Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.4.11
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Release Notes

    Home FortiProxy 7.4.11 Release Notes
    7.4.11
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.14
    7.4.13
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.16
    7.2.15
    7.2.14
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.23
    7.0.22
    7.0.21
    7.0.20
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    2.0.14
    2.0.13
    2.0.12
    2.0.11
    2.0.10
    2.0.9
    2.0.8
    2.0.7
    2.0.6
    2.0.5
    2.0.4
    2.0.3
    2.0.2
    2.0.1
    2.0.0
    1.2.13
    1.2.12
    1.2.11
    1.2.10
    1.2.9
    1.2.8
    1.2.7
    1.2.6
    1.2.5
    1.2.4
    1.2.3
    1.2.2
    1.2.1
    1.2.0
    1.1.6
    1.1.5
    1.1.4
    1.1.3
    1.1.2
    1.1.1
    1.1.0
    1.0.7
    1.0.6
    1.0.5
    1.0.4
    1.0.3
    1.0.2
    1.0.1
    1.0.0

    What's new

    What's new

    The following sections describe new features, enhancements, and changes in FortiProxy 7.4.11:

    New connection policy types Explicit Web Connect and Transparent Connect for HTTPS

    FortiProxy7.4.11 introduces the Explicit Web Connect and Transparent Connectpolicy types to handle forward server and SSL deep inspection in HTTPS CONNECT/SNI state. See Create or edit a policy.

    The connection policies have higher priority than regular transparent and explicit policies. When a connection policy is configured, HTTPS requests will first match the connection policy before proceeding to the regular transparent and explicit policies. Content scan related UTM profiles are not available for connection policies.

    Plain-text HTTP or decrypted HTTPS traffic will only match regular transparent and explicit policies.

    The new policy types are also added to the config firewall policy command:

    config firewall policy

    edit <id>

    set type <explicit-web-connect/transparent-connect>

    next

    end

    Enhancements to traffic shaping based on HTTP response

    FortiProxy 7.4.11 includes the following enhancements to traffic shaping based on HTTP response:

    • DSCP support

    • Response policy matching based on matched shaping policy

    To configure DSCP-related settings and matched shaping policies:

    Use the following new fields in the config firewall response-shaping-policy command:

    config firewall response-shaping-policy

    edit 1

    set uuid a0edf572-0378-51f0-f0f6-8f924dccfd53

    set dstaddr "resp-content-length"

    set class-id 10

    set diffserv-forward enable

    set diffservcode-forward 000000

    set diffserv-reverse enable

    set diffservcode-rev 000000

    set matched-shaping-policies 2 1 3

    set srcaddr "all"

    License sharing enhancements

    FortiProxy 7.4.11 improves license sharing stability in the following ways:

    • Additional layer of root nodes for better redundancy and recovery

      You can now add a layer of child root nodes between the security fabric root node and downstream members. A security fabric root node can have multiple child root nodes, each with a different set of downstream nodes. In the following example, root is the security fabric root. m1 and m2 are the child root nodes with two and three downstream nodes respectively.

      • When the security fabric root is working as expected, the child root nodes act like regular downstream nodes, contributing and claiming licenses from the pool managed by the security fabric root node.

      • When the security fabric root node is down ( e.g., due to a failure or network disconnection) for a specified period of time (10 minutes), the child root nodes take over license sharing responsibilities and coordinate seat allocation for downstream members to ensures the continuity of license sharing.

        • For the first 7 days of grace period, each child root node is entitled to the whole license pool that the security fabric root node used to manage. In the example above, if the purchased seats for each node is 100, both m1 and m2 will have a license pool of 800 during the first 7 days after root becomes available.

        • After 7 days, the license pool of each child root node is limited to licenses from itself and its downstream members. In the example above, if the purchased seats for each node is 100, m1 and m2 will have a license pool of 300 and 400 respectively after 7 days of root being unavailable.

      • When the security fabric root is restored, it re-claims license sharing responsibilities from the child root nodes and restores license sharing to the original state where all child root nodes and downstream members contribute and claim licenses from the security fabric root node.

    • License sharing grace period for offline operation extended from 8 hours to 7 days

      In case of disconnection from the root, a security fabric member node can now retain its eligible seats ( last allocated or locally purchased seats, whichever is greater) for 7 days before falling back to locally purchased seats . The seats are released back into the pool when the connection to the root recovers.

    See the License Sharing Deployment Guide for more details.

    Negate user group as source in policy match

    When creating or editing a user group, you can now configure negate user group as source in policy match using the new negate option:

    Alternatively use the new negate option in the config user group command:

    config user group

    edit <name>

    set negate <enable/disable>

    end

    Authentication based on custom HTTP header

    In FortiProxy 7.4.11, you can configure authentication based on custom HTTP headers in the authentication scheme if the method is x-auth-user using the new auth-user-header option in the config authentication scheme command:

    config authentication scheme

    edit "1"

    set method x-auth-user

    set auth-user-header "custom-header1"

    set user-database "ldap1"

    next

    end

    If auth-user-header is not specified, the default value x-authenticated-user is used as the header name instead.

