is an application behind the web portal, so there are about a hundred or thousand people who can access a website. If it is a sensitive application, and we have to watch every access to it to make it really safe, that is the reason why we need WAF on the application.
My company doesn't use AI with the tool.
I recommend the product to others. I would say that others need to have it if they have a shopping website or something similar. I know it is hard to sell because we find it quite hard whenever my company tries to do so.
The solution offers 100 percent integration with other Fortinet security products.
The ease of policy configuration in the tool is okay.
I rate the tool a nine to ten out of ten.