We have an e-commerce business hosted approximately 3000 web sites on a web server, from which at least 500 web sites (currently, and growing) have its own domain name available under https protocol. Searching for some solution to protect them, recently we’ve got opportunity to test Sophos XG Firewall 2300 series. Unfortunately it requires to upload individual certificates to the firewall WAF rule, e.g. create individual WAF rule for each site in order to work, which is too complex and on top of that, it has limitation of maximum 60 WAF rules to be active at the same time. So my question is, how Fortigate/Fortiweb firewalls handle this, are they also require to upload individual certificate for each site, or some general WAF rule can be created to protect them all from attacks like SQL inject, XSS and etc.?
If it does require uploading individual certificate for each domain name hosted securely under https protocol, how many certificates/policies can be uploaded to the firewall? In other words, what is the maximum number of web sites hosted securely, using their own certificate on a single server which can be protected by either Fortigate or Fortiweb?