FortiWeb vs AWS WAF vs Azure WAF — when cloud-native isn't enough
AWS WAF and Azure WAF are checkbox-cheap. They protect against the OWASP Top 10 string-payload attacks at the CDN / load-balancer tier, billed by request and rule. For most workloads they're not enough: they lack ML-based anomaly detection, ML-driven API discovery and bot mitigation deep enough to stop sophisticated credential stuffing, and they don't address PCI DSS 4.0 requirements 6.4.3 + 11.6.1 (Client-Side Protection) at all. This guide compares cloud-native WAFs and FortiWeb on the dimensions that actually matter at production scale.
At a glance:
- Signatures only: cloud-native WAFs. Managed rule groups + custom rules. No ML, no schema enforcement.
- ML + signatures: FortiWeb. Two-layer ML on top of signatures, IP reputation, protocol validation.
- OpenAPI schema enforcement: only FortiWeb. AWS/Azure WAFs treat APIs as HTTP traffic.
- PCI DSS 4.0 Client-Side Protection: only FortiWeb addresses Req 6.4.3 + 11.6.1.
The capability comparison
| Capability | AWS WAF | Azure WAF | FortiWeb |
|---|---|---|---|
| OWASP Top 10 signature protection | ✓ | ✓ | ✓ |
| Managed rule groups (vendor-curated) | ✓ | ✓ | ✓ (FortiGuard) |
| Custom rule builder | ✓ | ✓ | ✓ |
| Two-layer ML anomaly detection | — | — | ✓ |
| OpenAPI / Swagger schema enforcement | — | — | ✓ |
| ML API Discovery (undocumented endpoints) | — | — | ✓ |
| Advanced Bot Protection (ML/biometric/behavioural) | Bot Control add-on (basic) | — | ✓ (Enterprise) |
| Credential Stuffing Defense | Fraud Control add-on (basic) | — | ✓ (Advanced+) |
| Account Takeover protection (ATO) | — | — | ✓ (Advanced+) |
| Client-Side Protection (PCI DSS 4.0 6.4.3 + 11.6.1) | — | — | ✓ (Enterprise) |
| SQLi syntax-based detection (not signatures) | — | — | ✓ |
| Centralised multi-cloud policy management | AWS only | Azure only | ✓ (FortiManager) |
| SOCaaS integration | — | — | ✓ (Enterprise) |
| Threat Analytics — ML alert grouping | — | — | ✓ (Advanced+) |
AWS WAF — cost reality at scale
AWS WAF's pricing model is per-rule + per-request. It looks cheap at low scale and gets non-trivial at production volume. From the official pricing page (snapshot 30 May 2026):
FX note — INR conversion
USD-published AWS WAF rates converted to INR at ₹98 / USD — Ogma's standard software-services reference rate. AWS bills in USD via the cloud invoice; INR equivalents are for planning. Live FX may vary.
| Component | Rate (INR @ ₹98/USD) | USD list | What it bills for |
|---|---|---|---|
| Web ACL | ₹490 / month | $5 / mo | Per ACL deployed |
| Rule | ₹98 / month | $1 / mo | Per rule in the ACL |
| Request | ₹58.80 / million | $0.60 / M | Per request inspected |
| Bot Control (add-on) | ₹980 / mo + per-req | $10 / mo | Per ACL + per request inspected |
| Fraud Control (ATP) | ₹980 / mo + per-attempt | $10 / mo | Per ACL + per login attempt |
A worked example — 500M requests / month
AWS WAF basic config: ₹490 ACL + 10 rules × ₹98 + 500M × ₹58.80/M = ~₹30,870/month (~$315)
Add Bot Control (₹980/mo + per-request rate) and Fraud Control (₹980/mo + per-attempt rate) and you're north of ₹39,000-49,000/month ($400-500) for a single app. At multi-app scale, the cost compounds. FortiWeb-VM-S BYOL VM02 at ~₹31,000/month ($317) gives you ML, API discovery, schema enforcement, Client-Side Protection — for one app or a hundred.
Source: AWS WAF pricing page snapshot, 30 May 2026. Bot Control and Fraud Control pricing per AWS public listing. INR conversion at ₹98/USD. Rates change; verify at quote time.
Azure WAF — the tier story
Azure WAF is wrapped into two different services:
Azure Front Door WAF
- Global, multi-region delivery + WAF
- Per Front Door tier pricing (Standard / Premium)
- Managed rule sets, custom rules
- Best for globally-distributed apps
Azure Application Gateway WAF v2
- Regional, per-gateway WAF
- Per capacity-unit pricing + per-request
- Same rule sets as Front Door
- Best for in-region apps
Both share the same signature-based detection mechanism. Neither has ML anomaly detection, ML API Discovery, or Client-Side Protection. For PCI scope or schema-aware API protection, you layer FortiWeb on top — same as with AWS WAF.
Where FortiWeb actually wins
▸ ML beats signatures on zero-day
Per the Data Sheet, FortiWeb's ML applies after the first signature layer — catches anomalies and zero-day attack patterns that no signature update covers yet. Cloud-native WAFs are signature-only.
▸ API contract enforcement
OpenAPI / Swagger / XML / JSON schema validation. Reject-by-default for unknown shapes. Cloud-native WAFs see APIs as HTTP traffic only.
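To make "reject-by-default for unknown shapes" concrete, here is an added illustration (not FortiWeb code, and not taken from this page's sources) of contract enforcement in front of an API: a constructed OpenAPI-style contract for two endpoints and a validator that admits only requests matching it. Undeclared paths, undeclared methods, malformed JSON, missing required fields, wrong types and fields not in the schema are all blocked with a reason. The contract, endpoint names and the sample requests are constructed for the example.

```python
"""Reject-by-default API contract enforcement (constructed illustration).

Hand-rolled validator for a small subset of OpenAPI 3 (paths, methods, JSON
body schema). A production WAF parses a full OpenAPI document and runs inline;
this only shows the decision logic.
"""
import json
import re

# Constructed contract: two endpoints. A GET with schema None declares "no body".
CONTRACT = {
    "/users": {
        "POST": {
            "type": "object",
            "required": ["email", "name"],
            "properties": {
                "email": {"type": "string", "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$"},
                "name": {"type": "string", "maxLength": 64},
                "age": {"type": "integer", "minimum": 0, "maximum": 150},
            },
            "additionalProperties": False,   # unknown fields are a violation
        },
    },
    "/users/{id}": {"GET": None},
}

JSON_TYPES = {"string": str, "integer": int, "number": (int, float),
              "boolean": bool, "object": dict, "array": list}


def _path_regex(template):
    """Turn /users/{id} into ^/users/[^/]+$ ; literal segments are escaped."""
    parts = ["[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
             for seg in template.split("/")]
    return "^" + "/".join(parts) + "$"


def _check_value(schema, value, where):
    """Return a violation string for one field, or None if it conforms."""
    kind = schema["type"]
    if isinstance(value, bool) and kind in ("integer", "number"):
        return f"{where}: boolean where {kind} expected"   # bool is an int subclass
    if not isinstance(value, JSON_TYPES[kind]):
        return f"{where}: expected {kind}"
    if "pattern" in schema and not re.match(schema["pattern"], value):
        return f"{where}: does not match pattern"
    if "maxLength" in schema and len(value) > schema["maxLength"]:
        return f"{where}: exceeds maxLength {schema['maxLength']}"
    if "minimum" in schema and value < schema["minimum"]:
        return f"{where}: below minimum {schema['minimum']}"
    if "maximum" in schema and value > schema["maximum"]:
        return f"{where}: above maximum {schema['maximum']}"
    return None


def validate_body(schema, body):
    """List every violation of an object schema; empty list means conformant."""
    if not isinstance(body, dict):
        return ["body: expected JSON object"]
    errors = []
    props = schema.get("properties", {})
    for key in schema.get("required", []):
        if key not in body:
            errors.append(f"body.{key}: required field missing")
    for key, value in body.items():
        if key not in props:
            if not schema.get("additionalProperties", True):
                errors.append(f"body.{key}: unknown field (additionalProperties: false)")
            continue
        err = _check_value(props[key], value, f"body.{key}")
        if err:
            errors.append(err)
    return errors


def enforce(method, path, raw_body=b""):
    """Return ("allow", []) or ("block", [reasons]). Anything unmatched is blocked."""
    for template, methods in CONTRACT.items():
        if not re.match(_path_regex(template), path):
            continue
        if method not in methods:
            return "block", [f"{method} not declared for {template}"]
        schema = methods[method]
        if schema is None:   # endpoint declares no body
            return ("allow", []) if not raw_body else ("block", ["body not allowed"])
        try:
            body = json.loads(raw_body or b"null")
        except ValueError:
            return "block", ["body: malformed JSON"]
        errors = validate_body(schema, body)
        return ("block", errors) if errors else ("allow", [])
    return "block", [f"path {path} not in contract"]


if __name__ == "__main__":
    # Constructed sample traffic: one conformant request, the rest violations.
    samples = [
        ("POST", "/users", b'{"email": "a@example.test", "name": "Ana"}'),
        ("POST", "/users", b'{"email": "a@example.test", "name": "Ana", "role": "admin"}'),
        ("POST", "/users", b'{"email": "a@example.test", "name": "Ana", "age": true}'),
        ("DELETE", "/users/42", b""),
        ("GET", "/admin", b""),
    ]
    for m, p, b in samples:
        print(m, p, "->", enforce(m, p, b))
```

The point the code makes is the direction of the default: the validator never has to know what an attack looks like, it only has to know what the declared contract looks like, and everything else (an undocumented `/admin` path, an extra `role` field, a method the spec never listed) is dropped before it reaches the application.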
▸ ML API Discovery
Continuously surfaces undocumented endpoints in your real traffic. Closes the gap between declared schema and actual API surface. No cloud-native equivalent.
▸ Advanced Bot Protection
ML, biometric tracking, behavioural analysis. Cloud-native Bot Control is shallow IP + UA matching with light behavioural overlay.
▸ Client-Side Protection
PCI DSS 4.0 Req 6.4.3 + 11.6.1 — Magecart / formjacking / online skimming. Not in AWS WAF, not in Azure WAF. FortiWeb Enterprise tier.
▸ Multi-cloud single pane
FortiManager pushes policy across appliance, VM-S, FortiAppSec Cloud, Container. AWS WAF and Azure WAF only manage their own clouds.
▸ Layered defence
FortiWeb plus AWS WAF / Azure WAF at the edge is a standard layered pattern — cloud-native handles known signatures cheaply, FortiWeb handles depth and PCI.
▸ Threat Analytics
ML alert grouping across hybrid FortiWeb estates — alert fatigue reduction. Cloud-native WAFs surface raw alerts only.
Where cloud-native WAFs win
▸ Cost at low scale
Sub-100M requests / month with simple rule sets — AWS WAF at ~₹2,940-4,900/month ($30-50) beats anything else.
▸ Native integration
AWS WAF integrates with ALB, CloudFront, API Gateway in one click. Azure WAF similarly integrates with Front Door, App Gateway, APIM.
▸ Setup speed
5-minute setup for the basic protection use case. FortiWeb deployment takes a day to a week.
▸ Cloud-only estates
If you have zero on-prem and zero plans for it, cloud-native WAF's lock-in is moot.
The layered pattern most enterprises actually run
Defence in depth, not either/or
AWS WAF / Azure WAF at edge → FortiWeb depth inside the VPC
Edge layer (cloud-native): cheap signature scrubbing, basic bot, IP reputation. Filters the noise.
Depth layer (FortiWeb): ML, schema enforcement, API discovery, Advanced Bot, Client-Side Protection. The real protection. Handles what passed edge.
The cloud-native WAF runs a reduced rule set, at roughly 50-70% of its full cost, and only the traffic it passes reaches FortiWeb. FortiWeb runs at full feature depth on that reduced volume. Layered cost is often less than running either product alone at the depth required.
FAQ
- Should we replace AWS WAF with FortiWeb, or run both?
- What's AWS WAF's real cost at scale?
- Azure WAF: Front Door tier or Application Gateway tier?
- Why isn't ML detection in AWS WAF / Azure WAF a comparable feature?
- What about API Gateway / APIM — don't they cover APIs?
- Client-Side Protection — does AWS WAF / Azure WAF have it?
- Can we use the cloud-native WAF in dev/UAT and FortiWeb in production?
- Multi-cloud — what's the management story?
Free FortiWeb vs cloud-native WAF assessment
See exactly what cloud-native is missing for your workload
Ogma audits your current AWS WAF / Azure WAF setup, maps gaps against PCI DSS 4.0, OWASP API Top 10, DPDP/RBI/SEBI, and sizes the FortiWeb layer. Output is a comparison brief + sized FortiWeb quote.
Sources
- aws.amazon.com/waf/pricing — AWS WAF pricing (snapshot 30 May 2026)
- azure.microsoft.com — Azure WAF pricing
- FortiWeb Data Sheet — ML detection, API protection, Client-Side Protection
- FortiWeb Ordering Guide — tier mapping
- owasp.org/API-Security/ — OWASP API Security Top 10