FortiADC 7.2.0 offers the following new features:
Global Load Balance
DNS over HTTP, HTTPS and TLS support
FortiADC now supports DoH (DNS over HTTP/HTTPS) and DoT (DNS over TLS) to increase user privacy and security by using the HTTP/HTTPS or TLS protocol to encrypt the DNS queries. You can now enable DNS over HTTP, HTTPS or TLS through the GLB Zone Tools general settings.
Server Load Balance
New AUTH class Lua scripting function
The BEFORE_AUTH function has been added to trigger the event before authentication is performed to enable the user-group specified by the function to override the authentication result of the original authentication policy. This allows users to apply different levels of authentication based on the client information via script.
HTTP persistence Lua scripting function enhancements
Enhancements have been made to the HTTP persistence Lua scripting functions:
HTTP:persist() function extended to support HTTP_REQUEST event to enable access to other HTTP elements in PERSISTENCE.
New LB:get_value_routing() function added to enable users to obtain an alternative backend.
New LB:get_current_routing() function added to show the currently allocated backend.
New LB:method_assign_server() function added to obtain the server through the current load balance method.
New addrbook check added to avoid port conflict with named default port 53
Port 53 has been added to the addrbook when GLB is enabled to place a port limitation on port 53 when it is used in GLB as the named port and in GLB licd.
Layer 4 server load balance debug flow enhancements
The Layer 4 server load balance diagnose debug flow has been enhanced to support the following:
Filtering by virtual server name and/or the traffic pattern.
Layer 4 flow debug messages for error cases.
Enhanced help string filtering to match the protocol number with the protocol.
Improvements to Layer 4 FTP profile
To minimize the impact of Layer 4 FTP virtual servers on Layer 7 virtual servers, L4 NAT/FullNAT will now only listen on port 21, and L4 Direct Routing/Tunneling will listen to ports 21/1024-65535.
In scenarios where the L4 load balance module cannot find an existing session or a service for an FTP data packet with port 20 or 1024-64435, the L4 load balance module would search for an FTP virtual server with the same IP. As the L4 load balance module is listening to port 20/1024-64435, as well as port 21 for L4 FTP virtual servers, it interferes with L7 virtual servers if the L7 VS has port 1024-65535, and the IP happens to be the same as the L4 FTP VS.
New Bot Mitigation sub-modules for the Web Application Firewall
Two new Bot Mitigation sub-modules have been added to the FortiADC Web Application Firewall:
Threshold Based Detection detects the occurrence of suspicious behaviors within a specified time frame to determine whether the request is coming from a human or a bot.
Biometrics Based Detection detects client events, such as mouse movement, keyboard, screen touch, and scroll within a specified period to determine whether the request is coming from a human or a bot.
ZTNA enhancements in FortiView
New columns have been added to the FortiView > ZTNA page to enhance the real-time status monitoring of the endpoints registered to FortiClient EMS. The new columns include: Public IP, Tags, MAC, OS Type, and OS Version.
FortiADC AWS Auto Scaling support
FortiADC now supports Auto Scaling on AWS. Multiple FortiADC-VM instances can form an Auto Scaling Group (ASG) to provide highly efficient clustering at times of high workloads. You can now deploy FortiADC-VMs to support Auto Scaling on AWS using the AWS Cloud Formation Template (CFT) as part of a manual deployment process.
Automations workflow redesign and enhancements
The FortiADC Automations workflow has now been redesigned with the following enhancements:
Triggers and Actions are now configured separately and referenced in the Automation configuration.
System predefined configurations that were previously uneditable can now be modified and applied as user-defined configurations.
System predefined configuration templates are now available to be cloned and used as templates for user-defined configurations.
TACACS+ remote authentication support
FortiADC now supports Terminal Access Controller Access-Control System (TACACS+) as a remote authentication option. TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other network computing devices via one or more centralized servers.
Declarative REST API enhancements
Declarative API capabilities have been enhanced to allow verifications of uploaded declarations and an easy means of getting a snapshot of the current system.