AI-powered WAF that protects web

ORDERING GUIDE applications and APIs against the

OWASP Top 10

FortiWeb
Available in

Appliance Virtual Cloud SaaS Container

Machine

FortiWeb Web Application Firewall protects your business-critical web applications and APIs
from attacks that target known and unknown vulnerabilities. Using an advanced multi-layered
approach backed by a sophisticated machine learning engine, FortiWeb protects against the
OWASP Top 10 and more.

The FortiWeb product line offers solutions and deployment options across SaaS, VMs, and
appliances that can protect business applications no matter where the application is hosted.
This ordering guide will help you choose the right solution for your customer.

FortiWeb is offered as a SaaS-based cloud service, virtual appliance, or as an on-premise

appliance:

• FortiAppSec Cloud WAF (SaaS): cloud-native multitenant SaaS-based solution with a global
distribution of WAF clusters around the world.

• VM Subscription (Public/Private Cloud): virtual solution supported across public and private
clouds.

• FortiWeb Appliance: on-premise FortiWeb appliance providing best price/performance data

center WAF solution in the industry.

THREAT ANALYTICS

This new SaaS based service ingests events from across your entire hybrid cloud environments
(FortiAppSec Cloud WAF and FortiWeb HW/VM) to help address alert fatigue. Using machine
learning algorithms, it removes the complexity that comes from manually evaluating alerts by
evaluating thousands of alerts and grouping those alerts into incidents based on the patterns
identified. The solution separates significant threats from informational alerts and false positives
to help security teams focus on the threats that matter.

Threat Analytics is available for FortiAppSec Cloud Premium Plan customers and is sold as part
of the Advanced bundle or A-La-Carte for FortiWeb appliances.

1
ORDERING GUIDE | FortiWeb

PRODUCT OFFERINGS
For OPEX-based purchasing, choose between FortiAppSec Cloud WAF requiring no hardware/software installation) and
FortiWeb-VM S-series (a yearly subscription of our virtual WAF supported on all common hypervisors and public cloud
providers).

When choosing FortiAppSec Cloud WAF, simply pick between the Standard or Premium plan and choose the overall bandwidth
needed and number of web applications required. Bandwidth and Web app SKUs are seat based. 25 Mbps per Bandwidth seat,
one web application per seat.

When choosing the virtual WAF (FortiWeb-VM S series), remember this is a yearly subscription. Choose between the standard
and advanced subscription bundles, which vary by the type of services included.

OPEX
VM01 VM02 VM04 VM08 VM16
Performance

HTTP Throughput 25 Mbps 100 Mbps 500 Mbps 3 Gbps 6 Gbps

HTTPS Throughput (2048

10 Mbps 50 Mbps 250 Mbps 1 Gbps 3 Gbps
keysize)
Max Machine Learning
Domains 4 8 16 32 32

Hardware
Form Factor Virtual machine
Security Services
Web Security Standard Standard Standard Standard Standard

IP Reputation Standard Standard Standard Standard Standard

Antimalware Standard Standard Standard Standard Standard

FortiWeb Cloud Sandbox Advanced Advanced Advanced Advanced Advanced

Credential Stuffing
Advanced Advanced Advanced Advanced Advanced
Defense
Threat Analytics Advanced Advanced Advanced Advanced Advanced
Advanced Bot Protection Enterprise Enterprise Enterprise Enterprise Enterprise
DLP Enterprise Enterprise Enterprise Enterprise Enterprise
Additional Services

24x7 Support Included Included Included Included Included

MSSP License
SOCaaS Add-on Add-on Add-on Add-on Add-on

FORTIGUARD ADVANCED BOT PROTECTION

400F 600F 1000F 2000F 3000F 4000F VM01 VM02 VM04 VM08 VM16

Number of Bot Requests 1

850,000 1.25 M 1.7 M 3M 4M 11 M 200,000 400,000 900,000 1.7 M 2.8 M

1 Number of Advanced Bot Protection requests per month (varies by platform)

ORDER INFORMATION
VM01 VM02 VM04 VM08 VM16
VM01 VM02 VM04 VM08 VM16

Standard Subscription FC1-10-WBVMS-916-02-DD FC2-10-WBVMS-916-02-DD FC3-10-WBVMS-916-02-DD FC4-10-WBVMS-916-02-DD FC5-10-WBVMS-916-02-DD

