What's new

The following sections describe new features, enhancements, and changes in FortiProxy 7.6.6:

LLM security gateway as HTTP proxy

FortiProxy 7.6.6 supports LLM security gateway as HTTP proxy with the following features:

  • Seamless user access via PAC file or explicit proxy settings—Users can configure their browsers or devices with a PAC file (or manual proxy setting) to direct traffic for known LLM endpoints (for example, api.openai.com, claude.ai, gemini.google.com) through FortiProxy, removing the need for a dedicated access portal.

  • Automatic LLM traffic detection and classification—FortiProxy inspects outbound HTTPS traffic and automatically classifies LLM API requests based on domain, URL patterns, and TLS fingerprinting, enabling vendor and model awareness without user intervention.

  • Inline policy enforcement on prompts & responses—Requests and responses are scanned inline, allowing FortiProxy to apply DLP, keyword-based allow/deny lists, language filters, and rate limiting transparently during real-time usage.

  • Per-user attribution and API key control—FortiProxy maps each request to a user identity (via FSSO or other authentication methods) and enforces API key usage policies (e.g., inject shared key, block if no key, per-user quota), maintaining traceability even without a web portal.

  • Real-time logging & analytics—All interactions are logged with full context (user, time, model, prompt, response), feeding into FortiAnalyzer, FortiSIEM, or other logging systems for auditing, AI usage metrics, and compliance.

  • Optional redirect to policy page on first use or violation—On first LLM use or policy violation, FortiProxy can redirect the user to a policy awareness page or disclaimer, replicating the portal’s policy visibility while keeping access frictionless.
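The first bullet relies on a PAC file to steer LLM traffic to FortiProxy. As an added example that is not part of the release notes or Fortinet's own documentation, the PAC below routes the three endpoints named above (and their subdomains) through an assumed explicit-proxy listener, fortiproxy.example.net:8080, and sends everything else direct; the domain list and proxy address are placeholders to adapt.

```javascript
// Added example (not from the FortiProxy release notes): a PAC file that sends
// known LLM endpoints through FortiProxy and lets all other traffic go direct.
// fortiproxy.example.net:8080 is an assumed placeholder for the real listener.
var FORTIPROXY = "PROXY fortiproxy.example.net:8080";

// Starting list taken from the release notes' examples; extend as needed.
var LLM_DOMAINS = ["api.openai.com", "claude.ai", "gemini.google.com"];

// True when host equals a listed domain or is a subdomain of it. The explicit
// "." boundary matters: a plain suffix test would let fakeapi.openai.com match
// api.openai.com, so an unlisted host could be mistaken for a known endpoint.
function isLlmHost(host) {
  host = host.toLowerCase();
  for (var i = 0; i < LLM_DOMAINS.length; i++) {
    var d = LLM_DOMAINS[i];
    if (host === d || host.slice(-(d.length + 1)) === "." + d) {
      return true;
    }
  }
  return false;
}

// Standard PAC entry point called by the browser for every request. Only the
// hostname is used: the URL path is inside TLS, so the decision must be made
// on the host the browser is about to connect to.
function FindProxyForURL(url, host) {
  if (isLlmHost(host)) {
    // Deliberately no "; DIRECT" fallback: if FortiProxy is unreachable the
    // request fails rather than silently bypassing the LLM policy.
    return FORTIPROXY;
  }
  return "DIRECT";
}
```

Without the fail-closed choice, browsers would try DIRECT after a proxy failure and the inline DLP, key control and logging described above would not see the request.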

Configuration example

    config ztna web-portal
        edit "ztna_portal_fqdn"
            set vip "ztna_portal_fqdn"
            set host "10.20.20.220.xx.xx"
            set auth-rule "ztna"
            set cookie-age 50
            set llm-proxy enable
            set llm-profile "llm-profile-2"
            set ak-manager enable
        next
    end

    config firewall proxy-address
        edit "src-adv"
            set type src-advanced
            set host "all"
            config header-group
                edit 1
                    set header-name "Authorization"
                    set header ".*"
                next
            end
        next
    end

    config authentication scheme
        edit "bearer-scheme"
            set method bearer
            set user-database "ldap"
            set bearer-type access-token
        next
        edit "fac_ldap_scheme"
            set method basic
            set user-database "ldap"
        next
    end

    config authentication rule
        edit "bearer-session"
            set srcaddr "src-adv"
            set ip-based disable
            set active-auth-method "bearer-scheme"    <--- new option
        next
        edit "ztna"
            set protocol ztna-portal
            set ip-based disable
            set active-auth-method "fac_ldap_scheme"
            set web-auth-cookie enable
        next
    end

    config user ldap
        edit "ldap"
            set server "10.120.1.120"
            set cnid "cn"
            set dn "dc=qa,dc=domaintest,dc=com"
            set type regular
            set username "qa\\administrator"
            set password ENC a2luZ8wb8C2sNYzMPmlPpntA2h3vFgz/F092WGNpwaoB7esnzD8G/Whg/Ph/VswTZ3OvFRWyNysni6sOp4kcWPTwQo6k6iNzQFOEMAROqeV4+lFJ4JzYR1VQ8P6EC7kqJ2B3cZYmvU0o1DBr843pLe9+k4miy4pPHmg2qvPqmSThqF9dLjYa33JTrgHHsygbGkACcVlmMjY3dkVA
        next
    end

    config firewall policy
        edit 13
            set type ztna-proxy
            set ztna-proxy "ztna_portal_fqdn"
        next
        edit 16
            set name "test"
            set llm-profile "llm-profile-2"
        next
    end

    config llm profile
        edit "llm-profile-2"
            config chat
                set system-prompt-mode append
                set system-prompt "using emoji"
            end
            config response
            end
        next
    end

Replacing iptables and ipset with netlink

FortiProxy 7.6.6 replaces iptables and ipset with netlink to reduce dependency on third-party programs. As a result, the old diagnose iptables commands are replaced with the new diagnose nft commands with improved performance and scalability. See CLI changes for more details.

Logging for license sharing events

FortiProxy 7.6.6 adds logging for the following license sharing events:

  • When a member becomes stale and recovers from stale status, the event is recorded on the root node.

  • When a member node is promoted as root or reverts back as a member, the event is recorded on the member node.

  • When the effective root node changes, the event is recorded on each member node.

See the License Sharing Deployment Guide for more details.

HTTP QUERY method support

FortiProxy 7.6.6 adds support for the HTTP QUERY method. You can now redirect to captive portal for QUERY, similar to a POST request. You can also use the new QUERY method in config firewall proxy-address, config waf profile, and config icap profile.

CLI changes

FortiProxy 7.6.6 includes the following CLI changes:

  • diag sys saml metadata—Use this new command to test SAML metadata.

  • diagnose sys disk—Use this new command to enable and view SMART support information for FPX-2000G/4000G/400G.

  • config firewall proxy-address—The set method subcommand includes the new query option.

  • config waf profile—The config method > default-allowed-methods and config method-policy > allowed-methods subcommands include the new query option.
  • config icap profile—The set methods subcommand includes the new query option.
  • The old diagnose iptables commands are replaced with the new diagnose nft commands with improved performance and scalability:

    Old                      New
    iptables list            nft show
    iptables list6
    ipset list
    iptables refresh         nft update
    iptables dry-run         'nft set log-show-ruledump enable', then 'update'
    iptables shaper          firewall shaper reapply
    iptables shaper-stats    firewall shaper
    debug app iptables       nft log
