Chapter 1: What’s New

This chapter lists features and enhancements introduced in the FortiADC 7.1.0 release.

Server Load Balance

RFC 7919 compliance support

You can now enable/disable RFC 7919 compliance in your client SSL and real server SSL profile configurations.

Enhancements to Cookie Hash and Insert persistence types

The Cookie Hash and Insert Cookie persistence rule types have been enhanced to allow more granular specifications for persistence.

  • Cookie Hash — The persistence can now be based on a field of the cookie instead of the entire cookie.
  • Insert Cookie — You can now set the domain value on the inserted cookie to allow it to be used cross-site as a wildcard.

IPv6 support for Layer 2 TCP/UDP/IP virtual servers

FortiADC now supports IPv6 for Layer 2 server load balancing in TCP, UDP, and IP profiles.

Error page enhancement

FortiADC has enhanced the error pages to include a new WAF deny page. In response to a WAF deny action, the error page will show the Message ID, Signature ID, and Client IP of the attack in the detailed message as recorded in the attack log.

Real server pool and pool member availability enhancement

The Health Check backend workflow has been improved to allow more accurate diagnosis of the real server pool and pool member availability by accounting for status conditions that influence availability.

  • New real server pool member availability status "INIT" — This status indicates that 1) the real server status is enabled, 2) the health check status is enabled for the pool member, and 3) the real server pool is not associated with a virtual server (which means the real server pool is either not used in a virtual server or it is used in a disabled virtual server).

  • How real server pool member availability influences the real server pool availability — When the real server pool is associated with a virtual server and its members do not all share the same availability status, the pool's availability is derived from the members' statuses. For example, if some pool members are "Healthy" and others are "Unhealthy", the real server pool availability will be "Unhealthy".

BIND 9.18.0 upgrade

FortiADC has upgraded the BIND version to 9.18.0. As BIND 9.18.0 supports DNSSEC by default in Global Load Balancing, the option to manually enable/disable DNSSEC has been removed from the General Settings and Global DNS Policy.

Security

View and release WAF blocked IPs

You can now view and release any IP addresses that have been blocked by the WAF module through FortiView.

External IP list for firewall policies

The new IP Address external connector has been added to the FortiADC Security Fabric. You can now import external IP lists stored on an HTTP/HTTPS server and apply these IPs as an "External Source" for the Source Type/Destination Type address for IPv4 and IPv6 firewall policies.

OWASP Top 10 2021 update

The OWASP Top 10 list has been updated to the latest 2021 version. The OWASP Top 10 Wizard is automatically updated to the 2021 list, and the OWASP Top 10 2021 log data will be displayed through FortiView.

Note: Log data from OWASP Top 10 2017 can still be accessed through the Security log.

New SAP signature type

FortiADC has added the new SAP web server signature type to the Signature Creation Wizard to protect web applications against SAP vulnerabilities.

Note: The SAP signature is only supported in WAF Signature Database versions 0034 or later.

Log & Reporting

Status check for FortiAnalyzer OFTP connectivity

You can now view and test the OFTP connectivity when configuring FortiAnalyzer.

System

New Declarative REST APIs

New declarative REST APIs allow users to configure system operations by using a single REST API (/api/declarative) with the essential declaration instead of requiring multiple REST APIs for system deployments and configurations.

  • POST /api/declarative — sends the declarative API request.

  • GET /api/declarative?id=xxxxxxx — gets the declarative API processing status.

  • GET /api/declarative/sample — gets the current system configuration by declarative API format.

Example: Delete one user with declarative API

  1. Deploy the declarative API request.
  2. To delete user op1, edit the declaration to remove user op1.
  3. POST the updated declaration, which no longer contains the entry for op1, to the server.
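
As an added example (not Fortinet's code) of the three-call workflow above, the following Python client fetches the sample declaration, removes user op1, POSTs the result, and polls the job status until it completes. The declaration layout (admin users as a list under system.admin), the POST response carrying an id, and the status strings are assumptions, since the page does not show the declarative format; the transport is injected so the logic can be exercised offline.

```python
import copy
import time
from typing import Callable, Optional

# transport(method, path, json_body) -> decoded JSON response. Injected so the
# workflow runs offline in tests; in production wrap an authenticated HTTPS client.
Transport = Callable[[str, str, Optional[dict]], dict]


def remove_user(declaration: dict, username: str) -> dict:
    """Copy the declaration minus exactly one admin user; refuse if absent."""
    updated = copy.deepcopy(declaration)
    admins = updated["system"]["admin"]  # ASSUMED location of admin users
    kept = [u for u in admins if u["name"] != username]
    if len(kept) != len(admins) - 1:
        raise ValueError(f"expected exactly one admin named {username!r}")
    updated["system"]["admin"] = kept
    return updated


def only_removes(original: dict, updated: dict, username: str) -> bool:
    """Guard: the only difference may be the one admin entry that was removed."""
    def without_admins(d: dict) -> dict:
        return {k: (v if k != "system" else {s: t for s, t in v.items() if s != "admin"})
                for k, v in d.items()}
    names = lambda d: {u["name"] for u in d["system"]["admin"]}
    return without_admins(original) == without_admins(updated) and \
        names(original) - names(updated) == {username} and names(updated) <= names(original)


def delete_user(transport: Transport, username: str, interval: float = 1.0,
                timeout: float = 60.0) -> str:
    """GET the sample, drop the user, POST it, then poll ?id= until the job ends."""
    sample = transport("GET", "/api/declarative/sample", None)
    updated = remove_user(sample, username)
    if not only_removes(sample, updated, username):
        raise RuntimeError("declaration changed beyond the intended user removal")
    job_id = str(transport("POST", "/api/declarative", updated)["id"])  # ASSUMED shape
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        status = transport("GET", f"/api/declarative?id={job_id}", None).get("status")
        if status == "done":                 # ASSUMED status vocabulary
            return job_id
        if status == "failed":
            raise RuntimeError(f"declarative job {job_id} failed")
        time.sleep(interval)
    raise TimeoutError(f"declarative job {job_id} still running after {timeout}s")
```

The only_removes guard is the part worth keeping in any automation around this API: a declaration replaces the whole configuration, so confirming the diff against the fetched sample is limited to the intended change prevents an edited or stale sample from silently reverting unrelated settings.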

ACME enhancement

The FortiADC ACME feature now supports automatic certificate renewal through TLS-ALPN-01 challenge. When importing automated local certificates you can now select the Challenge Type between DNS-01 and TLS-ALPN-01. The new TLS-ALPN-01 Challenge Type allows you to specify a Renew Window to automatically renew the certificate before it expires.

GUI

Child configuration enhancement

The process of creating a parent and child configuration has been simplified to allow the child configuration to be created on the same page after creating the parent configuration. The initial implementation phase covers most modules that can support the simplified workflow. For now, modules that have more complex backend relationships between the parent-child configurations, such as Virtual Domain configurations, will remain unchanged.
