Overview:
FortiWeb is a web application firewall (WAF) that protects web applications and APIs from attacks that target known and unknown exploits and helps maintain compliance with regulations.
Using machine learning to model each application, FortiWeb defends applications from known vulnerabilities and from zero-day threats. High-performance physical and virtual appliances and containers deploy on-site or in the public cloud to serve organizations of any size, from small businesses to service providers, carriers, and large enterprises.

Web Application Protection
Multi-layer protection against the OWASP Top 10 application attacks, including machine learning to defend against known and unknown attacks.

API Protection
Protect your APIs from malicious actors by automatically enforcing positive and negative security policies. Seamlessly integrate API security into your CI/CD pipeline.

Bot Mitigation
Protect websites, mobile applications, and APIs from automated attacks with advanced bot mitigation that accurately differentiates between good bot traffic and malicious bots. FortiWeb Bot Mitigation provides the visibility and control you need without slowing down your users with unnecessary captchas or challenges.

Key Benefits:
- Machine learning that detects and blocks threats while minimizing false positives
- Advanced Bot Mitigation effectively protects web assets without imposing friction on legitimate users
- Protection for APIs, including those used to support mobile applications
- Enhanced protection with Fortinet Security Fabric integration
- Visual analytics tools for advanced threat insights
- Third-party integration and virtual patching
Highlights:
Machine Learning Improves Detection and Drives Operational Efficiency
FortiWeb’s multi-layer approach provides two key benefits: superior threat detection and improved operational efficiency.
FortiWeb’s ability to detect anomalous behavior relative to the specific application being protected enables the solution to block unknown, never-before-seen exploits, providing your best protection against zero-day attacks targeting your application.

Comprehensive Web Application Security
Using an advanced multi-layered and correlated approach, FortiWeb provides complete security for your web-based applications from the OWASP Top 10 and many other threats.

API Protection
FortiWeb integrates out-of-the-box policies together with an automatically generated positive security model policy that is based on your organization’s schema specification (OpenAPI, XML and generic JSON are supported schemas) to protect against API exploits.

Bot Mitigation
FortiWeb protects against automated bots, web scrapers, crawlers, data harvesting, credential stuffing and other automated attacks to protect your web assets, mobile APIs, applications, users and sensitive data. Combining machine learning with policies such as threshold-based detection, bot deception and biometrics-based detection with superior good bot identification, FortiWeb is able to block malicious bot attacks while reducing friction on legitimate users.

Deep Integration into the Fortinet Security Fabric and Third-Party Scanners
FortiWeb’s integration with FortiGate and FortiSandbox extends basic WAF protections through synchronization and sharing of threat information to both deeply scan suspicious files and share infected internal sources. FortiWeb also provides integration with leading third-party vulnerability scanners including Acunetix, HP WebInspect, IBM AppScan, Qualys, ImmuniWeb and WhiteHat to provide dynamic virtual patches to security issues in application environments.

Solving the Challenge of False Threat Detections
FortiWeb’s AI-based machine learning addresses false positive and negative threat detections without the need to tediously manage whitelists and fine-tune threat detection policies. With near 100% accuracy, the dual-layer machine learning engines detect anomalies and then determine if they are threats, unlike other methods that block all anomalies regardless of their intent.

Advanced Graphical Analysis and Reporting
FortiWeb includes a suite of graphical analysis tools called FortiView. Similar to other Fortinet products such as FortiGate, FortiWeb gives administrators the ability to visualize and drill down into key elements of FortiWeb such as server/IP configurations, attack and traffic logs, attack maps, OWASP Top 10 attack categorization, and user activity.

Secured by FortiGuard
Fortinet’s award-winning FortiGuard Labs is the backbone for many of FortiWeb’s layers in its approach to application security. Offered as five separate options, you can choose the FortiGuard services you need to protect your web applications. FortiWeb IP address reputation service protects you from known attack sources like botnets, spammers, anonymous proxies, and sources known to be infected with malicious software.

VM and Public Cloud Options
FortiWeb provides maximum flexibility in supporting your virtual and hybrid environments. The virtual versions of FortiWeb support all the same features as our hardware-based devices and can be deployed in VMware, Microsoft Hyper-V, Citrix XenServer, Open Source Xen, VirtualBox, KVM, and Docker platforms. FortiWeb is also available for AWS, Azure, Google Cloud, and Oracle Cloud as a VM, and as WAF as a Service on AWS, Azure, and Google Cloud.

