What’s new
The following sections describe new features and enhancements:
Certificate validation for external resources
The server certificate is verified before data is fetched from external connectors that have SSL enabled.
To configure certificate verification:
    config system external-resource
        edit "test"
            set server-identity-check {none | basic | full}
        next
    end
    none    No certificate verification (default).
    basic   Check the server certificate only.
    full    Check the server certificate and that the domain matches the server certificate.
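The table above only names the three levels. The following added example (not FortiProxy code; the mapping of each level to TLS client settings and the acceptance policy are assumptions) shows what each level actually checks, and why "basic" still accepts a trusted certificate issued for a different host:

```python
import ssl

# Added example: models the three server-identity-check levels from the
# table above as TLS client behaviour. The mapping to ssl.SSLContext flags
# and the policy function are assumptions, not FortiProxy code.

LEVELS = ("none", "basic", "full")


def context_for_level(level, cafile=None):
    """Client SSLContext whose verification matches one of the three levels."""
    if level not in LEVELS:
        raise ValueError("unknown server-identity-check level: %r" % (level,))
    ctx = ssl.create_default_context(cafile=cafile)
    if level == "none":
        # Page default: nothing is checked. check_hostname must be cleared
        # before verify_mode may be set to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif level == "basic":
        # Chain is validated against trusted CAs, but any valid certificate
        # is accepted no matter which name it was issued for.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_REQUIRED
    # "full": create_default_context already sets CERT_REQUIRED + hostname check
    return ctx


def san_matches(pattern, hostname):
    """RFC 6125-style match: a leading '*' covers exactly one DNS label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, sep, rest = hostname.partition(".")
        return bool(head) and sep == "." and rest == pattern[2:]
    return pattern == hostname


def server_accepted(level, chain_valid, san_names, hostname):
    """Would a connection be allowed under this level, given the chain result and SANs?"""
    if level == "none":
        return True
    if not chain_valid:
        return False
    if level == "basic":
        return True
    if level == "full":
        return any(san_matches(n, hostname) for n in san_names)
    raise ValueError("unknown server-identity-check level: %r" % (level,))
```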
Detect HTTPS in HTTP request
In an explicit web proxy, you can enable detection of SSL in the HTTP request line. When enabled, HTTP GET/POST requests sent to the FortiProxy are passed instead of blocked.
To enable detecting SSL in the HTTP request line:
    config web-proxy explicit-proxy
        edit "web-proxy"
            set status enable
            set interface "any"
            set http-incoming-port 8080
            set detect-https-in-http-request enable
        next
    end
Auto-script password encryption
When configuring an automatic script, the new password attribute can be set. Its value replaces the %%PASSWD%% tag wherever the script uses it. When the configuration is downloaded or viewed in the CLI, the password is shown encrypted.
To configure and then view an automatic script with a password:
- Configure the automatic script:
    config system auto-script
        edit "autobackup"
            set interval 60
            set repeat 0
            set start auto
            set script "execute backup config sftp 10.0.0.1 admin %%PASSWD%% /home/user/proxy.config"
            set password 1234567890
        next
    end
- View the script:
    # show system auto-script
    config system auto-script
        edit "autobackup"
            set interval 60
            set repeat 0
            set start auto
            set script "execute backup config sftp 10.0.0.1 admin %%PASSWD%% /home/user/proxy.config"
            set password ENC Dz6s2235D+GkaND0zptzOUQH2ptR2M4v5VEP3v3/NvB2So/yBat/tUGEavP71pUdn38HKFXUPeZ802C8+exOjDatMSo5YVebkkDnL01J4EtGzcrJuQKl97+ekrHXMzkyxA/yxtkKURuVBlhKRqBFn03DleaR7vcbj4HnLLIY73WRI018NDfPgOS3non02OqfFv9Oew==
        next
    end
The password is encrypted.
Remove quotes from external resource
When a URL is entered for an external resource, leading and trailing quote strings are automatically removed from the URL. This includes the following characters: ", ', &39;, &34;, and &96;.
For example, "https://docs.fortinet.com" will be changed to https://docs.fortinet.com.
Learn the destination from the SNI
Learning the destination from the SNI in a client hello can be enabled in an explicit web proxy. This allows WAD to handle proxy traffic that sends a TLS client hello directly, without first sending an HTTP CONNECT.
    config web-proxy explicit-proxy
        edit "web-proxy"
            set status enable
            set interface "any"
            set http-incoming-port 8080
            set https-incoming-port 8443
            set learn-dst-from-sni enable
        next
    end