Fortinet white logo
Fortinet white logo

What's new

What's new

The following sections describe new features, enhancements, and changes in FortiProxy 7.4.1:

HTTP3 deep inspection, QUIC certificate inspection, DNS over QUIC and DNS over HTTP3 for transparent and local-in DNS modes

FortiProxy 7.4.1 can handle the QUIC/TLS handshake and perform deep inspection for HTTP3 and QUIC traffic, including certificate inspection. This allows for faster and more secure DNS resolution, with improved privacy and reduced latency.

The FortiProxy also adds support for DNS over QUIC (DoQ) and DNS over HTTP3 (DoH3) in proxy mode inspection for transparent and local-in explicit modes. With DoQ and DoH3, connections can be established faster than with DNS over TLS (DoT) or DNS over HTTPS (DoH).

In transparent mode, the FortiProxy is acting as a proxy, forwarding DNS queries, and not as a DNS server. In local-in DNS mode, the FortiProxy acts as the DNS server and a DNS filter profile is applied in the system DNS server.

DoQ transparent and local-in query can be achieved using tools or applications in Linux, such as the q tiny command line DNS client from Natesales.

DoH3 transparent and local-in query can be achieved in Linux using q or Curl. In Windows, change the client network DNS server to the FortiProxy and treat the FortiProxy as a HTTP3 DNS server listening for DoH3 connections.

Refer to the DNS over QUIC and DNS over HTTP3 for transparent and local-in DNS modes topic in the FortiProxy 7.4.1 Administration Guide for configuration details.

Forwarding FTP and SOCKS traffic to a forwarding server

FortiProxy 7.4.1 can now forward FTP and SOCKS traffic (on top of the existing support for HTTP traffic) to a forwarding server. When creating a forward server, you can configure the proxy protocol using the new set protocol option under config web-proxy forward-server. The default value is http socks, which means both HTTP and SOCKS traffic is forwarded.

config web-proxy forward-server

edit "fpx221"

set ip 10.60.1.221

set port 1080

set protocol http

next

end

Traffic with an unsupported protocol will not be forwarded. For example, when the forward server is configured with HTTP as supported protocol, SOCKS or FTP traffic will not be forwarded. You can configure a forward server group with different types of SOCKS/HTTP/FTP servers so that the load balancing algorithm can pick a server that supports the protocol within the group automatically. If none of the configured servers supports the protocol of incoming traffic, the forward server group is ignored.

Similar to the existing HTTP forwarding server, you can configure a nested SOCKS or explicit FTP proxy server so that all incoming FTP traffic to the FortiProxy is forwarded to the next SOCKS or explicit FTP proxy server, which can be an external FortiProxy or another SOCKS or explicit FTP proxy server.

You can also configure the URLs to be exempted from caching and/or to be redirected to the forward server for SOCKS or FTP traffic using the config web-proxy url-match command. The set forward-server option adds support for SOCKS. For FTP, use the new set ftp-forward-server option.

Inline CASB security profile

FortiProxy 7.4.1 adds the inline CASB security profile which enables the FortiProxy to perform granular control over SaaS applications directly on policies. Administrators can customize their own SaaS applications, matching conditions, and custom controls and actions.

Refer to the Inline CASB topic in the FortiProxy 7.4.1 Administration Guide for more details and configuration examples.

Inline IPS support

FortiProxy 7.4.1 adds support for inline IPS in traffic proxy with the following features:

  • Faster IPS/Application detection

  • Traffic protocol detection

  • Application-based policy matching

  • Application logging for HTTP/HTTPs traffic

Use the new config proxy-redirect sub-command under config firewall profile-protocol-options to enable/disable the scanning of this protocol and configure the ports to inspect all for content.

Use the new set inspect-all sub-command under config firewall ssl-ssh-profile to define the level of SSL inspection.

ISDB-based policy routing

FortiProxy 7.4.1 supports ISDB-based policy routing to selectively route cloud SaaS application over a dedicated ISP link based on Internet Services that are maintained by FortiGuard without manually configuring and maintaining static routes based on destination IP addresses. Doing so ensures that critical SaaS applications are always routed to a dedicated and reliable ISP link. For example, you can route Office 365 traffic over a dedicated interface (port1) and remaining traffic over another interface (port2).

To configure an ISDB-based policy route in the GUI, use the new Internet service option under Network > Policy Routes > Create New.

To configure an ISDB-based policy route in the CLI, use the following new sub-commands under config router policy:

  • set internet-service-id—Configure the destination Internet service ID.

