Special Notices

This section highlights some of the operational changes that administrators should be aware of in FortiSOAR release 7.5.3.

FortiSOAR Release 7.5.3 is an Upgrade-Only Release

Upgrading to FortiSOAR release 7.5.3 is supported only from FortiSOAR release 7.5.0, 7.5.1, or 7.5.2; fresh installation is not supported for this release. It is highly recommended that you upgrade existing FortiSOAR 7.5.0, 7.5.1, or 7.5.2 instances to release 7.5.3, as it includes important usability and security fixes.

Administrator Consent required to create or edit custom connectors and widgets in FortiSOAR 7.5.3 or later [for 7.5.x series] or 7.6.4 or later [for 7.6.x and later series]

FortiSOAR allows users to create and update custom connectors and widgets, providing flexibility for automated solutions across various use cases. However, this also introduces the risk of malicious or unauthorized code being introduced into the platform. To mitigate this risk, starting with FortiSOAR 7.5.3 (for 7.5.x series) and 7.6.4 (for 7.6.x and later series), a new Advanced Development Features tab has been added. Administrators must review the associated risks and usage guidelines on this tab, and provide explicit consent before users can create or update custom connectors and widgets. To provide consent, the administrator must be assigned the Security Update permission.

Usage Impact

Upgrade to 7.5.3 or later [for 7.5.x series] or 7.6.4 or later [for 7.6.x and later series]:

In upgraded environments where administrator consent has not yet been provided:

  • Existing custom connectors and widgets will remain available in their current state.

  • However, the existing connectors and widgets will not be editable—users cannot modify them or upload new versions (i.e., the Edit and Add Versions options will be disabled).

For details, see the Advanced Development Features topic in the System Configuration chapter of the "Administration Guide."

Changes to the iFrame Widget

  • Updated behavior: Release 7.5.3 updates the behavior of the iFrame widget to enhance security and prevent stored cross-site scripting (XSS) attacks. By default, the widget now renders the embedded <iframe> element in a sandboxed environment, which restricts the loading of external content. In previous versions, the iFrame widget displayed embedded content from both internal and external sources without sandbox restrictions.
    This new security behavior is configurable. If your use case requires loading external content, you can disable the 'sandbox' feature. Instructions for modifying this setting are provided in the iFrame topic in the Dashboards, Templates, and Widgets chapter of the "User Guide."
  • Enhanced Security for iFrame Content: After upgrading to release 7.5.3 or later (for 7.5.x series) or 7.6.5 or later (for 7.6.x and later series), iFrame content may no longer display. Instead, the following message appears: This domain is not added in the 'Allowed Domains list' and cannot be accessed. Please contact your administrator for further assistance.
    This behavior occurs because release 7.5.3 (for 7.5.x series) and 7.6.5 (for 7.6.x series) introduce enhanced iFrame security controls that affect how external content is embedded in the application. Sandbox restrictions are enabled by default, and all domains are blocked unless explicitly added to the 'Allowed Domains' list. To enable iFrame content from specific external domains, update the 'iFrame Settings'. For details on how to change these settings, see the iFrame Settings topic in the System Configuration chapter of the "Administration Guide."
  • Change in Sandbox Restriction Settings: In release 7.5.2, users could remove sandbox restrictions for external content embedded in iFrames by setting the sandbox parameter to 'false' in the config.json file (/opt/cyops-ui/vendor/config.json):
    "iframe": {
        "sandbox": false
    }
    After upgrading to release 7.5.3, this value is automatically reset to 'true', so sandbox restrictions are enabled for external iFrame content regardless of what config.json contained before the upgrade.
    From release 7.5.3 onward, the sandbox can be enabled or disabled using the Enable Sandbox option in iFrame Settings on the Application Configuration tab of the System Configuration page. For details on how to change this setting, see the iFrame Settings topic in the System Configuration chapter of the "Administration Guide."
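The allowed-domain check and the sandbox flag described above, as an added example that is not part of this page or of FortiSOAR's own code. It models a widget renderer that applies both controls: the settings object shape, the helper names and the hostnames are assumptions, and the generated markup is a minimal illustration rather than FortiSOAR's implementation. It also shows the two mistakes such a check must avoid: a plain suffix match on the hostname (which would accept evil-example.com for example.com) and framing non-http(s) URLs such as javascript:.

```javascript
// Added example, not FortiSOAR's code: a small renderer for an iFrame
// widget that applies the two controls described in the notice, an
// "Allowed Domains" list and an "Enable Sandbox" flag. The settings object
// shape, the attribute tokens and the helper names are assumptions.

const BLOCKED_MESSAGE =
  "This domain is not added in the 'Allowed Domains list' and cannot be " +
  "accessed. Please contact your administrator for further assistance.";

// Assumed post-upgrade defaults: sandbox on, no domains allowed yet.
const DEFAULT_IFRAME_SETTINGS = { enableSandbox: true, allowedDomains: [] };

// Does the URL's host appear on the allow-list? Exact host match only, plus an
// optional "*.example.com" form that matches the apex or any subdomain. A plain
// suffix test would accept "evil-example.com" for "example.com", so it is not used.
function isAllowedUrl(rawUrl, allowedDomains) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return false; // relative or malformed; nothing to check against
  }
  // Only http(s) may be framed: javascript:, data: and blob: URLs are the
  // usual vehicles for stored XSS through an iframe src.
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  const host = url.hostname.toLowerCase();
  return allowedDomains.some((entry) => {
    const pattern = entry.trim().toLowerCase();
    if (pattern.startsWith("*.")) {
      const apex = pattern.slice(2);
      return host === apex || host.endsWith("." + apex);
    }
    return host === pattern;
  });
}

// Escape a value before placing it inside a double-quoted HTML attribute
// or element text.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the widget markup. When the sandbox is enabled the iframe gets an
// empty sandbox attribute, i.e. every restriction: no scripts, no forms, no
// top-level navigation and an opaque origin, so framed content cannot reach
// the parent application's DOM, cookies or storage even if an attacker
// controls it. Adding tokens such as allow-scripts loosens this; combining
// allow-scripts with allow-same-origin removes the protection entirely.
function renderIframeWidget(rawUrl, settings = DEFAULT_IFRAME_SETTINGS) {
  if (!isAllowedUrl(rawUrl, settings.allowedDomains)) {
    return { allowed: false, html: `<p>${escapeAttr(BLOCKED_MESSAGE)}</p>` };
  }
  const attrs = [`src="${escapeAttr(rawUrl)}"`];
  if (settings.enableSandbox) attrs.push('sandbox=""');
  return { allowed: true, html: `<iframe ${attrs.join(" ")}></iframe>` };
}

// Constructed settings for the usage below (hypothetical domains).
const EXAMPLE_SETTINGS = {
  enableSandbox: true,
  allowedDomains: ["dashboards.example.com", "*.intranet.example"],
};

console.log(renderIframeWidget("https://dashboards.example.com/kpi", EXAMPLE_SETTINGS).html);
console.log(renderIframeWidget("https://dashboards.example.com.evil.test/kpi", EXAMPLE_SETTINGS).html);
console.log(renderIframeWidget("javascript:alert(document.cookie)", EXAMPLE_SETTINGS).html);
```

The first call produces a sandboxed iframe, the second and third produce the blocked-domain message. Note that with the assumed defaults (sandbox on, empty allow-list) every URL is blocked, which matches the post-upgrade symptom the notice describes; the administrator's allow-list entries are what re-enable specific external content.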

Enhanced Security Validation for Connector Configuration Updates

Starting with release 7.5.3 (for the 7.5.x series) and 7.6.5 (for the 7.6.x series), changing any connector configuration fields (e.g., Server URL, Hostname, Address, or Server IP) now requires users to re-enter all password-type fields before saving or applying the configuration. This change strengthens security by ensuring that updated host or endpoint details are always paired with reconfirmed credentials, reducing the risk of misconfiguration or unintended access.

User Impact: Prior to this update, password re-entry was not required after updating the connector configuration fields. Users will now encounter an additional validation step, specifically a prompt to re-enter password-type fields before completing the update.

Note: This requirement does not apply to fields that are dynamically populated from the vault.
