SoraYazılım
Custom software solutions from Türkiye

FortiWeb (WAF)

Machine-learning WAF for web application and API security.

Quick answer

FortiWeb is Fortinet's ML-driven Web Application Firewall (WAF) that protects web applications against the OWASP Top 10, bots, API abuse and DDoS. It runs as a hardware appliance, virtual machine, container or SaaS.

FortiWeb is a WAF that combines positive security (allow-list) and negative security (block-list) modes for web applications and APIs.

Its machine-learning module learns the application's normal traffic; OWASP signatures, anomaly detection and ML correlation together keep the false-positive rate below that of competing products.

For API protection it includes OpenAPI/Swagger schema validation, GraphQL protection, rate limiting and API discovery.

Key features

What it offers

  • ML-based anomaly detection
  • Bot mitigation and API protection
  • Schema-based API validation
  • Hardware, virtual, container and SaaS
  • Unified reporting with FortiAnalyzer
  • OWASP Top 10 + zero-day protection
  • Layer 7 DDoS mitigation
  • TLS termination

Tech Summary

Important technical data

Form factor: FortiWeb 100E → 4000F hardware, VM, container, SaaS
Performance: 100 Mbps → 100 Gbps models
TLS: TLS 1.3 termination + offload
API: REST, GraphQL, OpenAPI
Management: FortiWeb Manager (multi-device)
Licensing: Hardware + FortiGuard WAF + IP reputation

Use Cases

When would you choose this product?

E-commerce

Public e-commerce site protection

A major Turkish e-commerce platform uses FortiWeb 600F pairs to block OWASP Top 10, bot and credential stuffing attacks.

Banking

WAF in front of online banking

A bank places FortiWeb in front of its online banking app for PCI-DSS compliance — two active-passive clusters.

Government

e-Government service protection

A government organization protects an e-government service with FortiWeb; resilient to DDoS and bot traffic.

SaaS

API gateway protection

A SaaS firm protects its GraphQL API with FortiWeb; schema validation and rate limits apply automatically.

Who is it for?

Organizations publishing public-facing web applications and APIs, and those requiring PCI-DSS compliance.

Frequently Asked Questions

How does FortiGate UTM differ from FortiWeb?
FortiGate UTM provides basic application control; it is not a full WAF. FortiWeb adds OWASP signature depth, ML anomaly detection, API protection and bot mitigation. For public-facing, mission-critical web services, FortiWeb is required.
Cloud WAF (FortiWeb Cloud) vs on-prem?
Cloud WAF: fast deployment, pay-as-you-go, works like a CDN. On-prem: full control, in your own data center. Organizations with KVKK (Turkish personal data protection law) sensitivities typically prefer on-prem.
Is OWASP Top 10 protection guaranteed?
FortiWeb covers all OWASP Top 10 (2021) items. However, no WAF gives a 100% guarantee; defense in depth with secure application code is still essential.
How are false positives reduced?
FortiWeb's ML module observes traffic for 1–2 weeks in learning mode, builds an anomaly profile, then in enforcement mode keeps false positives below 1%.
What does bot mitigation do?
It distinguishes humans from bots; separates good bots (Google crawlers) from bad ones (scraping, credential stuffing). Uses JavaScript challenge, CAPTCHA, rate limiting and fingerprinting.
How does API discovery work?
FortiWeb analyzes traffic to discover undocumented endpoints and reports them, minimizing shadow-API risk. Once an OpenAPI schema is loaded, calls that do not match the schema are blocked.
Where should TLS termination happen?
Either at FortiWeb, or at the backend with FortiWeb in passthrough mode. Termination at FortiWeb is the most secure mode, since all traffic is decrypted and inspected before it reaches the application; in passthrough mode the encrypted payload cannot be inspected.
How strong is DDoS protection?
Layer 7 (HTTP/HTTPS) DDoS protection is adequate: rate limiting, JavaScript challenge and IP reputation. For volumetric (Layer 3/4) DDoS, scrubbing services such as Cloudflare or Arbor are recommended.
Is container/Kubernetes support available?
Yes. FortiWeb Container Edition runs as a sidecar or ingress controller in K8s pods. Helm charts are provided.
How does FortiAnalyzer integration work?
FortiWeb sends all WAF events and attack logs to FortiAnalyzer over syslog; PCI-DSS reports, attack maps and top-vulnerability views are produced there.
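To make the positive-security (allow-list) model and the API discovery answer above concrete, here is an added example, not FortiWeb's code or configuration: a small validator that treats a constructed OpenAPI fragment as the allow-list, denies any path, method or parameter the schema does not declare, and reports endpoints seen in traffic that are missing from the schema. The spec, parameter names and sample requests are all constructed for illustration.

```python
import re

# Constructed OpenAPI 3 fragment used as the allow-list (not a FortiWeb artifact).
SPEC = {"paths": {
    "/users/{id}": {"get": {"parameters": [
        {"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}},
        {"name": "fields", "in": "query", "required": False, "schema": {"type": "string"}}]}},
    "/orders": {"post": {"parameters": [
        {"name": "idempotency_key", "in": "query", "required": True,
         "schema": {"type": "string", "pattern": r"^[A-Za-z0-9-]{8,64}$"}}]}}}}

SAMPLE_TRAFFIC = [  # constructed requests (method, path, query), not captured traffic
    ("GET", "/users/42", {}), ("GET", "/users/abc", {}), ("DELETE", "/users/42", {}),
    ("POST", "/orders", {"idempotency_key": "order-2024-0001"}), ("POST", "/orders", {}),
    ("GET", "/admin/export", {}), ("GET", "/users/42", {"debug": "1"})]

def _value_ok(value, schema):
    # Minimal enforcement of the schema keywords this example uses: type and pattern
    if schema.get("type") == "integer":
        return value.lstrip("-").isdigit()
    return "pattern" not in schema or re.fullmatch(schema["pattern"], value) is not None

def validate_request(spec, method, path, query):
    """Positive-security check returning (allowed, reason): anything not declared is denied."""
    for template, ops in spec["paths"].items():
        # Turn "/users/{id}" into ^/users/(?P<id>[^/]+)$ so path parameters are captured
        m = re.fullmatch(re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template), path)
        if not m:
            continue
        op = ops.get(method.lower())
        if op is None:
            return False, f"method {method} not defined for {template}"
        params = {p["name"]: p for p in op.get("parameters", [])}
        for name, p in params.items():
            source = m.groupdict() if p["in"] == "path" else query
            if name not in source:
                if p.get("required"):
                    return False, f"missing required {p['in']} parameter {name}"
            elif not _value_ok(source[name], p["schema"]):
                return False, f"parameter {name} violates schema"
        undeclared = set(query) - {n for n, p in params.items() if p["in"] == "query"}
        if undeclared:
            return False, f"undeclared query parameter(s): {sorted(undeclared)}"
        return True, "ok"
    return False, "path not in schema (possible shadow API)"

def discover_unknown(spec, traffic):
    """Learning-mode style report: (METHOD, path) pairs seen in traffic but absent from the schema."""
    return sorted({(m.upper(), p) for m, p, q in traffic
                   if validate_request(spec, m, p, q)[1].startswith("path not in schema")})
```

Running `validate_request(SPEC, *req)` over `SAMPLE_TRAFFIC` shows only the two schema-conformant requests allowed, while `discover_unknown` surfaces `/admin/export` as a candidate shadow endpoint to add to the schema or block.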
Related Services

Services we deliver alongside this product

FortiWeb (WAF) licensing + deployment + support

Sora Yazılım handles licensing, deployment, training and ongoing management — all from a single team.