More players are welcomed news in the WAF market, a market which seems to be aging in its infancy. Therefore Fortinet entry to the market is certainly good news. As a company that is positioned to join the big three firewall vendors, Fortinet can certainly provide much needed credibility to the WAF market. Saying that, we must recall that Cisco entry into the WAF market last year made little impact on the market place, probably due to an overprices but underpowered offering.

The coverage of the announcement was a good example of the confusion the WAF market still suffers. A Network World article lists the competitors in this field as Barracuda, Cisco, Citrix, Imperva and Palo Alto. This list is more accurate that what a security magazine would list a year ago, but still misses: Palo Alto has a great product, but certainly not a WAF, and the market leaders according to independent testimonials^[1] are probably Imperva, F5 and Breach Security, missing two out of the three in the article list.

As for the product itself: the FortiWeb 1000B is an entry level WAF priced at $20,000^[2], which is slightly higher than Imperva's entry level SE G2 Appliance ($15,000^[3]) but definitely lower than Imperva's G4 appliance ($30,000^[4]). While the 1000B is rated at 500Mps, similarly to the G4, performance in the HTTP inspection world can be very deceptive.

An important aspect of the 1000B is that it is not just a WAF, it is a full blown load balancer, XML accelerator and an SSL off-loader. If you need those features, and the level of implementation offered by the 1000B is sufficient for you, this is a plus. On the other it would probably require more re-architecting of the network than transparent or passive solutions such as those offered by Imperva or Breach Security, making it less friendly as a security centric solution. We may find out that it competes more directly with application delivery solutions such as those offered by F5 and Citrix  than with pure play WAFs.

A key question when it comes to WAFs is the level of security they provide. WAFs are still not consistent in the security engines they use to protect web sites and the level of protection offered varies dramatically. Unfortunately the marketing material provided by FortiNet reveals little. At this stage we can not say whether FortiNet actually adheres to the minimum criteria we set for a WAF, but study of the little information available suggests that it does not support a positive security model and has no learning capabilities. We will update when more information becomes available.

[1] Arian Evans, WhiteHatSec in a posting to the web security mailing list, February 2009
[2] Network World coverage of the FortiWeb 1000B release, February 2009
[3] Imperva SecureSphere SE press release, October 2008
[4] Network Computing WAF review, April 2006