What's new
The following sections describe new features, enhancements, and changes in FortiProxy 7.4.9:
Traffic shaping based on HTTP response
FortiProxy 7.4.9 introduces the response shaping policy, a specialized type of traffic shaping policy that works on top of a traffic shaping policy to further match traffic based on certain HTTP response header fields. When Http Response Match is enabled in a traffic shaping policy, any traffic that matches the traffic shaping policy is further evaluated against the list of response shaping policies. If a match is found, the traffic is mapped to the traffic shaper or assigned to the class defined in the response shaping policy instead of the ones defined in the original matching traffic shaping policy.
See Traffic shaping based on HTTP response in the Administration Guide for an end-to-end configuration example.
IKEv2 support for IPsec VPN
FortiProxy 7.4.9 adds IKEv2 support for IPsec VPN.
Increase proxy-address configuration limit
FortiProxy 7.4.9 includes the following changes to the proxy-address configuration limit for VM04 and VM08:
| Proxy address object | New configuration limit for 7.4.9 |
|---|---|
| Proxy Address Object | 80K |
| Proxy Address Group | 4096 |
| Proxy Address Group Member | 30K |
CLI changes
FortiProxy 7.4.9 includes the following CLI changes:
- config system global—Use the new set tcp-random-source-port subcommand to enable or disable (default) TCP IPv4 random source port.
- config webfilter urlfilter—Use the new set include-subdomains subcommand to enable (default) or disable (default) matching subdomains.
- config firewall policy—Use the new set https-sub-category option to enable or disable HTTPS sub-category policy matching. The default is disable.
- config web-proxy global—The set policy-category-deep-inspect option is removed.
- config system global—Use the new set kernel-panic-on-warn subcommand to configure whether to enable kernel panic and reboot when a kernel warning is issued.
- config system replacemsg http—The msg-type parameter includes the new videofilter-block-text option that you can use to customize the replacement message for video filter. Example:
    config system replacemsg http "videofilter-block-text"
        set buffer "Video access blocked by FortiProxy."
        set header 8bit
        set format text
    end
- config firewall access-proxy—Use the new set verify-cert subcommand to configure whether to enable certificate verification.
- config system password-policy—Use the new set login-lockout-upon-downgrade subcommand to configure whether to lock out login of administrative users upon downgrade.
- config router static—Use the new set preferred-source subcommand to configure the preferred source IP for the route.
- diagnose sys filesystem tree—Use this new command to list the top files/folders tree.
- diagnose sys filesystem hash—Use this new command to generate hash for files within the filesystem. See Computing file hashes in the Administration Guide for more details.
- diagnose system filesystem last-modified-files—Use this new command to list the last modified files.
- diagnose sys session list-verbose—Use this new command to list sessions in verbose detail.
- diagnose sys mpstat—Use this new command to diagnose mpstat.