Chapter 1: What’s New
This chapter lists features and enhancements introduced in each of the FortiADC releases.
Support for large file AV scanning for HTTP/HTTPS VS
A new option enables AV scanning of large files, such as files as big as 6 GB.
Advanced character normalization for WAF
FortiADC now supports more character encodings for WAF protection:
Double Encoding/multiple Encoding
Useless embedded characters
OWASP Top 10 monitor
A new log and statistics page has been added in FortiView for OWASP Top 10, including the OWASP Top 10 threats widget in the dashboard and the OWASP Top 10 monitor page.
SR-IOV support for KVM/VMware ESXi platform
Single Root I/O virtualization (SR-IOV) provides VMs with direct access to physical Network Interface Cards (NIC). Enabling SR-IOV reduces latency and improves CPU efficiency by allowing network traffic to pass directly between a FortiADC-VM and a physical network card.
To enable the SR-IOV feature, do the following:
Enable VT-d, IOMMU and SR-IOV in the BIOS.
If using ESXi, upgrade the VM compatibility to ESXi 6.7 or later.
Enable the SR-IOV function on the ESXi host.
Deploy FortiADC-VM with SR-IOV and add vNIC to the VM in SR-IOV Mode.
Check the Reserve all guest memory (All locked) checkbox in the VM Memory settings.
The VMware website has more details for how to configure VM support for SR-IOV:
New platform 120F support
FortiADC 6.2.1 now supports the FortiADC 120F platform. For more information, please refer to the latest FortiADC datasheet.
OAuth 2.0 support
Open Authorization (OAuth) 2.0 is an authorization framework that enables applications to obtain limited access to HTTP services on behalf of a user. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2.0 provides authorization flows for web and desktop applications, and mobile devices.
FortiADC supports only OAuth 2.0, the most widely used form of OAuth. There is no backward compatibility between OAuth 1.0 and OAuth 2.0; their specifications are so different that they cannot be used together.
CAMELLIA Encryption Algorithm
New SSL ciphers have been added in the Client SSL profile and Server SSL profile:
New scripts to support WAF events and commands
A new set of Lua scripts has been added to manage WAF-related events and actions. These scripts support functionality that includes enabling/disabling the WAF function, watching for an event when the WAF scan starts or an attack is detected, and other custom actions.
Health check monitoring with continuous mode
The health check monitoring functionality has been enhanced to allow more settings for the check and to display more information about the check results.
The following enhancements have been made for the WAF:
Brute force protection support for offloading authentication
Cookie security support for cookies generated by FortiADC
Web Vulnerability Scanner integration with third-party report
FortiADC now supports integration with third-party vendor scanner reports, including FortiWeb, Acunetix, IBM AppScan, WhiteHat, HP WebInspect, QualysGuard, Telefonica FAAST, and ImmuniWeb reports.
Web Vulnerability Scanner auto policy
You can now generate WAF policies based on FortiADC scan reports or third-party integrated reports. Users can modify the policy as needed and submit it to the virtual server to apply directly.
New platform 220F support
FortiADC 6.2.1 now supports the FortiADC 220F platform. For more information, please refer to the latest FortiADC datasheet.
Trust IP list to limit the access to management service for the interface
Currently, FortiADC supports allowaccess to allow/deny access to the interface management service. With the new Trust IP list feature, you have more granular control over which IP addresses may be granted access to the interface management service.
HA pair on Azure using ARM templates
FortiADC is introducing a solution for HA on Azure that can eliminate the issue caused by time-consuming IP transfers in the event of HA failovers. Please refer to the new Azure deployment guide for the new HA setup on Azure.
Transfer files between HA devices
Use the new CLI command execute ha force transfer-file <file-name> <node-id> to sync files between HA devices. This can be used, for example, to retrieve debug files located on the backup device from the master when the backup device is not directly accessible.
Pre-login banner support for WebUI, Console and SSH login
You can now customize the banner messages shown prior to login through the WebUI, console, and SSH.
New VM subscription license
Two new SKUs for the VM subscription license have been added: the Standard Bundle and the Advanced Bundle license.
VDOM link for inter-VDOM traffic
FortiADC now supports inter-VDOM routing setups that allow traffic to be sent between VDOMs without the additional physical interfaces that were previously required for multiple-VDOM setups. At this time, inter-VDOM routing is only available for these classic scenarios: static route, PBR, L4 SLB, L7 SLB, and NAT. It is currently not supported in IPv6-related configurations.
Factory reset command enhancement to keep VDOM, interface, and static route settings
Currently, performing a factory reset clears all settings on the device entirely, which may not be ideal for users who need to keep basic networking settings. For this, FortiADC has added an alternative factory reset command that clears all configuration but keeps the VDOM, interface, and static route settings.
Support for the -f option when grepping CLI output
You can now filter CLI configuration output for a string:
# show full-configuration | grep -f 10.0.0.1
This shows all entries containing the IP address 10.0.0.1.
Redesign of the select checkbox for all tables
The select checkbox column has been removed from all tables. Now you can make a selection by clicking the row, or press Ctrl+Shift to select multiple rows.
New Application Profile Type for L7
FortiADC now supports TCP/UDP profiles for L7 with the new application profile types L7 TCP and L7 UDP. The existing TCP/UDP application profile types now apply to L4 only.
SAP HTTP/HTTPS filter
FortiADC now supports HTTP/HTTPS filters for SAP systems. The new filters can be used with or without an AS virtual host.
In the SAP Connector configuration, you can enter an IP address, FQDN, or hostname for the server. If a hostname is used, the DNS suffix (the DNS name of the SAP system) is required.
Azure cloud-init custom data
Cloud-init is supported by FortiADC on the Azure platform. A BYOL license and FortiADC CLI commands can be specified in the custom data so that the FortiADC-VM is deployed with a preset configuration.
Automation Stitches can be used to automate certain actions in response to certain triggers. This includes sending alert emails in response to specific events, and allows far more granular log-based alerting than the Alert Emails configured under Log & Report.
Each Automation stitch pairs an event trigger with one or more actions, which allows you to monitor your network and take appropriate action when the Security Fabric detects a threat. You can use Automation stitches to detect events from any source in the Security Fabric and apply actions to any destination.
For example, you can create the following Automation stitches:
Ban a compromised host’s IP address on FortiGate
Increase Server Capacity due to High Latency/Load
Increase Server Security during Web Attack
There are CLI changes relating to Automation. See "What's New" in FortiADC CLI Reference.
Matched part displayed in WAF logs
A matched part is added to WAF logs to indicate which part of the HTTP request/response triggered the WAF event. This helps identify the details of the attack.
New hardware platforms
FortiADC 1200F, 2200F, and 4200F are introduced in 6.1.1.
For more information, see the FortiADC datasheets.
Server Load Balance
Next-hop routing for health check on L4 VS Direct Route mode
In L4 VS Direct Route deployment, you can set the VS IP on the loopback interface of real servers and publish the service on this IP.
In this mode, the service state on the real server (the loopback interface IP) cannot be detected directly. The health check request can now be forwarded to the real server as the next hop, with the VS IP as the destination IP. The real server replies to the request via routing, just as it responds to client requests.
Persisting new sessions to real servers in maintain mode
Normally, when a real server is set to maintain mode, all new sessions are routed to other active real servers, which may cause re-authentication in some deployments.
To solve this issue, an option is added to source address persistence. It allows new sessions to be persisted to the real server even when it is set to maintain mode.
L7 TCP/UDP VS Lua script
Lua scripts are now supported for L7 VS types other than HTTP VS, so that actions not currently covered by built-in features can be performed. For example, you can use a script to manipulate requests/responses for RADIUS, ISO 8583, etc.
For more information, see FortiADC Script Reference Guide.
The following enhancements are made in GUI:
SSL proxy statistics graphs are moved from Dashboard to FortiView (SSL proxy mode)
Password policy is displayed when admin password is created or edited.
New design for the interface page to show interface status/availability.
Server Load Balance
- The default down retry value has been changed from 1 attempt to 3 attempts, allowing for more tries before determining the server status to be down. The default interval time has been changed from 10 seconds to 5 seconds, and the default timeout has been changed from 5 seconds to 3 seconds.
Interface GUI enhancement
- Interface information is displayed when hovering over the port column.
- Port status is now shown as Enabled/Disabled, and Up/Down is used only for the link state under availability.
- Remove some columns to make the interface page more concise.
Sensitive language modifications
- blacklist/whitelist changed to blocklist/allowlist
- Master/Slave changed to primary/secondary
Server Load Balance
Kubernetes Connector (Ingress controller)
The FortiADC Kubernetes connector is a built-in FortiADC connector that syncs Kubernetes objects (service, node, pod) and updates the VS automatically.
Note: The K8s connector currently works with K8s Service API version 1 only. Support is not guaranteed for later versions.
MSSQL load balance
Supports load balancing for MSSQL servers in the scenario where one primary replica and multiple secondary replicas are used. FortiADC forwards read SQL requests (e.g. “select”) to the secondary servers and write requests to the primary server.
NTLM is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. This authentication mechanism allows clients to access resources using their Windows credentials, and is typically used within corporate environments to provide single sign-on functionality to intranet sites.
HTTP Form based authentication with FortiToken cloud
FortiToken Cloud offers two-factor authentication as a service to Fortinet customers. This feature supports authentication with FortiToken Cloud for HTTP virtual server access.
Error page enhancement
Supports more status codes for the error page (in addition to 502), so the error page can now be used for any error.
Updated TLS 1.3 cipher list, with additional configuration checks for TLS 1.3 settings
Keep client address for L7 DNS virtual server
In some deployments, the backend real server requires the original client address for security/audit reasons. This feature keeps the client address unchanged when forwarding the DNS request to the real server.
CAPTCHA action support for WAF and DDoS
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a type of challenge–response test used to distinguish human from machine input, typically as a way of thwarting spam and automated extraction of data from websites. It is now available as an action in the WAF and DDoS modules.
API security gateway
The feature provides an API gateway for backend API services. It applies essential checks to API requests, such as user authentication, rate limiting, source IP limiting, request method/header limiting, and header attaching, to mitigate attacks on backend API services.
HTTP headers security
Some HTTP headers are designed to provide an additional layer of security that mitigates web attacks and security vulnerabilities. This feature allows FortiADC to attach these HTTP security headers while forwarding HTTP traffic. The supported headers are Content-Security-Policy, X-XSS-Protection, Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options.
Support X-HTTP-Method-Override in Request Method Rule
Some attacks use a trusted HTTP method such as GET or POST but add HTTP headers such as X-HTTP-Method, X-HTTP-Method-Override, or X-Method-Override to bypass the HTTP method restriction rules applied by FortiADC. This feature makes FortiADC check these headers when evaluating HTTP method rules, preventing such bypasses.
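The check described above, as an added example that is not FortiADC code: a method rule that resolves the request's effective method through the three override headers named here before comparing it with the allowed set, shown beside the naive rule that inspects only the request line. The allowed set and the sample requests are constructed for the example.

```python
"""Added example (not FortiADC code): evaluate an HTTP method rule against the
method a backend framework would actually execute, taking the override headers
named in the release note into account."""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Override headers honoured by many web frameworks; header names are matched
# case-insensitively, as HTTP requires. The first one present wins.
OVERRIDE_HEADERS = ("x-http-method", "x-http-method-override", "x-method-override")


def effective_method(method: str, headers: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (method the backend will act on, name of the header that changed it).

    Without an override header the result is the request-line method itself.
    """
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    for name in OVERRIDE_HEADERS:
        value = lowered.get(name)
        if value:
            return value.upper(), name
    return method.upper(), None


def method_rule_allows(method: str, headers: Dict[str, str],
                       allowed: FrozenSet[str], check_override: bool = True) -> bool:
    """Apply an allow-list method rule.

    check_override=False models the naive rule that inspects only the request
    line; check_override=True models the hardened rule from the release note.
    """
    if check_override:
        judged, _ = effective_method(method, headers)
    else:
        judged = method.upper()
    return judged in allowed


# Constructed sample requests (method, headers) for a rule that allows GET/POST.
SAMPLE_REQUESTS: List[Tuple[str, Dict[str, str]]] = [
    ("GET", {"Host": "app.example.test"}),
    ("DELETE", {"Host": "app.example.test"}),
    ("GET", {"Host": "app.example.test", "X-HTTP-Method-Override": "DELETE"}),
    ("POST", {"Host": "app.example.test", "x-method-override": "PUT"}),
]
ALLOWED = frozenset({"GET", "POST"})


def evaluate(requests=SAMPLE_REQUESTS, allowed=ALLOWED) -> List[Tuple[str, bool, bool]]:
    """For each request: (effective method, naive verdict, hardened verdict)."""
    results = []
    for method, headers in requests:
        judged, _ = effective_method(method, headers)
        naive = method_rule_allows(method, headers, allowed, check_override=False)
        hardened = method_rule_allows(method, headers, allowed)
        results.append((judged, naive, hardened))
    return results


if __name__ == "__main__":
    for (method, headers), (judged, naive, hardened) in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{method:6} -> {judged:6} naive={'allow' if naive else 'deny':5} "
              f"hardened={'allow' if hardened else 'deny'}")
```

The third and fourth sample requests pass the naive rule and are denied by the hardened one; the first two are judged identically by both.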
The new Security Fabric integrates internal and external security connectors, including Central Manager, FortiSandbox, and FortiGSLB.
FortiADC offers external connectors for 3rd party applications.
The following external connector categories are available in the Security Fabric: Private SDN and Authentication.
The Splunk App is an application that runs on the Splunk platform to analyze and display information from the collected log data.
For FortiADC, customers configure the Splunk Connector to point to the Splunk server and then view the customized graphs in the Splunk App.
FortiToken Cloud support for administrator
FortiADC now supports FortiToken Cloud as two-factor authentication for administrator login.
Add Secure flag when using HTTPS to access FortiADC to avoid cookie leaking
Setting the Secure flag on the authentication cookie in HTTPS responses prevents it from being sent over HTTP connections. An https-redirect option, enabled by default, has been added to redirect all HTTP connections to HTTPS.
HA MAC address changes to management interface MAC
Customers can configure a different virtual MAC for the HA interface, which previously could cause MAC address issues on the peer switch. To avoid these issues, FortiADC now reuses the MAC of the physical interface.
- Upgrade FortiGuard authentication method to be more secure
- New FortiGate-like theme
More cohesive information in FortiView
Shows all statistics of a virtual server's real servers in one form.
Shows the values for each real server of each virtual server as figures rather than as a graph.
WAF pages enhancement
WAF profile and signature pages redesign
Server Load Balance
Configure real server by FQDN
In some customer deployments, the real servers (RS) change their IP address due to autoscaling, upgrades, etc., which requires the RS IP settings in the RS pool to be changed accordingly.
This feature supports configuring an FQDN for a real server. FAD queries the DNS server periodically, and when the IP address changes, it automatically resolves the new IP address for the real server.
Customizable authentication form for Form Based Authentication
Beyond the default authentication form, customers can also upload a user-defined login page for all the form-based authentications. Customers are able to define their own authentication portal.
Manage HTTP persistence via script
Customers can define any persistence rule for distributing traffic to real servers via Lua script, no longer limited to the configurable persistence types.
New script commands have been added to set/read/dump persistence rules, together with the new events PERSISTENCE and POST_PERSIST.
Please refer to the latest script guide for an example.
HTTP 1.1 health check and user defined HTTP header fields
Customers can select HTTP version 1.0 or 1.1 for HTTP/HTTPS health checks and also send additional strings in HTTP headers.
LDAP health check
Support for detecting LDAP server health status.
More data type checks in input validation
Supports a regex type for parameter validation rules in addition to the existing length check.
Adds predefined data types to choose from, including US ZIP code, US SSN, etc.
Allows customers to import OpenAPI documents (YAML or JSON format) to validate HTTP requests, including server validation, path validation, parameter validation, cookie validation, and request body validation.
Enhance search engine crawler in bot detection
Supports a bypass option for well-known search engines; access by these search engines is not logged as events.
Updated the search engine list, including Ask, Sogou, and TikTok.
OWASP-top10 Wizard policy
Create an OWASP-top-10 policy with a few clicks.
More information included in WAF log
Provides more detailed information about the attack event in the log, including a signature example, defense suggestions, etc.
- Firewall traffic logging support
OCSP configuration enhancement
OCSP configuration GUI redesign streamlines OCSP setup process.
- Support SafeNet Luna Network HSM 7
New platform 5000F
The high-end FADC 5000F platform is released with 5.4.0. This 2U platform has 4 x 100G and 8 x 40G ports and offers high performance for the data center (L4 up to 250 Gbps, L7 HTTP up to 220 Gbps, SSL offloading up to 120 Gbps). It supports 40G port breakout, splitting a 40G port into 4 separate 10G ports.
Please refer to the latest datasheet for more information.
Cloud-init scripts support on AWS and VMware/KVM
Cloud-init is the industry-standard start-up agent installed on virtual machines to facilitate cloud deployments. It speeds up the initialization of your FAD instance by passing user data such as SSH keys and bash scripts.
- Cloud templates and autoscaling solution on AWS
Force default password change upon first-time login
In accordance with “California Privacy Law and Authentication Requirements", default passwords are no longer allowed.
New log maintaining strategy when log data size exceeds threshold
When the log data size exceeds the threshold, clearing old data in the backend takes some time and may cause high CPU usage. The new log table design clears old data faster.
OSPF Stub Area support: summary stub and no-summary stub
FAD can be placed in a stub area so that it does not receive all routes from area 0.
- Removed Physical Topology page in FortiView
FortiView > Logical Topology page
Supports more filters, shows more information when you hover over a virtual server, etc.
FortiView > Virtual Server page
Shows all virtual servers by default; shows the real servers below when you click a virtual server's row.
- Added "Regex Test" tool on all configuration pages, which includes regex settings
Intrusion Prevention System (IPS) protection (Powered by FortiGuard)
The IPS service allows you to protect your virtual servers from the latest network intrusions by actively detecting and blocking external threats before they can reach potentially vulnerable devices. The combination of real-time threat intelligence updates and thousands of existing intrusion prevention rules delivers the industry’s best IPS protection.
Application and Networking DDoS Protection
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. FortiADC supports two layers of DDoS protection:
1. Networking DoS protection
The attacker sends a huge volume of large or incomplete IP fragments to the victim to exhaust the victim’s resources. IP fragmentation protection limits the total memory used for IP fragment reassembly to avoid memory exhaustion.
TCP SYN flood
By applying SYN cookies to all SYN packets once the threshold is exceeded, the system drops all spoofed SYN packets sent to the virtual server.
TCP slow data flood
The attacker uses very slow traffic to consume all of the target server’s resources, which is difficult to distinguish from normal traffic. This protection detects the attack by dynamically probing the client's zero window; if the zero-window condition persists through several probes, FortiADC resets the connection on the server side.
2. Application DoS protection
HTTP access limit
Limits the number of HTTP requests per second from a given IP.
HTTP connection flood
Limits the number of TCP connections with the same session cookie.
HTTP request flood
Limits the number of HTTP requests per second with the same session cookie.
Web Application Firewall
FortiADC web application firewalls provide advanced features that defend web applications from known and zero-day threats. FortiADC offers complete security coverage for your web-based applications against the OWASP Top 10 and many other threats.
1. Signature DB enhancement
Enhances the WAF engine to scan packets more efficiently and significantly increases the detection rate.
2. New WAF signature wizard on GUI
Helps customers configure the WAF signature profile.
3. WAF Action enhancement
Besides Deny and Pass, two more actions are supported for all WAF modules: Redirect and Block Period.
4. CSRF protection
A cross-site request forgery (CSRF) is an attack that exploits the trust that a site has in a user's browser to transmit unauthorized commands.
To protect back-end servers from CSRF attacks, FortiADC has two lists:
- Web pages to protect against CSRF attacks – where the JavaScript is inserted
- URLs found in the requests that the pages generate – where the token/cookie is validated
5. Input validation
FortiADC provides advanced validation of input fields, including parameter validation, hidden field validation and file security. This function verifies user input at scan points such as URL parameters, HTML forms, hidden fields, and uploaded files. If the format is incorrect or other attacks are present, the request is blocked.
6. Brute force detection
FortiADC can prevent brute force login attacks. Brute force attackers attempt to penetrate systems by the sheer number of clients, attempts, or computational power, rather than by intelligent insight or advanced knowledge of application logic or data.
7. Data loss protection
The data loss prevention (DLP) feature allows FortiADC to prevent information leaks, damages and loss.
It provides desensitization and warning measures for leaks of sensitive information on websites (SSNs and credit card information) and for the leakage of sensitive keywords.
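The desensitization step described above, as an added example that is not FortiADC code: a response-body filter that masks credit card numbers (validated with the Luhn checksum so that other digit runs survive) and US SSNs, keeping only the last four digits. The patterns, masking style and sample body are constructed for the example.

```python
"""Added example (not FortiADC code): the desensitization step of a DLP
response filter, masking credit card numbers and US SSNs in a response body
while leaving numbers that fail validation untouched."""
import re
from typing import Tuple

# Candidate card numbers: 13-19 digits optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out phone numbers, order ids and other digit runs."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def mask_keep_last4(raw: str) -> str:
    """Replace every digit except the last four, preserving separators."""
    digit_count = sum(char.isdigit() for char in raw)
    seen = 0
    out = []
    for char in raw:
        if char.isdigit():
            seen += 1
            out.append(char if seen > digit_count - 4 else "*")
        else:
            out.append(char)
    return "".join(out)


def desensitize(body: str) -> Tuple[str, int]:
    """Return the masked body and the number of sensitive values masked."""
    masked = 0

    def card_sub(match: "re.Match[str]") -> str:
        nonlocal masked
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
            return raw  # fails the checksum: not a card number, leave it alone
        masked += 1
        return mask_keep_last4(raw)

    def ssn_sub(match: "re.Match[str]") -> str:
        nonlocal masked
        masked += 1
        return "***-**-" + match.group(0)[-4:]

    body = CARD_RE.sub(card_sub, body)
    body = SSN_RE.sub(ssn_sub, body)
    return body, masked


# Constructed response body: one valid test card number, one SSN, and one
# digit run that fails the Luhn check and must survive unchanged.
SAMPLE_BODY = ("Card 4111 1111 1111 1111, SSN 123-45-6789, "
               "order 1234 5678 9012 3456")

if __name__ == "__main__":
    text, count = desensitize(SAMPLE_BODY)
    print(count, "values masked:", text)
```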
8. Cookie Security
An HTTP cookie is a small piece of data sent from a website and stored on the client’s computer. In some cases it contains sensitive data, e.g. a password.
If the client sends a request with a cookie that FortiADC does not recognize, it takes the corresponding action (alert/deny/period-block/remove-cookie).
9. Page anti-defacement
The anti-defacement feature monitors your websites for defacement attacks. If it detects a change, it can automatically reverse the damage.
This feature monitors modifications to customer-specified pages; once a modification is considered abnormal, the specified action is triggered, such as "restore changed page," "send email," "acknowledge changed page," or "just record log."
10. Web scraping detection
FortiADC provides advanced access control for customers who want flexibility within their web application (specific IPs, files, connections).
FortiADC checks the HTTP Content-Type header and the response code; if the occurrence limit is reached and the match percentage is exceeded, the traffic is detected as web scraping.
11. Web vulnerability scanner enhancement
URLs can be added to the exception list.
Supports form-based login
Supports form-based login for web servers.
Firewall policy support address book
The FortiADC firewall now supports the address book in policies.
Server Load Balancing
Two Factor Authentication (with FortiToken and Google Authenticator)
Two-factor authentication is a type of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors. FortiADC can use a script to perform 2-step verification with FortiToken and Google Authenticator.
Health Check Enhancement
Adds a more detailed report to each health check failure log, so customers can quickly see why the health check failed and what happened on the real server.
Supports the CLI command “diagnose debug slb_hc_status” to show the health check status for all SLB pools.
Cloud and Automation
Cloud platform (AWS/Azure/OCI)
The BYOL FortiADC images are listed on the AWS/Azure/OCI cloud marketplace now, and the customer can deploy them through these cloud marketplaces.
Ansible is an automation platform that makes your applications and systems easy to deploy. The FortiADC modules allow customers to automatically initiate or manage the configuration on any kind of FortiADC device, including physical devices and VMs in a hypervisor or cloud.
Export locally generated unencrypted certificate
Both encrypted and unencrypted private keys can be exported; this is necessary when the customer moves HTTPS services hosted on FortiADC.
Supports TLS 1.3 in SSL profiles
Supports TCP/TCP-SSL syslog server
Besides UDP-based syslog servers, FortiADC supports TCP/TCP-SSL based remote syslog servers for customers who need stronger confidentiality for their logs.
Allows global syslog server to be shared by all vdoms
In some multi-VDOM deployments, non-root VDOM administrators may need to send logs to the global syslog server, for example when their VDOM has networking issues. This feature allows the global syslog server to be shared among all non-root VDOMs.
Support logical topology for LLB and GSLB
Shows all the LLB group/member status, and GSLB host status, by a topology graph on FortiView.
SSL Updated to OpenSSL version 1.1.1
FortiADC supports two new hardware models:
• FortiADC 300F
• FortiADC 400F
For more info on new hardware, please review the FortiADC Datasheet.
Add a “response-half-closed-request” option to HTTP/HTTPS/TCPS/RDP load-balance profile
This option allows FortiADC to serve the request and send back the response even if the client closes its output channel.
In some cases, the client may close its output channel right after sending the request while still waiting for a response. If this option is disabled, FortiADC aborts and no longer serves the request once it is notified that the client has closed the channel. This may cause clients to report failures.
Forward SNI to RS under ssl-forward-proxy mode
In an SSL forward proxy deployment, the second ADC (HTTP->HTTPS) may not forward any SNI to the backend real server, causing failures for some servers. With this feature, if the “SNI forward flag” in the server SSL profile is enabled, the Host HTTP header is forwarded as the SNI to the real server by default. If there is no Host header, the ssl-sni setting is forwarded as the SNI instead.
Remove Memory Restriction on Cloud platform
Memory Restriction has been removed for all BYOL VM on AWS/GCP/Azure/OCI/Aliyun cloud platforms.
Support PROXY protocol for HTTP/HTTPS virtual server, to pass original client information, such as the client IP address, to the backend proxies or servers.
See the PROXY protocol reference.
Fortinet Security Fabric support
The Fortinet Security Fabric delivers broad protection and visibility to every network segment, device, and appliance, whether virtual, in the cloud, or on-premises. After FortiADC is added to the Security Fabric, it provides real-time visibility of FortiADC, including virtual server status and various statistics.
Web Cache Communication Protocol (WCCP) support
The Web Cache Communication Protocol (WCCP) allows a server enabled for transparent redirection to discover, verify, and advertise connectivity to one or more web caches. You can configure FortiADC as a WCCP server to redirect HTTP/HTTPS VS traffic to a third-party device for caching or additional security inspection.
Global Load Balance
DNS notification and zone transfer
Allows the FortiADC DNS service to send zone notifications to secondary servers, and to receive and process incoming zone transfer requests from secondary servers.
Public/private IP support for SLB server behind NAT
Customers can provide a public IP address for the GLB-discovered virtual server address, which is necessary when the server is behind NAT.
Allow multiple PTR DNS Resource Records with the same IP address
Service Load Balance
Radius Change of Authorization (CoA) message support
RADIUS Change of Authorization (CoA), defined in RFC 5176, provides a mechanism to dynamically change the attributes of an AAA session after the user or device is authenticated. With this feature, FortiADC can process CoA messages from an external RADIUS server and send the traffic to the correct dynamic authorization server via persistence.
CRLDP authentication protocol (RFC5280) support
Certificate Revocation List Distribution Point (CRLDP) defines how to retrieve a CRL file from a distribution point (an LDAP URI or an HTTP/HTTPS URL) to verify client certificates.
Download CRL file from LDAP server
Support multiple CRL files for a single certificate verification object
Log reporting enhancement for more virtual server statistics
Collects statistics such as RPS, CPS, transaction latency, session duration, and throughput per virtual server/real server, and generates reports including these metrics.
Traffic log browser GUI redesign
Enabling traffic logging usually produces a huge volume of logs, which makes browsing or filtering them very slow. The traffic log browser page has been redesigned to display and locate logs quickly.
Server Load Balance
L2 TCP/UDP/IP VS support content routing
Supports specific routing (schedule pool, persistence, method) by source address
L7 FTP VS with FULLNAT/DNAT/Transparent mode support
Oracle DB health check support on VM platforms
Dynamic Load method enhancement
Prior to 5.2.0, all connections were cleared when an RS was detected to exceed the threshold; now, when an RS exceeds the threshold, existing connections are kept and only new connections are no longer dispatched to it.
Fully ADFS proxy replacement
The ADFS Proxy is a service that brokers a connection between external users and internal ADFS servers, also called a Web Application Proxy (WAP). More and more ADFS deployments require the proxy to support MS-ADFSPIP (ADFS Proxy Integration Protocol), which involves client certificate authentication between proxy and ADFS, trust establishment, header injection, and more. FADC supports MS-ADFSPIP from 5.2.0.
SIP VS enhancement:
- support NAT of Media server address
- keep client address of UDP traffic for SIP server
New script support functions:
- Authentication event and operation
- Cookie encrypt/decrypt
- AES encrypt/decrypt
- crypto hash/sign/verify
- URL encode/decode/parse
- File operation
- Random generation
Global Load Balance
New dispatch method by server CPU/Memory usage
The "Server-Performance" method dynamically dispatches the DNS request to the server with the lowest CPU/Memory usage.
Web Vulnerability Scanner report enhancement
JSON schema validation support
JSON Schema provides a contract for what JSON data is required for a given application and how to interact with it. This feature allows users to upload a JSON schema to validate JSON data, similar to the existing XML validation.
IP Reputation block list support
It is now possible to upload a list of IPs or CIDRs to the IP reputation block list and block them by enabling "IP reputation" in the Application Profile of the VS.
Antivirus quarantine monitor page on GUI
New function to show/delete quarantined files on FortiADC by GUI (Network Security -> Quarantine Monitor)
All certificate private key files on the ADC are now stored encrypted for better security
Dynamic TLS record sizing support to improve SSL latency and throughput
GEO lookup supports more accurate province-level results
AWS/GCP/Azure/Aliyun BYOL VM support
Now supports uploading and deploying VM images on these public cloud platforms; you can easily extend existing FortiADC services to the cloud.
HA failover enhancement to avoid an unnecessary switchover after the secondary (former primary) returns
In HA AP scenarios, the secondary device will become primary if the primary device is down, but after the former primary comes back, there will be a new switchover (the former primary takes the primary role, and the current primary, the former secondary, switches back to secondary). This switchover is unnecessary and may impact traffic, so the enhancement here is to avoid doing the switchover after the former primary comes back.
Debug enhancement: collect all debug information and download it from the GUI
Before, in order to submit information to Help Support, the customer needed to gather files from different places; now, this debug enhancement automatically collects all necessary debug information into one file, so it's easier to submit to Help Support.
Support to upload/download a file to/from FADC by GUI
FortiADCManager is a central management tool to manage all your FortiADC devices in your network, providing visibility and the ability to create/edit server load balance configurations for all FortiADC devices.
Upgrade kernel to latest version
Support for “| grep <filter-string>” to filter command output on the CLI
Integration with Oracle Cloud Infrastructure (OCI)
Oracle Cloud Infrastructure Compute provides bare metal compute capacity that delivers performance, flexibility, and control without compromise. It is powered by Oracle’s next generation, internet-scale infrastructure designed to help you develop and run your most demanding applications and workloads in the cloud.
This release comes with the FortiADC image (BYOL) on Oracle OCI, which provides FortiADC's complete feature set, including but not limited to the following:
- L4/L7 SLB
- Global LB
- High Availability
- Web Application FW
- And more...
See the deployment guide for more information.
FortiADC Connector for Cisco ACI
FortiADC Connector for Cisco ACI (Application Centric Infrastructure) is the Fortinet solution to provide seamless integration between Fortinet Application Delivery Controller (FortiADC) deployments and the Cisco APIC (Application Policy Infrastructure Controller). This integration allows customers to perform FortiADC configuration and management operations from a single point through Cisco APIC.
See the release notes for more information.
Amazon Elastic Compute Cloud
Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage.
See the deployment guide for more information.
Application Load Balancing
Health check script
- Supports health check script for testing special/legacy application servers.
- Supports basic shell syntax: variables, if, else, case, while, for, functions, arrays, dictionaries, awk, etc.
- Supports common applications - curl, nslookup, netcat/nc, ping, ps, ip, iplink, telnet, traceroute, wc, etc.
Oracle Health Check Support (hardware model only)
- Health Check can now validate the functionality of Oracle databases.
- Supports Clone Pool which can be used for copying traffic (inbound/outbound) to a dedicated IDS or a sniffer device.
- Available on both Layer-4 and Layer-7 virtual servers (TCP, UDP, HTTP/HTTPS, etc.)
UDP Stateless LB
FortiADC now provides a UDP stateless mode, allowing you to load balance without attempting to match the packet to a pre-existing connection in the connection table. This feature is especially useful when load balancing syslog servers (FortiAnalyzer).
LDAP/RADIUS connectivity check
Provides an authentication validation option to verify that the configured credentials are correct and authentication succeeds.
LLB traffic log support
Global Load Balancing
Auto Sync GLB
Support for auto sync when new virtual servers are added.
New predefined objects to GLB Configuration
- New predefined DEFAULT_DNS_SERVER to GLB server
- New predefined DEFAULT_DATA_CENTER to GLB datacenter
- New predefined DEFAULT_DNS_POLICY to Global DNS Policy
GLB configuration Wizard
FortiADC now provides a wizard (three-step procedure) to create GLB configurations.
GLB Data Analytic
Support for no-NAT option (usually when using LLB/FWLB feature).
- Physical Topology
- GLB Data-Analytics
- New LLB Traffic Log
- HTTP Statistics Enhancements
- AV Reports and Statistics
Web UI enhancements
FortiADC introduces a new Web UI theme and enhancements to FortiView, including new logs.
New Web UI Theme
New Dashboard template
New design and improvements
- Virtual Server design
- High Availability
New VDOM page
Web Vulnerability Scanner
The Web Application Vulnerability Scanner is an automated tool that performs black-box tests on web applications to look for security vulnerabilities, such as cross-site scripting, SQL injection, command injection, source code disclosure, and insecure server configuration.
FortiADC now supports a variety of web frameworks and mixed-technology sites, and provides:
- Automatic learning capabilities
- Including blind injection vectors
- Full Reporting on vulnerability risks
FortiADC AV now supports HTTP/HTTPS and SMTP scanning protection.
WAF HTTP/HTML Decoder
FortiADC now supports several basic decoders to parse the HTTP body for the Web Application Firewall. They include, but are not limited to, the following:
- Chunked and Multipart Body Decoder
- Compress and decompress
- Base64 & unicode
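The decoders listed above matter because signature matching is only meaningful once every body layer has been undone. The following is an added example (Python, not FortiADC's own code): a normalizer that reassembles a chunked body, gunzips it, decodes a base64-only body and repeats percent/%u decoding, then runs a small constructed signature set over a constructed double-encoded sample to show that a raw-byte matcher misses what the normalizing matcher catches.

```python
"""Layered body normalization before WAF signature matching.

Added example (not FortiADC code): a request body can hide a signature
under chunked transfer-coding, gzip content-coding, base64 and repeated
percent/%u encoding. A matcher that looks at the raw bytes misses it;
one that unwraps each layer first does not.
"""
import base64
import gzip
import re
from typing import List, Tuple
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bound repeated decoding so crafted input cannot loop forever

# Constructed, deliberately small signature set; a real WAF uses a signature database.
SIGNATURES = [
    re.compile(r"<\s*script\b", re.I),         # XSS marker
    re.compile(r"\bunion\s+select\b", re.I),   # SQLi marker
]


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked transfer-coded body; trailers are ignored."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunked body")
        size = int(body[pos:end].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF


def percent_decode_all(text: str) -> str:
    """Undo %XX and %uXXXX encoding repeatedly until the text is stable."""
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
        nxt = unquote(nxt)
        if nxt == text:
            break
        text = nxt
    return text


def try_base64(text: str) -> str:
    """Decode a body that is entirely base64 text; anything else passes through.
    Simplification: a real decoder would also key on Content-Type hints."""
    cand = text.strip()
    if len(cand) < 8 or len(cand) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", cand):
        return text
    try:
        return base64.b64decode(cand, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return text


def normalize(raw: bytes, transfer_encoding: str = "", content_encoding: str = "") -> str:
    """Peel the layers in wire order: transfer-coding, content-coding, then text encodings."""
    data = dechunk(raw) if transfer_encoding.lower() == "chunked" else raw
    if content_encoding.lower() == "gzip":
        data = gzip.decompress(data)
    text = data.decode("utf-8", errors="replace")
    return percent_decode_all(try_base64(text))


def matched_signatures(text: str) -> List[str]:
    """Patterns from SIGNATURES that occur in the given text."""
    return [sig.pattern for sig in SIGNATURES if sig.search(text)]


def inspect(raw: bytes, transfer_encoding: str = "",
            content_encoding: str = "") -> Tuple[List[str], List[str]]:
    """Return (hits on the raw bytes, hits after normalization) for comparison."""
    naive = matched_signatures(raw.decode("utf-8", errors="replace"))
    return naive, matched_signatures(normalize(raw, transfer_encoding, content_encoding))


def build_sample() -> bytes:
    """Constructed request body: double-percent-encoded test string, gzip'd, sent as two chunks."""
    payload = b"q=%253Cscript%253Ealert(1)%253C%252Fscript%253E"
    gz = gzip.compress(payload)
    chunks = [gz[:10], gz[10:]]  # 10-byte gzip header first, then the rest
    return b"".join(f"{len(c):x}\r\n".encode() + c + b"\r\n" for c in chunks) + b"0\r\n\r\n"


if __name__ == "__main__":
    raw_hits, norm_hits = inspect(build_sample(), "chunked", "gzip")
    print("raw-byte matcher:", raw_hits)        # []
    print("normalizing matcher:", norm_hits)    # ['<\\s*script\\b']
```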
SSL Update to OpenSSL version 1.1.0
OCSP stapling tunneling to an HTTP proxy server
Supports HA for BGP/OSPF route injection
Supports adding/deleting interfaces directly inside a VDOM
FortiADC 5.0.2 offers the following new features and enhancements:
- Support for DUO Radius proxy.
- New console commands for aggregate interface LACP negotiation
- Allows a user-selected listening port other than the default TCP port 5858 for the GLB server.
FortiADC 5.0.1 offers the following new features and enhancements:
- Clone Pool Traffic — Supports TCP and UDP traffic mirroring, allowing you to copy Layer-4 traffic to a dedicated IDS or a sniffer device. See Using clone pools.
- SCP support for configuration backup — Allows you to back up your configuration files via the SCP protocol. See SCP support for configuration backup.
- Password-protection for configuration backup — Enables you to protect your FortiADC configuration with a password. See Backing up and restoring configuration.
FortiADC 5.0.0 offers the following new features and enhancements:
- FortiSandbox integration—You can now use a file upload restriction policy to submit uploaded files to FortiSandbox for evaluation. If FortiSandbox identifies a file as a threat, FortiADC generates a corresponding attack log message and blocks further attempts to upload the file.
- Antivirus—FortiADC now supports the FortiSandbox's Malware Signature Database on all of its hardware platforms, except FortiADC 60F.
Management, GUI, and Logs
- Dynamic Dashboard—You can customize the Dashboard according to your preferences
- Create or edit a dashboard
- Add or remove Dashboard widgets
- FortiView enhancement—Adding new statistics for
- Server load balancing—Caching, Compression, and SSL
- Link load balancing
- Global load balancing
- Alert system enhancement—Allows configuring alert thresholds based on SLB (bandwidth, client RTT, or connections) and interface average bandwidth.
Server Load Balance (SLB)
- Layer-4 virtual server tunnel—In tunnel mode, FortiADC encapsulates the packet within an IP datagram and forwards it to the chosen server.
- Diameter Load balancing SSL enhancement—FortiADC supports Diameter traffic over SSL (client SSL).
- Source Pool NAT in Layer 7—Now it’s possible to configure pool NAT when using Layer-7 virtual servers.
Global Load Balance (GLB)
- Global load balancing authentication—Provides TCP-MD5SIG or authentication verification between two or more FortiADC appliances working in global load balancing.
- UTILITY_FUNCTIONS_DEMO (updated)
Web Application Firewall (WAF)
- SOAP validation—Enhances FortiADC's WAF B2B features with SOAP message validation. It allows you to perform SOAP validation using a Web Services Description Language (WSDL) document.
- OCSP verification caching—Speeds up OCSP checking by caching responses. The first time a client accesses FortiADC or FortiADC accesses a real server, FortiADC queries the certificate’s status using OCSP and caches the response.
- Dual certificates (RSA and ECDSA) support—Allows you to create certificate groups containing RSA and ECDSA certificates in parallel to improve SSL performance
- Support SSL renegotiation—FortiADC now supports SSL renegotiation between client and server. It allows the use of the existing SSL connection when client authentication is required.
- Openstack integration—FortiADC provides load balancing services for OpenStack cloud applications. With Openstack integration, FortiADC is able to provide load balancing functionality and advanced application delivery services within OpenStack.
- NVGRE and VXLAN support—FortiADC can use overlay tunnels with NVGRE and VXLAN virtual network segments in either multicast (VXLAN) or unicast (NVGRE/VXLAN) mode.
- BGP Route Health Injection (RHI)—Advertises a route to a virtual address based on the health status of the corresponding service
Below are the maximum numbers of files per minute that can be uploaded to (Undefined variable: FortinetVariables.ProductName20) Cloud by FortiADC platform:
- FortiADC 60F/VM01 = 5 files per minute
- FortiADC 100—400/VM02 = 10 files per minute
- FortiADC 700D/VM04 = 20 files per minute
- FortiADC 1000—2000/VM08 = 50 files per minute
- FortiADC 4000 = 100 files per minute
FortiADC 4.8.4 is mainly a patch release, with the following feature enhancements:
- Support wildcard domain in GLB zone configuration.
- Support custom port mapping between VM and vCenter.
FortiADC 4.8.3 is a patch release only; no new feature or enhancement has been implemented in this release.
FortiADC 4.8.2 is a patch release only; no new feature or enhancement has been implemented in this release.
FortiView—provides real-time and historical traffic data from log devices by source, domain, destination, threat map, RTT, and application health check. You can filter the data by a variety of attributes, as well as by device and time period.
- Server load balance:
- Client and server RTT
- Performance (throughput, CPS, and requests)
- Health check
- Sessions and persistence
- Top locations, browsers, domains, and OSs
- Security (Web Application Firewall, GEO IP, IP Reputation, and DDoS):
- Threat map
- Top attacks, Geo IP sources, IP Reputation attacks
- System logs
- Traffic logs
- System alerts
Server load-balancing (SLB)
- Diameter Load-Balancing—offers the following features:
- Dispatch Diameter messages to multiple servers
- Server health monitoring and failover
- Session ID persistence and source address persistence
- Schedule Pool—supports a schedule pool that determines when the system uses pool servers
- RADIUS persistence enhancement—supports AND/OR persistence relationships for multiple RADIUS attributes
- HTTP Content Rewrite enhancement:
- Supports add/delete user-defined HTTP header
- Supports capture groups and back references in regular expressions for rewriting host, URL, referrer, and location
- HTTP to HTTPS redirection in one VS:
- Able to redirect users using only one virtual server
Global load-balancing (GLB)
- GLB protocol extends to work across all FortiADC versions.
- Two-factor authentication
- Supports admin access
- Two-factor authentication and validation using token by FortiAuthenticator
- RADIUS wildcard
- Allows admin user authentication wildcard on remote RADIUS and LDAP servers
New hardware platform
- FortiADC 200F
- New Alert System — Automatically generates email notification, SNMP traps, or Syslog entries on any critical event that occurs on FortiADC hardware or software modules
- Data Analytics — Supports security statistics (WAF, GEO-IP, IP-Reputation and DDoS) in real time
- Getting Started Wizard — Makes configuring FortiADC a breeze for first-time users
- Cisco ACI — Supports full Layer-4 service integration with Cisco Application Centric Infrastructure (ACI) via a RESTful API
Server Load Balance (SLB)
- LUA Script
- Supports HTTP body manipulation in HTTP request and response
- Allows multiple scripts in the same virtual server (VS)
- Optimizes your website to ensure that your clients receive a faster browsing experience by minimizing RTT and payload size and optimizing browser rendering
- Supports minifying CSS, JS, HTML and image optimizations
- HTTP/2.0 (Supports HTTP/2 Gateway)
- Converts from HTTP/2 (client side) to HTTP/1 (server side)
- HTTP multiplexing of transactions from client side to server
- SSL security with TLS v1.2
- OCSP Stapling — Supports Online Certificate Status Protocol (OCSP) stapling, an alternative approach to OCSP in which the certificate holder has to periodically request the revocation status of server certificates from OCSP servers and attach the time-stamped response to the initial SSL/TLS handshake between client and server.
Web Application Firewall (WAF)
- XML & JSON Validation
- Supports XML & JSON validation and format check
- XML schema validation
- Supports XML & JSON XSS, SQLi and limit check
Global Load Balance (GLB)
- GLB authentication — Supports authentication between multiple FortiADC appliances across data centers
- FortiADC-VM License — Allows license validation without Internet connection (via proxy)
- DHCP — Supports DHCP mode on data or management interfaces
New Hardware Platform
- FortiADC 60F (Note: No HSM or PageSpeed support. Available on July 1, 2017.)
FortiADC 4.7.3 is a patch release only; no new feature or enhancement has been implemented in this release.
FortiADC 4.7.2 offers the following new features or enhancements:
- Register HSM server in config file
- Save Client certificate and key to CMDB
- Upload HSM server certificate to FortiADC
- Add registered partition
- Generate CSR with HSM
- View certificate information on the GUI
- Feature configuration supported on both the CLI and the GUI
Support for new hardware models
- FortiADC 1000F
- FortiADC 2000F
- FortiADC 4000F
FortiADC 4.7.1 is a patch release which has fixed some known issues discovered in previous releases. No new features or enhancements have been implemented in this release.
For more information, refer to FortiADC 4.7.1 Release Notes.
- Network Map 2.0
- Includes SiteMap on link load balance (LLB) and global server load balance (GSLB) modules
- Real server global object
- Standalone real server objects
- Allows a single real server to be shared across multiple real server pools and virtual servers
- Configuration templates for Applications
- Supports SharePoint, Exchange, Windows Remote Desktop, IIS, and Apache
Server load balance (SLB)
- Supports Real-Time Messaging Protocol (RTMP) & Real-Time Streaming Protocol (RTSP)
- Layer 7 load-balancing
- Health check
- Supports MySQL
- Layer 7 load-balancing, user authentication, and persistence
- Health check
- MySQL rules
- Allows decompressed traffic from servers for Layer 7 manipulation (content rewrite), caching, and security (Web Application Firewall)
- Client SSL profile
- Provides advanced client SSL offloading parameters
- Supports LDAP authentication for Regular/Anonymous/LDAPS method
- Supports HTTP basic SSO with HTML Form Authentication/HTML Basic Authentication
High availability (HA)
- Supports HA sync traffic over aggregate ports
- Allows configuration from every device regardless of its HA status (backup vs. primary)
- Separate management interface for each node in an HA cluster
- Allows license retrieval on the HA active-passive secondary
- Transparent mode
- Supports transparent mode installation (Layer 2 forwarding)
- Health check validation
- Allows testing a health check policy before binding it to a real server pool.
- Provides a list of predefined services (TCP, UDP, HTTP, and more)
- Allows mapping an admin user to multiple VDOMs
- Adds a loopback interface in BGP/OSPF defined as the router ID
- Attack logs aggregated by date and attack category
- Advanced filters in SLB logs
This is a patch release; no new features or enhancements are implemented. Refer to the Release Notes for detail.
OpenSSL Library Upgrade
The Software OpenSSL Library has been upgraded to OpenSSL-1.0.2 on FortiADC appliances shipped with the Cavium SSL card, which include the following hardware models:
- FortiADC 400D
- FortiADC 700D
- FortiADC 1500D
- FortiADC 2000D
- FortiADC 4000D
- Supports offloading TLS encryption from back-end SMTP servers
- Supports HTTP:rand_id() function for HTTP
Monitoring and Logs
- Statistics and information
- Search bar in VS and RS
- Backup server visibility
- Network map
- Three mode views
- Data analytics
DNS load-balancing, security, and caching
- Load-balance DNS traffic (queries and IP addresses) to DNS server
- Sanity check on DNS queries according to RFC 1034, 1035, and 2671
- DNS caching for answer records
Dynamic Load-balancing algorithm
- Dynamic LB based on server performance such as CPU, memory, and disk
Client certificate forwarding
- Sends client certificates to back-end server for authentication, without affecting SSL offloading
- Provides more information in case of syntax error
- Checks content routing for virtual servers
- Generates log message
- Import/export script files
Kerberos Authentication Relay
- Enables authentication between client and server
- Protects against eavesdropping and replay attacks
- Allows nodes communicating over a non-secure network to verify each other's identity in a secure manner
SSL/HTTP visibility (mirroring)
- FortiADC’s transparent IP, TCP/S and HTTP/S mirroring capabilities decrypt secure traffic for inspection and reporting by FortiGate or other third-party solutions
- IPv4/IPv6 support
Virtual server port enhancement
- Supports non-consecutive ports in port-range
- Allows Port 0 on TCP or UDP (to catch traffic on all ports)
Security Assertion Markup Language (SAML) 2.0
- Provides Service Provider (SP) support and metadata of the Identity Provider (IdP).
- Users can access all VS web resources after logging in, until the session expires.
Enhanced Global Load Balancing (GLB) proximity methodology
- Static proximity (GEO, GEO-ISP) and dynamic proximity (RTT, Least Connections, Connection-Limit, Bytes-Per-Second)
- Static match first, dynamic match second
HTTP/S health check
- Adds Username-password Authentication into HTTP/S health check (basic, digest and NTLM)
- Allows choosing the SSL version/ciphers in the HTTPS health check
- Allows the Admin to control password length and string
- Supports VDOMs restrictions (performance and configuration)
- Limits performance (throughput, CPS, SSL, etc.) on each VDOM
- Allows users to download SNMP MIBs from the Web GUI
OpenSSL Library Upgrade
Software OpenSSL library has been upgraded to OpenSSL-1.0.2 on FortiADC appliances shipped with the Cavium SSL card, which include the following hardware models:
- FortiADC 400D
- FortiADC 700D
- FortiADC 1500D
- FortiADC 2000D
- FortiADC 4000D
Software OpenSSL library upgrade
- Software OpenSSL library has been upgraded to OpenSSL 1.0.1s (the latest version) on all FortiADC platforms.
- It's fully functional on FortiADC software.
Enhanced certificate validation
- Support for multiple Online Certificate Status Protocol (OCSP) configurations.
- Support for multiple Certificate Revocation List (CRL) files.
"Description" field for child records in Geo IP Allowlist
- Allows the user to add a brief notation for each child record added to a parent record.
US-Government (USG) mode
- Allows the user to change the appliance from the default regular (REG) mode to USG mode via a special license key.
- Locks the FortiADC D-Series appliance to servers located within the US only.
- Speeds up compression of .PNG, .JPG, and .BMP image files. See
- Caching time definition based on HTTP status code (200/301/302/304)
Server Load Balancing
- SSL Health Check Client certificate selection using SSL Certification
- Support for SIPv6 traffic includes a new health check and virtual server profile
- URL Redirection based on server HTTP status code
High Availability (HA)
- HA-VRRP mode that supports floating IP, traffic group, and fail-over
Global Load Balancing
- Supports DNS SRV records
- Full BGP routing support
- Adds a "Description" field in GeoIP AllowList
- Supports ECDSA SSL cipher suites. See Chapter 17: SSL Transactions.
- SSL certificate validation for server-side SSL connections. See Configuring real server SSL profiles.
- L2 exception list can specify FortiGuard web filter categories. See Creating a Web Filter Profile configuration.
Server Load Balancing
- SIP—Support for SIP traffic includes a new health check, virtual server profile, and persistence method. See Configuring health checks, Configuring Application profiles, and Configuring persistence rules.
- RDP—Support for RDP traffic includes a new virtual server profile and persistence method. See Configuring Application profiles and Configuring persistence rules.
- HTTP/HTTPS profile—HTTP mode option can be set to HTTP keepalive to support Microsoft SharePoint and other apps that require the session to be kept alive. See Configuring Application profiles.
- Caching—New dynamic caching rules. See Using caching features.
- Real server pool—Member default cookie name is now the real server name. You can change this to whatever you want. See Using real server pools.
- Scripting—Added predefined scripts that you can use as templates. See Using predefined scripts and commands.
Global Load Balancing
- Persistence—Option to enable persistence for specified hosts based on source address affinity. See .
- Dynamic proximity—Optional configuration for proximity based on least connections. See Configuring virtual server pools.
- Support for @ in zone records. See Configuring DNS zones.
- Zone records (including dynamic records) displayed on zone configuration page. See Configuring DNS zones.
- Bot Detection—Integrated with FortiGuard signatures to allow "good bots" and detect "bad bots." See Configuring a WAF Profile.
Monitoring and Logs
- Fast reports—Real-time statistics and reports for SLB traffic. See Configuring fast reports.
- Session tables and persistence tables—Dashboard tabs for SLB session tables and persistence tables. See Chapter 21: System Dashboard.
- Network map search—Dashboard network map now has search. See Chapter 21: System Dashboard.
- New health checks for SIP and custom SNMP. See Configuring health checks
- Config push/pull (not related to HA). See Pushing/pulling configurations.
- HA sync can be auto/manual. See Configuring HA settings.
- HA status includes details on synchronization. See Monitoring an HA cluster.
- SNMP community host configuration supports subnet address and restriction of hosts to query or trap (or both). See Configuring SNMP.
- Support STARTTLS in email alerts. See Configuring an SMTP mail server.
- Coredump utilities. See .
- Virtual machine (VM) images for Hyper-V, KVM, Citrix Xen, and open-source Xen. See the FortiADC-VM Install Guide for details.
Server Load Balancing
- New SSL forward proxy feature can be used to decrypt SSL traffic in segments where you do not have the server certificate and private key. See Chapter 17: SSL Transactions.
- New server-side SSL profiles, which have settings for the FortiADC-to-server connection. This enables you to specify different SSL version and cipher suites for the server-side connection than the ones specified for the client-side connection by the virtual server profile. See Configuring real server SSL profiles.
- Support for ECDHE ciphers, null ciphers, and user-specified cipher lists. See Chapter 17: SSL Transactions.
- You can now specify a list of SNAT IP address pools in the virtual server configuration. This enables you to use addresses associated with more than one outgoing interface. See Configuring virtual servers.
- Added a health check for UDP, and added hostname to the general settings configuration. In HTTP/HTTPS checks, you can specify hostname instead of destination IP address. See Configuring health checks.
- UDP profiles can now be used with Layer 2 virtual servers. See Configuring Application profiles.
- Server name added to real server pool member configuration. The name can be useful in logs. When you upgrade, the names will be generated from the pool member IP address. You can change that string to whatever you like. See Using real server pools.
- Added a comments setting to the virtual server configuration so you can note the purpose of a configuration. See Configuring virtual servers.
Link Load Balancing
- You can now specify ISP addresses, address groups, and service groups in LLB policies. Using groups adds Boolean OR logic within the elements of LLB rules. See Configuring link policies.
Global Load Balancing
- Added "dynamic proximity" to the server selection algorithm. Dynamic proximity is based on RTT. See .
- Added an option to send only a single record in responses instead of an ordered list of records. See Configuring hosts.
- Support for health checks of third-party servers. See Configuring servers.
- Support for TXT resource records. See Configuring DNS zones.
- You can now specify exceptions per WAF profile or per policy. Exceptions identify specific hosts or URL patterns that are not subject to processing by WAF rules. See Configuring a WAF Profile
- Additional WAF HTTP protocol constraint rules. See Configuring a WAF Profile.
Monitoring and Logs
- Added a Network Map tab to the dashboard. In the Network Map, each virtual server is a tree. The status of the virtual server and real server pool members is displayed. See Chapter 21: System Dashboard.
- Added on-demand and scheduled reports for many common queries. You can also configure custom queries. See Configuring reports.
- Added event log categories and added a column in logs to support future integration with FortiAnalyzer. Removed the Download Logs page. Each log category page now has a Download button. See Downloading logs.
- Enhanced SNMP MIBs and traps. See Appendix A: Fortinet MIBs for information on downloading the vendor-specific and product-specific MIB files.
- Shared Resources—Merged the address and service configuration for firewall and LLB. Added address groups and service groups, which can be used in LLB policy rules. See Chapter 11: Shared Resources.
- Routing—Support for OSPF authentication. See OSPF.
- HA—Added option to actively monitor remote beacon IP addresses to determine if the network path is available. See Configuring HA settings.
- System—Updated the web UI to match CLI configuration options for global administrator and access profile. See Manage administrator users.
- Web UI—Support for Simplified Chinese. See Configuring basic system settings.
- Troubleshooting—New commands: diagnose debug flow, diagnose debug report, diagnose debug timestamp, execute checklogdisk, execute fixlogdisk, and execute telnet (for connections to remote hosts). See the FortiADC CLI Reference.
- REST API—Remote configuration management with a REST API. See the FortiADC REST API Reference.
- Server Load Balancing Persistence—Added a Match Across Servers option to the Source Address affinity method. This option is useful when the client session for an application has connections over multiple ports (and thus multiple virtual servers). This option ensures the client continues to access the same backend server through different virtual servers for the duration of a session.
- Server Load Balancing TCP Multiplexing— Added support for HTTPS connections.
- Global Load Balancing DNS Server—The negative caching TTL in the SOA resource record is now configurable.
- Virtual domains—Increased the maximum number of VDOMs on the following platforms:
- FortiADC 700D — 30
- FortiADC 1500D — 45
- FortiADC 2000D — 60
- FortiADC 4000D — 90
- Health checks—Added an HTTP Connect health check that is useful for testing the availability of web cache proxies, such as FortiCache.
- ISP address book—Added a province location setting to the ISP address book. The province setting is used in GLB deployments in China to enable location awareness that is province-specific. For example, based on location, the DNS server can direct a user to a datacenter in Beijing or Guangdong rather than the broader location China. Only a predefined set of Chinese provinces is supported.
- Advanced routing—Exception list for reverse path route caching.
- Authentication—Framework to offload authentication from backend servers.
- Geo IP blocking—Policy that takes the action you specify when the virtual server receives requests from IP addresses in the blocked country’s IP address space.
- Web application firewall—Protect against application layer attacks with policies such as signatures, HTTP protocol constraints, request URL and file extension patterns, and SQL/XSS injection detection.
- Scripts—Support for Lua scripts to perform actions that are not currently supported by the built-in feature set.
- SSL/TLS—Support for PFS ciphers.
- Health check improvements—The SLB and LLB health check configuration has been combined and moved to System > Shared Resources. You can configure destination IP addresses for health checks. This enables you to test both the destination server and any related services that must be up for the server to be deemed available. Also added support for Layer 2 and SSH health checks.
- Port range—Support for virtual IP address with a large number of virtual ports.
- NAT46/64—Support for NAT46/64 by the SLB module.
- ISP address book—Framework for an ISP address book that simplifies the ISP route and LLB proximity route configuration.
- Proximity routes—Support for using ISP address book entries in the LLB proximity route table.
- Backup pool member—Support for designating a link group or virtual tunnel group member as a “backup” that joins the pool when all of the main members are unavailable.
- Global load balancing—New framework that leverages the FortiGuard Geolocation database or the FortiADC predefined ISP address books to direct clients to the closest available FortiADC virtual servers.
- Stateful firewall—If client-to-server traffic is allowed, the session is maintained in a state table, and the response traffic is allowed.
- Virtual server traffic—Many of the firewall module features can be applied to virtual server traffic.
- ISP Routes—ISP routes are used for outbound traffic and link load balancing traffic.
- HA upgrade—Simpler one-to-many upgrade from the primary node.
- HA status—HA status tab on the system dashboard.
- HA remote login—You can use the execute ha manage command to connect to the command-line interface of a member node. See the CLI reference.
- SNMPv3 support
- Statistics and log database to better support dashboard and report queries.
- Improved dashboard—New time period options for the virtual server throughput graphs.
- Improved reports—New report queries for SLB HTTP virtual server reports, including client IP address, client browser type, client OS, and destination URL.
- Backup & restore—Option to back up the entire configuration, including error page files, script files, and ISP address books.
- New CLI commands to facilitate troubleshooting:
- diagnose debug config-error-log—Use this command to see debug errors that might be generated after an upgrade or major configuration change.
- diagnose debug crashlog—Use this command to manage crashlog files. Typically, you use this command to gather information for Fortinet Services & Support.
- execute statistics-db—Use this command to reset or restore traffic statistics.
- config system setting—Use this command to configure log database behavior (overwrite or stop writing) when disk utilization reaches its capacity.
For details, see the CLI reference.
- HTTPS and TCPS Profiles—Support for SHA-256 ciphers suites.
- Content rewriting—Support for PCRE capture and back reference to write the Location URL in redirect rules.
- Web UI—You can clone configuration objects to quickly create similar configuration objects. If a configuration object can be cloned, the copy icon appears in the tools column for its summary configuration page.
- Web UI—You can sort many of the configuration summary tables by column values. If a configuration summary table can be sorted, it includes sort arrows in the column headings. For example, the Server Load Balance > Virtual Server configuration summary page can be sorted by Availability, Status, Real Server pool, and so on. You can also sort the Dashboard > Virtual Server > Real Server list by column values, for example by Availability, Status, Total Sessions, or throughput bytes.
Bug fixes only.
- New web UI
- New log subtypes
- New dashboard and report features
- Additional load balancing methods—Support for new methods based on a hash of a full URI, domain name, hostname, or destination IP address.
- Predefined health checks—Helps you get started with your deployment.
- Predefined persistence rules—Helps you get started with your deployment.
- HTTP Turbo profile—Improves the performance of HTTP applications that do not require our optional profile features.
- Layer 2 load balancing—Support for TCP profiles.
- Granular SSL configuration—Specify the SSL/TLS versions and encryption algorithms per profile.
- Connection rate limiting—Set a connection rate limit per real server or per virtual server.
- HTTP transaction rate limiting—Set a rate limit on HTTP transactions per virtual server.
- Additional link load balancing methods—Support for new methods in link groups, including spillover and hash of the source IP address.
- Global load balancing—A new implementation of our DNS-based solution that enables you to deploy redundant resources around the globe that you can leverage to keep your business online when a local area deployment experiences unexpected spikes or downtime.
- HA active-active clustering—Support for active-active clusters.
- Administrator authentication enhancements—Support for authenticating users against LDAP and RADIUS servers.
- Multinetting—You can configure a secondary IP address for a network interface when necessary to support deployments with backend servers that belong to different subnets.
- High speed logging—Supports deployments that require a high volume of logging activity.
- Packet Capture—Support for tcpdump.
No design changes. Bug fixes only.
FortiADC 4.0 Patch 2
No design changes. Bug fixes only.
FortiADC 4.0 Patch 1
No design changes. Bug fixes only.
- VDOMs—Virtual domains (VDOMs) allow you to divide a FortiADC into two or more virtual units that are configured and function independently. The administrator for each virtual domain can view and manage the configuration for his or her domain. The admin administrator has access to all virtual domain configurations.
- Caching – A RAM cache is a cache of HTTP objects stored in FortiADC's system RAM that are reused by subsequent HTTP transactions to reduce the amount of load on the backend servers.
- IP Reputation—You can now block source IP addresses that have a poor reputation using data from the FortiGuard IP Reputation Service.
- Layer 2 server load balancing—FortiADC can now load balance Layer 3 routers, gateways or firewalls. This feature is useful when the request’s destination IP is unknown and you need to load balance connections between multiple next-hop gateways. Supports HTTP, HTTPS and TCPS client-side connection profiles only.
- Open Shortest Path First (OSPF) support—The new OSPF feature allows FortiADC to learn dynamic routes from or redistribute routes to neighboring routers.
- HTTPS profile type for virtual servers—The HTTPS profile type provides a standalone HTTPS client-side connection profile.
- Consistent Hash IP – The persistence policy type Hash IP has changed to Consistent Hash IP. Consistent hashing allows FortiADC to achieve session persistence more efficiently than traditional hashing.
- Enhanced logs
- Link routing policies—You can now specify how FortiADC routes traffic for each available ISP link, including by source or destination address and port.
- Virtual tunnels—You can now use tunneling between two FortiADC appliances to balance traffic across multiple links to each appliance. A typical scenario is a VPN between a branch office and headquarters for application-specific access.
- Persistent routing—You can now configure connections that persist regardless of the FortiADC link load balancing activity. You can configure persistence based on source IP, destination IP, and subnet.
- Proximity-based routing—Maximize WAN efficiency by using link proximity to determine latency between FortiADC and remote WAN sites so that FortiADC can choose the best route for traffic.
- Scheduled link load balancing—You can now apply a link load balancing policy during a specific time period.
- One-to-one (1-to-1) NAT—You can now fully define how each individual source and destination IP address will be translated. This feature is useful when you require a different NAT range for each ISP.
- PPPoE interface support—To support DSL connectivity, you can now configure interfaces to use PPPoE (Point-to-Point Protocol over Ethernet) to automatically retrieve its IP address configuration.
- Custom error page—You can now upload a custom error page to FortiADC that it can use to respond to clients when HTTP service is unavailable.
- Full NAT for Layer 3/4 load balancing—Layer 3/4 load balancing now supports full NAT (translation of both source and destination IP addresses). FortiADC can now round robin among a pool of source IP addresses for its connections to backend servers.
- Standby server—You can now configure FortiADC to forward traffic to a hot standby (called a Backup Server) when all other servers in the pool are unavailable.
- Log cache memory—To avoid hard disk wear and tear, FortiADC can cache logs in memory and then periodically write them to disk in bulk. Previously, FortiADC always wrote each log message to disk instantaneously.
- HA sync for health check status with IPv6—For high availability FortiADC clusters, the Layer 4 health check status of IPv6-enabled virtual servers is now synchronized.
- Link load balancing—FortiADC now supports load balancing among its links, in addition to distributing among local and globally distributed servers. Depending on whether the traffic is inbound or outbound, different mechanisms are available: outbound can use weighted round robin; inbound can use DNS-based round robin or weighted round robin.
- HTTP response compression—FortiADC can now compress responses from your backend servers, allowing you to offload compression from your backend servers for performance tuning that delivers faster replies to clients.
- Quality of service (QoS)—FortiADC now can guarantee bandwidth and queue based upon source/destination address, direction, and network service.
- Source NAT (SNAT)—When applying NAT, FortiADC can now apply either static or dynamic source NAT, depending on your preference.
- Session persistence by source IP segment—FortiADC now can apply session persistence for entire segments of source IPs such as 10.0.2.0/24. Previously, session persistence applied to a single source IP.
- Health check enhancements—FortiADC now supports additional health check types for servers that respond to these protocols: email (SMTP, POP3, IMAP), TCPS, TCP SYN (half-open connection), SNMP, and UDP.
- HA enhancements—FortiADC HA now synchronizes Layer 3/4 and Layer 7 sessions and connections for session persistence and uninterrupted connections when the standby assumes control of traffic.
- Support for FortiADC 200D and FortiADC VM—FortiADC software has been released to support these new platforms.
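As an added illustration of two persistence items listed above (Consistent Hash IP and session persistence by source IP segment), the following Python example is not FortiADC code and makes no claim about the appliance's internal algorithm. It assumes hypothetical real server names rs1, rs2 and rs3 and a constructed set of client addresses, and shows why a consistent-hash ring remaps far fewer clients than a traditional modulo hash when a pool member is removed, and how keying persistence on a /24 segment keeps every client in that segment on the same server.

```python
import bisect
import hashlib
import ipaddress
from typing import Dict, List


def _hash(key: str) -> int:
    """64-bit hash of a string; SHA-256 truncated for a stable, well-spread value."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


class ConsistentHashRing:
    """Hash ring with virtual nodes: each server owns `replicas` points on the ring."""

    def __init__(self, servers: List[str], replicas: int = 100) -> None:
        self.replicas = replicas
        self._ring: List[int] = []          # sorted ring positions
        self._owner: Dict[int, str] = {}    # ring position -> server name
        for server in servers:
            self.add(server)

    def add(self, server: str) -> None:
        for i in range(self.replicas):
            point = _hash(f"{server}#{i}")
            bisect.insort(self._ring, point)
            self._owner[point] = server

    def remove(self, server: str) -> None:
        # Removing a server deletes only its own points; every other key keeps
        # the same successor point, so only that server's clients are remapped.
        for i in range(self.replicas):
            point = _hash(f"{server}#{i}")
            self._ring.remove(point)
            del self._owner[point]

    def lookup(self, key: str) -> str:
        if not self._ring:
            raise ValueError("no servers in pool")
        idx = bisect.bisect(self._ring, _hash(key)) % len(self._ring)
        return self._owner[self._ring[idx]]


def modulo_lookup(key: str, servers: List[str]) -> str:
    """Traditional hashing: hash(key) mod pool size; changes for most keys on resize."""
    return servers[_hash(key) % len(servers)]


def persistence_key(client_ip: str, prefix_len: int = 32) -> str:
    """Persistence key for a client: the exact IP (/32) or its segment, e.g. /24."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    return str(net.network_address)


def remap_fraction(before: Dict[str, str], after: Dict[str, str]) -> float:
    moved = sum(1 for k in before if before[k] != after[k])
    return moved / len(before)


def sample_clients(count: int = 3000) -> List[str]:
    """Constructed client addresses 10.0.0.0 upward (sample data, not captured traffic)."""
    base = int(ipaddress.IPv4Address("10.0.0.0"))
    return [str(ipaddress.IPv4Address(base + i)) for i in range(count)]


def compare_hashing(keys: List[str], servers: List[str], removed: str) -> Dict[str, float]:
    """Fraction of clients whose server changes when `removed` leaves the pool."""
    ring = ConsistentHashRing(servers)
    ring_before = {k: ring.lookup(k) for k in keys}
    ring.remove(removed)
    ring_after = {k: ring.lookup(k) for k in keys}

    remaining = [s for s in servers if s != removed]
    mod_before = {k: modulo_lookup(k, servers) for k in keys}
    mod_after = {k: modulo_lookup(k, remaining) for k in keys}

    return {
        "consistent": remap_fraction(ring_before, ring_after),
        "modulo": remap_fraction(mod_before, mod_after),
    }


if __name__ == "__main__":
    pool = ["rs1", "rs2", "rs3"]  # hypothetical real server names
    print(compare_hashing(sample_clients(), pool, "rs2"))
    ring = ConsistentHashRing(pool)
    # Two clients in 10.0.2.0/24 share one persistence key and therefore one server.
    for ip in ("10.0.2.17", "10.0.2.200"):
        print(ip, persistence_key(ip, 24), ring.lookup(persistence_key(ip, 24)))
```

With three servers and one removed, the modulo scheme moves roughly two thirds of the clients while the ring moves roughly one third (only the removed server's share), which is the efficiency gain the Consistent Hash IP item refers to; the /24 key shows that a segment rule keeps a whole subnet on one server regardless of which host in it connects.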