Unprotected web applications are the easiest point of entry for hackers and vulnerable to a number of attack types. FortiWeb’s AI-enhanced and multi-layered approach protects your web apps from the OWASP Top 10 and more. When combined with our Web Application Security Service from FortiGuard Labs you’re protected from the latest application vulnerabilities, bots, and suspicious URLs, and with dual machine learning detection engines your applications are safe from sophisticated threats such as SQL injection, cross-site scripting, buffer overflows, cookie poisoning, malicious sources, and DoS attacks.

Product Details

Whether to simply meet compliance standards or to protect mission-critical hosted applications, FortiWeb’s web application firewalls provide advanced features that defend web applications from known and zero-day threats. Using an advanced multi-layered and correlated approach, FortiWeb provides complete security for your external and internal web-based applications from the OWASP Top 10 and many other threats. At the heart of FortiWeb are its dual-layer AI-based detection engines that intelligently detect threats with nearly no false positive detections.

Public Cloud

Amazon Web Services (AWS) and Microsoft Azure supported for both BYOL (bring your own license) and On-demand (pay-as-you go).

  • FortiWeb on AWS (On Demand)
  • FortiWeb on AWS (BYOL)
  • FortiWeb on Azure
  • FortiWeb on Google Cloud
  • FortiWeb on Oracle Cloud
FortiGuard Security Services for FortiWeb

FortiWeb employs multiple FortiGuard security services to protect web applications from attack. These annual subscriptions can be purchased a la carte or as part of a bundle with your FortiWeb solution.

FortiWeb Deployment Modes

  • reverse proxy
  • true transparent proxy
  • Transparent Inspection
  • Offline
Reverse Proxy
  • FortiWeb appliance sits on the traffic stream between the client and the web application acting as a reverse proxy
  • Connections to the web application are intercepted and inspected against the configured policies and profiles before being forwarded to the internal servers
  • Incoming traffic can be modified, blocked or logged
  • Full protection guaranteed
True transparent proxy
  • FortiWeb appliance sits on the traffic stream between the client and the web application
  • Connections to the web application are intercepted and inspected against the configured policies and profiles before being forwarded to the internal servers
  • Incoming traffic can be blocked, logged or modified
Transparent Inspection
  • FortiWeb appliance sits on the traffic stream between the client and the web application
  • Connections to the web application are asynchronously intercepted and inspected
  • In case of power failure, the FortiWeb unit will fail-open using its bypass interface thus all traffic to the web application is maintained
  • Incoming traffic can be logged or attempted to block but not modified
Offline Mode
  • Ideal mode for proof of concepts
  • Connections to the web application are intercepted and inspected
  • Traffic is duplicated to the FortiWeb through mirroring or SPAN port
  • Inspected traffic can be logged, attempted to block but not modified
Web Application Security

Web-facing applications are a favorite target of hackers. Protect your critical data and applications against malicious sources, DoS attacks, and sophisticated threats such as SQL injection, cross-site scripting, buffer overflows, file inclusion, cookie poisoning, and more, with FortiGuard Web Application Security.

FortiGuard Web Application Security uses information based on the latest application vulnerabilities, bots, suspicious URL patterns and data-type patterns, and specialized heuristic detection engines, to ensure your web applications remain safe from application-layer threats.

FortiGuard Web Application Service :

  • Gives you the highest level of protection with multiple, correlated threat detection methods including web attack signatures, IP reputation, antivirus, and more
  • Stops the latest application threats with real-time updates
  • Reduces both your entry and maintenance costs with device-based licensing
  • Keeps your security current with the fastest possible update speeds through push and pull options
  • Lowers management and operational costs with “set and forget” functionality
FortiGuard Labs Global Threat Intelligence

The FortiWeb Web Application Firewall achieved an overall block rate of 99.85% in the 2014 NSS Labs web application firewall test due to the intelligence delivered through the web application security, antivirus, and anti-botnet security services from FortiGuard Labs.

Credential Stuffing Defense

Attackers have easy access to millions of compromised user credentials from various sources on the dark net. Using these credentials in combination with simple botnets, they are able to initiate attacks that test the validity of username and password combinations on a website. If a credential is still active, the attacker is able to gain access to perform a variety of malicious activities including the theft of personal and payment information.

Fortinet’s Credential Stuffing Defense identifies login attempts using credentials that have been compromised using an always up-to-date feed of stolen credentials. Administrators can configure their supported devices to take various actions if a suspicious login is used including logging, alerts, and blocking.

FortiGuard Credential Stuffing Defense is available for use with the FortiWeb Web Application Firewall solutions.

