What’s new

The following sections describe new features and enhancements:

Certificate validation for external resources

The server certificate is verified before data is fetched from external connectors that have SSL enabled.

To configure certificate verification:
config system external-resource
    edit "test"
        set server-identity-check {none | basic | full}
    next
end

none

No certificate verification (default).

basic

Check server certificate only.

full

Check the server certificate and that the requested domain matches the server certificate.

Detect HTTPS in HTTP request

In an explicit web proxy, you can enable detection of SSL in the HTTP request line. When enabled, HTTP GET/POST requests sent to the FortiProxy are passed instead of blocked.

To enable detection of SSL in the HTTP request line:
config web-proxy explicit-proxy
    edit "web-proxy"
        set status enable
        set interface "any"
        set http-incoming-port 8080
        set detect-https-in-http-request enable
    next
end

Auto-script password encryption

When configuring an automatic script, the new password attribute can be set. It will replace the password in the script when the script uses the %%PASSWD%% tag. When the configuration is downloaded or viewed in the CLI, the password is encrypted.

To configure then view an automatic script with a password:
  1. Configure the automatic script:

    config system auto-script
        edit "autobackup"
            set interval 60
            set repeat 0
            set start auto
            set script "execute backup config sftp 10.0.0.1 admin %%PASSWD%% /home/user/proxy.config"
            set password 1234567890
        next
    end
  2. View the script:

    # show system auto-script
    config system auto-script
        edit "autobackup"
            set interval 60
            set repeat 0
            set start auto
            set script "execute backup config sftp 10.0.0.1 admin %%PASSWD%% /home/user/proxy.config"
            set password ENC Dz6s2235D+GkaND0zptzOUQH2ptR2M4v5VEP3v3/NvB2So/yBat/tUGEavP71pUdn38HKFXUPeZ802C8+exOjDatMSo5YVebkkDnL01J4EtGzcrJuQKl97+ekrHXMzkyxA/yxtkKURuVBlhKRqBFn03DleaR7vcbj4HnLLIY73WRI018NDfPgOS3non02OqfFv9Oew==
        next
    end

    The password is encrypted.

Remove quotes from external resource

When a URL is entered for an external resource, the leading and trailing quote strings are automatically removed from the URL. This includes the following characters: &quot;, &apos;, &39;, &34;, and &96;.

For example: "https://docs.fortinet.com" will be changed to: https://docs.fortinet.com.

Learn the destination from the SNI

Learning the destination from the SNI in a client hello can be enabled in an explicit web proxy. This allows WAD to handle proxy traffic that sends a TLS client hello directly, without sending an HTTP connect.

config web-proxy explicit-proxy
    edit "web-proxy"
        set status enable
        set interface "any"
        set http-incoming-port 8080
        set https-incoming-port 8443
        set learn-dst-from-sni enable
    next
end
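Both explicit-proxy options above, detect-https-in-http-request and learn-dst-from-sni, depend on inspecting what a client sends to the proxy's HTTP port. The following Python is an added example, not FortiProxy or WAD code: it classifies a captured first packet as a TLS ClientHello or an HTTP request line and, for a ClientHello, pulls the destination out of the SNI extension. The sample ClientHello is constructed inline with a fixed random and one cipher suite.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying an SNI extension (constructed sample)."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # server_name list, type host_name
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni                  # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32           # client_version + 32-byte random (fixed, constructed)
            + b"\x00"                             # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00"                         # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16

def sni_from_client_hello(data: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent or malformed."""
    if len(data) < 43 or data[0] != 0x16 or data[5] != 0x01:
        return None
    try:
        pos = 43                                                   # record(5)+hs(4)+version(2)+random(32)
        pos += 1 + data[pos]                                       # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]       # cipher suites
        pos += 1 + data[pos]                                       # compression methods
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(data)):
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0x0000 and elen >= 5 and data[pos + 2] == 0:
                nlen = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        return None
    return None

def classify(data: bytes) -> dict:
    """Decide what arrived on the HTTP listener and which destination the proxy should learn."""
    host = sni_from_client_hello(data)
    if host is not None:
        return {"kind": "tls-client-hello", "dst": host}        # TLS sent without a prior CONNECT
    parts = data.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(parts) >= 3 and parts[0] == "CONNECT":
        return {"kind": "http-connect", "dst": parts[1]}         # classic tunnel request
    if len(parts) >= 3 and parts[0].isalpha():
        return {"kind": "http-request", "dst": parts[1]}         # plain GET/POST etc.
    return {"kind": "unknown", "dst": None}
```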