  • set internet-service-custom—Configure the custom destination Internet service name.

New FortiGuard web filter categories for AI and Cryptocurrency

FortiProxy 7.4.1 adds the following new FortiGuard web filter categories:

  • Artificial intelligence technology (category 100): sites that offer solutions, insights, and resources related to artificial intelligence (AI).

  • Cryptocurrency (category 101): sites that specialize in digital or virtual currencies that are secured by cryptography and operate on decentralized networks.

To configure a web filter profile to block the AI and cryptocurrency categories in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New.

  2. Enter a name for the web filter profile.

  3. In the category table, locate the General Interest - Business section. Select the Artificial Intelligence Technology and Cryptocurrency categories, and set the Action to Block.

  4. Configure the remaining settings as needed.

  5. Click OK.

New DLP license for scanning HTTP and FTP over HTTP traffic

FortiProxy 7.4.1 add the DLP license, which is required for DLP scan for HTTP and FTP over HTTP traffic.

Reuse incoming port to connect to server

In FortiProxy 7.4.1, when configuring explicit web proxy, you can reuse web proxy HTTPS incoming port to connect to server using the new set dstport-from-incoming sub-command under config web-proxy explicit-proxy.

JSON log support

FortiProxy 7.4.1 supports sending JSON logs to the remote syslog server.

To configure the log format as JSON:
config log syslogd setting
  set format json
end

GUI support for VDOM links

FortiProxy 7.4.1 adds GUI support for VDOM links, which allows VDOMs to communicate internally without using additional physical interfaces. When VDOM is enabled, you can configure VDOM link settings in the GUI.

To configure a VDOM link in the GUI:
  1. In the Global VDOM, go to Network > Interfaces.
  2. Click Create New > VDOM Link.
  3. Configure the fields, including the Name, Virtual Domain, IP information, Administrative Access, and so on, then click OK.
To delete a VDOM link in the GUI:
  1. In the Global VDOM, go to Network > Interfaces.
  2. Select a VDOM Link and click Delete.

Refer to VDOM configuration in the FortiProxy 7.4.1 Administration Guide for more details about VDOM configuration.

License sharing enhancements

FortiProxy 7.4.1 includes the following enhancements and changes to license sharing:

  • Support sharing of the new DLP license type. A DLP license provides support for DLP scan for HTTP and FTP over HTTP traffic.

  • When configuring seats distribution under config system csf, use the new set preferred-seats sub-command (which replaces the old set guaranteed-seats sub-command) to set the desired number of seats to allocate to the member. The number of guaranteed seats is the minimum of the number of local purchased seats and the number of preferred seats. When the preferred number of seat request fails or is only partially fulfilled due to lack of seats in the pool, the remaining preferred seats will be allocated from shared pool at higher priority.

  • The number of seats that members can request is changed to be (used / 0.9 + min_alloc) to avoid oscillating between request and release.

  • Offline members can now keep the allocated number of seats or locally purchased seats, whichever is greater, for eight hours before falling back to locally purchased seats.

  • Conserve mode is disabled.

Improvements to ICAP logs

FortiProxy 7.4.1 improves the way ICAP errors are presented in the log by categorizing ICAP errors and showing detailed messages for each error in the log.

Adding rating information in REST API responses

FortiProxy 7.4.1 adds rating information for subcategory in POST call. See example response below:

{

"url": "facebook.com",

"category": "General Interest - Personal",

"subcategory": "Social Networking",

"rating": "G"

},

{

"url": "dropbox.com",

"category": "Bandwidth Consuming",

"subcategory": "File Sharing and Storage"

"rating": "PG-13",

}

Remove Active Sessions for global resources and VDOM

The Active Sessions information is no longer available in the table under System > Global Resources and System > VDOM > Edit > Resource Usage.

FNBI enhancements

FortiProxy 7.4.1 includes the following Browser Isolation (FortiNBI) enhancements:

  • Support for communication with client-side FNBI application using TLS

  • Support for multiple FNBI extensions

  • Microsoft Edge support

  • More exempted URLs

  • Isolator module download through HTTPS

  • State reset of the Isolator file system on startup

  • Validation of rating server addresses that you enter

  • Modernized GUI with new FortiNBI logo and graphics

Refer to the FortiProxy 7.4.1 Browser Isolation Deployment Guide for more detailed information about deploying and using the FortiNBI.

CLI changes

FortiProxy 7.4.1 includes the following CLI changes:

  • config web-proxy redirect-profile—Use this new command to configure a URL redirect profile.

