What’s New

This section lists features and enhancements introduced in the FortiADC 7.4.1 release.

Global Load Balance

New Public SDN server type option for GSLB server

FortiADC now supports using a Public SDN connector as a remote GSLB server, which can then be used in virtual server pools.

Note: Currently, only AWS connectors are supported in this feature.

User-defined certificate for GSLB

You can now apply a user-defined certificate in Global Server Load Balancing for authentication and allow only trusted certificates to connect. This function is available in the Global Object Server configuration and the FQDN GLB Setting.


Server Load Balance

Enhancements to predefined client SSL profiles with OpenSSL upgrade

With the upgrade to OpenSSL version 3.1.1, FortiADC has added some new ciphers and removed some weaker ciphers. As a result, the following enhancements have been made to the predefined client SSL profiles:

  • Added new LB_CLIENT_SSL_PROF_MODERN that has more secure settings.

  • Updated existing predefined client SSL profiles:

    Predefined Client SSL Profile: LB_CLIENT_SSL_PROF_DEFAULT
    Updates made:
      • Removed weaker SSL ciphers: ECDHE-RSA-AES128-SHA, ECDHE-RSA-DES-CBC3-SHA, ECDHE-ECDSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA
      • Updated Allowed SSL Versions: removed TLSv1.1; added TLSv1.3
      • Added TLSv1.3 Cipher Suite List: TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256
      • Changed SSL DH Parameter Size to 2048 bits

    Predefined Client SSL Profile: LB_CLIENT_SSL_PROF_FORWARD_PROXY
    Updates made:
      • Updated Allowed SSL Versions: removed TLSv1.1; added TLSv1.3
      • Changed SSL DH Parameter Size to 2048 bits

    Predefined Client SSL Profile: LB_CLIENT_SSL_PROF_HTTP2
    Updates made:
      • Changed SSL DH Parameter Size to 2048 bits
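The profile changes above amount to a checklist: no 3DES or SHA-1 MAC cipher suites, TLSv1.1 disabled, TLSv1.3 suites available. The script below is an added example (not FortiADC code) that builds an OpenSSL server context with Python's ssl module and audits it against that checklist, alongside a deliberately permissive context standing in for an older profile. The cipher string HARDENED_CIPHERS is an assumption that approximates the updated profile; it is not the profile's actual cipher list.

```python
"""Audit a TLS server context against the FortiADC 7.4.1 predefined client
SSL profile changes (added example; not FortiADC code)."""
import ssl

# Ciphers the release notes list as removed from LB_CLIENT_SSL_PROF_DEFAULT.
REMOVED_CIPHERS = frozenset({
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
    "ECDHE-ECDSA-DES-CBC3-SHA",
    "EDH-RSA-DES-CBC3-SHA",
    "DES-CBC3-SHA",
})

# TLSv1.3 cipher suites the updated profile allows.
TLS13_SUITES = frozenset({
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
})

# Assumed OpenSSL cipher string approximating the hardened profile: forward
# secrecy plus AEAD only, with 3DES and SHA-1 MAC suites explicitly excluded.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!3DES:!SHA1"


def build_hardened_context() -> ssl.SSLContext:
    """Context mirroring the profile update: TLSv1.1 dropped, TLSv1.3 added."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def build_legacy_context() -> ssl.SSLContext:
    """Permissive context standing in for a pre-7.4.1 profile: every suite the
    library offers at security level 0, and TLSv1.1 if the build allows it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    except ValueError:  # TLSv1.1 compiled out of this OpenSSL build
        pass
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report which of the release-note changes the context does not meet."""
    enabled = {c["name"] for c in ctx.get_ciphers()}
    return {
        "removed_still_enabled": sorted(enabled & REMOVED_CIPHERS),
        "tls13_suites_missing": sorted(TLS13_SUITES - enabled),
        "tls11_allowed": ctx.minimum_version <= ssl.TLSVersion.TLSv1_1,
    }


def is_compliant(report: dict) -> bool:
    """True when no removed cipher is enabled, TLSv1.1 is off and all three
    TLSv1.3 suites are available."""
    return (not report["removed_still_enabled"]
            and not report["tls13_suites_missing"]
            and not report["tls11_allowed"])


if __name__ == "__main__":
    for label, builder in (("legacy", build_legacy_context),
                           ("hardened", build_hardened_context)):
        report = audit_context(builder())
        print(f"{label}: compliant={is_compliant(report)} {report}")
```

get_ciphers() lists the suites the context would offer, TLSv1.3 suites included, so the same audit can be pointed at any ssl.SSLContext an application builds; it reports what the library would negotiate, not what a remote FortiADC virtual server is configured to accept.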

Packet forwarding and IP pool support for Layer 4 content routing

In Layer 4 content routing, you can now configure the packet forwarding method as Inherit or Full NAT, and configure the source IP pool list.

HTTP/3 virtual server support for multiple process through CLI

HTTP/3 multi-process support allows a single virtual server to serve multiple streams in parallel by using multiple CPU cores.

Previously, an HTTP/3 VS was restricted to a single process on one CPU core. In FortiADC 7.4.1 this restriction has been lifted: an HTTP/3 VS can now run multiple processes, making full use of the available CPU resources and significantly improving HTTP/3 VS traffic performance, including throughput and connections per second.

You can enable multi-process functionality for an HTTP/3 VS in the CLI with the set multi-process option under config load-balance virtual-server.

New TCP Lua scripting functions

Four new TCP Lua scripting functions have been added:

  • TCP:after_timer_set() function creates and schedules a timer with a callback function and a timeout value. Because each timer is identified by its callback function name, you can create multiple timers, each with a unique callback.

  • TCP:after_timer_cancel() function cancels a scheduled timer.

  • TCP:after_timer_get() function gets information about the scheduled timers.

  • TCP:close() function closes the TCP connection immediately.

Security

FortiGuard ABP (Advanced Bot Protection) integration

FortiGuard ABP (Advanced Bot Protection) is a Fortinet SaaS advanced bot mitigation solution designed to detect and mitigate sophisticated bots that may be used to conduct fraudulent activities, spamming, scraping, or other malicious attacks on websites, applications, or APIs. FortiGuard ABP incorporates a combination of approaches such as behavioral analysis and deep learning algorithms.

The FortiGuard ABP integration with FortiADC works by using client information collected through JavaScript insertion, which allows the client and FortiADC (via a Fabric connector) to send telemetry (such as headers and device fingerprinting data) to the Advanced Bot Protection Cloud. FortiGuard ABP then inspects the request to determine whether the client is a human or a bot and sends instructions back to FortiADC to take an action on the request (such as block, CAPTCHA, or allow).

Note: This feature requires a license. Currently, FortiGuard ABP is only available with a Standalone license, which is a Fortinet support account based license that is verified by the FortiGuard ABP User Portal instead of through FortiGuard. For more information, log in to https://fortiabp.forticloud.com/.

Enhancements to FortiADC Automation

New Automation GUI framework
FortiADC Automation now has a new look and feel where Automation triggers and actions are "stitched" together to form an Automation Stitch.

New Automation Trigger based on FortiADC logs
You can now create FortiADC Automation Stitches that use FortiADC logs as the trigger. This feature introduces Log IDs corresponding to the different log events, which can be used to trigger the automation action.

System

New System Global Resources pages

The Global Resources page has been added under the System menu in the GUI to display the global system resource usage, including current and maximum usage per resource.

Border Gateway Protocol (BGP) Bidirectional Forwarding Detection (BFD) support

FortiADC now supports BFD to provide fast failure detection for BGP sessions, enabling quicker rerouting of traffic in the event of a link or peer failure. In Network > Routing, you can now configure a BFD object and enable BFD in the BGP Neighbor configuration.



DNS Override support on VDOM level

Previously, system DNS settings could only be configured at the Global level, which did not support deployments in which each tenant needs its own DNS server. With this new feature, you can configure the System DNS resolver for non-root VDOMs and override the Global DNS settings with a per-VDOM DNS server IP, giving more flexibility and supporting topologies such as MSSP/hosting.

Reverse route cache support extended for IPv6 through CLI

Reverse Route Cache dynamically caches routing information to expedite packet forwarding by minimizing repeated route lookups. IPv4 reverse route caching is already supported in previous versions, and now FortiADC has extended this functionality to support IPv6 reverse route cache and exception IPv6 lists.

HA firmware upgrade by FTP through CLI

You now have the option to upgrade your HA firmware image from an FTP server through the CLI command execute restore image ftp-ha-sync.

Introduction of firmware maturity levels

Starting with FortiADC 7.4.1, released FortiADC firmware images use tags to indicate the following maturity levels:

  • The Feature (F) tag indicates that the firmware release includes new features.

  • The Mature (M) tag indicates that the firmware release includes no new or major features. Mature firmware will contain bug fixes and vulnerability patches where applicable.

Instance Metadata Service v2 (IMDSv2) support on AWS

FortiADC now supports Instance Metadata Service v2 (IMDSv2) on the AWS Platform.
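What IMDSv2 support means in practice is that metadata reads go through a session-token exchange instead of a bare GET: the client first obtains a short-lived token with a PUT, then presents it on every data request, and the service refuses token-less or proxied requests. The following is an added example (not FortiADC or AWS code) that implements that exchange against an in-process stand-in for the metadata service, so it runs offline; the endpoint, paths and header names are the documented IMDS ones, while FakeImdsV2, the metadata values and the instance id are constructed for the example.

```python
"""IMDSv2 session-token exchange against a constructed stand-in for the
metadata service (added example; not FortiADC or AWS code)."""
import http.client
import secrets
import time

IMDS_HOST = "169.254.169.254"
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
MAX_TTL = 21600  # six hours, the documented upper bound for a token TTL


class FakeImdsV2:
    """Stand-in for the metadata service in IMDSv2-required mode (constructed
    for this example). Data paths need a live session token, token creation
    needs a PUT carrying a TTL header, and token requests that arrive through
    a proxy (X-Forwarded-For present) are refused."""

    def __init__(self, metadata, clock=time.monotonic):
        self.metadata = metadata   # path -> value, constructed sample data
        self.clock = clock         # injectable so expiry can be tested
        self.tokens = {}           # token -> expiry timestamp

    def handle(self, method, path, headers):
        hdrs = {k.lower(): v for k, v in headers.items()}
        if path == TOKEN_PATH:
            if method != "PUT":
                return 405, ""
            if "x-forwarded-for" in hdrs:
                return 403, ""
            ttl = hdrs.get(TTL_HEADER.lower(), "")
            if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self.tokens[token] = self.clock() + int(ttl)
            return 200, token
        if method != "GET":
            return 405, ""
        token = hdrs.get(TOKEN_HEADER.lower())
        if token is None or self.tokens.get(token, float("-inf")) <= self.clock():
            return 401, ""   # no token, unknown token, or expired token
        if path in self.metadata:
            return 200, self.metadata[path]
        return 404, ""


def fetch_v1(transport, path):
    """Legacy IMDSv1 access: a single unauthenticated GET."""
    return transport("GET", path, {})


def fetch_v2(transport, path, ttl=300):
    """IMDSv2 access: obtain a short-lived token with PUT, then GET with it."""
    status, token = transport("PUT", TOKEN_PATH, {TTL_HEADER: str(ttl)})
    if status != 200:
        raise RuntimeError(f"IMDSv2 token request rejected with HTTP {status}")
    return transport("GET", path, {TOKEN_HEADER: token})


def http_transport(method, path, headers):
    """Real transport for use on an EC2 instance; not exercised offline."""
    conn = http.client.HTTPConnection(IMDS_HOST, timeout=2)
    conn.request(method, path, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Constructed sample metadata; the instance id is not a real one.
    svc = FakeImdsV2({"/latest/meta-data/instance-id": "i-0123456789abcdef0"})
    print("v1-style GET:", fetch_v1(svc.handle, "/latest/meta-data/instance-id"))
    print("v2 exchange: ", fetch_v2(svc.handle, "/latest/meta-data/instance-id"))
```

The transport is passed in as a function so the same fetch_v2() runs against the stand-in offline and against http_transport() on a real instance. The security-relevant behaviour is in the stand-in's refusals: a plain GET gets 401 and a token request with X-Forwarded-For gets 403, which is why forcing IMDSv2 closes the classic path where a request-forwarding flaw in an application could be used to read instance credentials.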

Client-side certificate validation against public SDN

FortiADC now uses a third-party certificate bundle to validate public SDN certificates to protect against security vulnerabilities.

Troubleshooting

Debug filter option for fnginx modules through CLI

You can now set debug filters to view specific load balancing information for fnginx modules from the CLI diagnose debug module fnginx.

Note: The debug filter is only supported for fnginx_new modules: SMTP, FTP, MSSQL, RADIUS, and ISO8583.

New debug module for named daemon issues added in CLI

You can now generate a comprehensive log to debug named daemon issues using the new CLI command diagnose debug module named.
