
DATA SHEET

FortiWeb™
Web Application Firewall

FortiWeb 100D, 400C, 1000D, 3000E, 4000E and VM
Web Application Firewalls

Web Applications are an Easy Target
Although Payment Card Industry Data Security Standards (PCI DSS) compliance is the main reason most organizations deploy Web Application Firewalls (WAFs), many now realize that unprotected web applications are the easiest point of entry for even unsophisticated hackers. Externally-facing web applications are vulnerable to attacks such as cross site scripting, SQL injection, and Layer 7 Denial of Service (DoS). Internal web applications are even easier to compromise if an attacker is able to gain access to an internal network where many organizations think they’re protected by their perimeter network defenses. Custom code is usually the weakest link as development teams have the impossible task of staying on top of every new attack type. However, even commercial code is vulnerable as many organizations don’t have the resources to apply patches and security fixes as soon as they’re made available. Even if you apply every patch and have an army of developers to protect your systems, zero-day attacks can leave you defenseless and only able to respond after the attack has occurred.

Comprehensive Web Application Security with FortiWeb
Using an advanced multi-layered and correlated approach, FortiWeb provides complete security for your external and internal web-based applications from the OWASP Top 10 and many other threats. Using IP Reputation services, botnets and other malicious sources are automatically screened out before they can do any damage. DoS detection and prevention keeps your applications safe from being overloaded by Layer 7 DoS attacks. FortiWeb checks that the request hasn’t been manipulated using HTTP RFC validation. Requests are checked against FortiWeb’s signatures to compare them against known attack types to make sure they’re clean. Any files, attachments or code are scrubbed with FortiWeb’s built-in antivirus and antimalware services. FortiWeb’s auto-learning behavioral detection engine reviews all requests that have passed the tests for known attacks. If the request is outside of user or automatic parameters, the request is blocked. Lastly, FortiWeb provides a correlation engine where multiple events from different security layers are correlated to make a more accurate decision and help protect against the most sophisticated attacks. This combination provides near-100% protection from any web application attack, including zero-day threats that signature file-based systems can’t detect.

Industry-Leading Web Application Firewall Performance
• High-performance with up to 20 Gbps of throughput
• Included vulnerability scanner
• Included Layer 7 server load balancing
• Behavioral attack detection
• FortiGuard IP Reputation, Attack Signatures, and Antivirus
• Correlated, multi-layer threat scanning
• Simplified deployment with FortiGate Integration
• Polling of FortiGate Quarantined IP addresses
• Integration with FortiSandbox for APT detection
• Transparent user validation for botnet protection
• Out-of-the-box protection against automated attacks
• Network and application layer DoS protection
• Authentication, site publishing and SSO

FortiCare Worldwide 24x7 Support: support.fortinet.com
FortiGuard Security Services: www.fortiguard.com

HIGHLIGHTS

[Figure: FortiWeb's correlated protection layers between attacks/threats and the application. Botnets, malicious hosts, anonymous proxies, DDoS sources: IP Reputation. Application-level DDoS attacks: DDoS Protection. Improper HTTP RFC: Protocol Validation. Known application attack types: Attack Signatures. Viruses, malware, loss of data: Antivirus / DLP. APT detection: FortiSandbox Integration. Scanners, crawlers, scrapers: Advanced Protection. Unknown application attacks: Behavioral Validation.]

Included Vulnerability Scanning
Only FortiWeb includes a web application vulnerability scanner in every appliance at no extra cost to help you meet PCI DSS compliance. FortiWeb’s vulnerability scanning dives deep into all application elements and provides in-depth results of potential weaknesses in your applications. Vulnerability scanning is always up-to-date with regular updates from FortiGuard Labs.

Deep Integration with FortiGate and FortiSandbox
As the threat landscape evolves, many new threats require a multi-pronged approach for protecting web-based applications. Advanced Persistent Threats that target users can take many forms that differ from traditional single-vector attack types and can evade protections offered only by a single device. FortiWeb’s integration with FortiGate and FortiSandbox extends basic WAF protections through synchronization and sharing of threat information to both deeply scan suspicious files and share information about infected internal sources.