  • config web-proxy global—Use the new set policy-category-deep-inspect sub-command to enable/disable application level category policy matching for deep inspection (default = enable).
  • config firewall profile-protocol-options—Use the new config proxy-redirect sub-command to enable/disable the scanning of this protocol and configure the ports to inspect all for content.

  • config firewall ssl-ssh-profile—Use the new set inspect-all sub-command to define the level of SSL inspection.

  • config web-proxy explicit-proxy—This command has the following changes:

    • Use the new set dstport-from-incoming sub-command to enable/disable reusing incoming port to connect to server for explicit web proxy.

    • The detect-https-in-http-request sub-command is moved under config firewall policy with the following changes:

      • New support for forward servers

      • New support for HTTP multiplexing

  • config web-proxy forward-server—Use the new set protocol sub-command to configure the proxy protocol for the forward server. The default value is http socks, which means both HTTP and SOCKS traffic is forwarded.

  • config web-proxy url-match—The set forward-server sub-command adds support for SOCKS traffic. Use the new set ftp-forward-server option to configure the URLs to be exempted from caching and/or to be redirected to the forward server for FTP traffic.

  • config log syslogd setting—The set format sub-command includes a new option json for setting the log format as JSON.

  • config firewall policy—Use the new set redirect-profile sub-command to configure the URL redirect profile to use in the policy.

  • config router policy—This command has the following changes:

    • Use the new set internet-service-id sub-command to configure the destination Internet service ID.

    • Use the new set internet-service-custom sub-command to configure the custom destination Internet service name.

    • The maximum value of seq-num is changed from 65535 to 2048, which means you can now only create a maximum of 2048 policy routes.

  • config system csf—Use the new set preferred-seats sub-command (which replaces the old set guaranteed-seats sub-command) to configure the desired number of seats to allocate to the member. The number of guaranteed seats is the minimum of the number of local purchased seats and the number of preferred seats. When the preferred number of seat request fails or is only partially fulfilled due to lack of seats in the pool, the remaining preferred seats will be allocated from shared pool at higher priority.

  • diag wad—Use the new filter process-id-by-src option to filter processes with source IPs. For example, diag wad filter process-id-by-src 10.2.2.2.

  • config firewall internet-service-custom—You can no longer edit the id field.

What's new

What's new

The following sections describe new features, enhancements, and changes in FortiProxy 7.4.1:

HTTP3 deep inspection, QUIC certificate inspection, DNS over QUIC and DNS over HTTP3 for transparent and local-in DNS modes

FortiProxy 7.4.1 can handle the QUIC/TLS handshake and perform deep inspection for HTTP3 and QUIC traffic, including certificate inspection. This allows for faster and more secure DNS resolution, with improved privacy and reduced latency.

The FortiProxy also adds support for DNS over QUIC (DoQ) and DNS over HTTP3 (DoH3) in proxy mode inspection for transparent and local-in explicit modes. With DoQ and DoH3, connections can be established faster than with DNS over TLS (DoT) or DNS over HTTPS (DoH).

In transparent mode, the FortiProxy is acting as a proxy, forwarding DNS queries, and not as a DNS server. In local-in DNS mode, the FortiProxy acts as the DNS server and a DNS filter profile is applied in the system DNS server.

DoQ transparent and local-in query can be achieved using tools or applications in Linux, such as the q tiny command line DNS client from Natesales.

DoH3 transparent and local-in query can be achieved in Linux using q or Curl. In Windows, change the client network DNS server to the FortiProxy and treat the FortiProxy as a HTTP3 DNS server listening for DoH3 connections.

Refer to the DNS over QUIC and DNS over HTTP3 for transparent and local-in DNS modes topic in the FortiProxy 7.4.1 Administration Guide for configuration details.

Forwarding FTP and SOCKS traffic to a forwarding server

FortiProxy 7.4.1 can now forward FTP and SOCKS traffic (on top of the existing support for HTTP traffic) to a forwarding server. When creating a forward server, you can configure the proxy protocol using the new set protocol option under config web-proxy forward-server. The default value is http socks, which means both HTTP and SOCKS traffic is forwarded.

config web-proxy forward-server

edit "fpx221"

set ip 10.60.1.221

set port 1080

set protocol http

next

end

Traffic with an unsupported protocol will not be forwarded. For example, when the forward server is configured with HTTP as supported protocol, SOCKS or FTP traffic will not be forwarded. You can configure a forward server group with different types of SOCKS/HTTP/FTP servers so that the load balancing algorithm can pick a server that supports the protocol within the group automatically. If none of the configured servers supports the protocol of incoming traffic, the forward server group is ignored.

