This chapter lists features and enhancements introduced in each of the FortiADC releases.
FortiADC 5.4.1 offers the following new features:
Configure real server by FQDN
In some customer deployments, the real servers (RS) change their IP addresses due to autoscaling, upgrades, etc., which requires the RS IP settings in the RS pool to be changed accordingly.
This feature supports configuring an FQDN for a real server. FAD queries the DNS server periodically, and once the IP address changes, it resolves the new IP address for that real server automatically.
Customizable authentication form for Form Based Authentication
Beyond the default authentication form, customers can also upload a user-defined login page for all the form-based authentications. Customers are able to define their own authentication portal.
Manage HTTP persistence via script
Customers can define any persistence rule for distributing traffic across real servers via Lua script, and are no longer limited to the configurable persistence types.
New script commands have been added to set/read/dump persistence rules, along with the new events PERSISTENCE and POST_PERSIST.
Please refer to the latest script guide for an example.
HTTP 1.1 health check and user defined HTTP header fields
Customers can select HTTP version 1.0 or 1.1 for HTTP/HTTPS health checks, and can also send additional strings in the HTTP headers.
LDAP health check
Support for detecting LDAP server health status.
More data type checks in input validation
Supports the regex type for parameter validation rules, in addition to the existing length check.
Adds predefined data types for customers to choose from, including US zip code, US SSN, etc.
Allows customers to import OpenAPI documents (YAML or JSON format) to validate HTTP requests, including server validation, path validation, parameter validation, cookie validation, and request body validation.
Enhance search engine crawler in bot detection
Supports a bypass option for well-known search engines; access by these search engines is not logged as an event.
Updated the list of search engines to include Ask, Sogou and TikTok.
OWASP-top10 Wizard policy
Create an OWASP-top-10 policy with a few clicks.
More information included in WAF log
Provides more detailed information about the attack event in the log, including a signature example, defense suggestions, etc.
- Firewall traffic logging support
OCSP configuration enhancement
OCSP configuration GUI redesign streamlines OCSP setup process.
- Support SafeNet Luna Network HSM 7
New platform 5000F
The high-end platform FADC 5000F is released with 5.4.0. This 2U platform has 4 x 100G and 8 x 40G ports, and offers high performance for your data center (L4 up to 250Gbps, L7 HTTP up to 220Gbps, SSL offloading up to 120Gbps). It supports 40G port breakout, splitting a 40G port into 4 separate 10G ports.
Please refer to the latest datasheet for more information.
Cloud-init scripts support on AWS and VMware/KVM
Cloud-init is the industry-standard start-up agent installed on virtual machines to facilitate cloud deployments. It speeds up the initialization of your FAD instance by passing in user data such as SSH keys and bash scripts.
- Cloud templates and autoscaling solution on AWS
Force default password change upon first-time login
In accordance with "California Privacy Law and Authentication Requirements", default passwords are no longer allowed.
New log maintaining strategy when log data size exceeds threshold
When the log data size exceeds the threshold, it takes some time to clear the old data in the backend, which may cause high CPU usage. The new log table design clears old data faster.
OSPF Stub Area support: summary stub and no-summary stub
FAD can be placed in a stub area so that it does not receive all routes from area 0.
- Removed Physical Topology page in FortiView
FortiView>Logic Topology page
Supports more filters, shows more information when you hover over a virtual server, etc.
FortiView>Virtual Server page
Shows all virtual servers by default; shows all real servers below when you click on a virtual server's row.
- Added a "Regex Test" tool on all configuration pages that include regex settings
FortiADC 5.3.0 offers the following new features:
IPS service will allow you to protect your virtual servers from the latest network intrusions by actively detecting and blocking external threats before they can reach potentially vulnerable devices. The combination of real-time threat intelligence updates and thousands of existing intrusion prevention rules delivers the industry’s best IPS protection.
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. FortiADC supports two layers of DDoS protection:
1. Networking DoS protection
The attacker sends a huge volume of large or incomplete IP fragmentation packets to the victim to exhaust the victim's resources. IP fragmentation protection limits the total IP fragmentation memory size to avoid memory exhaustion.
TCP SYN flood
By applying SYN cookies to all SYN packets once the threshold is exceeded, the system drops all the fake SYN packets sent to the virtual server.
TCP slow data flood
The attacker uses very slow traffic to consume all of the target server's resources, which is difficult to distinguish from normal traffic. This protection detects this type of attack by dynamically probing the client's zero window; if the zero window persists across several probes, FortiADC resets the connection on the server side.
2. Application DoS protection
HTTP access limit
Limits the number of HTTP requests per second from a given IP.
HTTP connection flood
Limits the number of TCP connections with the same session cookie.
HTTP request flood
Limits the number of HTTP requests per second with the same session cookie.
FortiADC web application firewalls provide advanced features that defend web applications from known and zero-day threats. FortiADC offers a complete security coverage for your web-based applications from the OWASP Top 10 and many other threats.
1. Signature DB enhancement
Enhances the WAF engine to scan packets more efficiently, also significantly increasing the detection rate.
2. New WAF signature wizard on GUI
Helps customers configure the WAF signature profile.
3. WAF Action enhancement
Besides deny and pass, supports two more actions for all WAF modules: Redirect and Block period.
4. CSRF protection
A cross-site request forgery (CSRF) is an attack that exploits the trust that a site has in a user's browser to transmit unauthorized commands.
To protect back-end servers from CSRF attacks, FortiADC maintains two lists:
- Web pages to protect against CSRF attacks (FortiADC inserts JavaScript into these pages)
- URLs found in the requests that those pages generate (token/cookie validation is performed on these requests)
5. Input validation
FortiADC provides advanced validation of input fields, including parameter validation, hidden field validation and file security. This function verifies user input from scan points such as URL parameters, HTML forms, hidden fields, and uploaded files. If the format isn't correct or other attacks are present, the request is blocked.
6. Brute force detection
FortiADC can prevent brute force login attacks. Brute force attackers attempt to penetrate systems by the sheer number of clients, attempts, or computational power, rather than by intelligent insight or advance knowledge of application logic or data.
7. Data loss protection
The data loss prevention (DLP) feature allows FortiADC to prevent information leaks, damage and loss.
It provides desensitization and warning measures for sensitive information leaks on websites (SSNs and credit card information) and for the leakage of sensitive keywords.
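As an added illustration of the desensitization idea described above (not FortiADC's own code), the following example masks SSNs and credit card numbers in a response body before it leaves the site, keeping only the last four digits and recording a finding for each masked value so an alert can be raised. The regular expressions, the Luhn check used to avoid masking ordinary 16-digit reference numbers, and the sample body are this example's own assumptions.

```python
import re

# Constructed sample response body (not real customer data). The order
# reference is 16 digits but fails the Luhn check, so it must be left alone.
SAMPLE_BODY = (
    "Customer SSN: 078-05-1120. Card: 4111 1111 1111 1111. "
    "Order ref: 1234 5678 9012 3456."
)

# US SSN: AAA-GG-SSSS with the structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def desensitize(body: str):
    """Mask SSNs and Luhn-valid card numbers in `body`.

    Returns (masked_body, findings) where findings is a list of
    (kind, last4) tuples; the full values are deliberately not recorded,
    so the warning log itself does not become a second leak."""
    findings = []

    def mask_ssn(m):
        value = m.group(0)
        findings.append(("ssn", value[-4:]))
        return "***-**-" + value[-4:]

    def mask_card(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # not a card number: leave the text untouched
        findings.append(("card", digits[-4:]))
        return "*" * (len(digits) - 4) + digits[-4:]

    masked = SSN_RE.sub(mask_ssn, body)
    masked = CARD_RE.sub(mask_card, masked)
    return masked, findings


if __name__ == "__main__":
    out, hits = desensitize(SAMPLE_BODY)
    print(out)
    for kind, last4 in hits:
        print(f"DLP warning: {kind} ending in {last4} was masked")
```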
8. Cookie Security
An HTTP cookie is a small piece of data sent from a website and stored on the client's computer. In some cases, it stores sensitive data, e.g. a password.
If the client sends out a request that FortiADC doesn't recognize, FortiADC takes the corresponding action (alert/deny/period-block/remove-cookie).
9. Page anti-defacement
The anti-defacement feature monitors your websites for defacement attacks. If it detects a change, it can automatically reverse the damage.
This feature monitors modifications to the pages specified by the customer; once a modification is considered abnormal, the specified action is triggered, such as "restore changed page," "send email," "acknowledge changed page," or "just record log."
10. Web scraping detection
FortiADC provides advanced access control for customers who want agility within their web application (specific IPs, files, connections).
FortiADC checks the HTTP Content-Type header and the response code; if the matching responses reach the occurrence limit and exceed the match percentage, the traffic is detected as web scraping.
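To make the two-part rule above concrete, here is an added example (not FortiADC's code) that runs the same kind of check over a constructed access-log excerpt: per client, it counts responses whose Content-Type and status code match the policy, and flags the client only when the count reaches the occurrence limit and the share of matching responses exceeds the match percentage. The log format, the policy values and the exact way the two thresholds are combined are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log excerpt (not real FortiADC log output):
# client-ip method path status content-type
SAMPLE_LOG = """\
203.0.113.9 GET /catalog/item/1 200 text/html
203.0.113.9 GET /catalog/item/2 200 text/html
203.0.113.9 GET /catalog/item/3 200 text/html;charset=utf-8
203.0.113.9 GET /catalog/item/4 200 text/html
203.0.113.9 GET /catalog/item/5 200 text/html
203.0.113.9 GET /catalog/item/6 200 text/html
203.0.113.9 GET /catalog/item/7 200 text/html
203.0.113.9 GET /catalog/item/8 200 text/html
203.0.113.9 GET /catalog/item/9 404 text/html
203.0.113.9 GET /robots.txt 200 text/plain
198.51.100.4 GET /catalog/item/1 200 text/html
198.51.100.4 GET /static/app.css 200 text/css
198.51.100.4 GET /static/app.js 200 application/javascript
198.51.100.4 GET /static/logo.png 200 image/png
198.51.100.4 GET /static/hero.jpg 200 image/jpeg
198.51.100.4 GET /catalog/item/2 200 text/html
198.51.100.4 GET /favicon.ico 200 image/x-icon
192.0.2.30 GET /catalog/item/3 200 text/html
192.0.2.30 GET /catalog/item/4 200 text/html
192.0.2.30 GET /catalog/item/5 200 text/html
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def detect_scrapers(log_text, content_types, response_codes,
                    occurrence_limit, match_percent):
    """Return {client_ip: (matches, total, percent)} for clients whose
    responses look like scraping.

    A response "matches" when its status is in response_codes and its
    media type (Content-Type without parameters) is in content_types.
    A client is flagged only when BOTH its match count reaches
    occurrence_limit AND matches/total exceeds match_percent; the
    occurrence limit keeps a handful of page views from being flagged."""
    totals = defaultdict(int)
    matches = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ip, _method, _path, status, ctype = m.groups()
        totals[ip] += 1
        media_type = ctype.split(";", 1)[0].lower()
        if int(status) in response_codes and media_type in content_types:
            matches[ip] += 1
    flagged = {}
    for ip, total in totals.items():
        pct = 100.0 * matches[ip] / total
        if matches[ip] >= occurrence_limit and pct > match_percent:
            flagged[ip] = (matches[ip], total, round(pct, 1))
    return flagged


if __name__ == "__main__":
    result = detect_scrapers(SAMPLE_LOG, {"text/html"}, {200}, 5, 60)
    for ip, (hits, total, pct) in result.items():
        print(f"web scraping suspected from {ip}: {hits}/{total} ({pct}%)")
```

A normal browser session is mostly CSS, JavaScript and images, so its HTML share stays low; the client that only pulls catalog pages is the one flagged.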
11. Web vulnerability scanner enhancement
URLs can now be added to the exception list.
Supports form-based login
Supports form-based login for web servers.
The FortiADC firewall now supports address books in policies.
Two-factor authentication is a type of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors. FortiADC can use a script to perform two-step verification with FortiToken and Google Authenticator.
Adds a more detailed report to each health check failure log, so the customer can quickly grasp why the health check failed and what happened on the real server.
Supports the CLI command "diagnose debug slb_hc_status" to show the health check status for all SLB pools.
The BYOL FortiADC images are now listed on the AWS/Azure/OCI cloud marketplaces, and customers can deploy them through these marketplaces.
Ansible is an automation platform that makes your applications and systems easy to deploy. FortiADC modules allow the customer to automatically initiate or manage the configuration on any kind of FortiADC device, including physical devices and VMs in a hypervisor or cloud.
Both encrypted and unencrypted private keys can be exported, which is necessary when the customer moves FortiADC-hosted HTTPS services.
Besides UDP-based syslog servers, FortiADC supports TCP and TCP-SSL based remote syslog servers, for customers who need the logs transported confidentially.
In some multiple-VDOM deployments, non-root VDOM administrators may need to send logs to the global syslog server in case of networking issues in their VDOM. This feature allows the global syslog server to be shared among all non-root VDOMs.
Shows the status of all LLB groups/members and GSLB hosts in a topology graph on FortiView.
FortiADC supports two new hardware models:
• FortiADC 300F
• FortiADC 400F
For more info on new hardware, please review the FortiADC Datasheet.
FortiADC 5.2.3 offers the following new features:
This option allows FortiADC to serve the request and send back the response even if the client closes the output channel.
In some cases, the client may close the output channel after sending out the request, but at the same time the client will be waiting for a response. If this option is disabled, FortiADC aborts and no longer serves the request once it receives notice that the client has closed the channel. This may cause clients to complain of failures.
In an SSL forward deployment, the second ADC (HTTP->HTTPS) may not forward any SNI to the backend real server, causing failures on some servers. With this feature, if the "SNI forward flag" in the server SSL profile is enabled, it forwards the host in the HTTP header as the SNI to the real server by default. If there is no host in the HTTP header, it forwards the ssl-sni setting as the SNI to the real server.
FortiADC 5.2.2 offers the following new features:
The memory restriction has been removed for all BYOL VMs on the AWS/GCP/Azure/OCI/Aliyun cloud platforms.
Supports the PROXY protocol for HTTP/HTTPS virtual servers, to pass original client information, such as the client IP address, to the backend proxies or servers.
See the PROXY protocol reference.
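The backend has to read the PROXY header before the HTTP request, and it must only trust that header from the load balancer's own addresses, since any direct client could otherwise claim an arbitrary source IP. As an added example (not FortiADC's code, and not taken from the PROXY protocol reference), the following parses the human-readable v1 header format and shows that trust check; the sample bytes and the trusted-address set are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed samples of what a backend reads when a v1 PROXY header is
# prepended: "PROXY <TCP4|TCP6|UNKNOWN> <src> <dst> <sport> <dport>\r\n"
# followed immediately by the original application bytes.
SAMPLE_TCP4 = (
    b"PROXY TCP4 203.0.113.7 10.0.0.5 51822 443\r\n"
    b"GET /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
)
SAMPLE_UNKNOWN = b"PROXY UNKNOWN\r\nGET / HTTP/1.1\r\n\r\n"

MAX_V1_HEADER = 107   # longest legal v1 line including CRLF (TCP6 case)


@dataclass
class ProxyInfo:
    family: str
    src_ip: Optional[str]
    dst_ip: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_proxy_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Parse a PROXY v1 header at the start of `data`.

    Returns (info, remaining_bytes). Raises ValueError on anything
    malformed so the caller can drop the connection instead of acting
    on a half-parsed client address."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0 or not data.startswith(b"PROXY "):
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        # Sender could not determine the client; no address may be trusted.
        return ProxyInfo("UNKNOWN", None, None, None, None), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad PROXY v1 field count or address family")
    version = 4 if fields[1] == "TCP4" else 6
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    except ValueError as exc:
        raise ValueError(f"bad address: {exc}") from None
    if src.version != version or dst.version != version:
        raise ValueError("address does not match declared family")
    if not all(re.fullmatch(r"[0-9]{1,5}", p) for p in fields[4:6]):
        raise ValueError("bad port syntax")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(fields[1], str(src), str(dst), sport, dport), rest


def header_is_valid(data: bytes) -> bool:
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


def client_ip_for(data: bytes, peer_ip: str, trusted_lbs) -> Tuple[str, bytes]:
    """Decide which address to treat as the client.

    Only a peer in `trusted_lbs` (the load balancers' addresses, an
    assumption of this example) may supply a PROXY header; from anyone
    else the bytes are left untouched and the TCP peer is the client."""
    if peer_ip not in trusted_lbs:
        return peer_ip, data
    info, rest = parse_proxy_v1(data)
    return (info.src_ip or peer_ip), rest
```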
FortiADC 5.2.1 offers the following new features:
The Fortinet Security Fabric delivers broad protection and visibility to every network segment, device, and appliance, whether virtual, in the cloud, or on-premises. After FortiADC is added to the Security Fabric, the Fabric shows real-time visibility of FortiADC, including Virtual Server status and various statistics.
The Web Cache Communication Protocol (WCCP) allows a server enabled for transparent redirection to discover, verify, and advertise connectivity to one or more web caches. You can configure FortiADC as a WCCP server to redirect HTTP/HTTPS VS traffic to a third-party device for caching or additional security inspection.
Allows the FortiADC DNS service to send zone notifications to slave servers, and to receive and process incoming zone transfer messages from slave servers.
Customers can provide a public IP address for the GLB-discovered virtual server address, which is necessary for deployments whose servers are behind NAT.
The RADIUS Change of Authorization (CoA), defined in RFC 5176, provides a mechanism to dynamically change the attributes of an AAA session after the user or device is authenticated. With this feature, FortiADC can process CoA messages from an external RADIUS server and send the traffic to the right dynamic authorization server through persistence.
A Certificate Revocation List Distribution Point (CRLDP) defines how to get a CRL file from a distribution point, which is an LDAP URI or an HTTP/HTTPS URL, to verify client certificates.
Collects statistics such as RPS, CPS, transaction latency, session duration, and throughput per virtual server/real server, and generates reports including these metrics.
Usually, if you enable traffic logging, there is a huge volume of traffic logs, and browsing or filtering them is far too slow. With this feature, the traffic log browser page has been redesigned to show and locate logs quickly.
FortiADC 5.2.0 offers the following new features:
Supports specific routing (schedule pool, persistence, method) by source address.
Prior to 5.2.0, all connections were cleared if an RS was detected to be exceeding the threshold; now, when an RS exceeds the threshold, its old connections are kept while no new connections are dispatched to it.
The ADFS Proxy is a service that brokers a connection between external users and internal ADFS servers, also called a Web Application Proxy (WAP). More and more ADFS deployments require the proxy to support MS-ADFSPIP (ADFS Proxy Integration Protocol), which involves client certificate authentication between proxy and ADFS, trust establishment, header injection, and more. FADC from 5.2.0 has support for MS-ADFSPIP.
- Supports NAT of the media server address
- Keeps the client address of UDP traffic for SIP servers
- Authentication event and operation
- Cookie encrypt/decrypt
- AES encrypt/decrypt
- crypto hash/sign/verify
- URL encode/decode/parse
- File operation
- Random generation
The "Server-Performance" method dynamically dispatches the DNS request to the server with the lowest CPU/memory usage.
JSON Schema provides a contract for what JSON data is required for a given application and how to interact with it. This feature supports the user uploading a JSON schema to validate JSON data, just like the XML validation that we had before.
It is now possible to upload a list of IPs or CIDRs to the IP reputation blacklist, and then block them by enabling "IP reputation" in the Application Profile for a VS.
New function to show/delete quarantined files on FortiADC via the GUI (Network Security -> Quarantine Monitor).
Now supports uploading and deploying VM images on these public cloud platforms; you can easily extend existing FortiADC services to the cloud.
In HA active-passive (AP) scenarios, the slave device becomes master if the master device goes down, but when the former master comes back there is another switchover (the former master takes the master role, and the current master, the former slave, switches back to slave). This second switchover is unnecessary and may impact traffic, so this enhancement avoids the switchover after the former master comes back.
Previously, in order to submit information to Help Support, the customer needed to gather files from different places; now, this debug enhancement automatically collects all necessary debug information into one file, making it easier to submit to Help Support.
FortiADCManager is a central management tool to manage all your FortiADC devices in your network, providing visibility and the ability to create/edit server load balance configurations for all FortiADC devices.
FortiADC 5.1.0 offers the following new features and enhancements:
Oracle Cloud Infrastructure Compute provides bare metal compute capacity that delivers performance, flexibility, and control without compromise. It is powered by Oracle’s next generation, internet-scale infrastructure designed to help you develop and run your most demanding applications and workloads in the cloud.
This release comes with the FortiADC image (BYOL) on Oracle OCI, which provides FortiADC's complete feature set, including but not limited to the following:
- L4/L7 SLB
- Global LB
- High Availability
- Web Application FW
- And more...
See the deployment guide for more information.
FortiADC Connector for Cisco ACI (Application Centric Infrastructure) is the Fortinet solution to provide seamless integration between Fortinet Application Delivery Controllers (FortiADC) deployments and the Cisco APIC (Application Policy Infrastructure Controller). This integration allows customers to perform single point of FortiADC configuration and Management operation through Cisco APIC.
See the release notes for more information.
Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage.
See the deployment guide for more information.
- Supports health check script for testing special/legacy application servers.
- Supports basic shell syntax: variables, if, else, case, while, for, functions, arrays, dictionaries, awk, etc.
- Supports common tools: curl, nslookup, netcat/nc, ping, ps, ip, iplink, telnet, traceroute, wc, etc.
- Health Check can now validate the functionality of Oracle databases.
- Supports Clone Pool which can be used for copying traffic (inbound/outbound) to a dedicated IDS or a sniffer device.
- Available on both Layer-4 and Layer-7 virtual servers (TCP, UDP, HTTP/HTTPS, etc.)
FortiADC now provides a UDP stateless mode, allowing you to load balance without attempting to match the packet to a pre-existing connection in the connection table. This feature is especially useful when load balancing syslog servers (FortiAnalyzer).
Provides an authentication validation option to verify that the configured credentials are correct and authentication succeeds.
Support for auto sync when new virtual servers are added.
- New predefined DEFAULT_DNS_SERVER to GLB server
- New predefined DEFAULT_DATA_CENTER to GLB datacenter
- New predefined DEFAULT_DNS_POLICY to Global DNS Policy
FortiADC now provides a wizard (three-step procedure) to create GLB configurations.
Supports a no-NAT option (usually when using the LLB/FWLB feature)
- Physical Topology
- GLB Data-Analytics
- New LLB Traffic Log
- HTTP Statistics Enhancements
- AV Reports and Statistics
FortiADC introduces a new WebUI theme and enhancements to FortiView, including new logs.
- Virtual Server design
- High Availability
The Web Application Vulnerability Scanner is an automated tool that performs black-box testing on web applications to look for security vulnerabilities, such as cross-site scripting, SQL injection, command injection, source code disclosure, and insecure server configuration.
FortiADC now supports a variety of web frameworks and mixed-technology sites, such as
- Automatic learning capabilities
- Including blind injection vectors
- Full Reporting on vulnerability risks
FortiADC AV now supports HTTP/HTTPS and SMTP scanning protection.
FortiADC now supports several basic decoders to parse HTTP body for Web Application Firewall. They include, but are not limited to the following:
- Chunked and Multipart Body Decoder
- Compress and decompress
- Base64 & unicode
FortiADC 5.0.2 offers the following new features and enhancements:
- Support for DUO Radius proxy.
- New console commands for aggregate interface LACP negotiation
- Allows the use of a user-selected listening port other than the default TCP port 5858 for the GLB server.
FortiADC 5.0.1 offers the following new features and enhancements:
- Clone Pool Traffic — Supports TCP and UDP traffic mirroring, allowing you to copy Layer-4 traffic to a dedicated IDS or a sniffer device. See Using clone pools.
- SCP support for configuration backup — Allows you to back up your configuration files via the SCP protocol. See SCP support for configuration backup.
- Password-protection for configuration backup — Enables you to protect your FortiADC configuration with a password. See Backing up and restoring configuration.
FortiADC 5.0.0 offers the following new features and enhancements:
- FortiSandbox integration—You can now use a file upload restriction policy to submit uploaded files to FortiSandbox for evaluation. If FortiSandbox identifies a file as a threat, FortiADC generates a corresponding attack log message and blocks further attempts to upload the file.
- Antivirus—FortiADC now supports the FortiSandbox's Malware Signature Database on all of its hardware platforms, except FortiADC 60F.
- Dynamic Dashboard—You can customize the Dashboard according to your preferences
- Create or edit a dashboard
- Add or remove Dashboard widgets
- FortiView enhancement—Adding new statistics for
- Server load balancing—Caching, Compression, and SSL
- Link load balancing
- Global load balancing
- Alert system enhancement—Allows configuring alert thresholds based on SLB (BW, Client RTT, or Connection) and Interface Avg. Bandwidth.
- Layer-4 virtual server tunnel—In tunnel mode, FortiADC encapsulates the packet within an IP datagram and forwards it to the chosen server.
- Diameter Load balancing SSL enhancement—FortiADC supports Diameter traffic over SSL (client SSL).
- Source Pool NAT in Layer 7—Now it’s possible to configure pool NAT when using Layer-7 virtual servers.
- Global load balancing authentication—Provides TCP-MD5SIG authentication verification between two or more FortiADC appliances working in global load balancing.
- UTILITY_FUNCTIONS_DEMO (updated)
- SOAP validation—Enhances FortiADC's WAF B2B features with SOAP message validation. It allows you to perform SOAP validation using a Web Services Description Language (WSDL) document.
- OCSP verification caching—Speeds up OCSP checking using OCSP caching. The first time a client accesses FortiADC or FortiADC accesses a real server, FortiADC queries the certificate's status using OCSP and caches the response.
- Dual certificates (RSA and ECDSA) support—Allows you to create certificate groups consisting of parallel RSA and ECDSA certificates to improve SSL performance
- Support SSL renegotiation—FortiADC now supports SSL renegotiation between client and server. It allows the use of the existing SSL connection when client authentication is required.
- Openstack integration—FortiADC provides load balancing services for OpenStack cloud applications. With Openstack integration, FortiADC is able to provide load balancing functionality and advanced application delivery services within OpenStack.
- NVGRE and VXLAN support—FortiADC can use overlay tunnels with virtual network NVGRE and VXLAN segments in either multicast (VXLAN) or unicast (NVGRE/VXLAN) mode.
- BGP Route Health Injection (RHI)—Advertises routes to virtual addresses based on the health status of the corresponding service
Below are the maximum numbers of files per minute that can be uploaded to FortiSandbox Cloud by FortiADC platform:
- FortiADC 60F/VM01 = 5 files per minute
- FortiADC 100-400/VM02 = 10 files per minute
- FortiADC 700D/VM04 = 20 files per minute
- FortiADC 1000-2000/VM08 = 50 files per minute
- FortiADC 4000 = 100 files per minute
FortiADC 4.8.4 is mainly a patch release, with the following feature enhancements:
- Support wildcard domain in GLB zone configuration.
- Support custom port mapping between VM and vCenter.
FortiADC 4.8.3 is a patch release only; no new feature or enhancement has been implemented in this release.
FortiADC 4.8.2 is a patch release only; no new feature or enhancement has been implemented in this release.
FortiView—provides real-time and historical traffic data from log devices by source, domain, destination, threat map, RTT, and application health check. You can filter the data by a variety of attributes, as well as by device and time period.
- Server load balance:
- Client and server RTT
- Performance (throughput, CPS, and requests)
- Health check
- Sessions and persistence
- Top locations, browsers, domains, and OSs
- Security (Web Application Firewall, GEO IP, IP Reputation, and DDoS):
- Threat map
- Top attacks, Geo IP sources, IP Reputation attacks
- System logs
- Traffic logs
- System alerts
Server load-balancing (SLB)
- Diameter Load-Balancing—offers the following features:
- Dispatch Diameter messages to multiple servers
- Server health monitoring and failover
- Session ID persistence and source address persistence
- Schedule Pool—supports a schedule pool that determines the times at which the system uses pool servers
- RADIUS persistence enhancement—supports AND/OR persistence relationships for multiple RADIUS attributes
- HTTP Content Rewrite enhancement:
- Supports adding/deleting user-defined HTTP headers
- Supports capture groups and back references in regular expressions for rewriting host, URL, referrer, and location
- HTTP to HTTPS redirection in one VS:
- Able to redirect users using only one virtual server
Global load-balancing (GLB)
- GLB protocol extends to work across all FortiADC versions.
- Two-factor authentication
- Supports admin access
- Two-factor authentication and validation using token by FortiAuthenticator
- RADIUS wildcard
- Allows wildcard admin user authentication on remote RADIUS and LDAP servers
New hardware platform
- FortiADC 200F
- New Alert System — Automatically generates email notification, SNMP traps, or Syslog entries on any critical event that occurs on FortiADC hardware or software modules
- Data Analytics — Supports security statistics (WAF, GEO-IP, IP-Reputation and DDoS) in real time
- Getting Started Wizard — Makes configuring FortiADC a breeze for first-time users
- Cisco ACI — Supports full Layer-4 service integration with Cisco Application Centric Infrastructure (ACI) via a RESTful API
Server Load Balance (SLB)
- LUA Script
- Supports HTTP body manipulation in HTTP request and response
- Allows multiple scripts in the same virtual server (VS)
- Optimizes your website to ensure that your clients receive a faster browsing experience by minimizing RTT and payload size and optimizing browser rendering
- Supports minifying CSS, JS, HTML and image optimizations
- HTTP/2.0 (Supports HTTP/2 Gateway)
- Converts from HTTP/2 (client side) to HTTP/1 (server side)
- HTTP multiplexing of transactions from client side to server
- SSL security with TLS v1.2
- OCSP Stapling — Supports Online Certificate Status Protocol (OCSP) stapling, an alternative approach to OCSP in which the certificate holder periodically requests the revocation status of server certificates from the OCSP servers and attaches the time-stamped response to the initial SSL/TLS handshake between client and server.
Web Application Firewall (WAF)
- XML & JSON Validation
- Supports XML & JSON validation and format check
- XML schema validation
- Supports XML & JSON XSS, SQLi and limit check
Global Load Balance (GLB)
- GLB authentication — Supports authentication between multiple FortiADC appliances across data centers
- FortiADC-VM License — Allows license validation without Internet connection (via proxy)
- DHCP — Support DHCP mode on data or management interfaces
New Hardware Platform
- FortiADC 60F (Note: No HSM or PageSpeed support. Available on July 1, 2017.)
FortiADC 4.7.3 is a patch release only; no new feature or enhancement has been implemented in this release.
FortiADC 4.7.2 offers the following new features or enhancements:
- Register HSM server in config file
- Save Client certificate and key to CMDB
- Upload HSM server certificate to FortiADC
- Add registered partition
- Generate CSR with HSM
- View certificate information on the GUI
- Feature configuration supported on both the CLI and the GUI
Support for new hardware models
- FortiADC 1000F
- FortiADC 2000F
- FortiADC 4000F
FortiADC 4.7.1 is a patch release which has fixed some known issues discovered in previous releases. No new features or enhancements have been implemented in this release.
For more information, refer to FortiADC 4.7.1 Release Notes.
- Network Map 2.0
- Includes SiteMap on link load balance (LLB) and global server load balance (GSLB) modules
- Real server global object
- Standalone real server objects
- Allows a single real server to be shared across multiple real server pools and virtual servers
- Configuration templates for Applications
- Supports SharePoint, Exchange, Windows Remote Desktop, IIS, and Apache
Server load balance (SLB)
- Supports Real-Time Messaging Protocol (RTMP) & Real-Time Streaming Protocol (RTSP)
- Layer 7 load-balancing
- Health check
- Supports MySQL
- Layer 7 load-balancing, user authentication, and persistence
- Health check
- MySQL rules
- Allows decompressed traffic from servers for Layer 7 manipulation (content rewrite), caching, and security (Web Application Firewall)
- Client SSL profile
- Provides advanced client SSL offloading parameters
- Supports LDAP authentication for Regular/Anonymous/LDAPS method
- Supports HTTP basic SSO with HTML Form Authentication/HTML Basic Authentication
High availability (HA)
- Supports HA sync traffic over aggregate ports
- Allows configuration from every device regardless of its HA status (backup vs. master)
- Separated management interface for each node in an HA cluster
- Allows retrieving a license on an HA active-passive slave
- Transparent mode
- Supports transparent mode installation (Layer 2 forwarding)
- Health check validation
- Allows testing a health check policy before binding it to a real server pool.
- Provides a list of predefined services (TCP, UDP, HTTP, and more)
- Allows matching an admin user to multiple VDOMs
- Adds a loopback interface in BGP/OSPF, defined as the router ID
- Attack logs aggregated by date and attack category
- Advanced filters in SLB logs
This is a patch release; no new features or enhancements are implemented. Refer to the Release Notes for detail.
OpenSSL Library Upgrade
The software OpenSSL library has been upgraded to OpenSSL-1.0.2 on FortiADC appliances shipped with the Cavium SSL card, which include the following hardware models:
- FortiADC 400D
- FortiADC 700D
- FortiADC 1500D
- FortiADC 2000D
- FortiADC 4000D
- Supports offloading TLS encryption from back-end SMTP servers
- Supports HTTP:rand_id() function for HTTP
Monitoring and Logs
- Statistics and information
- Search bar in VS and RS
- Backup server visibility
- Network map
- Three mode views
- Data analytics
DNS load-balancing, security, and caching
- Load-balance DNS traffic (queries and IP addresses) to DNS server
- Sanity check on DNS queries according to RFC 1034, 1035, and 2671
- DNS caching for answer records
Dynamic Load-balancing algorithm
- Dynamic LB based on server performance, such as CPU, memory and disk
Client certificate forwarding
- Sends client certificates to back-end server for authentication, without affecting SSL offloading
- Provides more information in case of syntax error
- Checks content routing for virtual servers
- Generates log message
- Import/export script files
Kerberos Authentication Relay
- Enables authentication between client and server
- Protects against eavesdropping and replay attacks
- Allows nodes communicating over a non-secure network to verify each other's identity in a secure manner
SSL/HTTP visibility (mirroring)
- FortiADC’s transparent IP, TCP/S and HTTP/S mirroring capabilities decrypt secure traffic for inspection and reporting by FortiGate or other third-party solutions
- IPv4/IPv6 support
Virtual server port enhancement
- Supports non-consecutive ports in port-range
- Allows Port 0 on TCP or UDP (to catch traffic on all ports)
Security Assertion Markup Language (SAML) 2.0
- Provides Service Provider (SP) configuration and metadata of the Identity Provider (IdP).
- Users can access all VS web resources after a single login until the session expires.
Enhanced Global Load Balancing (GLB) proximity methodology
- Static proximity (GEO, GEO-ISP) and dynamic proximity (RTT, Least Connections, Connection-Limit, Bytes-Per-Second)
- Static match first, dynamic match second
HTTP/S health check
- Adds Username-password Authentication into HTTP/S health check (basic, digest and NTLM)
- Allows choosing the SSL version/ciphers in the HTTPS health check
- Allows the Admin to control password length and string
- Supports VDOMs restrictions (performance and configuration)
- Able to limit performance (throughput, CPS, SSL, etc.) on each VDOM
- Allows users to download SNMP MIBs from the Web GUI
OpenSSL Library Upgrade
Software OpenSSL library has been upgraded to OpenSSL-1.0.2 on FortiADC appliances shipped with the Cavium SSL card, which include the following hardware models:
- FortiADC 400D
- FortiADC 700D
- FortiADC 1500D
- FortiADC 2000D
- FortiADC 4000D
Software OpenSSL library upgrade
- Software OpenSSL library has been upgraded to openssl-1.01s (the latest version) on all FortiADC platforms.
- It's fully functional on FortiADC software.
Enhanced certificate validation
- Support for multiple Online Certificate Status Protocol (OCSP) configurations.
- Support for multiple Certificate Revocation List (CRL) files.
"Description" field for child records in Geo IP Whitelist
- Allows the user to add a brief notation for each child record added to a parent record.
US-Government (USG) mode
- Allows the user to change the appliance from the default regular (REG) mode to USG mode via a special license key.
- Locks the FortiADC D-Series appliance to servers located within the US only.
- Speeds up compression of .PNG, .JPG, and .BMP image files. See
- Caching time definition based on HTTP status code (200/301/302/304)
Server Load Balancing
- SSL Health Check Client certificate selection using SSL Certification
- Support for SIPv6 traffic includes a new health check and virtual server profile
- URL Redirection based on server HTTP status code
High Availability (HA)
- HA-VRRP mode that supports floating IP, traffic group, and fail-over
Global Load Balancing
- Supports DNS SRV record
- Full BGP routing support
- Adds a "Description" field in GeoIP White List
- Support ECDSA SSL cipher suites. See Chapter 17: SSL Transactions.
- SSL certificate validation for server-side SSL connections. See Configuring real server SSL profiles.
- L2 exception list can specify FortiGuard web filter categories. See Creating a Web Filter Profile configuration.
Server Load Balancing
- SIP—Support for SIP traffic includes a new health check, virtual server profile, and persistence method. See Configuring health checks, Configuring Application profiles, and Configuring persistence rules.
- RDP—Support for RDP traffic includes a new virtual server profile and persistence method. See Configuring Application profiles and Configuring persistence rules.
- HTTP/HTTPS profile—HTTP mode option can be set to HTTP keepalive to support Microsoft SharePoint and other apps that require the session to be kept alive. See Configuring Application profiles.
- Caching—New dynamic caching rules. See Using caching features.
- Real server pool—Member default cookie name is now the real server name. You can change this to whatever you want. See Using real server pools.
- Scripting—Added predefined scripts that you can use as templates. See Using predefined scripts and commands.
Global Load Balancing
- Persistence—Option to enable persistence for specified hosts based on source address affinity. See .
- Dynamic proximity—Optional configuration for proximity based on least connections. See Configuring virtual server pools.
- Support for @ in zone records. See Configuring DNS zones.
- Zone records (including dynamic records) displayed on zone configuration page. See Configuring DNS zones.
- Bot Detection—Integrated with FortiGuard signatures to allow "good bots" and detect "bad bots." See Configuring a WAF Profile.
Monitoring and Logs
- Fast reports—Real-time statistics and reports for SLB traffic. See Configuring fast reports.
- Session tables and persistence tables—Dashboard tabs for SLB session tables and persistence tables. See Chapter 21: System Dashboard.
- Network map search—Dashboard network map now has search. See Chapter 21: System Dashboard.
- New health checks for SIP and custom SNMP. See Configuring health checks
- Config push/pull (not related to HA). See Pushing/pulling configurations.
- HA sync can be auto/manual. See Configuring HA settings.
- HA status includes details on synchronization. See Monitoring an HA cluster.
- SNMP community host configuration supports subnet address and restriction of hosts to query or trap (or both). See Configuring SNMP.
- Support STARTTLS in email alerts. See Configuring an SMTP mail server.
- Coredump utilities. See .
- Virtual machine (VM) images for Hyper-V, KVM, Citrix Xen, and opensource Xen. See the FortiADC-VM Install Guide for details.
Server Load Balancing
- New SSL forward proxy feature can be used to decrypt SSL traffic in segments where you do not have the server certificate and private key. See Chapter 17: SSL Transactions.
- New server-side SSL profiles, which have settings for the FortiADC-to-server connection. This enables you to specify different SSL version and cipher suites for the server-side connection than the ones specified for the client-side connection by the virtual server profile. See Configuring real server SSL profiles.
- Support for ECDHE ciphers, null ciphers, and user-specified cipher lists. See Chapter 17: SSL Transactions.
- You can now specify a list of SNAT IP address pools in the virtual server configuration. This enables you to use addresses associated with more than one outgoing interface. See Configuring virtual servers.
- Added a health check for UDP, and added hostname to the general settings configuration. In HTTP/HTTPS checks, you can specify hostname instead of destination IP address. See Configuring health checks.
- UDP profiles can now be used with Layer 2 virtual servers. See Configuring Application profiles.
- Server name added to real server pool member configuration. The name can be useful in logs. When you upgrade, the names will be generated from the pool member IP address. You can change that string to whatever you like. See Using real server pools.
- Added a comments setting to the virtual server configuration so you can note the purpose of a configuration. See Configuring virtual servers.
Link Load Balancing
- You can now specify ISP addresses, address groups, and service groups in LLB policies. Using groups adds Boolean OR logic within the elements of LLB rules. See Configuring link policies.
Global Load Balancing
- Added "dynamic proximity" to the server selection algorithm. Dynamic proximity is based on RTT. See .
- Added an option to send only a single record in responses instead of an ordered list of records. See Configuring hosts.
- Support for health checks of third-party servers. See Configuring servers.
- Support for TXT resource records. See Configuring DNS zones.
- You can now specify exceptions per WAF profile or per policy. Exceptions identify specific hosts or URL patterns that are not subject to processing by WAF rules. See Configuring a WAF Profile
- Additional WAF HTTP protocol constraint rules. See Configuring a WAF Profile.
Monitoring and Logs
- Added a Network Map tab to the dashboard. In the Network Map, each virtual server is a tree. The status of the virtual server and real server pool members is displayed. See Chapter 21: System Dashboard.
- Added on-demand and scheduled reports for many common queries. You can also configure custom queries. See Configuring reports.
- Added event log categories and added a column in logs to support future integration with FortiAnalyzer. Removed the Download Logs page. Each log category page now has a Download button. See Downloading logs.
- Enhanced SNMP MIBs and traps. See Appendix A: Fortinet MIBs for information on downloading the vendor-specific and product-specific MIB files.
- Shared Resources—Merged the address and service configuration for firewall and LLB. Added address groups and service groups, which can be used in LLB policy rules. See Chapter 11: Shared Resources.
- Routing—Support for OSPF authentication. See OSPF.
- HA—Added option to actively monitor remote beacon IP addresses to determine if the network path is available. See Configuring HA settings.
- System—Updated the web UI to match CLI configuration options for global administrator and access profile. See Manage administrator users.
- Web UI—Support for Simplified Chinese. See Configuring basic system settings.
- Troubleshooting—New commands: diagnose debug flow, diagnose debug report, diagnose debug timestamp, execute checklogdisk, execute fixlogdisk, and execute telnet (for connections to remote hosts). See the FortiADC CLI Reference.
- REST API—Remote configuration management with a REST API. See the FortiADC REST API Reference.
- Server Load Balancing Persistence—Added a Match Across Servers option to the Source Address affinity method. This option is useful when the client session for an application has connections over multiple ports (and thus multiple virtual servers). This option ensures the client continues to access the same backend server through different virtual servers for the duration of a session.
- Server Load Balancing TCP Multiplexing— Added support for HTTPS connections.
- Global Load Balancing DNS Server—The negative caching TTL in the SOA resource record is now configurable.
- Virtual domains—Increased the maximum number of VDOMs on the following platforms:
- FortiADC 700D — 30
- FortiADC 1500D — 45
- FortiADC 2000D — 60
- FortiADC 4000D — 90
- Health checks—Added an HTTP Connect health check that is useful for testing the availability of web cache proxies, such as FortiCache.
- ISP address book—Added a province location setting to the ISP address book. The province setting is used in GLB deployments in China to enable location awareness that is province-specific. For example, based on location, the DNS server can direct a user to a datacenter in Beijing or Guangdong rather than the broader location China. Only a predefined set of Chinese provinces is supported.
- Advanced routing—Exception list for reverse path route caching.
- Authentication—Framework to offload authentication from backend servers.
- Geo IP blocking—Policy that takes the action you specify when the virtual server receives requests from IP addresses in the blocked country’s IP address space.
- Web application firewall—Protect against application layer attacks with policies such as signatures, HTTP protocol constraints, request URL and file extension patterns, and SQL/XSS injection detection.
- Scripts—Support for Lua scripts to perform actions that are not currently supported by the built-in feature set.
- SSL/TLS—Support for PFS ciphers.
- Health check improvements—The SLB and LLB health check configuration has been combined and moved to System > Shared Resources. You can configure destination IP addresses for health checks. This enables you to test both the destination server and any related services that must be up for the server to be deemed available. Also added support for Layer 2 and SSH health checks.
- Port range—Support for virtual IP address with a large number of virtual ports.
- NAT46/64—Support for NAT46/64 by the SLB module.
- ISP address book—Framework for an ISP address book that simplifies the ISP route and LLB proximity route configuration.
- Proximity routes—Support for using ISP address book entries in the LLB proximity route table.
- Backup pool member—Support for designating a link group or virtual tunnel group member as a “backup” that joins the pool when all of the main members are unavailable.
- Global load balancing—New framework that leverages the FortiGuard Geolocation database or the FortiADC predefined ISP address books to direct clients to the closest available FortiADC virtual servers.
- Stateful firewall—If client-to-server traffic is allowed, the session is maintained in a state table, and the response traffic is allowed.
- Virtual server traffic—Many of the firewall module features can be applied to virtual server traffic.
- ISP Routes—ISP routes are used for outbound traffic and link load balancing traffic.
- HA upgrade—Simpler one-to-many upgrade from the primary node.
- HA status—HA status tab on the system dashboard.
- HA remote login—You can use the execute ha manage command to connect to the command-line interface of a member node. See the CLI reference.
- SNMPv3 support
- Statistics and log database to better support dashboard and report queries.
- Improved dashboard—New time period options for the virtual server throughput graphs.
- Improved reports—New report queries for SLB HTTP virtual server reports, including client IP address, client browser type, client OS, and destination URL.
- Backup & restore—Option to back up the entire configuration, including error page files, script files, and ISP address books.
New CLI commands to facilitate troubleshooting:
diagnose debug config-error-log—Use this command to see debug errors that might be generated after an upgrade or major configuration change.
diagnose debug crashlog—Use this command to manage crashlog files. Typically, you use these commands to gather information for Fortinet Services & Support.
execute statistics-db—Use this command to reset or restore traffic statistics.
config system setting—Use this command to configure log database behavior (overwrite or stop writing) when disk utilization reaches its capacity.
For details, see the CLI reference.
- HTTPS and TCPS Profiles—Support for SHA-256 ciphers suites.
- Content rewriting—Support for PCRE capture and back reference to write the Location URL in redirect rules.
- Web UI—You can clone configuration objects to quickly create similar configuration objects. If a configuration object can be cloned, the copy icon appears in the tools column for its summary configuration page.
- Web UI—You can sort many of the configuration summary tables by column values. If a configuration summary table can be sorted, it includes sort arrows in the column headings. For example, the Server Load Balance > Virtual Server configuration summary page can be sorted by Availability, Status, Real Server pool, and so on. You can also sort the Dashboard > Virtual Server > Real Server list by column values, for example, by Availability, Status, Total Sessions, or throughput bytes.
Bug fixes only.
- New web UI
- New log subtypes
- New dashboard and report features
- Additional load balancing methods—Support for new methods based on a hash of a full URI, domain name, hostname, or destination IP address.
- Predefined health checks—Helps you get started with your deployment.
- Predefined persistence rules—Helps you get started with your deployment.
- HTTP Turbo profile—Improves the performance of HTTP applications that do not require our optional profile features.
- Layer 2 load balancing—Support for TCP profiles.
- Granular SSL configuration—Specify the SSL/TLS versions and encryption algorithms per profile.
- Connection rate limiting—Set a connection rate limit per real server or per virtual server.
- HTTP transaction rate limiting—Set a rate limit on HTTP transactions per virtual server.
- Additional link load balancing methods—Support for new methods in link groups, including spillover and hash of the source IP address.
- Global load balancing—A new implementation of our DNS-based solution that enables you to deploy redundant resources around the globe that you can leverage to keep your business online when a local area deployment experiences unexpected spikes or downtime.
- HA active-active clustering—Support for active-active clusters.
- Administrator authentication enhancements—Support for authenticating users against LDAP and RADIUS servers.
- Multinetting—You can configure a secondary IP address for a network interface when necessary to support deployments with backend servers that belong to different subnets.
- High speed logging—Supports deployments that require a high volume of logging activity.
- Packet Capture—Support for tcpdump.
No design changes. Bug fixes only.
No design changes. Bug fixes only.
No design changes. Bug fixes only.
- VDOMs—Virtual domains (VDOMs) allow you to divide a FortiADC into two or more virtual units that are configured and function independently. The administrator for each virtual domain can view and manage the configuration for his or her domain. The admin administrator has access to all virtual domain configurations.
- Caching – A RAM cache is a cache of HTTP objects stored in FortiADC's system RAM that are reused by subsequent HTTP transactions to reduce the amount of load on the backend servers.
- IP Reputation—You can now block source IP addresses that have a poor reputation using data from the FortiGuard IP Reputation Service.
- Layer 2 server load balancing—FortiADC can now load balance Layer 3 routers, gateways or firewalls. This feature is useful when the request’s destination IP is unknown and you need to load balance connections between multiple next-hop gateways. Supports HTTP, HTTPS and TCPS client-side connection profiles only.
- Open Shortest Path First (OSPF) support—The new OSPF feature allows FortiADC to learn dynamic routes from or redistribute routes to neighboring routers.
- HTTPS profile type for virtual servers—The HTTPS profile type provides a standalone HTTPS client-side connection profile.
- Consistent Hash IP – The persistence policy type Hash IP has changed to Consistent Hash IP. Consistent hashing allows FortiADC to achieve session persistence more efficiently than traditional hashing.
- Enhanced logs
- Link routing policies—You can now specify how FortiADC routes traffic for each available ISP link, including by source or destination address and port.
- Virtual tunnels—You can now use tunneling between two FortiADC appliances to balance traffic across multiple links to each appliance. A typical scenario is a VPN between a branch office and headquarters for application-specific access.
- Persistent routing—You can now configure connections that persist regardless of the FortiADC link load balancing activity. You can configure persistence based on source IP, destination IP, and subnet.
- Proximity-based routing—Maximize WAN efficiency by using link proximity to determine latency between FortiADC and remote WAN sites so that FortiADC can choose the best route for traffic.
- Scheduled link load balancing—You can now apply a link load balancing policy during a specific time period.
- One-to-one (1-to-1) NAT—You can now fully define how each individual source and destination IP address will be translated. This feature is useful when you require a different NAT range for each ISP.
- PPPoE interface support—To support DSL connectivity, you can now configure interfaces to use PPPoE (Point-to-Point Protocol over Ethernet) to automatically retrieve its IP address configuration.
- Custom error page—You can now upload a custom error page to FortiADC that it can use to respond to clients when HTTP service is unavailable.
- Full NAT for Layer 3/4 load balancing—Layer 3/4 load balancing now supports full NAT (translation of both source and destination IP addresses). FortiADC can now round robin among a pool of source IP addresses for its connections to backend servers.
- Standby server—You can now configure FortiADC to forward traffic to a hot standby (called a Backup Server) when all other servers in the pool are unavailable.
- Log cache memory—To avoid hard disk wear and tear, FortiADC can cache logs in memory and then periodically write them to disk in bulk. Previously, FortiADC always wrote each log message to disk instantaneously.
- HA sync for health check status with IPv6—For high availability FortiADC clusters, the Layer 4 health check status of IPv6-enabled virtual servers is now synchronized.
- Link load balancing—FortiADC now supports load balancing among its links, in addition to distributing among local and globally distributed servers. Depending on if the traffic is inbound or outbound, different mechanisms are available: outbound can use weighted round robin; inbound can use DNS-based round robin or weighted round robin.
- HTTP response compression—FortiADC now can compress responses from your backend servers, allowing you to off load compression from your backend servers for performance tuning that delivers faster replies to clients.
- Quality of service (QoS)—FortiADC now can guarantee bandwidth and queue based upon source/destination address, direction, and network service.
- Source NAT (SNAT)—When applying NAT, FortiADC can now apply either static or dynamic source NAT, depending on your preference.
- Session persistence by source IP segment—FortiADC now can apply session persistence for entire segments of source IPs such as 10.0.2.0/24. Previously, session persistence applied to a single source IP.
- Health check enhancements—FortiADC now supports additional health check types for servers that respond to these protocols: email (SMTP, POP3, IMAP), TCPS, TCP SYN (half-open connection), SNMP, and UDP.
- HA enhancements—FortiADC HA now synchronizes Layer 3/4 and Layer 7 sessions and connections for session persistence and uninterrupted connections when the standby assumes control of traffic.
- Support for FortiADC 200D and FortiADC VM—FortiADC software has been released to support these new platforms.