FortiWeb is one of many Fortinet products that provide integration with our FortiSandbox advanced threat detection platform. FortiWeb can be configured with FortiSandbox to share threat information and block threats as they’re discovered in the sandboxing environment. Files uploaded to web servers can be sent to FortiSandbox for analysis. Alerts are sent immediately when malicious files are identified and future similar files are blocked immediately.

Integration with FortiGate enables the sharing of quarantined IP addresses detected and maintained on the FortiGate firewall. Through regular polling of the FortiGate, FortiWeb is up-to-date with the latest list of internal sources that have or are suspected of being infected and blocks traffic from these devices to keep them from doing more damage.

Additionally, FortiGate users can now simplify the deployment of FortiWeb in a Fortinet-based network. Using the WCCP protocol, a FortiGate can be configured to direct HTTP traffic for inspection to a FortiWeb without having to manually configure routers or DNS services. Users can set up custom rules to route specific traffic using comprehensive granular forwarding policies.

[Figure: FortiGate (WAF on) and FortiWeb linked by WCCP, with labels External, LAN, Server, HTTP Traffic and Quarantined IPs.]
FortiWeb seamlessly integrates with FortiGate to pass HTTP traffic for inspection and shares Quarantined IP information.

Advanced False Positive Mitigation Tools
False positive detections can be very disruptive if a web application firewall isn’t configured correctly. Although the installation of a WAF may only take minutes, fine tuning it to minimize false positives can take days or even weeks, plus there are the regular ongoing adjustments for application and environment changes. FortiWeb combats this problem with many sophisticated tools including alert tuning, white lists, automatic learning exceptions, correlated threat detection, and advanced code-based syntax analysis.

Secured by FortiGuard
Fortinet’s Award-winning FortiGuard Labs is the backbone for many of FortiWeb’s layers in its approach to application security. Offered as 3 separate options, you can choose the FortiGuard services you need to protect your web applications. FortiWeb IP Reputation service protects you from known attack sources like botnets, spammers, anonymous proxies, and sources known to be infected with malicious software. FortiWeb Security Service is designed just for FortiWeb including items such as application layer signatures, malicious robots, suspicious URL patterns and web vulnerability scanner updates. Finally, FortiWeb offers FortiGuard’s top-rated antivirus engine that scans all file uploads for threats that can infect your servers or other network elements.

Virtual Patching
FortiWeb provides integration with leading third-party vulnerability scanners including Acunetix, HP WebInspect, IBM AppScan and WhiteHat to provide dynamic virtual patches to security issues in application environments. Vulnerabilities found by the scanner are quickly and automatically turned into security rules by FortiWeb to protect the application until developers can address them in the application code.

Blazing Fast SSL Offloading
FortiWeb is able to process up to tens of thousands of web transactions by providing hardware accelerated SSL offloading in most models. With near real-time decryption and encryption using ASIC-based chipsets, FortiWeb can easily detect threats that target secure applications.

Web Application Delivery and Authentication
FortiWeb provides advanced Layer 7 load balancing and authentication offload services. FortiWeb can easily expand your applications across multiple servers using intelligent, application-aware Layer 7 load balancing and can be combined with SSL offloading for load balancing secure application traffic. Using HTTP compression, FortiWeb can also improve bandwidth utilization and user response times for content-rich applications. Authentication offloading integrates with many authentication services including LDAP, NTLM, Kerberos and RADIUS with 2-factor authentication for RADIUS and RSA SecurID. Using these authentication services, you can easily publish websites and use Single Sign On (SSO) for any web application including Microsoft applications such as Outlook Web Access and SharePoint. Finally, FortiWeb can improve application response times by caching often-used content to serve it to users faster than having to request the same information each time it is needed.

VM and Cloud Options
FortiWeb provides maximum flexibility in supporting your virtual and hybrid environments. The virtual versions of FortiWeb support all the same features as our hardware-based devices and work with all the top hypervisors including VMware, Microsoft Hyper-V, Citrix XenServer, Open Source Xen and KVM. FortiWeb is also available for Amazon Web Services and Microsoft Azure.

