What's new

The following sections describe new features, enhancements, and changes:

Health check on ICAP remote servers

Under Content Analyses > ICAP Remote Servers, you can now configure whether to enable health check of the ICAP remote server using the Health Check button. When enabled, FortiProxy attempts to connect to the ICAP remote server to verify that the server is operating normally and generates an event log each time the ICAP remote server health check fails or goes back online. You must also specify the ICAP service name to use for health check in the Health Check Service field.

In the ICAP remote server table, the Health Check column shows whether health check is enabled for the ICAP remote server. The Status column shows the current state of the ICAP remote server: Online, Offline, or Unknown.

Refer to Create or edit an ICAP remote server in the Admin Guide for more details about creating or editing an ICAP remote server.

Alternatively, you can configure the health check via CLI:
config icap remote-server
    edit <name>
        set healthcheck [disable|enable]
        set healthcheck-service {string}
    next
end
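How such a probe and the online/offline event logging fit together, as an added example rather than FortiProxy's own code. The probe sends an ICAP OPTIONS request for the configured health-check service and treats an ICAP/1.0 200 reply as healthy; that probe method, the two-second timeout and the service name respmod are assumptions, since the page does not say how FortiProxy tests the server. The fake ICAP server is a constructed fixture so the example runs offline.

```python
import socket
import threading

# Added example (not FortiProxy code). Assumption: health = ICAP OPTIONS
# for the configured service answered with "ICAP/1.0 200".


def build_options_request(host: str, service: str) -> bytes:
    """ICAP OPTIONS request (RFC 3507, section 4.10) for one service."""
    return (
        f"OPTIONS icap://{host}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "User-Agent: icap-healthcheck-demo\r\n"
        "\r\n"
    ).encode("ascii")


def parse_icap_status(data: bytes):
    """Return the numeric code from an ICAP status line, or None if malformed."""
    parts = data.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"ICAP/1."):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def probe(host: str, port: int, service: str, timeout: float = 2.0) -> str:
    """One health-check round trip: 'online' on ICAP 200, otherwise 'offline'.

    Refused connections, timeouts and malformed replies all count as failures:
    a proxy that cannot reach its ICAP server cannot scan traffic."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_options_request(host, service))
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:  # ConnectionRefusedError and socket.timeout are OSErrors
        return "offline"
    return "online" if parse_icap_status(data) == 200 else "offline"


class HealthMonitor:
    """Tracks online/offline/unknown and records an event only when the
    state changes, mirroring the event log described above."""

    def __init__(self):
        self.status = "unknown"
        self.events = []

    def update(self, result: str) -> str:
        if result != self.status:
            self.events.append(f"icap health check: {self.status} -> {result}")
            self.status = result
        return self.status


def start_fake_icap_server(response: bytes):
    """Constructed fixture: a loopback ICAP server answering every connection
    with `response`. Returns (port, listening_socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener shut down
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)  # consume the OPTIONS request
                    conn.sendall(response)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def stop_fake_icap_server(srv: socket.socket) -> None:
    try:
        srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept() so the thread exits
    except OSError:
        pass
    srv.close()


def unused_port() -> int:
    """Bind-and-release a loopback port to demonstrate a refused connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ok = b"ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\nEncapsulated: null-body=0\r\n\r\n"
    port, srv = start_fake_icap_server(ok)
    mon = HealthMonitor()
    print(mon.update(probe("127.0.0.1", port, "respmod")))  # online
    stop_fake_icap_server(srv)
    print(mon.update(probe("127.0.0.1", port, "respmod")))  # offline
    print(mon.events)
```

The monitor deliberately logs transitions only: a server that stays down produces one event, not one per probe interval, which keeps the event log useful as an alert source.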

Forward server status monitoring

Use the new Forward Server Monitor widget to monitor the forward server status. See Dashboard in the Admin Guide for more information about this widget or other widgets available.

Alternatively, you can use the following new commands to monitor the forward server status:
  • diag wad webproxy forward-server—For monitoring forward servers.

  • diag wad webproxy forward-server-group—For monitoring forward server groups.

Sample output for monitoring forward servers:
VDOM=root group_name=1
lb-alg=weight n_servers=2 affinity=enable
hits=1 weight_total=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fpx-177
hits=1 status=up weight=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fos-136
hits=0 status=down weight=10 weight_gen=0 weight_cur=0
=========================
VDOM=root group_name=my_srv_grp
lb-alg=weight n_servers=1 affinity=enable
hits=0 weight_total=10 weight_gen=1 weight_cur=0
VDOM=root group_name=my_srv_grp server_name=fpx-177
hits=0 status=up weight=10 weight_gen=0 weight_cur=0

Sample output for monitoring forward server groups:
VDOM=root group_name=g1
lb-alg=active-passive n_servers=2 affinity=disable
hits=107 weight_total=0 weight_gen=1 weight_cur=0
VDOM=root group_name=g1 server_name=227
hits=107 status=up weight=10 weight_gen=0 weight_cur=0
VDOM=root group_name=g1 server_name=229
hits=0 status=up weight=10 weight_gen=0 weight_cur=0
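A small parser for that output, as an added example (not FortiProxy code), that turns the key=value lines into groups and servers and flags any group that has lost one or all of its forward servers. The sample text is the forward-server output quoted above; the finding names are the example's own.

```python
# Added example (not FortiProxy code): parse "diag wad webproxy forward-server"
# output and report groups with down servers. Sample taken from this page.

SAMPLE_OUTPUT = """\
VDOM=root group_name=1
lb-alg=weight n_servers=2 affinity=enable
hits=1 weight_total=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fpx-177
hits=1 status=up weight=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fos-136
hits=0 status=down weight=10 weight_gen=0 weight_cur=0
=========================
VDOM=root group_name=my_srv_grp
lb-alg=weight n_servers=1 affinity=enable
hits=0 weight_total=10 weight_gen=1 weight_cur=0
VDOM=root group_name=my_srv_grp server_name=fpx-177
hits=0 status=up weight=10 weight_gen=0 weight_cur=0
"""


def parse_forward_server_output(text: str) -> dict:
    """Return {(vdom, group): {"attrs": {...}, "servers": {name: {...}}}}.

    A header line (one carrying group_name=) opens a group, or a server when it
    also carries server_name=; the key=value lines that follow belong to
    whatever was opened last. The '====' separator just resets that state."""
    groups = {}
    target = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            target = None
            continue
        kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "group_name" in kv:
            group = groups.setdefault((kv.get("VDOM", ""), kv["group_name"]),
                                      {"attrs": {}, "servers": {}})
            if "server_name" in kv:
                target = group["servers"].setdefault(kv["server_name"], {})
            else:
                target = group["attrs"]
        elif target is not None:
            target.update(kv)
    return groups


def find_degraded_groups(groups: dict) -> list:
    """One finding per unhealthy group: (vdom, group, reason, down_servers)."""
    findings = []
    for (vdom, name), group in sorted(groups.items()):
        servers = group["servers"]
        down = sorted(s for s, a in servers.items() if a.get("status") != "up")
        declared = int(group["attrs"].get("n_servers", len(servers)))
        if len(down) == len(servers):        # also true for an empty group
            findings.append((vdom, name, "no-server-up", down))
        elif down:
            findings.append((vdom, name, "degraded", down))
        elif declared != len(servers):       # output truncated or inconsistent
            findings.append((vdom, name, "server-count-mismatch", down))
    return findings


if __name__ == "__main__":
    for finding in find_degraded_groups(parse_forward_server_output(SAMPLE_OUTPUT)):
        print(finding)
```

Feed it the live command output (for example from a scheduled CLI pull) and alert on no-server-up, which is the state in which the proxy has nowhere to forward traffic.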

New commands to diagnose conntrack

Use the following commands to diagnose conntrack:

  • diagnose sys session conntrack count

  • diagnose sys session conntrack list

  • diagnose sys session conntrack clear

  • diagnose sys session conntrack stats

  • diagnose sys session conntrack list-dying

  • diagnose sys session conntrack list-unconfirmed

New command to diagnose IP set lists

Use the new diagnose ipset list command to inspect the IP set lists when policies are not matched as expected in the kernel, that is, when the IP table rules are correct but the IP set that they reference may be wrong.

Hold primary config-sync unit for some time before upgrading or rebooting

Under config system ha, use the new primary-hold-before-reboot {time} setting to hold the primary config-sync unit for the specified time before it upgrades or reboots. Valid values are integers from 0 to 600.

Match FQDNs from domain-list against SNI header for HTTPS requests

Under config firewall policy, when setting the destination address (set dstaddr), you can now reference an external resource of type domain that you configured under config system external-resource. For HTTPS requests, the FQDNs in that domain list are matched against the SNI sent in the TLS handshake, so that connections to listed domains are not leaked past the policy.

To reference the "domain" type data via CLI:
config firewall policy
    edit <policyid>
        set dstaddr <external-resource domain list name>
    next
end

Add local URL list as data source for firewall

To add a local URL list as a data source for a firewall policy via CLI:
  1. Define the local URL list in web filter:
    config webfilter url-list
        edit <name>
            set uuid {uuid}
            set status [enable|disable]
            set comment {var-string}
            config entries
                edit <url>
                next
            end
        next
    end

  2. Create a proxy address of type url-list that points at the local list:
    config firewall proxy-address
        edit <name>
            set type url-list
            set url-list <External or webfilter URL list>
        next
    end

  3. Reference the proxy address as the destination address of the policy, using set dstaddr under config firewall policy.
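The three steps carried through as one configuration, added here as an example rather than taken from the product documentation. The list name, entries, address name, policy ID, interfaces, service and schedule are placeholders; set uuid is left out, and the policy fields other than dstaddr are those of an ordinary policy and should be adjusted to the deployment.

```text
config webfilter url-list
    edit "local-blocklist"
        set status enable
        set comment "Locally maintained URL block list"
        config entries
            edit "bad.example.com"
            next
            edit "cdn.example.net/downloads/"
            next
        end
    next
end

config firewall proxy-address
    edit "local-blocklist-addr"
        set type url-list
        set url-list "local-blocklist"
    next
end

config firewall policy
    edit 10
        set name "deny-local-blocklist"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "local-blocklist-addr"
        set schedule "always"
        set service "webproxy"
        set action deny
    next
end
```

Keep the deny policy above any broader accept policy for the same source, since policies are matched top down and a permissive policy earlier in the list would never let this one be evaluated.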

Process file access monitoring

Use the new diag sys iotop command to monitor process file access, which is useful for tracing what causes frequent disk access. By default, the command prints results at an interval of 5 seconds. You can also customize the interval to suit your needs. To print results immediately, press Enter.

For each file access, the following information is displayed: PID, process name, accessed file path, and the number of open, read, write, or close events during the interval. Delete and move information is not included. You can also use blacklists to hide sensitive or irrelevant files.

Sample output:
# diag sys iotop
PID #O #R #W #C PROCESS FILE
1078 1 0 2 0 miglogd /var/log/log/root/alog.65504
1078 1 0 2 0 miglogd /var/log/log/root/dlog.65504
1078 1 0 2 0 miglogd /var/log/log/root/hlog.65504

Detect configuration changes in Windows Active Directory server

To configure FortiProxy to detect configuration changes in a Windows Active Directory server via CLI:
config user domain-controller
    edit <name>
        set change-detection [enable|disable]
        set change-detection-period {integer}
    next
end

enable Enable detection of configuration changes in the Active Directory server.
disable Disable detection of configuration changes in the Active Directory server (default).
integer Interval (in minutes) between checks for configuration changes in the Active Directory server. Valid values are 5 to 10080. The default is 60.

Diagnose memory of all wad processes

Use the new diagnose wad memory workers command to show the cmem stats of all wad processes rather than only of the worker processes.

Use the diagnose wad memory track command to show, summed across all wad processes, the cmem, fmem, pool, block, and mmap stats and mallinfo, followed by the per-process mmap, pool, block, and mallinfo stats together with the top 6 cmem and top 5 fmem stats for each process. mallinfo is written to the process's shared memory every 30 seconds.

Changes to set domain-fronting configuration

Under config firewall profile-protocol-options, the options for the set domain-fronting setting change from [enable|disable] to [allow|block|monitor]:

allow Allow domain fronting.
block Block and log domain fronting.
monitor Allow and log domain fronting.
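Both the SNI-based domain-list matching described under "Match FQDNs from domain-list against SNI header for HTTPS requests" and the allow/block/monitor domain-fronting setting above rest on the same step: pulling the server name out of the TLS ClientHello. The following added example (not FortiProxy code) does that with a bounds-checked parser, matches the name against a domain list, and applies the three domain-fronting modes. The ClientHello builder, domain entries and Host header values are constructed for the demo, and the list semantics (exact entry, or a "*." entry covering subdomains) and the definition of fronting as Host header differing from SNI are the example's assumptions, not FortiProxy's documented rules.

```python
import struct

# Added example (not FortiProxy code). Assumptions: "*." entries match
# subdomains; fronting means HTTP Host names a different domain than the SNI.

SNI_EXTENSION = 0x0000
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying only an SNI extension."""
    name = server_name.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    body = (
        b"\x03\x03" + b"\x11" * 32                             # version, fixed random
        + b"\x00"                                              # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"                   # one cipher suite
        + b"\x01\x00"                                          # null compression
        + struct.pack("!H", len(ext)) + ext                    # extensions block
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def _u16(buf: bytes, pos: int) -> int:
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.

    Every length is bounds-checked: a policy engine must not crash on a
    truncated or hostile handshake, it must simply fail to match."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        return None
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                 # skip version and random
    try:
        pos += 1 + body[pos]                     # session_id
        pos += 2 + _u16(body, pos)               # cipher_suites
        pos += 1 + body[pos]                     # compression_methods
        end = pos + 2 + _u16(body, pos)          # end of extensions block
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != SNI_EXTENSION:
                continue
            lpos = 2                             # skip server_name_list length
            while lpos + 3 <= len(data):
                name_type, name_len = data[lpos], _u16(data, lpos + 1)
                name = data[lpos + 3:lpos + 3 + name_len]
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii").lower().rstrip(".")
                lpos += 3 + name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def matches_domain_list(host, domain_list) -> bool:
    """True if host is on the list: an exact entry, or a '*.' entry covering subdomains."""
    if host is None:
        return False
    for entry in domain_list:
        entry = entry.lower().rstrip(".")
        if entry.startswith("*."):
            if host.endswith(entry[1:]) and host != entry[2:]:
                return True
        elif host == entry:
            return True
    return False


def domain_fronting_action(sni, http_host, mode):
    """Apply the allow/block/monitor setting; returns (verdict, log_line)."""
    host = http_host.lower().split(":")[0].rstrip(".") if http_host else None
    fronting = sni is not None and host is not None and sni != host
    if not fronting or mode == "allow":
        return ("pass", None)
    log = f"domain fronting: sni={sni} host={host}"
    if mode == "monitor":
        return ("pass", log)
    if mode == "block":
        return ("block", log)
    raise ValueError(f"unknown domain-fronting mode: {mode}")


if __name__ == "__main__":
    sni = extract_sni(build_client_hello("cdn.example.com"))
    print(sni, matches_domain_list(sni, ["*.example.com"]))
    print(domain_fronting_action(sni, "hidden.example.org", "block"))
```

The two checks are complementary: the SNI decides which policy a connection hits, and the Host header comparison catches a client that satisfied that policy with one name and then asks the origin for another.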

Remove config fabric-device configuration

Under config system csf, the config fabric-device configuration is removed.
