
Defending Layer 7 with FortiWeb, Fortinet’s Web Application Firewall

As more web apps and APIs come online, attacks against them continue to escalate. Fronting applications with web application firewalls (WAFs) to add a further security layer can be a necessity for security-conscious organizations. FortiWeb is Fortinet’s WAF; it is available both as a service and for on-premises deployment, and it aims to protect web apps and APIs alike.

FortiWeb, a key component of Fortinet’s Security Fabric, spans application, network, and security for “consistent cross-platform, cross-cloud security.”

Web Apps (and APIs) in Need of Securing

Organizations deploy applications and workloads across various platforms, including the public cloud, private cloud, Software-as-a-Service (SaaS), and on-premises. Even before the pandemic and the surge of remote work, publicly accessible workloads and applications had become the norm. As much as internet-facing applications and workloads drive innovation and collaboration, they also enlarge an organization’s digital attack surface, exposing vulnerabilities that could lead to a compromise of assets.

It’s not only web apps that need to be secured. Watch any Tech Field Day presentation and you’ll see Application Programming Interfaces (APIs) abound. Because APIs often let users make calls and pass input programmatically, API access increases the likelihood of input-validation and buffer-overflow attacks. Moreover, APIs typically expose a more advanced feature set than traditional applications. The importance that businesses place on their line-of-business apps and APIs, coupled with the frequency of security breaches, demands integrated security that spans the whole software development life cycle.

Protect Internet-accessible Web Apps and APIs with FortiWeb

At Cloud Field Day 8, Fortinet showcased FortiWeb, a Web Application Firewall (WAF) that is a key part of Fortinet’s Security Fabric. The prevalence of internet-accessible apps and workloads has dissolved the notion of a clear perimeter that traditional firewalls used to protect. FortiWeb seeks to address this challenge by adding another layer of security for web applications and APIs.

Customers can deploy FortiWeb as a virtual machine or consume it as a service using FortiWeb Cloud in AWS, Azure, or GCP. FortiWeb is a key part of how Fortinet applies application security, and it is the product with which Fortinet aims to help customers defend their applications and APIs.

Fronting the First Line of Defense for Web Apps and APIs

FortiWeb provides another layer of protection by sitting in front of the protected web applications and APIs. In addition, this WAF can redirect requests for unsecured, exposed HTTP endpoints to SSL/TLS. Most WAFs monitor and mitigate the vulnerabilities listed in the OWASP Top 10 security risks. FortiWeb, however, goes beyond these capabilities with many features, including an AI-powered detection engine that minimizes the noise from false-positive alerts.

FortiWeb also runs an API gateway that not only helps manage authentication and authorization but also obscures the internal API structure using API rewrites and custom responses. To protect against input threats, FortiWeb’s API gateway runs schema validation against every invoked call and logs those events. In addition, the API gateway can enforce API rate limits that help ensure requests don’t overwhelm the API. These features not only add to an API’s security but can also increase its reliability.
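As an added illustration (not Fortinet’s code and not how FortiWeb is implemented), the following Python sketch shows the two API-gateway controls just described, schema validation with logging of violations and a per-client rate limit, applied to constructed requests for a hypothetical /orders endpoint:

```python
import json
from collections import defaultdict, deque

# Schema for a hypothetical /orders endpoint (constructed): field -> (type, required).
ORDER_SCHEMA = {"sku": (str, True), "qty": (int, True), "note": (str, False)}

class ApiGateway:
    def __init__(self, schema, limit=3, window=60.0):
        self.schema, self.limit, self.window = schema, limit, window
        self.hits = defaultdict(deque)  # client -> timestamps of recent calls
        self.log = []                   # rejection events to forward to the SIEM

    def validate(self, body):
        """Return the list of schema violations; an empty list means valid."""
        if not isinstance(body, dict):
            return ["body must be a JSON object"]
        errors = []
        for field, (ftype, required) in self.schema.items():
            if field not in body and required:
                errors.append(f"missing required field '{field}'")
            elif field in body and type(body[field]) is not ftype:  # bool != int here
                errors.append(f"field '{field}' must be {ftype.__name__}")
        errors += [f"unexpected field '{f}'" for f in body if f not in self.schema]
        return errors

    def under_limit(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:  # sliding window: drop stale timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)  # every call counts toward the limit, accepted or not
        return True

    def handle(self, client, raw_body, now):
        """Return 'forward' to pass the call to the API, else the rejection reason."""
        if not self.under_limit(client, now):
            return self._reject(client, "rate_limited")
        try:
            body = json.loads(raw_body)
        except json.JSONDecodeError:
            return self._reject(client, "malformed_json")
        errors = self.validate(body)
        if errors:
            return self._reject(client, "schema_violation", errors)
        return "forward"

    def _reject(self, client, reason, detail=None):
        self.log.append({"client": client, "event": reason, "detail": detail})
        return reason
```

Real gateways validate against OpenAPI or JSON Schema documents and track clients by more than a single key, but the ordering shown (count the call, then parse, then validate, logging every rejection) is the same defensive shape.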

Consumers aren’t the only users of web apps and APIs. Businesses increasingly run their line-of-business apps on the internet. Security cannot be left to perimeter-based firewalls or bolted on at the end. There is considerable value in “consistent cross-platform, cross-cloud security” solutions like Fortinet’s FortiWeb. FortiWeb is only one of Fortinet’s offerings in a broad security fabric that spans application, platform, and network security.

To learn more about FortiWeb and the other Fortinet offerings that make up the Fortinet Security Fabric, check out their presentations from Cloud Field Day 8.

About the author

Gestalt IT Staff

Gestalt IT Staff posts are a collective effort, providing the best analysis and commentary from leaders in the fields of virtualization, networking, storage, and desktop engineering.