Central Management and Reporting
FortiWeb offers the tools you need to manage multiple appliances and gain valuable insights on attacks that target your applications. From within a single management console you can configure and manage multiple FortiWeb gateways using our VMware-based central management utility. If you need an aggregated view of attacks across your network, FortiWeb easily integrates into our FortiAnalyzer reporting appliances for centralized logging and report consolidation from multiple FortiWeb devices.


FEATURES

Deployment options
• Reverse Proxy
• Inline Transparent
• True Transparent Proxy
• Offline Sniffing
• WCCP

Web Security
• Automatic profiling (white list)
• Web server and application signatures (black list)
• IP Reputation
• IP Geolocation
• HTTP RFC compliance

Application Attack Protection
• OWASP Top 10
• Cross Site Scripting
• SQL Injection
• Cross Site Request Forgery
• Built-in Vulnerability Scanner
• Third-party scanner integration (virtual patching)

Security Services
• Web services signatures
• XML protocol conformance
• Malware detection
• Virtual patching
• Protocol validation
• Brute force protection
• Cookie poisoning protection
• Custom error message and error code handling
• Operating system intrusion signatures
• Known threat and zero-day attack protection
• DoS prevention
• Advanced correlation protection using multiple security elements
• Data leak prevention
• Web Defacement Protection

Application Delivery
• Layer 7 server load balancing
• URL Rewriting
• Content Routing
• HTTPS/SSL Offloading
• HTTP Compression
• Caching

Authentication
• Active and passive authentication
• Site Publishing and SSO
• RSA Access for 2-factor authentication
• LDAP and RADIUS support
• SSL client certificate support

Management and Reporting
• Web user interface
• Command line interface
• Central management for multiple devices
• REST API
• Centralized logging and reporting
• Real-time dashboards
• Bot dashboard
• Geo IP Analytics
• SNMP, Syslog and email Logging/Monitoring
• Administrative Domains with full RBAC

Other
• IPv6 Ready
• HSM Integration
• High Availability with Config-sync for syncing across multiple active appliances
• Auto setup and default configuration settings for simplified deployment
• Setup Wizards for common applications and databases
• Preconfigured for common Microsoft applications; Exchange, SharePoint, OWA
• Predefined security policies for Drupal and Wordpress applications


