FortiWeb deployment models — the complete guide for India, 2026

Published 01 Jun 2026  ·  By Pawan Sharma  ·  Network Security  ·  18 min read

FortiWeb is one product. It ships in five distinct deployment shapes, each with its own pricing model, sizing logic, and operational fit. Picking the wrong shape doesn't just cost more — it can leave you over-engineered for a workload you don't have, or under-engineered for one you do. The five shapes are spelled out on page 1 of the official Ordering Guide (FWEB-OG-R25-20260318): Appliance, Virtual Machine, Cloud, SaaS, Container. This guide walks through each one — when it's right, when it isn't, and what to buy — anchored on the official Fortinet docs.

  • 5 shapes (deployment options): Appliance, VM, Cloud BYOL, FortiAppSec Cloud SaaS, Container — same product, five billing models.
  • 70 Gbps (top hardware throughput): FortiWeb-4000F — "industry's fastest WAF appliance" per the Ordering Guide.
  • 25 Mbps → 6 Gbps (VM tier range): VM01 (25 Mbps HTTP) to VM16 (6 Gbps HTTP). Annual subscription, all hypervisors and public clouds.
  • 3 bundles (service tiering): Standard / Advanced / Enterprise — the same tiering applies across appliance, VM and Cloud SaaS.

The five shapes, at a glance

Shape | Best for | Billing model | Throughput range
Appliance (CAPEX) | Data-centre, on-prem workloads, high-throughput north-south traffic | One-time HW + service bundle | 100 Mbps (100F) → 70 Gbps (4000F)
VM-S Subscription (OPEX) | Private cloud, VMware/Hyper-V/KVM, AWS/Azure/GCP BYOL | Annual subscription per VM tier | 25 Mbps (VM01) → 6 Gbps (VM16)
Cloud BYOL | Public cloud workloads where you want partner-managed licensing in INR | BYOL via partner + cloud compute | Per VM-S tier above
FortiAppSec Cloud SaaS | Lift-and-shift web apps, zero infra appetite, multi-region delivery | Per-bandwidth seat + per-app seat | 25 Mbps per Bandwidth seat, 1 app per Application seat
Container | CI/CD-native, Kubernetes ingress protection, microservices | Container subscription | Sized to container limits

All throughput and tier specs from the FortiWeb Ordering Guide, March 2026 release (FWEB-OG-R25-20260318). VM-S throughput row references the Performance table on page 2; appliance throughput from the CAPEX Performance table on page 5.

Shape 1 — Appliance (CAPEX)

The appliance line — the F-series — is the right choice when application traffic lives in your data centre, latency budget is tight, and the team prefers a one-time capital purchase plus annual renewals. Seven hardware models cover the spectrum from a 100 Mbps desktop to a 70 Gbps, 2RU box with 40 GE bypass interfaces.

Model | HTTP / HTTPS throughput | ML Domains | Form factor | Ports
FortiWeb-100F | 100 Mbps | 6 | Desktop | 4× 10/100/1000
FortiWeb-400F | 500 Mbps | 6 | 1RU | 4× GE RJ45 + 4× SFP GE
FortiWeb-600F | 1 Gbps | 16 | 1RU | 4× GE (2 bypass) + 4× SFP
FortiWeb-1000F | 2.5 Gbps | 32 | 2RU | 8× GE (8 bypass) + 4× SFP + 2× SFP+
FortiWeb-2000F | 5 Gbps | 96 | 2RU | 4× GE (4 bypass) + 4× SFP + 4× SFP+
FortiWeb-3000F | 10 Gbps | 96 | 2RU | 8× GE (8 bypass) + 10× SFP+ (2 bypass)
FortiWeb-4000F | 70 Gbps | 192 | 2RU | 8× GE + 10× SFP+ + 2× 40 GE (bypass)

Why CAPEX still wins for data-centre workloads

Predictable cost, low tail-end latency, on-prem fabric integration

The Ordering Guide pitch is direct: "FortiWeb appliances provide the best price/performance data center WAF solutions in the industry." If your apps sit behind the firewall on a colo or DC fabric, a hardware FortiWeb is typically the lowest-cost-per-Gbps option over a 3-5 year horizon — and the inspection happens at line rate without a public-cloud hop.

Shape 2 — Virtual Machine (OPEX subscription)

FortiWeb-VM S-series is the OPEX equivalent — yearly subscription, runs on every common hypervisor (VMware, Hyper-V, KVM, Xen, OpenStack) and every major public cloud as a BYOL image. Five sizing tiers; the same Standard / Advanced / Enterprise service bundles as the appliance line.

