Overview:
Web Application and API Protection
FortiWeb is a web application firewall (WAF) that protects web applications and APIs from attacks that target known and unknown exploits and helps maintain compliance with regulations.
Using machine learning to model each application, FortiWeb defends applications from known vulnerabilities and from zero-day threats. High-performance physical appliances, virtual appliances and containers deploy on-site or in the public cloud to serve organizations of any size, from small businesses to service providers, carriers, and large enterprises.
Web Application Protection
Multi-layer protection against the OWASP Top 10 application attacks, including machine learning to defend against known and unknown attacks.
API Protection
Protect your APIs from malicious actors by automatically enforcing positive and negative security policies. Seamlessly integrate API security into your CI/CD pipeline.
Bot Mitigation
Protect websites, mobile applications, and APIs from automated attacks with advanced bot mitigation that accurately differentiates between good bot traffic and malicious bots. FortiWeb Bot Mitigation provides the visibility and control you need without slowing down your users with unnecessary CAPTCHAs or challenges.
Highlights:
- Machine learning that detects and blocks threats while minimizing false positives
- Advanced Bot Mitigation that effectively protects web assets without imposing friction on legitimate users
- Protection for APIs, including those used to support mobile applications
- Enhanced protection with Fortinet Security Fabric integration
- Visual analytics tools for advanced threat insights
- Third-party integration and virtual patching
- FortiCare Worldwide 24/7 Support
- FortiGuard Security Services
Comprehensive Web Application Security
Using an advanced multi-layered and correlated approach, FortiWeb provides complete security for your web-based applications from the OWASP Top 10 and many other threats. FortiWeb’s first layer of defense uses traditional WAF detection engines (e.g. attack signatures, IP address reputation, protocol validation, and more) to identify and block malicious traffic, powered by intelligence from Fortinet’s industry-leading security research at FortiGuard Labs. FortiWeb’s machine learning detection engine then examines traffic that passes this first layer, using a continuously updated model of your application to identify malicious anomalies and block them as well.
API Protection
Fueling the digital transformation, APIs have become increasingly popular, providing the backbone for mobile applications, automated business-to-business operations and ease of management across applications. However, with their popularity they also increase the attack surface with additional exposed application surfaces that organizations must secure. Fortinet’s FortiWeb web application firewall provides the right tools to address threats to APIs.
FortiWeb integrates out-of-the-box policies together with an automatically generated positive security model policy that is based on your organization’s schema specification (OpenAPI, XML and generic JSON are supported schemas) to protect against API exploits. FortiWeb schema validation can be integrated into the CI/CD pipeline, automatically generating an updated positive security model policy once the API is updated.
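To illustrate what a positive security model derived from a schema enforces, here is an added Python sketch (not FortiWeb code or configuration): it derives allow-rules from a constructed OpenAPI-style fragment for a hypothetical orders API and reports every way a request departs from it, so that only the methods, paths, fields, types and ranges the schema names are accepted.

```python
# Constructed OpenAPI-style fragment for a hypothetical orders API (sample input,
# not a FortiWeb artifact): one path, one method, a strict request body schema.
OPENAPI_SPEC = {"paths": {"/orders": {"post": {"requestBody": {
    "type": "object",
    "required": ["sku", "qty"],
    "additionalProperties": False,
    "properties": {
        "sku": {"type": "string", "maxLength": 16},
        "qty": {"type": "integer", "minimum": 1, "maximum": 100},
    },
}}}}}

PY_TYPES = {"string": str, "integer": int, "object": dict}


def _validate(value, schema, where):
    """Check value against a schema node; return a list of violations (empty = ok)."""
    expected = PY_TYPES[schema["type"]]
    # bool is a subclass of int in Python, but JSON true/false is not an integer.
    if not isinstance(value, expected) or isinstance(value, bool):
        return [f"{where}: expected {schema['type']}"]
    out = []
    if expected is str and len(value) > schema.get("maxLength", len(value)):
        out.append(f"{where}: longer than {schema['maxLength']} chars")
    if expected is int and not schema.get("minimum", value) <= value <= schema.get("maximum", value):
        out.append(f"{where}: out of range")
    if expected is dict:
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                out.append(f"{where}.{name}: required field missing")
        for name, item in value.items():
            if name in props:
                out.extend(_validate(item, props[name], f"{where}.{name}"))
            elif not schema.get("additionalProperties", True):
                # Positive model: a field the schema never mentions is rejected.
                out.append(f"{where}.{name}: field not in schema")
    return out


def check_request(method, path, body, spec=OPENAPI_SPEC):
    """Enforce the positive model: anything the schema does not describe is a violation."""
    op = spec["paths"].get(path, {}).get(method.lower())
    if op is None:
        return [f"{method} {path}: not described by the schema"]
    return _validate(body, op["requestBody"], "body")


if __name__ == "__main__":
    print(check_request("POST", "/orders", {"sku": "ABC-123", "qty": 2}))  # -> []
```

Regenerating OPENAPI_SPEC from the current API definition in the pipeline, as the text describes, is what keeps the allow-list in step with the application.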
Machine Learning Improves Detection and Drives Operational Efficiency
FortiWeb’s multi-layer approach provides two key benefits: superior threat detection and improved operational efficiency. FortiWeb’s ability to detect anomalous behavior relative to the specific application being protected enables the solution to block unknown, never-before-seen exploits, providing your best protection against zero-day attacks targeting your application.
Operationally, FortiWeb machine learning relieves you of time-consuming tasks such as remediating false positives or manually tuning WAF rules. FortiWeb continually updates the model as your application evolves, so there is no need to manually update rules every time you update your application.
FortiWeb enables you to get your code into production faster, eliminating the need for time-consuming manual WAF rule tuning and troubleshooting of the false positives that plague less advanced WAFs.
Bot Mitigation
FortiWeb protects against automated bots, web scrapers, crawlers, data harvesting, credential stuffing and other automated attacks to protect your web assets, mobile APIs, applications, users and sensitive data. Combining machine learning with policies such as threshold-based detection, bot deception and biometrics-based detection, together with superior good-bot identification, FortiWeb is able to block malicious bot attacks while reducing friction on legitimate users. With advanced tracking techniques FortiWeb can differentiate between humans, automated requests and repeat offenders, track behavior over time to better distinguish humans from bots, and enforce CAPTCHA challenges when required. Together with FortiView, FortiWeb’s graphical analysis dashboard, organizations can quickly identify attacks and differentiate them from good bots and legitimate users.
FortiWeb’s machine learning accurately detects anomalies and identifies which are threats. Unlike prevailing auto-learning detection models used by other WAF vendors that treat every anomaly as a threat, FortiWeb’s precision nearly eliminates false positive detections and catches attack types that others cannot.
Deep Integration into the Fortinet Security Fabric and Third-Party Scanners
As the threat landscape evolves, many new threats require a multi-pronged approach for protecting web-based applications. Advanced Persistent Threats that target users can take many more forms than traditional single-vector attacks and can evade protections offered only by a single device. FortiWeb’s integration with FortiGate and FortiSandbox extends basic WAF protections through synchronization and sharing of threat information, both to deeply scan suspicious files and to share infected internal sources.
FortiWeb also provides integration with leading third-party vulnerability scanners including Acunetix, HP WebInspect, IBM AppScan, Qualys, ImmuniWeb and WhiteHat to provide dynamic virtual patches for security issues in application environments. Vulnerabilities found by the scanner are quickly and automatically turned into security rules by FortiWeb to protect the application until developers can address them in the application code.
Solving the Challenge of False Threat Detections
False positive threat detections can be very disruptive and force many administrators to loosen security rules on their web application firewalls to the point where many often become a monitoring tool rather than a trusted threat avoidance platform. The installation of a WAF may take only minutes; however, fine-tuning can take days, or even weeks. Even after setup, a WAF can require regular checkups and tweaks as applications and the environment change.
FortiWeb’s AI-based machine learning addresses false positive and false negative threat detections without the need to tediously manage whitelists and fine-tune threat detection policies. With near 100% accuracy, the dual-layer machine learning engines detect anomalies and then determine whether they are threats, unlike other methods that block all anomalies regardless of their intent. When combined with other tools, including user tracking, session tracking, and threat weighting, FortiWeb virtually eliminates all false detection scenarios.
Advanced Graphical Analysis and Reporting
FortiWeb includes a suite of graphical analysis tools called FortiView. Similar to other Fortinet products such as FortiGate, FortiWeb gives administrators the ability to visualize and drill down into key elements of FortiWeb such as server/IP configurations, attack and traffic logs, attack maps, OWASP Top 10 attack categorization, and user activity. FortiView for FortiWeb lets administrators quickly identify suspicious activity in real time and address critical use cases such as origin of threats, common violations, and client/device risks.
Secured by FortiGuard
Fortinet’s award-winning FortiGuard Labs is the backbone for many of FortiWeb’s layers in its approach to application security. Offered as five separate options, the FortiGuard services let you choose the ones you need to protect your web applications. The FortiWeb IP address reputation service protects you from known attack sources like botnets, spammers, anonymous proxies, and sources known to be infected with malicious software.
FortiWeb Security Service is designed just for FortiWeb, including items such as application layer signatures, machine learning threat models, malicious robots, suspicious URL patterns, and web vulnerability scanner updates. Credential Stuffing Defense checks login attempts against FortiGuard’s list of compromised credentials and can take actions ranging from alerts to blocking logins from suspected stolen user IDs and passwords. The FortiWeb Cloud Sandbox subscription enables FortiWeb to integrate with Fortinet’s cloud-sandbox service. Finally, FortiWeb offers FortiGuard’s top-rated antivirus engine, which scans all file uploads for threats that can infect your servers or other network elements.
VM and Public Cloud Options
FortiWeb provides maximum flexibility in supporting your virtual and hybrid environments. The virtual versions of FortiWeb support all the same features as our hardware-based devices and can be deployed on VMware, Microsoft Hyper-V, Citrix XenServer, Open Source Xen, VirtualBox, KVM, and Docker platforms. FortiWeb is also available for AWS, Azure, Google Cloud, and Oracle Cloud as a VM, and as WAF as a Service on AWS, Azure, and Google Cloud. For more information, see Fortiweb-Cloud.com.
Central Management and Reporting
FortiWeb offers the tools you need to manage multiple appliances and gain valuable insights on attacks that target your applications. From within a single management console you can configure and manage multiple FortiWeb gateways using our VMware-based central management utility. If you need an aggregated view of attacks across your network, FortiWeb easily integrates with our FortiAnalyzer reporting appliances for centralized logging and report consolidation from multiple FortiWeb devices.