Reverse-Proxy Ready · OWASP Top 10 Protected

FortiWeb WAF Installation & Deployment Services in India

A FortiWeb appliance or VM sitting in front of your web applications does nothing until it is correctly deployed, traffic is routed through it, and a baseline policy is configured. Ogma's installation service ensures your FortiWeb is deployed in the right mode, SSL is terminated properly, and your applications are protected from day one, not after weeks of failed DIY attempts.

  • 80+ FortiWeb deployments
  • 3–7 Days: typical go-live timeline
  • 4 Modes: deployment modes supported
  • OWASP Top 10: covered from day one

Which Deployment Mode is Right for You?

FortiWeb supports four deployment modes. Ogma selects and configures the right one for your architecture.

Reverse Proxy

Most common. All HTTP/HTTPS traffic passes through FortiWeb. Full inspection and modification capability. Recommended for most environments.

★ Recommended

Transparent Proxy

No IP change for clients. Suitable for environments where reverse proxy topology is complex. Slightly reduced feature set vs. reverse proxy.

Offline (Sniffer)

Passive monitoring mode — no traffic interception. Useful for assessment/baseline phase or environments with zero-downtime tolerance.

FortiWeb Cloud

SaaS WAF on AWS, Azure, or GCP. DNS-based redirection, no on-prem hardware. Fastest deployment for cloud-native applications.

Installation Scope

Everything covered in a standard FortiWeb installation engagement.

Hardware / VM Deployment

Rack-and-stack or VM provisioning (VMware, Hyper-V, KVM, AWS, Azure). Initial network interface assignment, management IP, and firmware update to latest stable FortiWeb version.

  • Physical: FortiWeb 100F – 4000F series
  • VM: vCPU/RAM/disk allocation per sizing guide
  • FortiWeb Cloud: subscription + DNS redirect

SSL/TLS Offload & Re-encryption

Certificate import or Let's Encrypt configuration. SSL offload at FortiWeb + re-encryption to backend (HTTPS-to-HTTPS inspection). TLS 1.2/1.3 enforcement; legacy protocol blocking.

  • Wildcard and multi-domain SAN certs
  • HTTP → HTTPS redirect rules
  • HSTS header injection

Initial OWASP Top 10 Policy

Configure and enable FortiWeb's signature-based protection against OWASP Top 10 attack categories: SQL injection, XSS, CSRF, RCE, path traversal, file inclusion, and more.

  • Attack signatures enabled and tuned
  • Alert mode for first 7 days (no blocking)
  • Block mode after false-positive review

Server Pool & Load Balancing

Define backend server pools, configure health checks, and set load-balancing method (round-robin, least-connections, weighted). Multiple backend servers supported with session persistence.

  • HTTP and TCP health checks
  • SSL health monitor configuration
  • Server pool failover testing

Logging & FortiAnalyzer Integration

Configure local logging, syslog forwarding to your SIEM (FortiSIEM, Splunk, QRadar), and FortiAnalyzer integration for centralised WAF log analysis and compliance reports.

  • Syslog/CEF/LEEF format selection
  • FortiAnalyzer secure tunnel setup
  • Log retention policy configuration

Hardening & Handover

Admin account hardening (MFA, role separation), management interface access restrictions, admin audit logging, and a signed-off as-built document covering all configuration decisions made during the installation.

  • Admin password and MFA policy
  • Management IP whitelist
  • As-built document + config backup

Delivery Process

Structured 4-step deployment. Minimal downtime — most steps are done offline.

1. Pre-Installation Assessment (Day 1)

We review your application inventory, server topology, existing load balancer configuration, SSL certificate inventory, and network diagrams. We confirm which deployment mode is appropriate and produce a pre-installation checklist. A downtime window is agreed, typically a 30-minute maintenance window for DNS cutover only.

2. Hardware/VM Deployment & Baseline Config (Days 1–2)

FortiWeb is physically racked or provisioned as a VM. Management IP, interfaces, and firmware are configured. SSL certificates are imported and server pools defined. Basic connectivity is validated before any traffic is routed through FortiWeb.

3. Traffic Cutover & Alert Mode (Days 2–4)

DNS or load-balancer VIP is updated to route traffic through FortiWeb. The device runs in alert (detection-only) mode for 5–7 days. We review all triggered alerts daily and identify genuine false positives caused by your application's normal behaviour before switching to block mode.

4. Block Mode Activation & Handover (Days 5–7)

After false-positive review, block mode is activated for confirmed attack signatures. You receive the as-built document, config backup, and a post-deployment report showing protection coverage. A 30-day hyper-care period is included — we respond to any false-positive escalation within 4 business hours.
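As an added illustration of the alert-mode review in steps 3 and 4 (not Ogma's or Fortinet's tooling), the sketch below groups detection-only alerts so the daily review can start with likely false positives. The key=value log layout, the signature IDs and the `min_clients` threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample alerts in a hypothetical key=value layout
# (not FortiWeb's real log schema); map your exported fields onto these.
SAMPLE_ALERTS = """\
src=203.0.113.10 sig=SQLI-001 url=/search param=q
src=203.0.113.11 sig=SQLI-001 url=/search param=q
src=203.0.113.12 sig=SQLI-001 url=/search param=q
src=203.0.113.12 sig=SQLI-001 url=/search param=q
src=198.51.100.77 sig=TRAVERSAL-004 url=/download param=file
src=198.51.100.77 sig=TRAVERSAL-004 url=/download param=file
src=198.51.100.77 sig=XSS-002 url=/profile param=bio
""".splitlines()

def parse(line):
    """Split one 'k=v k=v ...' alert line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def triage(lines, min_clients=3):
    """Group alerts by (signature, URL, parameter).

    Heuristic (an assumption, not a verdict): a signature that fires on the
    same URL/parameter for many unrelated clients is probably normal
    application behaviour and needs an exception before block mode; one
    that fires for a single source is more likely a genuine probe.
    A distributed attack can defeat this, so every group is still reviewed.
    """
    clients = defaultdict(set)
    hits = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        a = parse(line)
        key = (a["sig"], a["url"], a["param"])
        clients[key].add(a["src"])
        hits[key] += 1
    likely_fp, likely_attack = [], []
    for key in sorted(hits):
        row = (key, hits[key], len(clients[key]))
        bucket = likely_fp if len(clients[key]) >= min_clients else likely_attack
        bucket.append(row)
    return likely_fp, likely_attack

if __name__ == "__main__":
    fp, attack = triage(SAMPLE_ALERTS)
    print("review for exception:", fp)
    print("keep for block mode:", attack)
```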

Engagement Tiers

Final scope confirmed after pre-sales assessment. Tell us your application count and we'll quote within 2 hours.

Starter
Competitive · fixed-scope project
1–2 applications · FortiWeb Cloud or single VM
  • Single deployment mode configuration
  • SSL offload + OWASP policy
  • Basic logging to SIEM
  • As-built document
  • 30-day hyper-care

Enterprise (Most Popular)
Competitive · fixed-scope project
3–8 applications · Physical or VM with HA
  • Full deployment mode selection
  • SSL offload + advanced OWASP policy
  • HA configuration (A-P or A-A)
  • FortiAnalyzer or SIEM integration
  • 7-day alert mode + block mode activation
  • As-built document + 90-day hyper-care

Large / Multi-App
Competitive · custom scope
8+ applications · FortiWeb cluster
  • Multi-node FortiWeb deployment
  • Application-specific policy per VHOST
  • LDAP/AD admin integration
  • Full SIEM + FortiManager integration
  • Custom scope — priced on assessment

FortiWeb hardware, VM licences, and FortiGuard Web Security Service subscriptions are not included. Ogma can advise on sizing and procurement.

Frequently Asked Questions

In reverse proxy mode, FortiWeb appears as the web server to clients — traffic hits FortiWeb's IP, which then forwards to your backend. This is the most capable mode (full HTTP inspection, cookie/header manipulation, etc.) but requires IP/DNS changes. In transparent proxy mode, FortiWeb sits inline but clients still connect to the backend server's real IP — useful when upstream load balancers make reverse proxy topology complex.

For reverse proxy mode, a DNS cutover window of 20–30 minutes is typically required. Transparent proxy and offline (sniffer) modes need no downtime. HA configurations require a brief failover window during the secondary node addition. We schedule all cutover steps during agreed maintenance windows, usually evenings or weekends.

FortiWeb Cloud (SaaS WAF on AWS/Azure/GCP) is ideal for cloud-native applications, development teams that need CI/CD integration, or organisations that prefer OpEx over CapEx. On-premises FortiWeb (physical or VM) is better for applications with strict data residency requirements, high-throughput environments where cloud latency matters, or where existing FortiAnalyzer/FortiSIEM integration is required.

The installation engagement includes deploying FortiWeb in alert mode and reviewing the initial OWASP signature alerts. ML-based learning (building auto-learned URL and parameter allow lists) requires 2–4 weeks of legitimate traffic analysis. Full ML tuning is scoped as a separate implementation engagement — see our FortiWeb Implementation & ML Tuning service.

Ogma is an authorised Fortinet partner and can source FortiWeb appliances (100F–4000F series) with valid FortiGuard Web Security Service subscriptions. We'll recommend the right model based on your throughput, number of protected applications, and whether HA is required. Hardware procurement can be bundled with the installation engagement.

After hyper-care, you can manage FortiWeb independently, engage Ogma on ad-hoc paid support calls, or transition to our Managed FortiWeb WAF service which includes ongoing policy updates, false-positive management, and monthly WAF health reports.

Yes. In most environments FortiWeb sits behind an existing L7 load balancer or ADC. We configure FortiWeb to trust the X-Forwarded-For header passed from your load balancer so client IP visibility is maintained for logging and rate-limiting. We'll review your load balancer config during the pre-installation assessment.
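Trusting X-Forwarded-For is only safe when the header is accepted from the load balancer alone, because any client can send the header itself. The added example below (generic logic, not FortiWeb's implementation or configuration) resolves the client IP by walking the header from the right and stopping at the first hop that is not a trusted proxy; the `TRUSTED_PROXIES` range is a hypothetical load-balancer subnet.

```python
import ipaddress

# Assumption (hypothetical addresses): the only hops allowed to supply
# X-Forwarded-For are the upstream load balancer's own addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/28")]

def is_trusted(addr):
    """True if addr belongs to a trusted proxy; raises ValueError if malformed."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, xff_header):
    """Return the address to use for logging and rate-limiting."""
    # A peer that is not the load balancer cannot vouch for any header,
    # so a request that bypasses the load balancer is keyed on its socket address.
    if not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk right to left: each trusted proxy vouches only for the hop it
    # appended, so stop at the first address that is not a trusted proxy.
    # Anything further left was supplied by the client and may be forged.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            # Malformed entry: nothing to its left can be trusted either.
            return peer_addr
    # Header missing or containing only trusted proxies.
    return peer_addr

if __name__ == "__main__":
    # Client forged "1.1.1.1"; the load balancer appended the real address.
    print(client_ip("10.0.0.5", "1.1.1.1, 198.51.100.9"))
```

Rate limits keyed on the leftmost header value would let a single client evade them by rotating forged addresses, which is why the leftmost entry is never used here.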

Protect Your Web Applications from Day One

Tell us how many applications you need to protect, your deployment environment (on-prem/cloud), and any compliance requirements. We'll scope the installation and provide a fixed-price quote.