VM tier | HTTP throughput | HTTPS (2048) | Max ML Domains | Bot requests / month
VM01 | 25 Mbps | 10 Mbps | 4 | 200,000
VM02 | 100 Mbps | 50 Mbps | 8 | 400,000
VM04 | 500 Mbps | 250 Mbps | 16 | 900,000
VM08 | 3 Gbps | 1 Gbps | 32 | 1.7 M
VM16 | 6 Gbps | 3 Gbps | 32 | 2.8 M

Subscription SKU pattern by bundle (the leading FCx digit selects VM tier, 1=VM01 → 5=VM16):

  • Standard Subscription: FCx-10-WBVMS-916-02-DD
  • Advanced Subscription: FCx-10-WBVMS-582-02-DD
  • Enterprise Subscription: FCx-10-WBVMS-1267-02-DD

Shape 3 — Cloud (BYOL on public cloud)

The same VM-S image runs as a BYOL deployment on AWS, Azure, GCP, OCI and IBM. You pay the cloud provider for the compute / storage / bandwidth; you pay Fortinet (via Ogma in India) for the annual VM subscription. The alternative is PAYG via the cloud marketplace: same image, different commercial model. The savings math is worth a whole post on its own; the short version is that BYOL via a partner typically wins decisively on 12-36 month workloads, while PAYG wins for bursty / sub-quarter projects.

BYOL vs PAYG, in one sentence

Same FortiWeb, two ways to pay

BYOL = annual subscription priced in INR via Ogma, cloud bill carries only compute. PAYG = single line item in AWS / Azure marketplace, bundled with compute, higher hourly rate. We unpack the math in FortiWeb BYOL via Ogma vs PAYG via AWS / Azure Marketplace.

Shape 4 — FortiAppSec Cloud (SaaS)

FortiAppSec Cloud is the SaaS-delivered FortiWeb — Fortinet hosts, Fortinet operates, you change DNS / CNAME and the WAF sits inline. Multi-tenant clusters distributed globally. Priced by bandwidth seats (25 Mbps per seat) and application seats (1 web app per seat), selected via three plan tiers.

FortiAppSec Plan | Anchor capabilities | Bandwidth SKU | Applications SKU
Standard | OWASP Top 10, signatures, custom rules, IP-based bot, scheme enforcement, SSL inspection, CDN caching, FortiAI Assist, 24×7 support | FC1/2/3-10-UCAPF-1114-02-DD | FC1/2/3/4-10-UCAPF-1116-02-DD
Advanced | + Sandboxing, ML anomaly detection, AI Threat Analytics, API Gateway, API Discovery, Account Takeover protection, DAST, Content Routing | FC1/2/3-10-UCAPF-1115-02-DD | FC1/2/3-10-UCAPF-1257-02-DD
Enterprise | + Behavioral Intent Analysis (ML), Client-Side Security, included SOCaaS | FC1/2/3-10-UCAPF-1254-02-DD | FC1/2/3-10-UCAPF-1256-02-DD

SaaS is the right answer when the team has zero appetite for managing a WAF, the applications are internet-facing, and the workload sits behind a single DNS record (or a small set). Multi-region coverage is global by default. The Bandwidth and Applications SKUs are both required — they're paired, not interchangeable.

Shape 5 — Container

FortiWeb is also available as a container image for Kubernetes / Docker environments. Per the Ordering Guide, the container line is sized to container limits and integrates with CI/CD pipelines. Critically, the continuous-learning model "automatically adjusts when application changes, virtually integrating with [the] CI/CD pipeline" — meaning a new release won't break your WAF policy.

The bundle question — Standard, Advanced or Enterprise?

The service bundle tiering is identical across appliance, VM-S, and FortiAppSec Cloud. The features that move from tier to tier are the same in each:

Capability | Standard | Advanced | Enterprise
OWASP Top 10, signatures, IP rep, antimalware
FortiWeb Cloud Sandbox
Credential Stuffing Defense
Threat Analytics (ML alert grouping)
Advanced Bot Protection (ML / biometric / behavioural)
Client-Side Protection (PCI DSS 4.0)
DLP
24×7 Support, FortiAI Assist
SOCaaS | Add-on | Add-on | Included

If the workload handles card payments or has any PCI DSS 4.0 exposure (mandatory requirements 6.4.3 + 11.6.1), Enterprise is effectively non-optional — Client-Side Protection is the control that satisfies those PCI clauses. Card-payment-free workloads typically land on Advanced for the ML and threat-analytics features.

The decision tree

1. Is the application internet-facing and DNS-front-able?

If yes, FortiAppSec Cloud (SaaS) is the lowest-friction option. CNAME swap, multi-region by default, no infra. Go there if the team has zero appetite for managing WAF infra.

2. Does the application live in a public cloud (AWS, Azure, GCP, OCI)?

Use FortiWeb-VM BYOL via your Fortinet partner. PAYG via marketplace is the easier-to-sign-up option, but it costs ~30-50% more on 12-36 month horizons. (See the BYOL vs PAYG post for the line-by-line math.)

3. Does the application live in your data centre or colo?

Use a FortiWeb appliance. Pick model by HTTP/HTTPS throughput class — a 600F for 1 Gbps, 1000F for 2.5 Gbps, 2000F for 5 Gbps, 3000F for 10 Gbps, 4000F for 70 Gbps. Form factor and bypass-port count usually nudge the choice.

