What's new

The following sections describe new features, enhancements, and changes in FortiProxy 7.4.9:

• Traffic shaping based on HTTP response

• IKEv2 support for IPsec VPN

• Increase proxy-address configuration limit

• CLI changes

Traffic shaping based on HTTP response

FortiProxy 7.4.9 introduces the new response shaping policy, which is a specialized type of traffic shaping policy that works on the top of a traffic shaping policy to further match the traffic based on certain HTTP response header fields. When Http Response Match is enabled in a traffic shaping policy, any traffic that matches the traffic shaping policy is further evaluated against the list of response shaping policies. If a match is found, the traffic will be mapped to the traffic shaper or assigned to the class defined in the response shaping policy instead of the ones defined in the original matching traffic shaping policy.

See Traffic shaping based on HTTP response in the Administration Guide for an end-to-end configuration example.

IKEv2 support for IPsec VPN

FortiProxy7.4.9 adds IKEv2 support for IPsec VPN.

Increase proxy-address configuration limit

FortiProxy 7.4.9 includes the following changes to the proxy-address configuration limit for VM04 and VM08:

Proxy address object	New configuration limit for 7.4.9
Proxy Address Object	80K
Proxy Address Group	4096
Proxy Address Group Member	30K

CLI changes

FortiProxy 7.4.9 includes the following CLI changes:

• config system global—Use the new set tcp-random-source-port subcommand to enable or disable (default) TCP IPv4 random source port.

• config webfilter urlfilter—Use the new set include-subdomains subcommand to enable (default) or disable (default) matching subdomains.

• config firewall policy—Use the new set https-sub-category option to enable or disable HTTPS sub-category policy matching. The default is disable.

• config web-proxy global—The set policy-category-deep-inspect option is removed.

• config system global—Use the new set kernel-panic-on-warn subcommand to configure whether to enable kernel panic and reboot when a kernel warning is issued.

• config system replacemsg http—The msg-type parameter includes the new videofilter-block-text option that you can use to customize the replacement message for video filter.

  Example:

  config system replacemsg http "videofilter-block-text"

  set buffer "Video access blocked by FortiProxy."

  set header 8bit

  set format text

  end

• config firewall access-proxy—Use the new set verify-cert subcommand to configure whether to enable certificate verification.

• config system password-policy—Use the new set login-lockout-upon-downgrade subcommand to configure whether to lock out login of administrative users upon downgrade.

• config router static—Use the new set preferred-source subcommand to configure the preferred source IP for the route.

• diagnose sys filesystem tree—Use this new command to list the top files/folders tree.

• diagnose sys filesystem hash—Use this new command to generate hash for files within the filesystem. See Computing file hashes in the Administration Guide for more details.

• diagnose system filesystem last-modified-files—Use this new command to list the last modified files.

• diagnose sys session list-verbose—Use this new command to list sessions in verbose detail.

• diagnose sys mpstat—Use this new command to diagnose mpstat.