Secure your web applications with FortiWeb Cloud WAF-as-a-Service

By Calvin posted Nov 21, 2019 05:58 PM


With many enterprises moving to the cloud, and resources now spread across many different environments to keep product development agile and competitive, today's organizations need to be aware of securing one of their most important public-facing assets: web servers. Web servers are often a prime target for attackers simply because they are public facing and closest to the cloud edge, and they typically handle a large volume of transactions and data. Securing these servers requires deep familiarity with the OSI stack, with protocols such as HTTP, and with the vulnerabilities web servers typically have.

Dealing with the complexities of the cloud without the right resources to protect the organization from external attacks can lead to data breaches, failed audits, legal complications, and more. Organizations need a solution that lets them scale security at the speed of development while remaining easy to enable and use.

FortiWeb Cloud WAF-as-a-Service (FWCWaaS) provides a scalable and easy-to-use Web Application Firewall that lets customers onboard applications quickly and get advanced threat protection for their web applications. FWCWaaS uses enterprise-grade security technology to give customers easily enabled protection from vulnerabilities such as the OWASP Top 10 for web applications. Additionally, advanced capabilities like DDoS prevention, API protection, account takeover protection, and more are available! Agencies using FortiWeb can use a global content delivery network (CDN) for global security or restrict traffic to a single region for compliance reasons. With privacy regulations like GDPR and CCPA becoming more visible and holding organizations more accountable for users' data, customers not only need to secure their applications against vulnerability exploits, but must also secure any personal data. PCI DSS requirement 6.6 recommends that organizations deploy a solution that detects and prevents web attacks. By enabling same-region protection in FortiWeb, organizations get in-region transfer rates, compliance with their region's regulations, and better performance.

FWCWaaS is for customers of all sizes, from those that lack the resources to tackle large-scale manual deployments and need to meet compliance in the cloud, to large enterprises looking to reduce overhead costs. Imagine being an IT/security administrator tasked with migrating and securing public-facing assets deployed globally on the cloud. Although you are not new to networking (BGP, OSPF, RIP), you are unfamiliar with cloud terminology and need to quickly build a plan to migrate the web application, scale it along with its security, and record any value-added processes that would make future workflows more efficient. Using lift and shift together with native cloud services like load balancers, CDNs, and more, you can migrate quickly. The problem now is: how do you scale your security to match the speed of DevOps? And how can you be certain that the security you enable meets the internal and external guidelines you must follow? Not only do you need to understand the web application traffic that will flow through your network in order to build security policies, you also need to manage and maintain those policies. Traditional lift and shift has value in certain scenarios, but customers looking to refactor their web applications in the future and undertake a digital transformation of their cloud environment should consider security services like FWCWaaS that can help answer these questions.

FWCWaaS works with organizations of any size, whether they are using a lift-and-shift approach and want to protect their web applications with a scalable platform, or re-architecting their web applications to be designed for the cloud. Businesses where the application developers are also responsible for protecting their web applications will appreciate the ease of use of FWCWaaS. Small businesses get an enterprise-grade WAF, while larger businesses wanting seamless cloud integrations and lower TCO can use FWCWaaS to save time on upgrades, save money by moving to a SaaS-based service, and reduce hardware costs. Let's take a look at FWCWaaS and see how easily you can set it up and use its security capabilities to protect your web servers on a regional or global level.

Upon logging in, you are presented with a dashboard similar to the one pictured below.

As you can see, we already have an application server behind the FortiWeb SaaS solution. For this web server, North California is selected as the specific region so that data only travels within this AWS region. If we wanted to enable the global CDN, or select a different region where the web application resides, we have that option as well. We can also see that Block Mode is enabled. Once you add an application, you have the option to enable Block Mode to automatically block any web request that triggers a violation. For the smoothest transition and the best security, we recommend monitoring web traffic and fine-tuning the policy before enabling Block Mode, so that legitimate requests are not blocked by rules that still need exceptions.


Once you decide to add an application to FWCWaaS, you only need to configure the domain name; the network information (pulled dynamically from the cloud, although you can also choose to redirect on-premise traffic, or traffic from web applications in other clouds or regions, to AWS FWCWaaS); the region the data travels to; and Block Mode on or off. Then change the DNS records for your domain name to point to FWCWaaS, and you're done!



Clicking on the web application gives a good overview of the solution, with information like blocked requests on the application, requests made to the application, data that traveled to the web application, costs, and much more.


One of the cool summaries I found in FWCWaaS is that it gives you not only the average threat level for your web application, but also the global threat level, so you can instantly compare and spot an anomaly affecting your web application!

You can view triggered violations in "Logs", or export them to an external syslog server to aggregate the data for analysis and alerting as well as to retain the logs for audits. FWCWaaS supports either a generic syslog export or exports to QRadar, Splunk, ArcSight, and Microsoft's Azure OMS. This ability to use Fabric partners gives existing Fortinet customers, or customers already using these Fabric partners, easy integration with FWCWaaS.
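The two practices described above, monitoring violations before switching on Block Mode and exporting the logs to a syslog collector for aggregation, fit together naturally: the exported log is what tells you whether a rule is safe to block on. The following script is an added example written for this post, not code from Fortinet or the FWCWaaS product. It parses a constructed key=value syslog shape (the field names `action`, `src`, `host`, `path`, `sig` and the sample lines are assumptions, not FortiWeb's real log schema) and computes the two things a reviewer wants before enabling Block Mode: signatures firing broadly across many distinct clients and paths (likely false positives that need exceptions or tuning first) and source addresses with repeated violations (typical of probing rather than of ordinary users).

```python
"""Aggregate WAF violation logs received over syslog to support tuning before Block Mode.

Hypothetical example: the key=value log shape below is constructed for this
post and is NOT FortiWeb's actual syslog schema. Field names are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not captured from a real deployment).
# action=alert  -> violation was logged only (monitoring)
# action=deny   -> violation was blocked (Block Mode)
SAMPLE_LOGS = """\
<134>Nov 21 10:00:01 waf: action=alert src=203.0.113.10 host=shop.example.com path=/login sig=sql_injection severity=high
<134>Nov 21 10:00:02 waf: action=alert src=203.0.113.10 host=shop.example.com path=/login sig=sql_injection severity=high
<134>Nov 21 10:00:03 waf: action=alert src=203.0.113.10 host=shop.example.com path=/admin sig=xss severity=high
<134>Nov 21 10:00:05 waf: action=alert src=198.51.100.7 host=shop.example.com path=/search sig=info_leakage severity=low
<134>Nov 21 10:00:06 waf: action=alert src=198.51.100.8 host=shop.example.com path=/search sig=info_leakage severity=low
<134>Nov 21 10:00:07 waf: action=alert src=198.51.100.9 host=shop.example.com path=/products sig=info_leakage severity=low
<134>Nov 21 10:00:08 waf: action=alert src=198.51.100.10 host=shop.example.com path=/cart sig=info_leakage severity=low
<134>Nov 21 10:00:09 waf: action=deny src=192.0.2.44 host=api.example.com path=/v1/users sig=sql_injection severity=high
this line is not a violation record and must be ignored
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"action", "src", "host", "path", "sig"}


def parse_line(line):
    """Return the key=value fields of one line, or None if it is not a violation record."""
    fields = dict(KV_RE.findall(line))
    if not REQUIRED.issubset(fields):
        return None
    return fields


def parse_logs(text):
    """Parse a syslog export, silently dropping lines that are not violation records."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f is not None]


def summarize(records):
    """Per-signature statistics: event count, distinct clients, distinct paths, actions taken."""
    stats = defaultdict(lambda: {"events": 0, "sources": set(), "paths": set(), "actions": Counter()})
    for r in records:
        s = stats[r["sig"]]
        s["events"] += 1
        s["sources"].add(r["src"])
        s["paths"].add(r["path"])
        s["actions"][r["action"]] += 1
    return stats


def review_candidates(stats, min_sources=3, min_paths=3):
    """Signatures that fire from many distinct clients across many paths.

    Such a spread usually means the rule matches legitimate traffic; review it
    (add an exception or tune the rule) before switching Block Mode on.
    """
    return sorted(sig for sig, s in stats.items()
                  if len(s["sources"]) >= min_sources and len(s["paths"]) >= min_paths)


def concentrated_sources(records, min_events=2):
    """Source addresses with repeated violations, the pattern of probing rather than normal use."""
    counts = Counter(r["src"] for r in records)
    return {src: n for src, n in counts.items() if n >= min_events}


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    st = summarize(recs)
    for sig, s in sorted(st.items()):
        print(f"{sig:15} events={s['events']} sources={len(s['sources'])} "
              f"paths={len(s['paths'])} actions={dict(s['actions'])}")
    print("review before Block Mode:", review_candidates(st))
    print("repeat offenders:", concentrated_sources(recs))
```

On the sample data the `info_leakage` signature is flagged for review because four different clients tripped it on three different pages, while `sql_injection` is concentrated on one client that also triggered `xss`. The thresholds are starting points; tune them against a real monitoring window, and point the script at whatever collector receives the syslog export rather than at the embedded sample.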


Enabling FWCWaaS's Known Attacks protection is as easy as switching it on.

As you can see from the images below, other services like Information Leakage protection, Geo IP blocking, and DDoS Prevention are just as easy to enable and configure.



By simplifying configuration and setup time, security administrators can focus on improving security processes and guidelines and on building frameworks that keep their organization secure and efficient. Organizations subject to strict compliance regulations can optimize their security investments by using FWCWaaS to enable protections quickly and feeding the alerts from any triggers into an analytics solution like FortiSIEM or a third-party Fabric Partner for threat investigation, automation, and much more.

The complex and API-driven nature of the cloud requires customers to think differently about implementing solutions there. A solution like FWCWaaS offers quick-touch deployment, API-driven automation and scalability, and enterprise-grade web protection for environments of all sizes.

But don't take my word for it! Fortinet trusts FortiWeb Cloud WAF-as-a-Service to protect the web applications that Fortinet deploys on AWS. We chose to host our main website on a public cloud platform rather than on-premises. Deployment was seamless, and the integration saved Fortinet hours of labor and lowered TCO significantly.


GET STARTED ON FORTIWEB TODAY! You can try it for FREE for 14 days:

Additional Resources:

  • To get started on securing your web applications or if you want to learn more information, click here.
  • Want to quickly learn about FortiWeb Cloud WAF-as-a-Service? Click here
  • Want to learn how to set up Fortinet's Cloud WAF-as-a-Service for AWS? Click here
  • Want to learn about FWCWaaS on Azure? Click here
  • Join our FUSE Community to get the latest updates and answers to your Fortinet questions! Click here
  • To get started on deploying FortiWeb Cloud WAF-as-a-Service, click here


Nov 26, 2019 07:12 AM

Awesome solution and post.  Is there a reason we don't mention the benefits of moving to an OpEx model in this article?  Many customers are considering moving from CapEx to OpEx for more predictability, elasticity, and flexibility.  Also note - please have a writer give the article another once-over, there are a few typos ;c D

Nov 21, 2019 09:27 PM

Great information. Thank you for sharing, Calvin!