/blog/fortiweb-kubernetes-container-2026
FortiWeb in Kubernetes and container environments
Kubernetes apps don't stop being apps. The OWASP Top 10 still applies; APIs still need schema enforcement; bots still scrape. What changes is how the WAF deploys. FortiWeb Container is the shape Fortinet ships for Kubernetes / Docker environments — sidecar or ingress integration, CI/CD-aligned policy, continuous-learning ML that adapts when a deployment rolls. This guide walks the deployment patterns + the integration story.
Container
5th shape
Listed alongside HW / VM / Cloud / SaaS in the Ordering Guide.
CI/CD ✓
Continuous Learning
Policy adapts to app updates without manual rewrite.
Helm
Deployment
Standard Helm chart. GitOps-compatible policy export/import via REST.
FortiManager
Multi-cluster
One pane across container + VM + HW + FortiAppSec estates.
Two deployment patterns
Ingress pattern (north-south)
- FortiWeb Container as cluster ingress controller
- External traffic enters via FortiWeb pod before hitting any app
- One FortiWeb deployment per cluster (sized to peak traffic)
- Standard pattern — most enterprises start here
- Simpler operational model
- Policy refresh tied to cluster ingress changes
Sidecar pattern (east-west)
- FortiWeb Container as sidecar per app pod
- Inspects service-to-service traffic inside the mesh
- One FortiWeb container per app pod
- Higher policy depth; higher operational overhead
- Best for high-security microservice estates
- Per-service policy granularity
What the Ordering Guide says
Per FortiWeb Ordering Guide (FWEB-OG-R25-20260318)
"HW/VM/container: models range from 50 Mbps to 70 Gbps throughput. BYOL/PAYG for VMs deployed on public cloud."
Container is the 5th deployment shape alongside Appliance, Virtual Machine, Cloud, and SaaS. The Container line is explicitly designed for CI/CD-pipeline integration: "Continuous Learning automatically adjusts models when application changes, virtually integrating with CI/CD pipeline."
How it integrates — the CI/CD-aligned story
▸ Schema-driven policy
OpenAPI / Swagger schemas exported from your API gateway feed FortiWeb's positive-security model. Policy is generated from the schema; schema lives alongside app code.
▸ Pipeline-pushed policy
FortiWeb REST API endpoints allow policy push from CI/CD. Standard pattern: schema update in repo → policy regenerate in pipeline → push to FortiWeb at deployment time.
▸ Continuous Learning
ML model adapts the behavioural baseline as the app evolves. New endpoint in a deployment? Model learns it from traffic, schema, or both. No manual rewrite when the app changes.
▸ Helm chart deployment
Standard Helm chart. values.yaml controls FortiWeb mode (monitor / enforce), ingress class binding, replicas, CPU / memory requests.
▸ GitOps-compatible
Policy YAML lives in your repo alongside app manifests. Pipeline pushes policy updates with each release. No drift between code and WAF policy.
▸ Multi-cluster via FortiManager
One FortiManager pushes policy to FortiWeb Containers across N clusters. Multi-region, multi-cloud, multi-cluster — single pane.
Architecture patterns by app type
| App type | Recommended pattern | Why |
|---|---|---|
| Single-team microservice estate | Ingress controller | Simplest operational model; one FortiWeb per cluster |
| Multi-team / multi-tenant cluster | Ingress + per-team policy | Single FortiWeb, namespace-scoped policy |
| Zero-trust microservice estate | Sidecar per pod | East-west inspection between services |
| Hybrid: K8s app + non-K8s app | Container + VM-S BYOL | Same FortiManager / FortiAnalyzer plane |
| K8s + Istio mesh | FortiWeb at ingress; Istio mTLS inside | Layer separation: WAF policy on FortiWeb, mTLS on Istio |
A typical deployment week
Day 1 — Helm install + policy import
FortiWeb Container Helm chart installs to a dedicated namespace. Initial OpenAPI schema imported. Monitor mode.
Day 2-3 — Wire to ingress
Bind FortiWeb as the cluster ingress controller (or as ingress class for specific namespaces). Verify traffic flow + log forwarding to FortiAnalyzer.
Day 4-5 — ML baseline + tuning
Continuous-learning model builds the behavioural baseline. Review false-positive candidates. Tune signature thresholds.
Day 6-7 — Enforce on first endpoint
Flip enforce on the lowest-risk endpoint (eg health check, public docs). Watch for 24 hours. Roll back if needed.
Week 2 — Hook into CI/CD pipeline
Wire schema regeneration into your release pipeline. Future deployments auto-push schema updates to FortiWeb. Continuous Learning takes over for drift.
FortiWeb Container vs running FortiWeb-VM next to K8s
FortiWeb-VM outside K8s
- VM sits in front of K8s cluster's LB / ingress
- Standard VM operations
- Less integrated with K8s lifecycle
- Policy not tied to deployment
- Easier if team isn't K8s-native
FortiWeb Container inside K8s
- Native K8s ingress controller
- Helm-deployed, GitOps-compatible
- Continuous-learning policy aligned to releases
- Lifecycle managed via K8s
- Best for K8s-native teams
FAQ
Sidecar or ingress controller — which pattern?
Does FortiWeb Container support Istio / service-mesh?
How does Continuous Learning work for container WAF?
Can FortiWeb Container be configured via Helm chart?
What about WAF policy in GitOps workflows?
Performance overhead — what should we plan for?
Does FortiWeb Container integrate with FortiAnalyzer?
Multi-cluster — single policy plane?
Free FortiWeb K8s pilot scoping
Sized deployment plan for your specific cluster + CI/CD
Ogma scopes the right deployment pattern (ingress / sidecar / hybrid), sizes resource requests, designs the CI/CD hook for policy refresh, and returns a 2-week pilot plan.
Request the pilot scoping or explore FortiWeb API SecuritySources
- FortiWeb Ordering Guide (FWEB-OG-R25-20260318) — Container as 5th deployment shape
- FortiWeb Data Sheet — Continuous Learning, CI/CD integration
Related: FortiWeb API security · FortiWeb deployment models · FortiWeb API Security landing
Stay ahead of cyber threats
One short email a week — curated Indian cybersecurity news, Fortinet releases, DPDPA updates. No fluff.