Advanced Subscription FC1-10-WBVMS-582-02-DD FC2-10-WBVMS-582-02-DD FC3-10-WBVMS-582-02-DD FC4-10-WBVMS-582-02-DD FC5-10-WBVMS-582-02-DD

Enterprise Subscription FC1-10-WBVMS-735-02-DD FC2-10-WBVMS-735-02-DD FC3-10-WBVMS-735-02-DD FC4-10-WBVMS-735-02-DD FC5-10-WBVMS-735-02-DD

2
 ORDERING GUIDE | FortiWeb

FORTIAPPSEC CLOUD WAF PLANS*

SERVICE FEATURE STANDARD PREMIUM
OWASP top 10 ⃝✓ ⃝✓

WAF signatures ⃝✓ ⃝✓

Threat intel ⃝✓ ⃝✓

Custom rules ⃝✓ ⃝✓
Web Application Protection
Reporting ⃝✓ ⃝✓

Sandboxing ⃝✓

ML based Anomaly Detection ⃝✓

AI Threat Analytics ⃝✓

Scheme enforcement ⃝✓ ⃝✓

API Gateway ⃝✓
API Security
API Discovery ⃝✓

ML based Anomaly detection ⃝✓

IP-based protection ⃝✓ ⃝✓

Thresholds ⃝✓ ⃝✓
Bot Defense
Account Takeover ⃝✓

Behavioral Intent Analysis (ML) Add-on Add-on

DDoS Mitigation L3-L7 ⃝✓ ⃝✓

SSL inspection ⃝✓ ⃝✓

Health Monitoring ⃝✓ ⃝✓
Application Delivery
Client Authentication ⃝✓

Content Routing ⃝✓

Caching/ acceleration ⃝✓ ⃝✓
CDN
Compression ⃝✓ ⃝✓

DAST Runtime vuln. scans Add-on Add-on

Support 24x7 ⃝✓ ⃝✓
SOC as a Service Monitoring, triage and escalation Add-on Add-on

*This is a high level plan overview. Review the full list in the FortiAppSec ordering guide.

ORDER INFORMATION
SKU NAME SKU ID DESCRIPTION
FC1-10-UCAPF-1114-02-DD Cloud WAF, 25 Mbps Standard Plan (no seat option)

FC2-10-UCAPF-1114-02-DD Cloud WAF, 50-99 Mbps Standard Plan (25Mbps/seat)

FC3-10-UCAPF-1114-02-DD Cloud WAF, 100+ Mbps Standard Plan (25Mbps/seat)

Bandwidth
FC1-10-UCAPF-1115-02-DD Cloud WAF, 25 Mbps Premium Plan (no seat option)

FC2-10-UCAPF-1115-02-DD Cloud WAF, 50-99 Mbps Premium Plan (25Mbps/seat)

FC3-10-UCAPF-1115-02-DD Cloud WAF, 100+ Mbps Premium Plan(25Mbps/seat)

FC1-10-UCAPF-1116-02-DD Cloud WAF, 1-4 Application, Standard Plan

FC2-10-UCAPF-1116-02-DD Cloud WAF, 5-24 Application, Standard Plan

FC3-10-UCAPF-1116-02-DD Cloud WAF, 25+ Application, Standard Plan

Applications
FC1-10-UCAPF-1117-02-DD Cloud WAF, 1-4 Application, Premium Plan

FC2-10-UCAPF-1117-02-DD Cloud WAF, 5-24 Application, Premium Plan

FC3-10-UCAPF-1117-02-DD Cloud WAF, 25+ Application, Premium Plan

FC1-10-UCAPF-330-02-DD Global Server Load Balancing, 100 QPS (queries per second)

Standalone Services FC1-10-UCAPF-332-02-DD Global Server Load Balancing , 10 Health Checks

FC1-10-UCAPF-726-02-DD Advanced Bot Protection, 1M Trans/Month

FC1-10-UCAPF-216-02-DD Vulnerability scanning Service , 10 IP/FQDN. Must purchase Cloud WAF as well

