What's new
The following sections describe new features, enhancements, and changes:
- Hold primary config-sync unit for some time before upgrading or rebooting
- Match FQDNs from domain-list against SNI header for HTTPS requests
- Detect configuration changes in Windows Active Directory server
Health check on ICAP remote servers
Under Content Analyses > ICAP Remote Servers, you can now configure whether to enable health check of the ICAP remote server using the Health Check button. When enabled, FortiProxy attempts to connect to the ICAP remote server to verify that the server is operating normally and generates an event log each time the ICAP remote server health check fails or goes back online. You must also specify the ICAP service name to use for health check in the Health Check Service field.
In the ICAP remote server table, the Health Check column shows whether health check is enabled for the ICAP remote server. The Status column shows the status of the ICAP remote server: Online, Offline, or Unknown.
Refer to Create or edit an ICAP remote server in the Admin Guide for more details about creating or editing an ICAP remote server.
Alternatively, you can configure the health status check via CLI:
config icap remote-server
    edit <name>
        set healthcheck [disable|enable]
        set healthcheck-service {string}
    next
end
Forward server status monitoring
Use the new Forward Server Monitor widget to monitor the forward server status. See Dashboard in the Admin Guide for more information about this widget or other widgets available.
Alternatively, you can use the following new commands to monitor the forward server status:
- diag wad webproxy forward-server: monitors forward servers.
- diag wad webproxy forward-server-group: monitors forward server groups.
Sample output for monitoring forward servers:
VDOM=root group_name=1
lb-alg=weight n_servers=2 affinity=enable
hits=1 weight_total=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fpx-177
hits=1 status=up weight=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fos-136
hits=0 status=down weight=10 weight_gen=0 weight_cur=0
=========================
VDOM=root group_name=my_srv_grp
lb-alg=weight n_servers=1 affinity=enable
hits=0 weight_total=10 weight_gen=1 weight_cur=0
VDOM=root group_name=my_srv_grp server_name=fpx-177
hits=0 status=up weight=10 weight_gen=0 weight_cur=0
Sample output for monitoring forward server groups:
VDOM=root group_name=g1
lb-alg=active-passive n_servers=2 affinity=disable
hits=107 weight_total=0 weight_gen=1 weight_cur=0
VDOM=root group_name=g1 server_name=227
hits=107 status=up weight=10 weight_gen=0 weight_cur=0
VDOM=root group_name=g1 server_name=229
hits=0 status=up weight=10 weight_gen=0 weight_cur=0
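The diagnostic output above is easy to read by hand but awkward to watch continuously. The following added example (not FortiProxy code) parses that key=value output and reports servers that are not up, groups with no usable server, and groups whose advertised n_servers does not match the servers actually listed. The record layout it assumes (a group header line followed by two detail lines, then one header and one detail line per server) is inferred from the sample above; the input embedded in the script is that sample, copied verbatim.

```python
"""Added example (not FortiProxy code): parse the key=value output of
`diag wad webproxy forward-server` and report load-balancing problems.
The record layout (group header + two detail lines, then one header +
one detail line per server) is inferred from the release-notes sample;
treat it as an assumption if your firmware prints the output differently."""
import re

# Constructed input: the sample output shown in the release notes.
SAMPLE = """\
VDOM=root group_name=1
lb-alg=weight n_servers=2 affinity=enable
hits=1 weight_total=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fpx-177
hits=1 status=up weight=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fos-136
hits=0 status=down weight=10 weight_gen=0 weight_cur=0
=========================
VDOM=root group_name=my_srv_grp
lb-alg=weight n_servers=1 affinity=enable
hits=0 weight_total=10 weight_gen=1 weight_cur=0
VDOM=root group_name=my_srv_grp server_name=fpx-177
hits=0 status=up weight=10 weight_gen=0 weight_cur=0
"""

KV = re.compile(r"(\S+?)=(\S+)")   # one key=value token


def parse_groups(text):
    """Return {(vdom, group): {"group": {...}, "servers": {name: {...}}}}."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.startswith("=")]
    groups, i = {}, 0
    while i < len(lines):
        rec = dict(KV.findall(lines[i]))
        if "VDOM" not in rec:            # stray line: skip rather than misparse
            i += 1
            continue
        is_server = "server_name" in rec
        n_detail = 1 if is_server else 2  # servers have one detail line, groups two
        for j in range(1, n_detail + 1):
            if i + j < len(lines):
                rec.update(KV.findall(lines[i + j]))
        i += n_detail + 1
        key = (rec["VDOM"], rec["group_name"])
        if is_server:
            groups.setdefault(key, {"group": {}, "servers": {}})
            groups[key]["servers"][rec["server_name"]] = rec
        else:
            groups[key] = {"group": rec, "servers": {}}
    return groups


def down_servers(groups):
    """Servers whose status is anything other than 'up', as (vdom, group, server)."""
    return sorted((v, g, s) for (v, g), info in groups.items()
                  for s, rec in info["servers"].items() if rec.get("status") != "up")


def dead_groups(groups):
    """Groups with no server up at all: traffic sent to them cannot be forwarded."""
    return sorted((v, g) for (v, g), info in groups.items()
                  if info["servers"] and not any(r.get("status") == "up"
                                                 for r in info["servers"].values()))


def count_mismatches(groups):
    """Groups whose advertised n_servers differs from the servers actually listed."""
    return sorted((v, g) for (v, g), info in groups.items()
                  if info["group"].get("n_servers") != str(len(info["servers"])))


if __name__ == "__main__":
    g = parse_groups(SAMPLE)
    print("down servers:", down_servers(g))          # [('root', '1', 'fos-136')]
    print("dead groups:", dead_groups(g))            # []
    print("count mismatches:", count_mismatches(g))  # []
```

Feed it the output captured from the CLI (for example over SSH) and alert on a non-empty down_servers or dead_groups result; count_mismatches catches a truncated or interleaved capture before it produces a misleading "all up" verdict.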
New commands to diagnose conntrack
Use the following commands to diagnose conntrack:
- diag sys session conntrack count
- diag sys session conntrack list
- diag sys session conntrack clear
- diagnose sys session conntrack stats
- diagnose sys session conntrack list-dying
- diagnose sys session conntrack list-unconfirmed
New command to diagnose IP set lists
Use the new diagnose ipset list command to diagnose IP set lists when policy matching fails in the kernel even though the IP table is correct, which suggests that the IP set list might be the problem.
Hold primary config-sync unit for some time before upgrading or rebooting
Under config system ha, use the new primary-hold-before-reboot {time} command to hold the primary config-sync unit for some time before upgrading or rebooting. Valid time values are integers from 0 to 600.
Match FQDNs from domain-list against SNI header for HTTPS requests
Under , when setting the data source (config firewall policy, set dstaddr), you can now reference the "domain" type that you set in config system external-resource to avoid connection leakage.
To reference the "domain" type data via CLI:
config firewall policy
edit <policyid>
set dstaddr <external-resource domain list name>
next
end
Add local URL list as data source for firewall
To add a local URL list as a data source for the firewall via CLI:
- Define the local URL list in the web filter:
config webfilter url-list
    edit <name>
        set uuid {uuid}
        set status [enable|disable]
        set comment {var-string}
        config entries
            edit <url>
            next
        end
    next
end
- Configure the firewall proxy to use the local URL list:
config firewall proxy-address
    edit <name>
        set type url-list
        set url-list <External or webfilter URL list>
    next
end
- Reference the local URL list as the data source of the firewall using the firewall.policy.dstaddr command.
Process file access monitoring
Use the new diag sys iotop command to monitor process file access, which is useful for tracing what causes frequent disk access. By default, the command prints results at an interval of 5 seconds; you can also customize the interval to suit your needs. To print results immediately, press Enter.
For each file access, the following information is displayed: PID, process name, accessed file path, and the number of open, read, write, or close events during the interval. Delete and move information is not included. You can also use blacklists to hide sensitive or irrelevant files.
Sample output:
# diag sys iotop
PID #O #R #W #C PROCESS FILE
1078 1 0 2 0 miglogd /var/log/log/root/alog.65504
1078 1 0 2 0 miglogd /var/log/log/root/dlog.65504
1078 1 0 2 0 miglogd /var/log/log/root/hlog.65504
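When the interval table is long, the question is usually "which process is doing the writing?" rather than "which file was touched?". The following added example (not FortiProxy code) parses the diag sys iotop table, sums the open/read/write/close counters per process, ranks the busiest processes, and applies a blacklist to hide paths. The column meanings come from the description above; the glob-style blacklist is this script's own convention, and the two hypothetical_d rows are constructed so that the ranking has more than one process to sort.

```python
"""Added example (not FortiProxy code): aggregate `diag sys iotop` output per
process and hide blacklisted paths.  Column meaning (#O/#R/#W/#C = open, read,
write, close events in the interval) comes from the release notes; the
fnmatch-style blacklist is this script's convention, not the device's."""
from fnmatch import fnmatch

# Constructed input: the three miglogd lines from the release notes plus two
# made-up rows for a hypothetical process so that ranking has something to sort.
SAMPLE = """\
PID #O #R #W #C PROCESS FILE
1078 1 0 2 0 miglogd /var/log/log/root/alog.65504
1078 1 0 2 0 miglogd /var/log/log/root/dlog.65504
1078 1 0 2 0 miglogd /var/log/log/root/hlog.65504
2222 0 40 0 0 hypothetical_d /data/example.db
2222 1 0 9 1 hypothetical_d /tmp/example.tmp
"""

COLUMNS = ("pid", "open", "read", "write", "close", "process", "file")
COUNTERS = ("open", "read", "write", "close")


def parse_iotop(text):
    """Parse one interval's table into dicts.  The path is the last field and
    may itself contain spaces, so each line is split into at most 7 fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) != 7 or not parts[0].isdigit():
            continue                      # header, blank, or malformed line
        row = dict(zip(COLUMNS, parts))
        for c in ("pid",) + COUNTERS:
            row[c] = int(row[c])
        rows.append(row)
    return rows


def apply_blacklist(rows, patterns):
    """Drop rows whose path matches any glob pattern (sensitive or noisy files)."""
    return [r for r in rows if not any(fnmatch(r["file"], p) for p in patterns)]


def totals_by_process(rows):
    """Sum open/read/write/close events per process name, plus files touched."""
    out = {}
    for r in rows:
        t = out.setdefault(r["process"], dict.fromkeys(COUNTERS + ("files",), 0))
        for c in COUNTERS:
            t[c] += r[c]
        t["files"] += 1
    return out


def top_processes(rows, key="write", n=3):
    """Process names ranked by the chosen event counter, busiest first."""
    tot = totals_by_process(rows)
    return sorted(tot, key=lambda p: tot[p][key], reverse=True)[:n]


if __name__ == "__main__":
    rows = parse_iotop(SAMPLE)
    print(top_processes(rows, "write"))                       # ['hypothetical_d', 'miglogd']
    print(totals_by_process(apply_blacklist(rows, ["/var/log/*"])).keys())
```

Run it over several captured intervals and compare the per-process totals between them: a process whose write count climbs steadily while its file count stays at one is the usual signature of a log or database writer worth a closer look.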
Detect configuration changes in Windows Active Directory server
To configure FortiProxy to detect configuration changes in Windows Active Directory server via CLI:
config user domain-controller
    edit <name>
        set change-detection [enable|disable]
        set change-detection-period {integer}
    next
end
Option | Description
change-detection enable | Enable detection of configuration changes in the Active Directory server.
change-detection disable | Disable detection of configuration changes in the Active Directory server (default).
change-detection-period {integer} | Interval (in minutes) at which configuration changes in the Active Directory server are detected. Valid values range from 5 to 10080. The default is 60.
Diagnose memory of all wad processes
Use the new diagnose wad memory workers command to show the cmem stats of all wad processes, as opposed to only the workers.
Use the diagnose wad memory track command to show, summed over all wad processes, the cmem stats, fmem stats, pool stats, block stats, mmap stats, and mallinfo, followed by the per-process mmap stats, pool stats, block stats, mallinfo, top 6 cmem stats, and top 5 fmem stats. mallinfo is written to process shared memory every 30 seconds.
Changes to the set domain-fronting configuration
Under config firewall profile-protocol-options, the options for the set domain-fronting configuration change from [enable|disable] to [allow|block|monitor].
Option | Description
allow | Allow domain fronting.
block | Block and log domain fronting.
monitor | Allow and log domain fronting.
Remove the config fabric-device configuration
Under config system csf, the config fabric-device configuration is removed.