Special Notices
This section highlights key operational changes in FortiSOAR release 7.6.4 for administrators to consider.
Administrator Consent Required for Custom Connectors and Widgets in FortiSOAR 7.6.4 and Later
FortiSOAR allows users to create and update custom connectors and widgets, providing flexibility for automated solutions across various use cases. However, this also introduces the risk of malicious or unauthorized code. To mitigate this risk, FortiSOAR 7.6.4 introduces a new Advanced Development Features tab. Administrators must review the associated risks and usage guidelines on this tab and provide explicit consent before users can create or update custom connectors and widgets. To provide consent, the administrator must be assigned the Security Update permission.
Usage Impact:
Fresh Installation (FortiSOAR 7.6.4 or later):
Until administrator consent is granted:
- In Content Hub:
  - Users will not see the Upload Connector or Upload Widget options under the Manage tab.
  - Users will be unable to edit connectors or widgets, i.e., the Edit option will not appear when users click on the connector or widget cards.
  - Users will not see the New Connector or New Widget options under the Create tab, i.e., users will be unable to create new connectors or widgets.
- In Export and Import Wizards:
  - Users will not be able to export or import custom Connectors or Widgets.
Upgrade to FortiSOAR 7.6.4 or later:
In upgraded environments where administrator consent has not yet been provided:
- Existing custom connectors and widgets will remain available in their current state.
- However, they will not be editable—users cannot modify them or upload new versions (i.e., the Edit and Add Versions options will be disabled).
For details, see the Advanced Development Features topic in the System Configuration chapter of the "Administration Guide."
Change in iFrame Widget Behavior
Starting with release 7.6.4, the behavior of the iFrame widget has changed to enhance security and prevent stored cross-site scripting (XSS) attacks. By default, the widget now operates in a sandboxed environment, which restricts the loading of external content within the embedded <iframe> element. In previous versions, the iFrame widget directly displayed embedded content from both internal and external sources.
This new security behavior is configurable. If your use case requires loading external content, you can disable the 'sandbox' feature. Instructions for modifying this setting are provided in the iFrame Widget topic in the "User Guide".
Change in Field Loading Behavior for Form View Template
Starting with release 7.6.4, the field loading behavior in form view has changed for modules whose records have no form structure defined, i.e., the form view template is not configured because widgets have not been added or configured as required (see the Dashboards, Templates, and Widgets chapter in the "Administration Guide"):
- Before release 7.6.4: All fields in the module were automatically included in the form by default, which could result in performance issues. For details on adding fields to a module, see the Module Editor topic in the "Administration Guide".
- Starting with release 7.6.4: Only fields that are required or required by condition are loaded in the Form View Templates, i.e., in the Add Record form in the List view and the Edit Record form in the Detail view. This improves performance by avoiding the loading of all fields.
Additions to the Reserved Keywords List
The keywords task_id and wf_id have been added to the list of reserved keywords. These are variables that cannot be used in playbooks.
Playbooks that currently use variables with these names will fail silently when attempting to create or reference them.
To resolve this issue, update the variable names in any affected playbooks.
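Because affected playbooks fail silently, it helps to find them before upgrading. The following is an added example, not Fortinet code: it walks an exported playbook collection and reports candidate uses of the two reserved names. It assumes the export is JSON and that variables are referenced in Jinja expressions as vars.<name>; the sample field names are constructed and do not reflect FortiSOAR's actual export schema.

```python
import json
import re

# Reserved names taken from the release note above.
RESERVED = ("task_id", "wf_id")

# Assumption: variables are referenced in Jinja expressions as vars.<name>.
REF_RE = re.compile(r"\bvars\.(%s)\b" % "|".join(RESERVED))


def find_reserved(node, path="$"):
    """Yield (json_path, kind, name) for each candidate use of a reserved name."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in RESERVED:
                # A key with a reserved name may be a variable being set.
                yield (child, "definition", key)
            yield from find_reserved(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_reserved(item, f"{path}[{i}]")
    elif isinstance(node, str):
        for match in REF_RE.finditer(node):
            yield (path, "reference", match.group(1))


def scan_export(text):
    """Parse one exported JSON document and return a sorted list of findings."""
    return sorted(set(find_reserved(json.loads(text))))


# Constructed sample export; field names are illustrative only.
SAMPLE = json.dumps({
    "playbooks": [
        {"name": "Enrich Alert", "steps": [
            {"name": "Set IDs", "arguments": {"task_id": "{{vars.input.records[0].id}}"}},
            {"name": "Notify", "arguments": {"body": "Task {{vars.task_id}} in {{ vars.wf_id }}"}},
            {"name": "Close", "arguments": {"note": "ok: {{vars.my_task_id}}"}},
        ]},
    ]
})

if __name__ == "__main__":
    for path, kind, name in scan_export(SAMPLE):
        print(f"{kind:10} {name:8} {path}")
```

Findings are candidates for manual review: a key named task_id may also be ordinary data, such as a field in a connector response, rather than a playbook variable.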