Similar to the existing HTTP forwarding server, you can configure a nested SOCKS or explicit FTP proxy server so that all incoming FTP traffic to the FortiProxy is forwarded to the next SOCKS or explicit FTP proxy server, which can be an external FortiProxy or another SOCKS or explicit FTP proxy server.

You can also configure the URLs to be exempted from caching and/or to be redirected to the forward server for SOCKS or FTP traffic using the config web-proxy url-match command. The set forward-server option adds support for SOCKS. For FTP, use the new set ftp-forward-server option.

Inline CASB security profile

FortiProxy 7.4.1 adds the inline CASB security profile which enables the FortiProxy to perform granular control over SaaS applications directly on policies. Administrators can customize their own SaaS applications, matching conditions, and custom controls and actions.

Refer to the Inline CASB topic in the FortiProxy 7.4.1 Administration Guide for more details and configuration examples.

Inline IPS support

FortiProxy 7.4.1 adds support for inline IPS in traffic proxy with the following features:

  • Faster IPS/Application detection

  • Traffic protocol detection

  • Application-based policy matching

  • Application logging for HTTP/HTTPs traffic

Use the new config proxy-redirect sub-command under config firewall profile-protocol-options to enable/disable the scanning of this protocol and configure the ports to inspect all for content.

Use the new set inspect-all sub-command under config firewall ssl-ssh-profile to define the level of SSL inspection.

ISDB-based policy routing

FortiProxy 7.4.1 supports ISDB-based policy routing to selectively route cloud SaaS application over a dedicated ISP link based on Internet Services that are maintained by FortiGuard without manually configuring and maintaining static routes based on destination IP addresses. Doing so ensures that critical SaaS applications are always routed to a dedicated and reliable ISP link. For example, you can route Office 365 traffic over a dedicated interface (port1) and remaining traffic over another interface (port2).

To configure an ISDB-based policy route in the GUI, use the new Internet service option under Network > Policy Routes > Create New.

To configure an ISDB-based policy route in the CLI, use the following new sub-commands under config router policy:

  • set internet-service-id—Configure the destination Internet service ID.

  • set internet-service-custom—Configure the custom destination Internet service name.

New FortiGuard web filter categories for AI and Cryptocurrency

FortiProxy 7.4.1 adds the following new FortiGuard web filter categories:

  • Artificial intelligence technology (category 100): sites that offer solutions, insights, and resources related to artificial intelligence (AI).

  • Cryptocurrency (category 101): sites that specialize in digital or virtual currencies that are secured by cryptography and operate on decentralized networks.

To configure a web filter profile to block the AI and cryptocurrency categories in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New.

  2. Enter a name for the web filter profile.

  3. In the category table, locate the General Interest - Business section. Select the Artificial Intelligence Technology and Cryptocurrency categories, and set the Action to Block.

  4. Configure the remaining settings as needed.

  5. Click OK.

New DLP license for scanning HTTP and FTP over HTTP traffic

FortiProxy 7.4.1 add the DLP license, which is required for DLP scan for HTTP and FTP over HTTP traffic.

Reuse incoming port to connect to server

In FortiProxy 7.4.1, when configuring explicit web proxy, you can reuse web proxy HTTPS incoming port to connect to server using the new set dstport-from-incoming sub-command under config web-proxy explicit-proxy.

JSON log support

FortiProxy 7.4.1 supports sending JSON logs to the remote syslog server.

To configure the log format as JSON:
config log syslogd setting
  set format json
end

GUI support for VDOM links

FortiProxy 7.4.1 adds GUI support for VDOM links, which allows VDOMs to communicate internally without using additional physical interfaces. When VDOM is enabled, you can configure VDOM link settings in the GUI.

To configure a VDOM link in the GUI:
  1. In the Global VDOM, go to Network > Interfaces.
  2. Click Create New > VDOM Link.
  3. Configure the fields, including the Name, Virtual Domain, IP information, Administrative Access, and so on, then click OK.
To delete a VDOM link in the GUI:
  1. In the Global VDOM, go to Network > Interfaces.
  2. Select a VDOM Link and click Delete.

Refer to VDOM configuration in the FortiProxy 7.4.1 Administration Guide for more details about VDOM configuration.

License sharing enhancements

FortiProxy 7.4.1 includes the following enhancements and changes to license sharing:

  • Support sharing of the new DLP license type. A DLP license provides support for DLP scan for HTTP and FTP over HTTP traffic.