    CLI changes

    FortiProxy 7.4.11 includes the following CLI changes:

    • diag wad user filter—Use this new command to set a filter to query the user by the leading string (case insensitive). You can the use the diag test commands to check the data in ldap-cache and worker.

    • config firewall access-proxy—The default value of svr-pool-multiplex is changed from enable to disable.

    Previous
    Next

    What's new

    What's new

    The following sections describe new features, enhancements, and changes in FortiProxy 7.4.11:

    New connection policy types Explicit Web Connect and Transparent Connect for HTTPS

    FortiProxy7.4.11 introduces the Explicit Web Connect and Transparent Connectpolicy types to handle forward server and SSL deep inspection in HTTPS CONNECT/SNI state. See Create or edit a policy.

    The connection policies have higher priority than regular transparent and explicit policies. When a connection policy is configured, HTTPS requests will first match the connection policy before proceeding to the regular transparent and explicit policies. Content scan related UTM profiles are not available for connection policies.

    Plain-text HTTP or decrypted HTTPS traffic will only match regular transparent and explicit policies.

    The new policy types are also added to the config firewall policy command:

    config firewall policy

    edit <id>

    set type <explicit-web-connect/transparent-connect>

    next

    end

    Enhancements to traffic shaping based on HTTP response

    FortiProxy 7.4.11 includes the following enhancements to traffic shaping based on HTTP response:

    • DSCP support

    • Response policy matching based on matched shaping policy

    To configure DSCP-related settings and matched shaping policies:

    Use the following new fields in the config firewall response-shaping-policy command:

    config firewall response-shaping-policy

    edit 1

    set uuid a0edf572-0378-51f0-f0f6-8f924dccfd53

    set dstaddr "resp-content-length"

    set class-id 10

    set diffserv-forward enable

    set diffservcode-forward 000000

    set diffserv-reverse enable

    set diffservcode-rev 000000

    set matched-shaping-policies 2 1 3

    set srcaddr "all"

    License sharing enhancements

    FortiProxy 7.4.11 improves license sharing stability in the following ways:

    • Additional layer of root nodes for better redundancy and recovery

      You can now add a layer of child root nodes between the security fabric root node and downstream members. A security fabric root node can have multiple child root nodes, each with a different set of downstream nodes. In the following example, root is the security fabric root. m1 and m2 are the child root nodes with two and three downstream nodes respectively.

      • When the security fabric root is working as expected, the child root nodes act like regular downstream nodes, contributing and claiming licenses from the pool managed by the security fabric root node.

      • When the security fabric root node is down ( e.g., due to a failure or network disconnection) for a specified period of time (10 minutes), the child root nodes take over license sharing responsibilities and coordinate seat allocation for downstream members to ensures the continuity of license sharing.

        • For the first 7 days of grace period, each child root node is entitled to the whole license pool that the security fabric root node used to manage. In the example above, if the purchased seats for each node is 100, both m1 and m2 will have a license pool of 800 during the first 7 days after root becomes available.

        • After 7 days, the license pool of each child root node is limited to licenses from itself and its downstream members. In the example above, if the purchased seats for each node is 100, m1 and m2 will have a license pool of 300 and 400 respectively after 7 days of root being unavailable.

      • When the security fabric root is restored, it re-claims license sharing responsibilities from the child root nodes and restores license sharing to the original state where all child root nodes and downstream members contribute and claim licenses from the security fabric root node.

    • License sharing grace period for offline operation extended from 8 hours to 7 days

      In case of disconnection from the root, a security fabric member node can now retain its eligible seats ( last allocated or locally purchased seats, whichever is greater) for 7 days before falling back to locally purchased seats . The seats are released back into the pool when the connection to the root recovers.

    See the License Sharing Deployment Guide for more details.

    Negate user group as source in policy match

    When creating or editing a user group, you can now configure negate user group as source in policy match using the new negate option:

    Alternatively use the new negate option in the config user group command:

    config user group

    edit <name>

    set negate <enable/disable>

    end

    Authentication based on custom HTTP header

    In FortiProxy 7.4.11, you can configure authentication based on custom HTTP headers in the authentication scheme if the method is x-auth-user using the new auth-user-header option in the config authentication scheme command:

    config authentication scheme

    edit "1"

    set method x-auth-user

    set auth-user-header "custom-header1"

    set user-database "ldap1"

    next

    end

    If auth-user-header is not specified, the default value x-authenticated-user is used as the header name instead.

    CLI changes

    FortiProxy 7.4.11 includes the following CLI changes:

    • diag wad user filter—Use this new command to set a filter to query the user by the leading string (case insensitive). You can the use the diag test commands to check the data in ldap-cache and worker.

    • config firewall access-proxy—The default value of svr-pool-multiplex is changed from enable to disable.

    Previous
    Next