What's new

The following sections describe new features, enhancements, and changes in FortiProxy 7.4.7:

Use a static client certificate for SSL/SSH inspection

When configuring an SSL/SSH inspection profile, you can now configure FortiProxy to use a static client certificate for mTLS authentication on behalf of all users using the new Static option of SSL Client Certificate. You can then select the client certificate to use.

Alternatively, use the new static status option of the config ssl-client-certificate subcommand under config firewall ssl-ssh-profile. You can then configure the client certificate using the new set cert subcommand.

Header replacement in web-proxy profile

In web-proxy profiles, an HTTP header can now be replaced:

config web-proxy profile
    edit my_profile
        config headers
            edit 1
                set name "server"
                set action add-to-response
                set add-option {replace | replace-when-match}
                set content "content_changed"
            next
        end
    next
end

replace               Replace the content of the existing HTTP header, or create a new header if the HTTP header is not found.

replace-when-match    Replace the content of the existing HTTP header.
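
The difference between the two options shows up only when the upstream response lacks the header. The following Python model is an added illustration, not FortiProxy code; it assumes case-insensitive header-name matching and that every occurrence of a matching header is rewritten, and the sample responses are constructed.

```python
# Added illustration, not FortiProxy code: models the documented difference
# between add-option "replace" and "replace-when-match".
# Assumptions: header names compare case-insensitively, and every occurrence
# of a matching header is rewritten.

def apply_header_rule(headers, name, content, add_option):
    """Apply one add-to-response rule to a list of (name, value) headers."""
    if add_option not in ("replace", "replace-when-match"):
        raise ValueError(f"unsupported add-option: {add_option!r}")
    out, matched = [], False
    for h_name, h_value in headers:
        if h_name.lower() == name.lower():
            matched = True
            out.append((h_name, content))      # overwrite the existing value
        else:
            out.append((h_name, h_value))
    if not matched and add_option == "replace":
        out.append((name, content))            # create the missing header
    return out


def header_values(headers, name):
    """All values carried by header `name`, in order."""
    return [v for n, v in headers if n.lower() == name.lower()]


# Constructed upstream responses: one discloses its server banner, the other
# sends no Server header at all.
WITH_BANNER = [("Content-Type", "text/html"), ("Server", "nginx/1.24.0")]
NO_BANNER = [("Content-Type", "application/json")]


def compare(add_option, content="content_changed"):
    """Server header values a client would see for both sample responses."""
    return {
        label: header_values(
            apply_header_rule(resp, "server", content, add_option), "Server")
        for label, resp in (("with_banner", WITH_BANNER),
                            ("no_banner", NO_BANNER))
    }


if __name__ == "__main__":
    for option in ("replace", "replace-when-match"):
        print(option, compare(option))
```

With replace, every response leaves the proxy carrying the configured value; with replace-when-match, a response that had no such header still has none.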

Support for Securosys Primus HSM

FortiProxy 7.4.7 adds support for Securosys Primus HSM.

  • Under config system nethsm, you can now configure the HSM vendor to be Securosys Primus and then configure the Primus-related settings:

    config system nethsm
        set status enable
        set vendor primus
        set primus-cfg <primus.cfg file content>
        set secret-content <Encrypted Config>
        config partitions
            edit "PRIMUSDEV270"
                set slot-id 1
                set pkcs11-pin <Encrypted password>
            next
        end
    end

  • When configuring local keys and certificates using the config vpn certificate local command, you can now configure the HSM vendor to be Securosys Primus HSM and configure the HSM key type.

  • You can perform operations on Primus HSM using the new execute nethsm primus command.

Add license information in SNMP

FortiProxy 7.4.7 adds license information to SNMP with the following OIDs:

  • FortiProxy license related: 3.6.1.4.1.12356.101.10.117.*

  • SWG Bundle (FURL): 3.6.1.4.1.12356.101.10.117.1.*

    • Licensed sessions: 3.6.1.4.1.12356.101.10.117.1.1

    • Active sessions (licensing limit): 3.6.1.4.1.12356.101.10.117.1.2

    • Purchased seats: 3.6.1.4.1.12356.101.10.117.1.3

  • Browser Isolation (FNBI): 3.6.1.4.1.12356.101.10.117.2.*

  • Content Analysis (FCAS): 3.6.1.4.1.12356.101.10.117.3.*

SR-IOV support on Hyper-V

FortiProxy 7.4.7 adds support for SR-IOV on Hyper-V to optimize FortiProxy-VM performance.

CLI changes

FortiProxy 7.4.7 includes the following CLI changes:

  • config vpn certificate local—This command adds support for Securosys Primus HSM with the following changes:

    • Use the new hsm-vendor subcommand to configure the HSM vendor.

      safenet    Safenet HSM.
      primus     Securosys Primus HSM.

    • Use the new hsm-keytype subcommand to configure the HSM key type.

      rsa    RSA key type.
      ec     EC key type.

    • The nethsm-slot command is renamed hsm-slot.

  • The execute nethsm command is renamed execute nethsm safenet.

    Use the new execute nethsm primus command to perform operations on Primus HSM with the following options:

    # execute nethsm primus
    clear-pkcs-provider-log        Clear logs from /tmp/pkcs11.log, generated by pkcs11.so, the OpenSSL provider.
    clear-primus-log               Clear logs from /tmp/primus.log, generated by libprimusP11.so.
    delete-object                  Delete Hardware Security Module object(s).
    dump-pkcs-provider-log         Dump logs from /tmp/pkcs11.log, generated by pkcs11.so, the OpenSSL provider.
    dump-primus-log                Dump logs from /tmp/primus.log, generated by libprimusP11.so.
    inspect-primus-library-info    Display information about the integrated libprimusP11.so library.
    list-objects                   List Hardware Security Module objects.
    upload-primus-cfg              Upload nethsm primus.cfg file.
    upload-primus-cfg-raw          Upload nethsm primus.cfg file.

  • config system nethsm—The set vendor parameter includes the new primus option to configure the HSM vendor to be Securosys Primus. You can then configure the Primus-related settings:

    config system nethsm
        set status enable
        set vendor primus
        set primus-cfg <primus.cfg file content>
        set secret-content <Encrypted Config>
        config partitions
            edit "PRIMUSDEV270"
                set slot-id 1
                set pkcs11-pin <Encrypted password>
            next
        end
    end

  • config firewall ssl-ssh-profile—The set client-certificate subcommand adds the new bypass-on-cert-req option to configure FortiProxy to bypass on certificate requests.

  • diagnose debug kernel log—Use this new command to show or clear the kernel log.

    show     Dump the kernel log.
    clear    Clear the kernel log.