  • When configuring seats distribution under config system csf, use the new set preferred-seats sub-command (which replaces the old set guaranteed-seats sub-command) to set the desired number of seats to allocate to the member. The number of guaranteed seats is the minimum of the number of local purchased seats and the number of preferred seats. When the preferred number of seat request fails or is only partially fulfilled due to lack of seats in the pool, the remaining preferred seats will be allocated from shared pool at higher priority.

  • The number of seats that members can request is changed to be (used / 0.9 + min_alloc) to avoid oscillating between request and release.

  • Offline members can now keep the allocated number of seats or locally purchased seats, whichever is greater, for eight hours before falling back to locally purchased seats.

  • Conserve mode is disabled.

Improvements to ICAP logs

FortiProxy 7.4.1 improves the way ICAP errors are presented in the log by categorizing ICAP errors and showing detailed messages for each error in the log.

Adding rating information in REST API responses

FortiProxy 7.4.1 adds rating information for subcategory in POST call. See example response below:

{

"url": "facebook.com",

"category": "General Interest - Personal",

"subcategory": "Social Networking",

"rating": "G"

},

{

"url": "dropbox.com",

"category": "Bandwidth Consuming",

"subcategory": "File Sharing and Storage"

"rating": "PG-13",

}

Remove Active Sessions for global resources and VDOM

The Active Sessions information is no longer available in the table under System > Global Resources and System > VDOM > Edit > Resource Usage.

FNBI enhancements

FortiProxy 7.4.1 includes the following Browser Isolation (FortiNBI) enhancements:

  • Support for communication with client-side FNBI application using TLS

  • Support for multiple FNBI extensions

  • Microsoft Edge support

  • More exempted URLs

  • Isolator module download through HTTPS

  • State reset of the Isolator file system on startup

  • Validation of rating server addresses that you enter

  • Modernized GUI with new FortiNBI logo and graphics

Refer to the FortiProxy 7.4.1 Browser Isolation Deployment Guide for more detailed information about deploying and using the FortiNBI.

CLI changes

FortiProxy 7.4.1 includes the following CLI changes:

  • config web-proxy redirect-profile—Use this new command to configure a URL redirect profile.

  • config web-proxy global—Use the new set policy-category-deep-inspect sub-command to enable/disable application level category policy matching for deep inspection (default = enable).
  • config firewall profile-protocol-options—Use the new config proxy-redirect sub-command to enable/disable the scanning of this protocol and configure the ports to inspect all for content.

  • config firewall ssl-ssh-profile—Use the new set inspect-all sub-command to define the level of SSL inspection.

  • config web-proxy explicit-proxy—This command has the following changes:

    • Use the new set dstport-from-incoming sub-command to enable/disable reusing incoming port to connect to server for explicit web proxy.

    • The detect-https-in-http-request sub-command is moved under config firewall policy with the following changes:

      • New support for forward servers

      • New support for HTTP multiplexing

  • config web-proxy forward-server—Use the new set protocol sub-command to configure the proxy protocol for the forward server. The default value is http socks, which means both HTTP and SOCKS traffic is forwarded.

  • config web-proxy url-match—The set forward-server sub-command adds support for SOCKS traffic. Use the new set ftp-forward-server option to configure the URLs to be exempted from caching and/or to be redirected to the forward server for FTP traffic.

  • config log syslogd setting—The set format sub-command includes a new option json for setting the log format as JSON.

  • config firewall policy—Use the new set redirect-profile sub-command to configure the URL redirect profile to use in the policy.

  • config router policy—This command has the following changes:

    • Use the new set internet-service-id sub-command to configure the destination Internet service ID.

    • Use the new set internet-service-custom sub-command to configure the custom destination Internet service name.

    • The maximum value of seq-num is changed from 65535 to 2048, which means you can now only create a maximum of 2048 policy routes.

  • config system csf—Use the new set preferred-seats sub-command (which replaces the old set guaranteed-seats sub-command) to configure the desired number of seats to allocate to the member. The number of guaranteed seats is the minimum of the number of local purchased seats and the number of preferred seats. When the preferred number of seat request fails or is only partially fulfilled due to lack of seats in the pool, the remaining preferred seats will be allocated from shared pool at higher priority.

  • diag wad—Use the new filter process-id-by-src option to filter processes with source IPs. For example, diag wad filter process-id-by-src 10.2.2.2.

  • config firewall internet-service-custom—You can no longer edit the id field.