Specifications:
| | FortiWeb 1000E | FortiWeb 2000F | FortiWeb 3000F | FortiWeb 4000F |
|---|---|---|---|---|
| 10/100/1000 Interfaces (RJ45 ports) | 6 (4 bypass), 4x SFP GE (non-bypass) | 4GE (4 bypass), 4 SFP GE | 8GE (8 bypass) | 8GE (8 bypass) |
| 10G BASE-SR SFP+ Ports | 2 | 4 | 10 (2 bypass) | 10 (2 bypass) |
| 40G QSFP | - | - | - | 2 bypass |
| SSL/TLS Processing | Hardware | Hardware | Hardware | Hardware |
| USB Interfaces | 2 | 2 | 2 | 2 |
| Storage | 2x 1 TB | 2 x 480 GB SSD | 2 x 960 GB SSD | 2 x 960 GB SSD |
| Form Factor | 2U | 2U | 2U | 2U |
| Power Supply | Dual Hot Swappable | Dual Hot Swappable | Dual Hot Swappable | Dual Hot Swappable |
| System Performance | | | | |
| Throughput | 1.3 Gbps | 5 Gbps | 10 Gbps | 70 Gbps |
| Latency | <5ms | <5ms | <5ms | <5ms |
| High Availability | Active/Passive, Active/Active Clustering | Active/Passive, Active/Active Clustering | Active/Passive, Active/Active Clustering | Active/Passive, Active/Active Clustering |
| Application Licenses | Unlimited | Unlimited | Unlimited | Unlimited |
| Administrative Domains | 64 | 96 | 96 | 192 |
| Dimensions | | | | |
| Height x Width x Length (inches) | 3.46 x 16.93 x 19.73 | 3.5 x 17.2 x 20.8 | 3.5 x 17.5 x 22.6 | 3.5 x 17.5 x 22.6 |
| Height x Width x Length (mm) | 88 x 430 x 501.20 | 88 x 438 x 530 | 88 x 444 x 574 | 88 x 444 x 574 |
| Weight | 28 lbs (12.8 kg) | 33 lbs (15 kg) | 56.2 lbs (22.5 kg) | 56.2 lbs (22.5 kg) |
| Rack Mountable | Yes, with flanges | Yes | Yes | Yes |
| Environment | | | | |
| Power Required | 100–240V AC, 50–60 Hz | 100–240V AC, 60–50 Hz | 100–240V AC, 60–50 Hz | 100–240V AC, 60–50 Hz |
| Maximum Current | 100V/5A, 240V/3A | 120V/6A, 240V/3A | 120V/2.6A, 240V/1.3A | 120V/3A, 240V/1.5A |
| Power Consumption (Average) | 140 W | 200 W | 200 W | 248.5 W |
| Heat Dissipation | 471 BTU/h | 1433 BTU/h | 1045.5 BTU/h | 1219.8 BTU/h |
| Operating Temperature | 32–104°F (0–40°C) | 32–104°F (0–40°C) | 32–104°F (0–40°C) | 32–104°F (0–40°C) |
| Storage Temperature | -4–158°F (-20–70°C) | -4–158°F (-20–70°C) | -4–158°F (-20–70°C) | -4–158°F (-20–70°C) |
| Humidity | 5–90% non-condensing | 5–90% non-condensing | 5–90% non-condensing | 5–90% non-condensing |
| Compliance | | | | |
| Safety Certifications | FCC Class A Part 15, RCM, VCCI, CE, UL/CB/cUL | FCC Class A Part 15, RCM, VCCI, CE, UL/CB/cUL | FCC Class A Part 15, RCM, VCCI, CE, UL/CB/cUL | FCC Class A Part 15, RCM, VCCI, CE, UL/CB/cUL |

Actual performance values may vary depending on the network traffic and system configuration. Performance metrics were observed using a Dell PowerEdge R710 server (2x Intel Xeon E5504 2.0 GHz 4 MB Cache) running VMware ESXi 5.5 with 4 GB of vRAM assigned to the 4 vCPU and 8 vCPU FortiWeb Virtual Appliance and 4 GB of vRAM assigned to the 2 vCPU FortiWeb Virtual Appliance.
All performance values are “up to” and vary depending on the system configuration.