User Guide

License & Contract


FortiAppSec Cloud offers several licensing options. Review the information below to determine the most suitable contract type for you.

If you are using a legacy FortiWeb Cloud/FortiGSLB/FortiABP contract, you will be required to transition fully to a FortiAppSec Cloud contract to continue service past its expiry date. For information on the transition, please refer to Contract Migration.

Only one primary contract type can be active at a time within a single account. While a contract type is active, any other contract types remain inactive and cannot be used.

An inactive contract's specified seat quantity is not available and does not count toward the total number of available seats.

Gateway licenses are not subject to this restriction.

FortiAppSec Cloud contract options

Annual contract or pay-as-you-go

Annual contracts:
  • Billing: Single upfront charge for agreed-upon usage.

    • With a Fortinet Contract, bandwidth and application can be purchased under separate contracts.

    • With Marketplace (AWS/Azure), you pre-pay for a set number of usage points (for example, 10,000). Any usage beyond this is billed as overage.

  • Cost: More cost-effective for consistent, long-term usage. Discounts may apply for multi-year terms (24 or 36 months).

  • Renewal: Service access expires if the contract is not renewed.

  • Enterprise Support: Supported for all annual contract types.

Pay-as-you-go:
  • Billing: Monthly charges based on actual usage, ideal for variable workloads.

    Some services have a minimum billable usage, regardless of actual traffic.

    For example, if a WAF application is deployed, a minimum of 25 Mbps per day of WAF bandwidth will be billed, even if the application receives no traffic.

  • Cost: Flexible, no upfront commitment.

  • Enterprise Support: Supported through FortiFlex, but not available on public marketplaces (AWS, Azure, GCP).

For more information, please see the Contract comparison table.

Where to purchase FortiAppSec Cloud contracts

FortiAppSec Cloud contracts are available through three different purchasing avenues.

  • Fortinet Sales offers contracts priced based on bandwidth usage, with the following features available to different tiers: Web Application Firewall (WAF), bandwidth management, Dynamic Application Security Testing (DAST), Global Server Load Balancing (GSLB) with query-per-second (QPS) limits and health checks, Advanced Bot Protection (ABP), and Security Operations Center (SOC) services.

    • WAF: Requires both an Application contract and a Bandwidth contract. The number of applications and bandwidth limits are fixed at purchase.

    • GSLB: Can be purchased as a standalone contract or together with other services.

    • ABP: Available in the Enterprise contract tier.

    To purchase a new contract or make changes to an existing one, contact Fortinet Sales.

  • FortiFlex offers a pay-as-you-go billing model where FortiFlex points are consumed based on your usage.

    To purchase a new contract that includes FortiFlex points, contact Fortinet Sales. To manage changes to an existing account, log into the FortiFlex portal.

  • AWS/Azure/GCP Marketplace offers tailored subscriptions for AWS, Azure, and Google Cloud Platform, including usage-based pricing, contract-based pricing, and contracts with consumption-based billing.

    New contracts can be purchased by logging into the portals for AWS, Azure, or Google Cloud Platform. To upgrade or downgrade your existing plan, navigate to the General > Contracts page.

Contract comparison table

The following table lists the FortiAppSec Cloud contracts available for purchase. Usage limits vary by contract.

For additional details on the supported features of the Standard, Advanced, and Enterprise plans, please see Standard, Advanced, and Enterprise plans.

Each entry lists the payment type, contract type, plan, and support.

Payment type: Annual Contract

  Contract type: Fortinet Contract

    • Standard
      Included: WAF
      Add-on options: SOCaaS

    • Advanced
      Included: WAF, DAST
      Add-on options: SOCaaS

    • Enterprise
      Included: WAF, DAST, GSLB, ABP, SOCaaS

  Contract type: AWS Annual contract

    • Standard
      Included: WAF, GSLB

    • Advanced
      Included: WAF, GSLB, DAST

    • Enterprise
      Included: WAF, GSLB, DAST, ABP
      Please note, SOCaaS is not supported as an add-on.

  Contract type: Azure Annual Contract

    • Standard
      Included: WAF, GSLB

    • Advanced
      Included: WAF, GSLB, DAST

    • Enterprise
      Included: WAF, GSLB, DAST, ABP
      Please note, SOCaaS is not supported as an add-on.

Payment type: Pay-As-You-Go

  Contract type: FortiFlex

    • Standard
      Included: WAF
      Add-on options: SOCaaS, GSLB

    • Advanced
      Included: WAF
      Add-on options: SOCaaS, GSLB

    • Enterprise
      Included: WAF, DAST, GSLB, ABP, SOCaaS

  Contract type: AWS/Azure/GCP Pay-As-You-Go (PAYG)

    • Standard
      Included: WAF, GSLB

    • Advanced
      Included: WAF, GSLB, DAST

Standard, Advanced, and Enterprise plans

FortiAppSec Cloud contracts are available in 3 tiers:

  • Standard: Focuses on core protections, including negative security model policies, default configurations such as signatures, request limits, and more.
  • Advanced: Includes all features of the Standard plan and adds advanced capabilities, such as machine learning for web/API/bot protection, Threat Analytics, and additional security enhancements.