SOCaaS: 24x7 cloud-based managed service, per application. Must purchase for all applications in
Add-on Services (Cloud WAF required) FC1-10-UCAPF-464-02-DD
account
SOCaaS: 24x7 cloud-based managed service, per application. Must purchase for all applications in
FC2-10-UCAPF-464-02-DD
account

3
ORDERING GUIDE | FortiWeb

PRODUCT OFFERINGS
For CAPEX-based purchasing, FortiWeb appliances provide the best price/performance data center WAF solutions in the
industry. Pick the right solution based on HTTP/HTTPS throughput and choose between the standard and advanced bundles
which vary by the type of services included.
CAPEX
100F 400F 600F 1000F 2000F 3000F 4000F

Performance
HTTP Throughput 100 Mbps 500 Mbps 1 Gbps 2.5 Gbps 5 Gbps 10 Gbps 70 Gbps
HTTPS Throughput (2048
100 Mbps 500 Mbps 1 Gbps 2.5 Gbps 5 Gbps 10 Gbps 70 Gbps
keysize)
Max Machine Learning
Domains 6 10 16 32 96 96 192

Hardware
4 GE RJ45, 4GE (2 bypass), 8GE (8 bypass), 4GE (4 bypass),
10/100/1000 4 8GE (8 bypass) 8GE (8 bypass)
4 SFP GE 4 SFP 4 SFP 4 SFP

10G SFP+ 2 4 10 (2 bypass) 10 (2 bypass)

40GE 2 bypass

Dual PS Dual Hot Swap Hot Swap Hot Swap Hot Swap

Form Factor Desktop 1RU 1RU 2RU 2RU 2RU 2RU

Security Services
Web Security Standard Standard Standard Standard Standard Standard Standard

IP Reputation Standard Standard Standard Standard Standard Standard Standard

Antimalware Standard Standard Standard Standard Standard Standard Standard

FortiWeb Cloud Sandbox Advanced Advanced Advanced Advanced Advanced Advanced Advanced
Credential Stuffing
Advanced Advanced Advanced Advanced Advanced Advanced Advanced
Defense
Threat Analytics Advanced Advanced Advanced Advanced Advanced Advanced Advanced
Advanced Bot Protection Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise
DLP Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise
Additional Services
24x7 Support Included Included Included Included Included Included Included
SOCaaS Add-on Add-on Add-on Add-on Add-on Add-on Add-on

ORDER INFORMATION
CAPEX
100F 400F 600F 1000F 2000F 3000F 4000F

Standard Bundles

FWB-100F-BDL- FWB-400F-BDL- FWB-600F-BDL- FWB-1000F-BDL- FWB-2000F-BDL- FWB-3000F-BDL- FWB-4000F-BDL-

Hardware Bundle
934-DD 934-DD 934-DD 934-DD 934-DD 934-DD 934-DD
FC-10-W01HF-934- FC-10-FV40F-934- FC-10-W06HF-934- FC-10-FW1KF-934- FC-10-FW2KF-934- FC-10-FW3KF-934- FC-10-FW4KF-934-
Renewal Bundle
02-DD 02-DD 02-DD 02-DD 02-DD 02-DD 02-DD

Advanced Bundles

FWB-100F-BDL- FWB-400F-BDL- FWB-600F-BDL- FWB-1000F-BDL- FWB-2000F-BDL- FWB-3000F-BDL- FWB-4000F-BDL-

Hardware Bundle
580-DD 580-DD 580-DD 580-DD 580-DD 580-DD 580-DD
FC-10-W01HF-580- FC-10-FV40F-580- FC-10-W06HF-580- FC-10-FW1KF-580- FC-10-FW2KF-580- FC-10-FW3KF-580- FC-10-FW4KF-580-
Renewal Bundle
02-DD 02-DD 02-DD 02-DD 02-DD 02-DD 02-DD