SPECIFICATIONS

| | FortiWeb 100D | FortiWeb 400C | FortiWeb 1000D | FortiWeb 3000E | FortiWeb 4000E |
| --- | --- | --- | --- | --- | --- |
| Hardware | | | | | |
| 10/100/1000 Interfaces (RJ-45 ports) | 4 | 4 | 6 (4 bypass), 2x SFP GE (non-bypass) | 8 bypass, 4 SFP GE (non-bypass) | 8 bypass, 4 SFP GE (non-bypass) |
| 10G BASE-SR SFP+ Ports | 0 | 0 | 0 | 4 | 4 |
| USB Interfaces | 2 | 1 | 2 | 2 | 2 |
| Storage | 16 GB | 1 TB | 2x 2 TB | 2x 2 TB | 2x 2 TB |
| Form Factor | Desktop | 1U | 2U | 2U | 2U |
| Power Supply | Single | Single | Dual Hot Swappable | Dual Hot Swappable | Dual Hot Swappable |
| System Performance | | | | | |
| Throughput | 25 Mbps | 100 Mbps | 1 Gbps | 5 Gbps | 20 Gbps |
| Latency | Sub-ms | Sub-ms | Sub-ms | Sub-ms | Sub-ms |
| Application Licenses | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited |
| Administrative Domains | 0 | 32 | 64 | 64 | 64 |
| Dimensions | | | | | |
| Height x Width x Length (inches) | 1.61 x 8.27 x 5.24 | 1.7 x 17.1 x 14.3 | 3.50 x 17.24 x 14.49 | 3.5 x 17.5 x 22.6 | 3.5 x 17.5 x 22.6 |
| Height x Width x Length (mm) | 41 x 210 x 133 | 44 x 435 x 364 | 88 x 438 x 368 | 88 x 444 x 574 | 88 x 444 x 574 |
| Weight | 2.3 lbs (1.1 kg) | 14.15 lbs (6.42 kg) | 27.6 lbs (12.5 kg) | 56.2 lbs (22.5 kg) | 56.2 lbs (22.5 kg) |
| Rack Mountable | Optional | Yes | Yes, with flanges | Yes | Yes |
| Environment | | | | | |
| Power Required | 100–240V AC, 50–60 Hz | 100–240V AC, 50–60 Hz | 100–240V AC, 50–60 Hz | 100–240V AC, 60–50 Hz | 100–240V AC, 60–50 Hz |
| Maximum Current | 110V/1.2A, 220V/1.2A | 120V/4A, 240V/2A | 100V/5A, 240V/3A | 120V/2.6A, 240V/1.3A | 120V/3A, 240V/1.5A |
| Power Consumption (Average) | 18 W | 100.3 W | 115 W | 200 W | 248.5 W |
| Heat Dissipation | 74 BTU/h | 410.7 BTU/h | 471 BTU/h | 1045.5 BTU/h | 1219.8 BTU/h |
| Operating Temperature | 32–104°F (0–40°C) | 32–104°F (0–40°C) | 32–104°F (0–40°C) | 32–104°F (0–40°C) | 32–104°F (0–40°C) |
| Storage Temperature | -13–158°F (-25–70°C) | -13–158°F (-25–70°C) | -13–158°F (-25–70°C) | -13–158°F (-25–70°C) | -13–158°F (-25–70°C) |
| Humidity | 10–90% non-condensing | 10–90% non-condensing | 5–95% non-condensing | 5–95% non-condensing | 5–95% non-condensing |
| Compliance | | | | | |
| Safety Certifications | FCC Class A Part 15, C-Tick, VCCI, CE, UL/cUL, CB | FCC Class A Part 15, C-Tick, VCCI, CE, UL/cUL, CB | FCC Class A Part 15, UL/CB/cUL, C-Tick, VCCI, CE | FCC Class A Part 15, UL/CB/cUL, C-Tick, VCCI, CE | FCC Class A Part 15, UL/CB/cUL, C-Tick, VCCI, CE |

All performance values are “up to” and vary depending on the system configuration.

| | FortiWeb-VM (1 vCPU) | FortiWeb-VM (2 vCPU) | FortiWeb-VM (4 vCPU) | FortiWeb-VM (8 vCPU) |
| --- | --- | --- | --- | --- |
| System Performance | | | | |
| HTTP Throughput | 25 Mbps | 100 Mbps | 500 Mbps | 2 Gbps |
| Application Licenses | Unlimited | Unlimited | Unlimited | Unlimited |
| Virtual Machine | | | | |
| vCPU Support (Minimum / Maximum) | 1 | 2 | 2/4 | 2/8 |
| Network Interface Support (Minimum / Maximum) | 1 / 4 (10 VMware ESX) | 1 / 4 (10 VMware ESX) | 1 / 4 (10 VMware ESX) | 1 / 4 (10 VMware ESX) |
| Storage Support (Minimum / Maximum) | 40 GB / 2 TB | 40 GB / 2 TB | 40 GB / 2 TB | 40 GB / 2 TB |
| Memory Support (Minimum / Maximum) | 1,024 MB / Unlimited for 64-bit | 1,024 MB / Unlimited for 64-bit | 1,024 MB / Unlimited for 64-bit | 1,024 MB / Unlimited for 64-bit |
| Recommended Memory | 4 GB | 4 GB | 4 GB | 4 GB |
| High Availability Support | Yes | Yes | Yes | Yes |

Administrative Domains (all VM models): 4 to 64 based on the amount of memory allocated

