
What's new

The following sections describe new features, enhancements, and changes in FortiProxy 7.4.5:

Policy matching and web filtering based on risk level

You can now use risk level as a parameter for policy matching and web filtering. The policy or web filter action applies when the risk score of the URL falls within the score range of the specified risk level. For example, you can create a risk level Good with a score range of 10-30 and use it in a policy. FortiProxy then applies the policy to URLs with a risk score between 10 and 30.

FortiProxy provides the following predefined risk levels:

Risk level     Score range   Description
high           91-100        Strong confidence of malicious intent.
suspicious     71-90         Medium confidence of malicious intent.
moderate       51-70         Generally benign with a potential risk of attack.
low            21-50         Low predictive risk of attack.
trustworthy    1-20          Very low predictive risk of attack.
unrated        0             The URL does not exist in the FortiGuard DB or the risk score of the URL is unknown.

To create a risk level with a desired score range:

Go to the new Security Profiles > Web Filter Risk Level page and click Create New.

Alternatively, use the new config webfilter ftgd-risk-level command in the CLI.

To define the risk score of a specific website:

Go to the new Security Profiles > Web Risk Overrides page and click Create New.

Alternatively, use the new config webfilter ftgd-local-risk command in the CLI.

To add a risk level for policy matching:

Use the new URL Risk option when you create or edit a policy.

Alternatively, use the set url-risk subcommand under config firewall policy in the CLI.

To define the web filtering behavior for different risk levels:

Use the new Risk Level Settings section when you create or edit a web filter profile. You can configure whether to block or monitor URLs for each risk level and whether to allow logging of the activity.

Alternatively, use the config risk subcommand under config webfilter profile in the CLI.
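The matching rule described in this section, as an added model that is not Fortinet code: the predefined levels, the unrated score of 0 and the Good 10-30 example come from the release notes; the function names, data structures, the constructed override entry and the block-wins rule for overlapping levels are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Predefined risk levels from the release notes: name -> inclusive (low, high)
PREDEFINED: Dict[str, Tuple[int, int]] = {
    "high": (91, 100), "suspicious": (71, 90), "moderate": (51, 70),
    "low": (21, 50), "trustworthy": (1, 20), "unrated": (0, 0),
}
Levels = Dict[str, Tuple[int, int]]

def levels_for_score(score: int, levels: Levels) -> List[str]:
    """Every level whose score range contains the score. A custom level such
    as Good 10-30 may overlap a predefined one, so several names can match."""
    return [name for name, (lo, hi) in levels.items() if lo <= score <= hi]

def effective_score(host: str, ftgd_score: Optional[int],
                    local_risk: Dict[str, int]) -> int:
    """A Web Risk Override (ftgd-local-risk) takes precedence over the FortiGuard
    score; a URL absent from the FortiGuard DB scores 0, i.e. 'unrated'."""
    if host in local_risk:
        return local_risk[host]
    return 0 if ftgd_score is None else ftgd_score

def policy_matches(url_risk: Optional[str], score: int, levels: Levels) -> bool:
    """A policy with url-risk set matches only when the score lies in that
    level's range; a policy without url-risk does not filter on risk."""
    return url_risk is None or url_risk in levels_for_score(score, levels)

@dataclass
class RiskAction:
    action: str  # "block" or "monitor", as in the profile's Risk Level Settings
    log: bool    # whether the activity is logged

def webfilter_verdict(score: int, levels: Levels,
                      profile: Dict[str, RiskAction]) -> Tuple[str, bool]:
    """Apply the per-level action. Assumption: when overlapping levels disagree,
    block wins (the release notes do not say how overlaps are resolved)."""
    matched = [profile[n] for n in levels_for_score(score, levels) if n in profile]
    if not matched:
        return ("allow", False)
    blocked = any(m.action == "block" for m in matched)
    return ("block" if blocked else "monitor", any(m.log for m in matched))

if __name__ == "__main__":
    custom = dict(PREDEFINED, Good=(10, 30))   # the Good 10-30 example from the notes
    local = {"intranet.example": 5}            # constructed override entry
    for host, ftgd in [("intranet.example", 95), ("news.example", 25), ("new.example", None)]:
        s = effective_score(host, ftgd, local)
        print(host, s, levels_for_score(s, custom), policy_matches("Good", s, custom))
```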

SNMP trap for local certificate expiration

You can configure FortiProxy to send an SNMP trap when a local certificate is near expiration using the Local certificate is near expiry option when creating or editing an SNMP community or SNMP user under System > SNMP.

Alternatively, use the cert-expiry subcommand under config system snmp community in the CLI.

Forward traffic to an explicit port to upstream proxy without DNS resolve

You can now configure FortiProxy to forward traffic to an explicit port to upstream proxy without DNS resolve using the new Explicit Web Proxy option when creating or editing a URL match entry.

Alternatively, use the new set explicit-web-proxy subcommand under config web-proxy url-match in the CLI.

New IP Tables Events under System Events

FortiProxy 7.4.5 adds the IP Tables Events type under System Events that records IP table related events, such as IP tables generation, failure in generating rules for a specific policy, and invalid configuration.

In the CLI, use the following new commands for IP tables event logging:

  • set iptables subcommand under config log eventfilter—Enable or disable IP tables event logging.

  • dia de application iptables—This command provides the following log levels:

    • Error 0x00000001

    • Warning 0x00000002

    • Info 0x00000004

    • Trace 0x00000008

    • Verbose 0x00000010

OCR enhancements

FortiProxy 7.4.5 includes the following enhancements to OCR:

  • Support for HTTP POST/PUT (on top of the existing HTTP POST support)

  • Support for ICAP clients:

    • To enable image scan and OCR in ICAP service on the ICAP server, use the new set image-analyzer-profile option under the config icap-service subcommand of config icap local-server.

    • To only send OCR request to ICAP server, use the new set ocr_only subcommand under config icap profile.

Failover support for multiple proxy chain servers

FortiProxy 7.4.5 adds failover support for multiple proxy chain servers. For example, in a proxy chain with two servers, 1 and 2, when server 1 stops responding, FortiProxy can now direct traffic to server 2 instead of bypassing the forwarding server or blocking the connection, and it falls back to server 1 when server 1 comes back.

Application and URL category information in policy table

FortiProxy 7.4.5 adds the following columns in the policy table:

  • Applications—Displays the application name, application category, and application group information.

  • URL Category—Displays URL category information.

By default, the two columns are hidden. To display them, click the Configure Table icon at the top left of the table and select the columns.

Changed options for Log HTTP Transaction

The options for Log HTTP Transaction changed from All, Security Profiles, Disable to Enable and Disable in the following locations:

Changes to logging behavior for HTTP CONNECT

In FortiProxy 7.4.5, HTTP transaction log no longer exists for HTTP CONNECT. UA, rawdata, and status code information is now merged into the HTTPS log for cert-inspect HTTPS traffic.

New limit for authentication rules

FortiProxy 7.4.5 increases the maximum number of authentication rules from 256 to 512.

FortiNBI enhancement

FortiProxy 7.4.5 automatically installs the FortiNBI application after a new FortiNBI installer is uploaded from the cloud into FortiProxy. You no longer need to manually download or install the FortiNBI application for an upgrade.

Refer to the FortiNBI Deployment Guide for general information about deploying and using FortiNBI.

CLI changes

FortiProxy 7.4.5 includes the following CLI changes:

  • config webfilter ftgd-risk-level—Use this new command to create a risk level with a desired score range.

  • config webfilter ftgd-local-risk—Use this new command to define the risk score for a URL.

  • config firewall policy:

    • Use the new set url-risk subcommand to add a risk level for policy matching.

    • The values of the set http-transaction-log option changed from [all | utm | disable] to [enable | disable].

  • config webfilter profile—Use the new config risk subcommand to configure whether to block or monitor URLs for each risk level and whether to allow logging of the activity.

  • config system automation-action—Use the new set password subcommand to supply a password that replaces the %%PASSWD%% tag in the script. Use cases include substituting the password tag with an SFTP/FTP server password.

  • config authentication setting—Use the new set log-auth-request [enable|disable] subcommand to configure whether to enable logging of authentication requests.

  • config system snmp community—Use the new cert-expiry subcommand to configure FortiProxy to send an SNMP trap when a local certificate is near expiration.

  • config web-proxy url-match—Use the new set explicit-web-proxy subcommand to configure FortiProxy to forward traffic to an explicit port to upstream proxy without DNS resolve.

  • config log eventfilter—Use the new set iptables subcommand to enable or disable IP tables event logging.

  • config icap local-server—Use the new set image-analyzer-profile option under the config icap-service subcommand to enable image scan and OCR in ICAP service on the ICAP server.

  • config icap profile—Use the new set ocr_only subcommand to only send OCR request to ICAP server.

  • config web-proxy explicit-proxy—Use the new set header-proxy-agent subcommand to enable or disable the Proxy-Agent header in HTTP CONNECT responses.

  • dia de application iptables—Use this new command to configure IP tables log levels using the following options:

    • Error 0x00000001

    • Warning 0x00000002

    • Info 0x00000004

    • Trace 0x00000008

    • Verbose 0x00000010

  • diagnose hardware deviceinfo disk—This command now also displays disk firmware revision information.

  • diag wad memory report—This command adds output information from diag wad memory track.