Enterprise Bundles

FWB-100F-BDL- FWB-400F-BDL- FWB-600F-BDL- FWB-1000F-BDL- FWB-2000F-BDL- FWB-3000F-BDL- FWB-4000F-BDL-

Hardware Bundle1
725-DD 725-DD 725-DD 725-DD 725-DD 725-DD 725-DD
FC-10-W01HF-725- FC-10-FV40F-725- FC-10-W06HF-725- FC-10-W01KF-725- FC-10-W02KF-725- FC-10-W03KF-725- FC-10-W04KF-725-
Renewal SKUs
02-DD 02-DD 02-DD 02-DD 02-DD 02-DD 02-DD

Replacement

Replacement Disk SKU SP-DFWB2T SP-DFWB2T

1 Check number of Advanced Bot Protection requests on page 2

4
 ORDERING GUIDE | FortiWeb

NSE TRAINING AND CERTIFICATION

FCP – FortiWeb Training and Certification Ordering Information
Learn how to deploy, configure, and troubleshoot FortiWeb. Learn key concepts of web
SKU DESCRIPTION
application security and explore protection and performance features. Experience traffic and
attack simulations that use real web applications. Learn how to distribute the load from virtual FT-ILT-D03
Instructor-led Training - 3 days (includes
servers to real servers, while enforcing logical parameters, inspecting flow, and securing HTTP hands-on labs)
session cookies. FortiWeb Administrator On-demand Labs
FT-LAB-H20
(within self-paced course)
Course Description
NSE-EX-FTE2 Certification Exam
For more information about prerequisites, agenda topics and learning objectives, please refer to
the course description at https://training.fortinet.com/local/staticpage/view.php?page=library_
fortiweb
SKU Mapping
https://training.fortinet.com/local/staticpage/view.php?page=purchasing_process

5
ORDERING GUIDE | FortiWeb

CHEAT SHEET

The Space Product Lineup

• WAF space consolidates around three main FortiWeb product line includes various options:
functionalities: web protection, bot mitigation, and
• HW/VM/container: models range from 50 Mbps to
API protection.
70 Gbps throughput. BYOL/PAYG for VMs deployed
• SaaS is becoming more attractive. on public cloud.

• Cloud WAF popularity is on the rise and usually • Cloud WAF: FortiAppSec Cloud SaaS-based
includes content delivery network and DDoS. solution. Global scrubbing centers across public
cloud. Priced by bandwidth and number of
• Customers have expectations for easy onboarding
applications. Can alternatively be consumed
and a low maintenance WAF.
directly from marketplace.

Major Highlights
Ordering Guide
• Industry’s fastest WAF appliance: FortiWeb-4000F
Product Offerings: OPEX and CAPEX options
at 70 Gbps HTTP/HTTPS throughput.
OPEX: two options available:
• The only vendor to provide ML for anomaly
• FortiAppSec Cloud: hassle-free, no SW/HW detection for web and API applications.
required, WAF-as-a-service. Priced by bandwidth
• Two-layer ML tech ensures virtually no false
and number of applications, measured by 95%
positives.
percentile.
• FortiGuard Labs automated updates ensure AI
• FortiWeb-VM: S-series provides yearly
threat models are up-to-date.
subscription for IaaS/private cloud. All inclusive
standard/advanced bundle options. • Continuous Learning automatically adjusts models
when application changes, virtually integrating with
CAPEX: two options available:
CI/CD pipeline.
• HW appliances: selected by throughput (50 Mbps
• One-of-a-kind SQLi and XSS syntax-based
to 70 Gbps)
detection policies, without reliance on static
• FortiWeb-VM: preferably choose S-series though signatures.
perpetual license is available.
• Strong API protection capabilities including ML
based API Discovery and Proection, API gateway,
Where to Find More Info protocol enforcement, and schema validation.

• Demo: FortiAppSec Cloud, WAF machine learning • Threat Analytics: Using Machine Learning, attacks
are analyzed across all your web applications to
• What’s New: FortiAppSec Cloud, FortiWeb identify common characteristics and patterns and
• Landing Page: FortiAppSec Cloud group them into meaningful security incidents.

• Live demo available from landing page

Visit www.fortinet.com for more details

Copyright © 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or
company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other condi-
tions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s SVP Legal and above, with a purchaser
that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any
such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise
revise this publication without notice, and the most current version of the publication shall be applicable.

FWEB-OG-R19-20250116