Hypervisor Support:
• VMware ESX / ESXi 4.0 / 4.1 / 5.0 / 5.1 / 5.5 / 6.0, Microsoft Hyper-V, Citrix XenServer 6.5, Open Source Xen 4.2, KVM, Amazon Web Services (AWS)
• VMware ESX / ESXi 4.0 / 4.1 / 5.0 / 5.1 / 5.5 / 6.0, Microsoft Hyper-V, Citrix XenServer 6.5, Open Source Xen 4.2, KVM, Amazon Web Services (AWS), Microsoft Azure

Actual performance values may vary depending on the network traffic and system configuration. Performance metrics were observed using a Dell PowerEdge R710 server (2x Intel Xeon E5504 2.0 GHz 4 MB Cache) running VMware ESXi 5.5 with 4 GB of vRAM assigned to the 4 vCPU and 8 vCPU FortiWeb Virtual Appliance and 4 GB of vRAM assigned to the 2 vCPU FortiWeb Virtual Appliance.


ORDER INFORMATION

| Product | SKU | Description |
| --- | --- | --- |
| FortiWeb 100D | FWB-100D | Web Application Firewall — 4x GE RJ45 ports, 16 GB storage. |
| FortiWeb 400C | FWB-400C | Web Application Firewall — 4x GE RJ45 ports, 1 TB storage. |
| FortiWeb 1000D | FWB-1000D | Web Application Firewall — 2x GE SFP slots, 6x GE RJ45 ports (includes 4x bypass ports), dual AC power supplies, 4 TB storage. |
| FortiWeb 3000E | FWB-3000E | Web Application Firewall — 4x 10 GE SFP+ ports, 8x GE RJ45 bypass ports, 4x GE SFP ports, dual AC power supplies, 2x 2 TB storage. |
| FortiWeb 4000E | FWB-4000E | Web Application Firewall — 4x 10 GE SFP+ ports, 8x GE RJ45 bypass ports, 4x GE SFP ports, dual AC power supplies, 2x 2 TB storage. |
| FortiWeb-VM01 | FWB-VM01 | FortiWeb-VM, up to 1 vCPU supported. 64-bit OS. |
| FortiWeb-VM02 | FWB-VM02 | FortiWeb-VM, up to 2 vCPUs supported. 64-bit OS. |
| FortiWeb-VM04 | FWB-VM04 | FortiWeb-VM, up to 4 vCPUs supported. 64-bit OS. |
| FortiWeb-VM08 | FWB-VM08 | FortiWeb-VM, up to 8 vCPUs supported. 64-bit OS. |
| Central Manager 10 | FWB-CM-BASE | FortiWeb Central Manager license key, manage up to 10 FortiWeb devices, VMware vSphere. |
| Central Manager Unlimited | FWB-CM-UL | FortiWeb Central Manager license key, manage unlimited number of FortiWeb devices, VMware vSphere. |

GLOBAL HEADQUARTERS
Fortinet Inc.
899 Kifer Road
Sunnyvale, CA 94086
United States
Tel: +1.408.235.7700
www.fortinet.com/sales

EMEA SALES OFFICE
120 rue Albert Caquot
06560, Sophia Antipolis,
France
Tel: +33.4.8987.0510

APAC SALES OFFICE
300 Beach Road 20-01
The Concourse
Singapore 199555
Tel: +65.6513.3730

LATIN AMERICA SALES OFFICE
Prol. Paseo de la Reforma 115 Int. 702
Col. Lomas de Santa Fe,
C.P. 01219
Del. Alvaro Obregón
México D.F.
Tel: 011-52-(55) 5524-8480

Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary and may be significantly less effective than the metrics stated herein. Network variables, different network environments
and other conditions may negatively affect performance results and other metrics stated herein. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General
Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet and any such commitment
shall be limited by the disclaimers in this paragraph and other limitations in the written contract. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests, and in no event will Fortinet be responsible for events or issues that are outside of its
reasonable control. Notwithstanding anything to the contrary, Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version
of the publication shall be applicable.
FST-PROD-DS-FWEB FWEB-DAT-R33-201511