4. Does the application live in Kubernetes / a container platform?

Use the FortiWeb Container form factor. Integrates with CI/CD; the continuous-learning ML model adapts to app updates without a policy rewrite.

5. Hybrid pattern?

Common in India: HW at HQ DC + VM-S BYOL on cloud workloads + FortiAppSec Cloud for the marketing site. All three feed central reporting; Threat Analytics aggregates incidents across the estate. This is a typical mid-market deployment shape.

Hybrid patterns — what most real estates look like

DC + Cloud

HW appliance protects the corporate workloads in colo; VM-S BYOL covers the cloud-resident applications. Single FortiManager pane.

SaaS + Hardware

FortiAppSec Cloud for public-facing marketing / commerce sites; HW appliance for the internal-facing apps that can't take a CNAME swap.

Cloud + Container

VM-S BYOL fronts the legacy stack; Container FortiWeb inline in Kubernetes for new microservices. Same policy framework across both.

Multi-region SaaS

FortiAppSec Cloud across regions with bandwidth seats sized to peak. Multi-region delivery and CDN caching come bundled.

What's NEW in 2026 across all five shapes

FortiAI Assist (Beta)

Automates policy updates, configuration fixes, and answers spec / deployment questions. Bundled with all FortiAppSec Cloud plans.

Threat Analytics

SaaS-based ML grouping of alerts into incidents across hybrid FortiWeb estates. Available in FortiAppSec Cloud Advanced + a-la-carte for appliances.

Client-Side Protection

JavaScript integrity protection for PCI DSS 4.0 requirements 6.4.3 + 11.6.1. Enterprise tier.

70 Gbps top-of-line

FortiWeb-4000F — Ordering Guide describes it as the "industry's fastest WAF appliance" at 70 Gbps HTTP/HTTPS throughput.

FAQ

Can the same FortiManager / FortiAnalyzer manage multiple FortiWeb shapes?
Yes. The HW appliance, VM-S, and Container shapes integrate with FortiManager (policy) and FortiAnalyzer (logs + reporting) the same way. FortiAppSec Cloud uses its own SaaS console but feeds Threat Analytics shared with the appliance / VM estate. Mixed estates are normal — and supported as a first-class deployment.
Is BYOL really cheaper than marketplace PAYG?
On 12+ month horizons, typically yes — by significant double-digit percentages. On sub-quarter / POC / bursty workloads, PAYG wins on flexibility. We do the line-by-line math in FortiWeb BYOL via Ogma vs PAYG via AWS / Azure Marketplace.
What's the difference between VM-S and FortiAppSec Cloud?
VM-S is software you deploy + manage (subscription). FortiAppSec Cloud is fully managed SaaS — Fortinet hosts and operates it, you change DNS. VM-S gives you policy control + on-prem fabric integration; FortiAppSec Cloud gives you zero infrastructure responsibility.
Do I need Enterprise tier for PCI DSS 4.0 compliance?
Effectively yes if you handle card-payment pages. Client-Side Protection — which addresses PCI DSS 4.0 requirements 6.4.3 (script inventory) and 11.6.1 (change detection) — is Enterprise-only. Non-card workloads typically don't need Enterprise.
Can I start on PAYG and move to BYOL later?
Yes. The image is the same; only the licence-billing source changes. Ogma can quote the BYOL annual against your existing PAYG instance and the cutover is operationally minor — re-licence in place, cloud compute carries on unchanged.
What about renewals after the first term?
Each appliance bundle has a matching renewal SKU (e.g. the FortiWeb-1000F Standard bundle renewal is FC-10-FW1KF-934-02-DD). VM-S subscriptions renew annually under the same SKU. FortiAppSec Cloud is a per-month subscription with continuous renewal.
How does FortiWeb integrate with FortiGate?
FortiWeb is part of the Fortinet Security Fabric — it shares posture and threat-intel signals with FortiGate, FortiSASE, FortiClient. Common defence-in-depth: FortiGate for L3/L4 + general traffic; FortiWeb for L7 web/API. Both feed FortiAnalyzer / FortiSOC for unified analytics.
What's the FortiAI Assist beta caveat?
FortiAI Assist is currently in Beta per the Ordering Guide — "Restrictions apply". Functional but with feature-set carve-outs. Available across all FortiAppSec Cloud plans (Standard, Advanced, Enterprise) and as an add-on for appliances / VM-S.

Free FortiWeb sizing assessment

We pick the right shape and tier against your workload — no commitment

Ogma reviews your application portfolio — DC vs cloud vs SaaS, traffic profile, PCI / DPDP scope, team capability — and returns a sized FortiWeb deployment plan with the right shape (HW / VM / Cloud / SaaS / Container) and bundle (Standard / Advanced / Enterprise), with INR pricing and term options.