FortiGuard Credential Stuffing Defense:

  • Identifies login attempts using stolen credentials from numerous sources
  • Customizable controls provide visibility and can block access
  • Always up-to-date with regular automatic downloads
  • Prevents unwanted access and defends against data breaches

FortiGuard Labs Global Threat Intelligence
Every day attackers compromise new targets and gather new credentials from unsuspecting users. FortiGuard Labs continuously updates its stolen credential database and provides regular subscription updates to users.

Fortiguard IP reputation
Specific actions can be applied based on client IP reputation categories

DoS Protection
Fortiweb provides comprehensive DoS Protection at network layer, transport layer as well as application layer.

  • TCP Flood Prevention
  • TCP Syn Flood Prevention
  • HTTP Flood Prevention
  • HTTP Access Limit
  • Malicious IP

Known Search Engine Exemption
IP-header Source IP addresses of known Search Engines are exempted from security scans. IP addresses of search engines are regularly updated from Fortiguard Server.

Real Browser Enforcement
When rate limit in these DoS sensors is reached or custom rule is matched, FortiWeb will send a test script to detect any bot. Legitimate users must validate within validation period.

Defacement Protection
Not all security breaches are for extortion or secretly stealing data. Some are just for website vandalism also known as website defacement.
Fortiweb has an anti-defacement feature. It keeps hashes of files in your web server directory. Periodically, Fortiweb connects to the server to see if the files have changed. If a change is detected, Fortiweb can email administrator and optionally revert the files to original copies.

Network can be put under monitoring to learn its behavior. From here, auto-learning will create an appropriate protection profile for your protecte web servers

SSL Offload
Heavy SSL encryption and decryption can be offloaded to Fortiweb to avoid heavy load on protected web servers

Input Sanitization
Inputs sent by clients are thoroughly inspected by Fortiweb through Parameter Validation , Field Policy, File Upload Restriction Policies

Access Control
Fortiweb performs access control by though Brute Force login, URL Access, Page Access, Allowed HTTP Method Policies

Authentication Offload
Authentication mechanisms can be offloaded to Fortiweb. It supports HTTP Basic Authentication, HTML Form Authentication, Client Certificate Authentication, SSO, Kerberos Delegation, 3rd party 2-FA and HTTP Basic Delegation to back-end servers

Caching and Compression
Fortiweb can optionally perform caching on HTTP Response Content from web protected server. This is to improve performance by avoiding re-requesting same content from protected web servers.
Fortiweb can also optionally compress HTTP Response Content to reduce its bandwidth consumption on WAN network

Fortiweb Service Bundles

Fortiweb Advanced Bundle
When you want the best in web application security protection, the Advanced bundle includes all the services in the Standard bundle, plus FortiCloud Sandbox and Credential Stuffing Defense.

Fortiweb Standard Bundle
Protection that provides the core services for protecting your web-based applications that includes Web Application Security, IP Reputation & Anti-botnet, and Antivirus.

Models and Specifications

FortiWeb web application firewall is available in many different form factors with many different models to choose from to meet your needs ranging from entry-level hardware appliances to sophisticated VM options that be incorporated into latest cloud environments.

Hardware Appliance

FortiWeb 100D

  • Throughput
  • 25 Mbps
  • Ports
  • 4x GE RJ45

FortiWeb 400D

  • Throughput
  • 100 Mbps
  • Ports
  • 4x GE RJ45,4x GE SFP

FortiWeb 600D

  • Throughput
  • 250 Mbps
  • Ports
  • 4x GE RJ45(2x Bypass),4x GE SFP

FortiWeb 1000D

  • Throughput
  • 1 Gbps
  • Ports
  • 2x GE SFP,6x GE RJ45(includes 4x Bypass)

FortiWeb 1000E

  • Throughput
  • 1.3 Gbps
  • Ports
  • 2x 10 GE SFP+, 2x GE RJ45, 4x GE RJ45 bypass, 4x GE SFP

FortiWeb 2000E

  • Throughput
  • 2.5 Gbps
  • Ports
  • 2x 10 GE SFP+, 4x GE RJ45 bypass, 4x GE SFP

FortiWeb 3000E

  • Throughput
  • 5 Gbps
  • Ports
  • 4x 10 GE SFP+, 8x GE RJ45 bypass, 4x GE SFP

FortiWeb 4000E

  • Throughput
  • 5 Gbps
  • Ports
  • 8x GE RJ45 bypass, 4x GE SFP ,2x 10G SFP+ bypass, 2x 10G SFP+
Virtual Machine

VMware, Microsoft Hyper-V, Citrix XenServer, Open Source Xen, KVM servers are supported.


  • Throughput
  • 25 Mbps
  • vCPU
  • 1


  • Throughput
  • 100 Mbps
  • vCPU
  • 2


  • Throughput
  • 500 Mbps
  • vCPU
  • 4


  • Throughput
  • 2 Gbps
  • vCPU
  • 8