  • Enterprise: Includes all features of the Advanced plan, and also bundles services that are billed separately in the Standard and Advanced plans, such as Advanced Bot Protection, GSLB, and SOCaaS.

    • Each GSLB application includes a lifetime allocation of 10 GSLB health checks (HC).

    • For every 5 Mbps of licensed bandwidth, the system allows a monthly average of up to 20 queries per second (QPS).

Review plan feature differences here:

Feature Category

Standard

Advanced

Enterprise

Web Application Protection

Signature based Protection

IP Threat Intelligence

GEO-IP Intelligence

Custom Security Rules

HTTP Compliance

URL, Parameter and CORS Protection

Cookie Protection

Information Leakage

AV for File Uploads

Sandboxing for File Uploads

Zero Day Attack Protection - Machine Learning based Anomaly Detection

API Security

Schema Enforcement (OpenAPI, XML, JSON)

API Gateway

Mobile API Protection

Machine Learning based - Discovery, PII Catalog, Protection

Client Security

HTTP Header Protection

CSRF and MiTB Protection

Bot Defense

Signature, Threshold, Biometric and Deception

Machine Learning based Bot Defense

Advanced Bot Protection

Account Takeover

User Tracking

Session Fixation Protection

Credential Stuffing Defense

DDoS

Layer 3-4 DDoS Mitigation

Layer 7 DDoS Mitigation

Application Delivery

SSL Certificates - Automatic and Custom

Client Authentication / Mutual TLS

Content Delivery Network (CDN)

Limited GEO CDN

Load Balancing and Server Health Monitoring

Origin Server Content Routing

Waiting Room

Global Server Load Balancing (GSLB)

DNS Load Balancing

Available Separately

Available Separately

DNS Services + DNSSEC

Available Separately

Available Separately

Health Check (Synthetic Testing)

Available Separately

Available Separately

DAST Scanning

Vulnerability Assessment

API Scanning

Reporting and Analytics

Attack Logs

Alert Notifications

SIEM Integration

Log Sensitive Data Masking

FortiView - Realtime and historical log Analysis

Security and Network Dashboards and Reports

Traffic Logs (Cloud native storage integration)

Threat Analytics AI

Management

Role Based Access Control

Single-Sign-On Support

API Support

Services

24/7 Support

SOCaaS - log monitoring, incident triage and SOC escalation service

Available Separately

Available Separately

*Available with Fortinet and FortiFlex contracts. Not available via marketplace subscriptions.

View contract

To view your contract type for an active service, log into the FortiAppSec Cloud web portal and go to General > Contracts.

For details on what you can do on this page, please see Contracts.

Renew contract

If you have an active contract, your new contract will automatically begin when your existing contract ends.

If you need to increase the number of applications, bandwidth, or seats before your current contract ends, please upgrade your contract. For detailed instructions specific to your contract type, see Contracts.

To renew your annual contract, purchase a new FortiAppSec Cloud license by contacting your Fortinet sales representative directly or from your public cloud marketplace platform (AWS or Azure).

For service continuity and correct licensing, be sure to register the new FortiAppSec Cloud contract under the same Fortinet (FortiCloud/FortiCare) account as your existing service.

Overage and expiration behavior

FortiAppSec Cloud may enter read-only mode for one of the following reasons. The impact and next steps depend on the specific cause:

  • Bandwidth Overage

    If your bandwidth usage exceeds your quota limits for two consecutive months, your account will enter read-only mode.

    To regain full access:

    • Increase your bandwidth limit

      Contact your Sales Engineer to adjust the quantity on your existing contract.

    • Wait for the next billing cycle

      The 95th percentile bandwidth usage resets at the start of each billing cycle. If your usage remains within the quota throughout the next billing cycle, access will be automatically restored at the start of the following cycle.

  • Application Overage

    If you have more applications than are supported by your contract, your account will enter read-only mode.

    To regain full access:

    • Increase your application limit

      Contact your Sales Engineer to adjust the quantity on your existing contract.

    • Decrease number of applications

      Delete applications until the number of applications falls under your contract quota.

  • Expired Contract

    When your contract expires, your account enters a 21-day grace period during which it remains in read-only mode.

    To regain full access:

    • Purchase additional contracts

      You can purchase additional FortiAppSec Cloud contracts through any supported platform.

    • Extend expiration date

      Contact your Sales Engineer to extend your current contract.

    Once the 21-day grace period ends, your applications will be deleted from your FortiAppSec Cloud account.

If the license is managed via FortiFlex, a 7-day FortiFlex grace period begins first. The entitlement may show as “Expired” but remains active during this time. The 7-day FortiAppSec Cloud grace period starts after the FortiFlex period ends.

Changing license types (e.g., from legacy FortiWeb Cloud to FortiAppSec UC contract) may result in a change to the serial number.
