Fortinet Document Library

User Guide

What's new

21.4.a released on October 8, 2021

  • URL Redirection enhancement

    When redirecting clients to a new host or IP address with a "301 Moved Permanently" response, you can now keep the URL path during the redirect. For example, clients visiting "www.aaa.com/test.html" can be redirected to "www.bbb.com/test.html".

  • CDN enhancement

    The CDN feature is enhanced to allow selecting a specific continent instead of caching globally. This can help meet compliance requirements that mandate that application traffic be served from a specific continent.

  • New scrubbing centers

    Additional AWS WAF clusters have been deployed in the following existing regions. Make sure to allow access to your application from the IP addresses listed below.

    • AWS ap-southeast-1 (Singapore)

      • 18.136.170.71

      • 2406:da18:ad1:1101:b6ad:34de:de05:5ef3

      • 13.214.45.126

      • 2406:da18:ad1:1102:9a1c:767e:1e67:4763

      • 13.250.74.198 (Offline)

      • 2406:da18:ad1:1101:1fb2:25ab:77f1:42e4 (Offline)

    • AWS ca-central-1 (Canada)

      • 3.97.158.98

      • 2600:1f11:8c:9101:eb3:39f1:1815:884e

      • 3.97.249.50

      • 2600:1f11:8c:9102:411d:63f2:e5b4:5209

      • 3.98.118.237 (Offline)

      • 2600:1f11:8c:9101:62aa:927:70dd:acfa (Offline)

    • AWS us-west-1 (N.California)

      • 52.8.219.206

      • 2600:1f1c:b97:d801:ff83:8b03:7a29:5981

      • 52.9.219.121

      • 2600:1f1c:b97:d802:fe8f:1a5d:5d1:1c6b

      • 54.215.20.148 (Offline)

      • 2600:1f1c:b97:d801:fd1b:8346:e92e:466b (Offline)

    • AWS us-west-2 (Oregon)

      • 35.160.55.58

      • 2600:1f14:b5a:da01:a32:4cac:f337:9c00

      • 44.241.247.81

      • 2600:1f14:b5a:da02:5a8e:d30:ff37:18a9

      • 52.37.161.224 (Offline)

      • 2600:1f14:b5a:da01:c9ac:e531:128b:ae2c (Offline)

21.3.b patch2 released on September 24, 2021

Additional AWS WAF clusters have been deployed in the following existing regions. Make sure to allow access to your application from the IP addresses listed below.

  • AWS eu-west-1 (Ireland)

    • 54.78.90.129

    • 2a05:d018:77c:d901:4f37:924f:6ea2:5952

    • 54.217.132.119

    • 2a05:d018:77c:d902:6605:9bef:2ca3:f220

    • 52.18.74.99 (offline)

    • 2a05:d018:77c:d901:550f:2833:9dbd:362c (offline)

  • AWS eu-west-2 (London)

    • 18.134.173.119

    • 2a05:d01c:64d:7001:7f27:28fe:f43b:e55b

    • 52.56.112.105

    • 2a05:d01c:64d:7002:a0b0:a076:53b2:31e3

    • 35.178.16.146 (offline)

    • 2a05:d01c:64d:7001:b99d:28b6:db62:e2bd (offline)

  • AWS eu-south-1 (Milan)

    • 15.161.215.247

    • 2a05:d01a:9f2:1701:4d5b:f1a8:d291:5a84

    • 15.161.76.114

    • 2a05:d01a:9f2:1702:8e71:e939:c954:1608

    • 15.160.42.32 (offline)

    • 2a05:d01a:9f2:1701:75ab:6622:8788:fdb2 (offline)

21.3.b released on September 3, 2021

  • Known Bots module

    The known bad bots and known search engines configuration has moved from Threshold Based Detection to a new module named Known Bots. See Known Bots for more information.

  • User Management enhancement

    Tighter integration with FortiCloud is introduced. FortiCloud sub-users and IAM users are automatically assigned certain permissions on FortiWeb Cloud. See Admin management.

  • SQL and XSS Syntax Based Detection Enhancements

    Additional granularity is available for SQL and XSS Syntax Based Detection. You can specify the SQL injection types and XSS attack types to parse against. See Known Attacks for more information.

  • Alert notification upon certificate renewal failure

    When FortiWeb Cloud fails to renew or retrieve a certificate, a notification message will be displayed on the Web UI. An alert email will be sent as well.

  • Block page layout enhancement

    The layout of the "Server Unavailable Message" and "Attack Block Page" displayed to your application users is enhanced. Go to Global > Custom Block Pages to view the updated pages.

  • Filter type changes in Custom Rule

    The filter type "Security Rules" in Custom Rule is now renamed to Known Attacks. "Information Disclosure" and "Known Bad Bots" are no longer available when Known Attacks is chosen.

  • DNSSEC support on AWS

    DNS Security Extensions (DNSSEC) has been enabled for CNAMEs associated with applications hosted on AWS to protect against DNS spoofing, cache poisoning, or other DNS-related man-in-the-middle attacks.

  • DevOps tools configuration file update

    The configuration files for Ansible and Terraform are updated so that the API token is no longer exposed in the YAML file. See Using FortiWeb Cloud with DevOps tools.

21.3.a released on July 24, 2021

  • API Discovery (Beta)

    Use machine learning based API discovery to learn the REST API data structure from user traffic. From the collected samples, a Swagger file is generated that describes the data structure, such as the URL pattern and the schema of the endpoint data. See API Discovery (Beta) for more information.

  • Bot Detection (Beta)

    An AI-based machine learning bot detection model is introduced to complement the existing signature and threshold based rules. It detects sophisticated bots that otherwise can go undetected. See ML Based Detection (Beta) for more information.

  • Syntax based Cross Site Scripting detection

    Syntax Based Cross Site Scripting detection is introduced in the Known Attacks module to detect XSS injection attacks using a non-signature based engine that analyzes HTML/JavaScript syntax. See Known Attacks for more information.

  • Caching and Compression enhancements

    Additional granularity is available for Caching and Compression. You can configure HTTP Method, Allow Return Code, Allow File Type, and Key Generation Factor to define the content to be cached. Resources cached on FortiWeb Cloud can now be purged. See Caching and Compression for more information.

  • DNS and HTTP challenges for Automatic Certificate

    You can now select whether to use a DNS or HTTP challenge to validate your ownership of the domains. See Endpoints for more information.

  • Wildcard in domain names

    You can use a wildcard to match multiple domains when onboarding an application. See Endpoints for more information.

  • HTTP only flag

    You can configure the Endpoints settings to add the "HTTP Only" flag to internal cookies, which prevents client-side scripts from accessing the cookie. See Endpoints for more information.

  • Server certificate verification for log exporting

    FortiWeb Cloud by default enforces server certificate verification before it sends logs to the log server. See for more information.

  • Customizing HTTP Response Code

    You can now change the HTTP Response Code of the Attack Block Page in the custom block message.

21.2.c released on June 11, 2021

  • Sensitive Data Masking

    Sensitive Data Masking allows masking certain data types, such as user names, passwords, and other PII, that could appear in the packet payloads accompanying a log message. See Sensitive Data Masking for more information.

  • Parameter Validation

    A new security module named Parameter Validation is introduced in this release. It validates parameter input, such as whether a parameter is required, its maximum allowed length, or whether it matches predefined or customized patterns. See Parameter Validation for more information.

  • New scrubbing center

    A new scrubbing center has been deployed on Azure. Allow access to your application from the IP addresses of this scrubbing center.

    • Brazil South (São Paulo State)

      • 20.195.163.139

      • 20.197.225.122

      • 20.197.226.167 (Offline)

  • Origin Server Lock

    Origin Server Lock protects your application from attackers that try to bypass FortiWeb Cloud security measures by pointing their onboarded application to your origin server. See Origin Server Lock for more information.

  • Full support of HTTP/2

    HTTP/2 was supported only in certain security modules previously. Now FortiWeb Cloud fully supports HTTP/2 across all security modules.

  • Customized SSL/TLS Encryption Level

    You can customize the SSL/TLS Encryption Level by selecting the ciphers from the available ciphers list. See SSL/TLS and Supported cipher suites & protocol versions for more information.

  • Alerts for soon to expire certificates

    FortiWeb Cloud can now send an email alert when local certificates in Endpoints are about to expire.

  • Third Party IdP initiated SAML support

    Third party IdP initiated SAML is now supported, allowing automatic access to the FortiWeb Cloud admin interface using your organization's user credentials via a third party identity provider. See Managing External IdP roles in FortiCloud IAM for more information.

21.2.b released on May 26, 2021

  • It is now possible to enable sub-categories and allow or deny specific bots in Threshold Based Detection's Known Bad Bots, replacing the exception rules. If you had known bad bots exception rules configured, make sure you enable or disable the bad bots via the new interface.

  • Syntax Based Detection exceptions are now based on attack types instead of signature IDs. Exceptions are configured separately from Signature Based Detection exceptions.

21.2.a released on May 1, 2021

  • The number of allowed custom rules per application has been raised to 24.

  • Additional granularity is available for credential based brute force protection. You can configure a target URL and an occurrence period.

  • Additional WAF clusters have been deployed in the following existing regions. Make sure to allow access to your application from the IP addresses listed below.

    • AWS

      • eu-central-1 (Frankfurt)

        • 18.192.64.32

        • 2a05:d014:f3c:6c01:99d0:8c50:ae51:99ac

        • 3.125.233.133

        • 2a05:d014:f3c:6c02:58:3e12:a98a:df9f

        • 3.64.105.7 (offline)

        • 2a05:d014:f3c:6c01:55bc:c559:8bb1:11e0 (offline)

      • sa-east-1 (Sao Paulo)

        • 54.207.227.252

        • 2600:1f1e:653:3201:eac8:161d:c0a:6915

        • 177.71.170.92

        • 2600:1f1e:653:3202:3615:6e2c:7b0c:85c9

        • 54.232.72.181 (offline)

        • 2600:1f1e:653:3201:d1a5:34ae:e023:be2d (offline)

    • Azure

      • West Europe

        • 20.86.129.248

        • 20.86.49.155

        • 20.86.49.12 (offline)

21.1.c released on March 1, 2021

The following enhancements are made in Rewriting Requests module:

  • In addition to the connection's source IP, the connection's source port can now be recorded in the X-Forwarded-For: header.
  • The X-Forwarded-Port: header can be added to record the connection's original destination port.

See Rewriting Requests for more information.
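Added example (not FortiWeb Cloud's own code) of how an origin server should consume these headers: honour X-Forwarded-For and X-Forwarded-Port only when the TCP peer is a scrubbing-center address, and parse the source-port form. The "ip:port" / "[ipv6]:port" layout, the last-element-is-ours rule for chained values, and the trusted-proxy addresses are assumptions, not stated on the page.

```python
"""Origin-side handling of X-Forwarded-For (with source port) and X-Forwarded-Port.

Added example, not FortiWeb Cloud's code. Assumptions not stated on the page:
the source port is appended as "ip:port" (IPv4) or "[ip]:port" (IPv6); in a
comma-separated chain the value appended by FortiWeb Cloud is the last one.
"""
import ipaddress
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed placeholders: replace with the scrubbing-center addresses of your regions.
TRUSTED_PROXIES = frozenset({
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("2001:db8::10"),
})


@dataclass(frozen=True)
class ClientOrigin:
    ip: Addr                    # address to log and rate-limit on
    source_port: Optional[int]  # client's TCP source port, if forwarded
    dest_port: Optional[int]    # port the client connected to on FortiWeb Cloud
    trusted: bool               # False when the forwarding headers were ignored


def _port(text: str) -> int:
    """Validate a decimal TCP port string."""
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)


def parse_forwarded_addr(value: str) -> Tuple[Addr, Optional[int]]:
    """Split one X-Forwarded-For element into (address, source port or None).

    Accepts "203.0.113.5", "203.0.113.5:51234", "2001:db8::1" and
    "[2001:db8::1]:51234"; anything else raises ValueError.
    """
    value = value.strip()
    if value.startswith("["):                              # bracketed IPv6
        host, closed, rest = value[1:].partition("]")
        if not closed or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed IPv6 literal: {value!r}")
        port = _port(rest[1:]) if rest else None
        return ipaddress.ip_address(host), port
    if value.count(":") == 1:                              # IPv4 with port
        host, _, port = value.partition(":")
        return ipaddress.ip_address(host), _port(port)
    return ipaddress.ip_address(value), None               # bare IPv4 or IPv6


def client_origin(peer_ip: str, headers: Mapping[str, str]) -> ClientOrigin:
    """Work out the real client of a request that arrived from `peer_ip`.

    Forwarding headers are honoured only when the TCP peer is a trusted
    scrubbing center; from any other peer they are client-controlled and
    ignored, so the peer itself is treated as the client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return ClientOrigin(peer, None, None, trusted=False)
    hdrs = {k.lower(): v for k, v in headers.items()}
    xff = hdrs.get("x-forwarded-for", "").strip()
    if not xff:
        return ClientOrigin(peer, None, None, trusted=True)
    # The right-most element is the one appended by the proxy we trust; earlier
    # elements may have been supplied by the client and are not relied on.
    ip, sport = parse_forwarded_addr(xff.split(",")[-1])
    xfp = hdrs.get("x-forwarded-port", "").strip()
    dport = _port(xfp) if xfp else None
    return ClientOrigin(ip, sport, dport, trusted=True)


if __name__ == "__main__":
    print(client_origin("192.0.2.10", {
        "X-Forwarded-For": "203.0.113.5:51234",
        "X-Forwarded-Port": "443",
    }))
```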


21.1.b released on February 9, 2021

  • Redirecting requests based on host names is now supported, for example, redirecting from example.com to www.example.com. See Rewriting Requests.

  • You can now sign in to FortiWeb Cloud as an IAM user.

  • New scrubbing centers have been deployed in the following OCI regions. Allow access to your application from the IP addresses of these scrubbing centers.

    • US West (Phoenix)

      • 158.101.43.252

      • 158.101.43.253

      • 129.146.233.205 (Offline)

    • Germany Central (Frankfurt)

      • 158.101.176.179

      • 193.122.55.66

      • 132.145.248.29 (Offline)


21.1.a released on January 11, 2021

  • It is no longer required to have a port 80 HTTP service enabled to successfully generate automatic certificates. The limitation has been removed.
  • Custom ports HTTP 9219 and HTTPS 8181 are now supported.
  • You can now customize the following pages that FortiWeb Cloud displays to your users:
    • Attack Block Page
    • Server Unavailable Page
    • Captcha Enforcement Page

    The old Custom Block Page configurations will be discarded. You need to reconfigure them through the new page. See Custom block pages.

  • New scrubbing centers have been deployed on AWS and Azure. Please allow access to your application from the IP addresses of these scrubbing centers.

    East US2 on Azure

    • 20.69.235.177
    • 20.81.153.33
    • 20.81.153.78 (offline)

    Australia East on Azure

    • 20.70.160.47
    • 20.70.152.97
    • 20.70.152.115 (offline)

    Europe (Milan) on AWS

    • 15.161.173.116
    • 15.161.10.152
    • 15.161.24.119 (offline)
    • 2a05:d01a:9f2:1701:bd84:9314:f93:b2f
    • 2a05:d01a:9f2:1702:aca5:5d4d:1995:50d
    • 2a05:d01a:9f2:1701:3e5:91fb:2690:b114 (offline)
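The scrubbing-center lists in this document (21.4.a through 21.1.a) exist so you can restrict the origin server to FortiWeb Cloud's addresses. As an added example, not Fortinet's code, the Python below parses that bullet format, drops entries marked offline, renders an nginx allow/deny block, and offers a lookup for checking a peer address. The sample text is a constructed fragment copied from the 21.4.a entry.

```python
"""Build an origin-server allowlist from FortiWeb Cloud scrubbing-center lists.

Added example, not Fortinet's code. It parses the bullet format used in the
release notes (one address per bullet, optionally tagged "(offline)"), drops
the offline entries, and renders the ingress rules an origin server needs so
that only FortiWeb Cloud can reach it.
"""
import ipaddress
import re
from typing import Dict, List, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample: a fragment copied from the 21.4.a scrubbing-center list.
SAMPLE_RELEASE_NOTE = """
    • AWS ap-southeast-1 (Singapore)
      • 18.136.170.71
      • 2406:da18:ad1:1101:b6ad:34de:de05:5ef3
      • 13.214.45.126
      • 2406:da18:ad1:1102:9a1c:767e:1e67:4763
      • 13.250.74.198(Offline)
      • 2406:da18:ad1:1101:1fb2:25ab:77f1:42e4(Offline)
    • AWS ca-central-1 (Canada)
      • 3.97.158.98
      • 2600:1f11:8c:9101:eb3:39f1:1815:884e
"""

# An address bullet: IPv4/IPv6 literal, optionally followed by "(offline)"
# with or without a separating space, since the notes write it both ways.
ENTRY_RE = re.compile(
    r"^\s*•\s*(?P<addr>[0-9A-Fa-f.:]+)\s*(?P<off>\(offline\))?\s*$", re.IGNORECASE)
# A region bullet: anything starting with a letter, e.g. "AWS us-west-2 (Oregon)".
REGION_RE = re.compile(r"^\s*•\s*(?P<region>[A-Za-z].*)$")


def parse_scrubbing_centers(text: str) -> Dict[str, Dict[str, List[Addr]]]:
    """Return {region: {"active": [...], "offline": [...]}} from release-note text.

    Malformed addresses raise ValueError rather than being silently skipped:
    a typo in an allowlist is exactly what you want to notice.
    """
    regions: Dict[str, Dict[str, List[Addr]]] = {}
    current = None
    for line in text.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            if current is None:
                raise ValueError(f"address before any region header: {line.strip()!r}")
            addr = ipaddress.ip_address(entry.group("addr"))
            bucket = "offline" if entry.group("off") else "active"
            regions[current][bucket].append(addr)
            continue
        region = REGION_RE.match(line)
        if region:
            current = region.group("region").strip()
            regions.setdefault(current, {"active": [], "offline": []})
    return regions


def _sort_key(a: Addr) -> Tuple[int, int]:
    # IPv4Address and IPv6Address objects are not mutually comparable.
    return (a.version, int(a))


def allowlist(regions: Dict[str, Dict[str, List[Addr]]]) -> Tuple[List[Addr], List[Addr]]:
    """Flatten all regions into de-duplicated (active, offline) address lists."""
    active = sorted({a for r in regions.values() for a in r["active"]}, key=_sort_key)
    offline = sorted({a for r in regions.values() for a in r["offline"]}, key=_sort_key)
    return active, offline


def nginx_allow_rules(active: List[Addr]) -> str:
    """Render an nginx access block: allow each scrubbing center, deny everyone else."""
    return "\n".join([f"allow {a};" for a in active] + ["deny all;"])


def is_scrubbing_center(remote: str, active: List[Addr]) -> bool:
    """True if `remote` is a currently active scrubbing-center address."""
    try:
        return ipaddress.ip_address(remote) in set(active)
    except ValueError:
        return False


if __name__ == "__main__":
    regs = parse_scrubbing_centers(SAMPLE_RELEASE_NOTE)
    act, off = allowlist(regs)
    print(nginx_allow_rules(act))
    print("# excluded as offline:", ", ".join(map(str, off)))
```

Feed it the full list for the regions that front your application; addresses later marked offline in a newer release should be removed from the origin's rules at the same time.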

20.4.b released on November 23, 2020

  • It is now possible to enable HSTS, forcing clients to use only HTTPS with the application.
  • When enabled, FortiWeb Cloud sets the Secure flag on its session management cookie, allowing its use over HTTPS only.
  • The logic in which FortiWeb Cloud retrieves automatic certificates has been optimized. Additionally, a new “Retrieve” button is added to allow manual retrieval of automatic certificates.

For more information on the new features, see Endpoints.

20.4.a released on November 10, 2020

  • As the FortiWeb Cloud service is already protected against volumetric DDoS attacks, TCP flood prevention is removed in order to prevent conflicts.
  • Configuration deployment is significantly improved to reduce service disruption.
  • New scrubbing centers are deployed in eu-central-1: EU (Frankfurt) on AWS. See Restricting direct traffic & allowing FortiWeb Cloud IP addresses.

20.3.b released on September 16, 2020

  • A new scrubbing center has been deployed on AWS - ap-south-1:Asia Pacific (Mumbai). See FortiWeb Cloud scrubbing centers on AWS.
  • API Key settings are no longer part of the Global Settings role, allowing an API key to be generated for read-only roles as well.
  • DNS status changes will now be recorded in the audit log.
  • When a source violates the API Gateway rule, it is possible to automatically block the source IP for a period of 10 minutes.
  • In addition to 443, 7443, and 8443, ports 8081 and 8014 can now be used for HTTPS service.
  • Fabric Connectors is renamed to Cloud Connectors.

20.3.a released on August 10, 2020

  • Optimizations on Reports:
    • A new query, Applications Traffic Summary, is added to the report categories.
    • Support for adding or removing all applications at once.
    • Activate or deactivate report generation for scheduled reports.
    • Weekly report enabling is removed from Global Settings.
  • A new trustlist module is added to allow trusting specific parameters. Once enabled, security enforcement is bypassed for the specified parameters. See Global Trustlist.
  • You can now define a separate Action per security module, allowing, for example, some modules to only trigger an alert while others are set to block. Available when Advanced Configuration is enabled.
  • The Filter option for Cloud Connector is optimized to show all available options for a selected fabric connector.
  • A new Ansible template is released to allow configuring an endpoint’s certificate configuration. See Configuring FortiWeb Cloud with Ansible.
  • FortiWeb Cloud now supports generating an API key for authentication. See API Key.
  • Advanced Configuration is added in Global Settings. Once enabled, a Templates tab is introduced together with the ability to configure the Action for each security module.
  • Six new predefined templates containing commonly used WAF security configurations for known applications such as Drupal and WordPress are introduced in this release. See Templates.
  • FortiWeb Cloud will keep the data in your account for an additional week after you unsubscribe from FortiWeb Cloud.

20.2.d released on July 1, 2020

  • Cloud Connectors is introduced to support origin servers with dynamically changing IP addresses. See Cloud Connectors.
  • IPv6 is now supported for customers utilizing FortiWeb Cloud on AWS. You can enable IPv6 service in Endpoint, add origin servers with IPv6 addresses, or configure IPv6 addresses in IP Protection and Custom Rule.
  • New report types added together with capability to schedule reports with granularity around application and report time frame.
  • Support for DevOps tools including Jenkins, Ansible, and Terraform has been added. You can use them to automatically onboard or delete applications and change the IP list in IP Protection. Contact support to download the template.

20.2.c released on June 17, 2020

  • Role Management is introduced to offer an easier way to manage access privileges and permissions specific to a job function. See Role management.
  • Manually test the health status of an origin server in real time. See Origin Servers.
  • You can now insert Content-Security-Policy header to prevent certain types of attacks, including XSS and data injection attacks. See HTTP Header Security.

20.2.b released on May 29, 2020

  • You can now configure Allow Known Search Engines in Threshold Based Detection to accept or deny traffic from known search engines such as Google, Bing, and Yahoo. This is enabled by default. See Threshold Based Detection.
  • FortiWeb Cloud now supports onboarding applications running on non-standard ports. Certain limitations apply. See Traffic Type.
  • A new scrubbing center has been deployed on AWS - sa-east-1:South America. See FortiWeb Cloud scrubbing centers on AWS.

  • A new protection mechanism is introduced for SQL Injection attacks called Syntax Based Detection. It uses a SQL parser to validate whether the pattern is real SQL language which helps identify true attacks while minimizing false positives. See Known Attacks.

  • Paging is optimized for Attack Logs and Audit Logs. A maximum of 10,000 attack/audit logs are displayed per each filter in Attack/Audit Logs.
  • Audit logs now cover changes in automatic certificates status including: starting to apply, failed to apply, applied successfully, renewed successfully, and failed to renew.

  • Additional health check statuses have been added to the audit log. The Server Status widget display is updated.

20.2.a released on April 27, 2020

  • You can now define an Allow Only list in IP Protection to limit access to the application to specified IP addresses. See IP Protection.
  • You can now send a customized block page to clients triggering WAF rules. See Endpoints.
  • Forwarding attack and event logs to ElasticSearch is now supported. See Log Settings and Audit logs.
  • A new OWASP Top 10 widget together with a new FortiView OWASP Top 10 view have been added.

20.1.b released on March 21, 2020

  • Parameter name is supported when creating a signature exception rule for Known Attacks, Information Leakage, and Threshold Based Detection.
  • You can now add URL and parameter exceptions from attack logs.

20.1.a released on February 29, 2020

  • Three new modules are supported for API Protection.

    • The Mobile API Protection module allows you to protect your mobile APIs from malicious attacks by verifying the mobile device's authenticity. See Mobile API Protection.
    • The API Gateway module allows you to control and secure all access to your APIs. You can define API users, verify API keys, and perform access control. See API Gateway.
    • The JSON Protection module allows you to verify JSON request limits and JSON request parameters to protect against API attacks. See JSON Protection.
  • WAF configuration template is added for you to push WAF configurations to multiple applications. See Templates.
  • Bot mitigation leverages various detection mechanisms to quickly filter out automated threats.
    • Biometrics Based Detection: FortiWeb Cloud can now verify whether a client is a bot by monitoring events such as mouse movement, keyboard input, screen touches, and scrolling. See Biometrics Based Detection.
    • Threshold Based Detection: Using predefined occurrence counts and time periods of suspicious behaviors, FortiWeb Cloud judges whether a request comes from a human or a bot. See Threshold Based Detection.

    • Bot Deception: FortiWeb Cloud now provides a deception technique to identify bots. It inserts a hidden link into response pages. Clients that fetch the URL can accurately be classified as bots. See Bot Deception.
  • XML Protection module is moved from Advanced Applications to API Protection. See XML Protection.
  • User and Time Periods filters are added for Custom Rule. See Custom Rule.
  • Three security modes are added in Cookie Security module. See Cookie Security.
  • Applications page is optimized to accelerate the loading.
  • With the Attack Log Alerts feature, FortiWeb Cloud now supports sending attack log alert emails based on threat level or customized alert email rule. See Log Settings.
  • HTTP/2 communications can be protected when the traffic type is HTTPS. It's supported in Known Attacks, Information Leakage, and Cookie Security.

  • FortiWeb Cloud now supports adding exceptions through Anomaly Detection logs.
  • FortiWeb Cloud now supports Server Name Indication (SNI) configuration that identifies the certificate to use by domain. See Custom Certificate.


What's new

21.4.a released on October 8, 2021

  • URL Redirection enhancement

    When redirecting clients to a new host or IP address in a “301 Permanently” response, you can now keep the URL path while executing redirection. For example, clients visiting "www.aaa.com/test.html" can be redirected to "www.bbb.com/test.html".

  • CDN enhancement

    CDN feature is enhanced to allow selecting a specific continent instead of caching globally. This can help address compliance requirements that mandate application traffic must be served from a specific continent.

  • New scrubbing centers

    Additional AWS WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

    • AWS ap-southeast-1 (Singapore)

      • 18.136.170.71

      • 2406:da18:ad1:1101:b6ad:34de:de05:5ef3

      • 13.214.45.126

      • 2406:da18:ad1:1102:9a1c:767e:1e67:4763

      • 13.250.74.198(Offline)

      • 2406:da18:ad1:1101:1fb2:25ab:77f1:42e4(Offline)

    • AWS ca-central-1 (Canada)

      • 3.97.158.98

      • 2600:1f11:8c:9101:eb3:39f1:1815:884e

      • 3.97.249.50

      • 2600:1f11:8c:9102:411d:63f2:e5b4:5209

      • 3.98.118.237(Offline)

      • 2600:1f11:8c:9101:62aa:927:70dd:acfa(Offline)

    • AWS us-west-1 (N.California)

      • 52.8.219.206

      • 2600:1f1c:b97:d801:ff83:8b03:7a29:5981

      • 52.9.219.121

      • 2600:1f1c:b97:d802:fe8f:1a5d:5d1:1c6b

      • 54.215.20.148(Offline)

      • 2600:1f1c:b97:d801:fd1b:8346:e92e:466b(Offline)

    • AWS us-west-2 (Oregon)

      • 35.160.55.58

      • 2600:1f14:b5a:da01:a32:4cac:f337:9c00

      • 44.241.247.81

      • 2600:1f14:b5a:da02:5a8e:d30:ff37:18a9

      • 52.37.161.224(Offline)

      • 2600:1f14:b5a:da01:c9ac:e531:128b:ae2c(Offline)

21.3.b patch2 released on September 24, 2021

Additional AWS WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS eu-west-1 (Ireland)

    • 54.78.90.129

    • 2a05:d018:77c:d901:4f37:924f:6ea2:5952

    • 54.217.132.119

    • 2a05:d018:77c:d902:6605:9bef:2ca3:f220

    • 52.18.74.99 (offline)

    • 2a05:d018:77c:d901:550f:2833:9dbd:362c (offline)

  • AWS eu-west-2 (London)

    • 18.134.173.119

    • 2a05:d01c:64d:7001:7f27:28fe:f43b:e55b

    • 52.56.112.105

    • 2a05:d01c:64d:7002:a0b0:a076:53b2:31e3

    • 35.178.16.146 (offline)

    • 2a05:d01c:64d:7001:b99d:28b6:db62:e2bd (offline)

  • AWS eu-south-1 (Milan)

    • 15.161.215.247

    • 2a05:d01a:9f2:1701:4d5b:f1a8:d291:5a84

    • 15.161.76.114

    • 2a05:d01a:9f2:1702:8e71:e939:c954:1608

    • 15.160.42.32 (offline)

    • 2a05:d01a:9f2:1701:75ab:6622:8788:fdb2 (offline)

21.3.b released on September 3, 2021

  • Know Bots module

    Known bad bots and known search engines configuration is moved from Threshold Based Detection to a new module named Known Bots. See Known Bots for more information.

  • User Management enhancement

    Tighter and stricter integration with FortiCloud is introduced. FortiCloud sub users and IAM users are automatically assigned certain permissions on FortiWeb Cloud. See Admin management.

  • SQL and XSS Syntax Based Detection Enhancements

    Additional granularity is available for SQL and XSS Syntax Based Detection. You can specify the SQL injection types and XSS attack types to parse against. See Known Attacks for more information.

  • Alert notification upon certificate renewal failure

    When FortiWeb Cloud fails to renew or retrieve a certificate, a notification message will be displayed on the Web UI. An alert email will be sent as well.

  • Block page layout enhancement

    The layout of the "Server Unavailable Message" and "Attack Block Page" displayed to your application users is enhanced. Go to Global > Custom Block Pages to view the updated pages.

  • Filter type changes in Custom Rule

    The filter type "Security Rules" in Custom Rule is now renamed to Known Attacks. "Information Disclosure" and "Known Bad Bots" are no longer available when Known Attacks is chosen.

  • DNSSEC support on AWS

    DNS Security Extensions (DNSSEC) has been enabled for CNAMEs associated with applications hosted on AWS to protect against DNS spoofing, cache poisoning, or other DNS-related man-in-the-middle attacks.

  • DevOps tools configuration file update

    The configuration file for Ansible and Terraform is updated so that the API token is not exposed in yml file. See Using FortiWeb Cloud with DevOps tools.

21.3.a released on July 24, 2021

  • API Discovery (Beta)

    Use Machine Learning Based API discovery to learn the REST API data structure from user traffic. By studying the samples, a Swagger file will be generated describing the data structure such as the URL pattern and schema of endpoint data. See API Discovery (Beta) for more information.

  • Bot Detection (Beta)

    The AI-based machine learning bot detection model is introduced to complement the existing signature and threshold based rules. It detects sophisticated bots that can sometimes go undetected. See ML Based Detection (Beta) for more information.

  • Syntax based Cross Site Scripting detection

    Syntax Based Cross Site Scripting detection is introduced in the Known Attacks module to detect the XSS injection attacks using a sophisticated, non-signature based module that analyzes HTML/JavaScript syntax. See Known Attacks for more information.

  • Caching and Compression enhancements

    Additional granularity available for Caching and Compression. You can configure HTTP Method, Allow Return Code, Allow File Type, and Key Generation Factor to define the content to be cached. Resources cached on FortiWeb Cloud can now be purged. See Caching and Compression for more information.

  • DNS and HTTP challenges for Automatic Certificate

    It's now allowed to select whether to use DNS or HTTP challenge to validate your ownership of the domains. See Endpoints for more information.

  • Wildcard in domain names

    You can use wildcard to match multiple domains when onboarding an application. SeeEndpoints for more information.

  • HTTP only flag

    You can configure the Endpoints settings to add "HTTP Only" flag to internal cookies, which prevents client-side scripts from accessing the cookie. SeeEndpoints for more information.

  • Server certificate verification for log exporting

    FortiWeb Cloud by default enforces server certificate verification before it sends logs to the log server. See for more information.

  • Customizing HTTP Response Code

    It's now allowed to change the HTTP Response Code of Attack Block Page in custom block message.

21.2.c released on June 11, 2021

  • Sensitive Data Masking

    Sensitive Data Masking allows masking certain data types such as user names, passwords and other PII information that could appear in the packet payloads accompanying a log message. See Sensitive Data Masking for more information.

  • Parameter Validation

    A new security module named Parameter Validation is introduced in this release. It validates parameter input such as whether they’re required, maximum allowed length or whether they match pre-defined/customized patterns. See Parameter Validation for more information.

  • New scrubbing center

    A New scrubbing center has been deployed on Azure. Please allow access to your application from the IP addresses of these scrubbing centers.

    • Brazil South (São Paulo State)

      • 20.195.163.139

      • 20.197.225.122

      • 20.197.226.167 (Offline)

  • Origin Server Lock

    Origin Server Lock protects your application from attackers that try to bypass FortiWeb Cloud security measures by pointing their onboarded application to your origin server. See Origin Server Lock for more information.

  • Full support of HTTP/2

    HTTP/2 was supported only in certain security modules previously. Now FortiWeb Cloud fully supports HTTP/2 across all security modules.

  • Customized SSL/TLS Encryption Level

    You can customize the SSL/TLS Encryption Level by selecting the ciphers from the available ciphers list. See SSL/TLS and Supported cipher suites & protocol versions for more information.

  • Alerts for soon to expire certificates

    FortiWeb Cloud can now send an email alert when local certificates in Endpoints are about to expire.

  • Third Party IdP initiated SAML support

    Third Party IdP initiated SAML is now supported allowing to automatically access FortiWeb Cloud admin interface using your organization’s user credentials via a third party ID provider. See Managing External IdP roles in FortiCloud IAM for more information.

21.2.b released on May 26, 2021

  • It is now possible to enable sub categories and allow or deny specific bots in Threshold Based Detection’s Known Bad Bots, replacing the exception rules. If you had known bad bots exception rules configured make sure you enable/disable the bad bots via the new interface.

  • Syntax Based Detection exceptions are now based on attack types instead of signature IDs. Exceptions are configured separately from Signature Based Detection exceptions.

21.2.a released on May 1, 2021

  • The number of allowed custom rules per application has been raised to 24.

  • Additional granularity available for Credential based brute force protection. You can configure a target URL and occurrence period.

  • Additional WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

    • AWS

      • eu-central-1 (Frankfurt)

        • 18.192.64.32

        • 2a05:d014:f3c:6c01:99d0:8c50:ae51:99ac

        • 3.125.233.133

        • 2a05:d014:f3c:6c02:58:3e12:a98a:df9f

        • 3.64.105.7 (offline)

        • 2a05:d014:f3c:6c01:55bc:c559:8bb1:11e0 (offline)

      • sa-east-1 (Sao Paulo)

        • 54.207.227.252

        • 2600:1f1e:653:3201:eac8:161d:c0a:6915

        • 177.71.170.92

        • 2600:1f1e:653:3202:3615:6e2c:7b0c:85c9

        • 54.232.72.181 (offline)

        • 2600:1f1e:653:3201:d1a5:34ae:e023:be2d (offline)

    • Azure

      • West Europe

        • 20.86.129.248

        • 20.86.49.155

        • 20.86.49.12 (offline)

21.1.c released on March 1, 2021

The following enhancements are made in Rewriting Requests module:

  • In addition to the connection's source IP, it's now possible to record the connection's source port in the X-Forwarded-For: header.
  • The X-Forwarded-Port: header can be added to record the connection's original destination port.

See Rewriting Requests for more information.

 

21.1.b released on February 9, 2021

  • Redirecting requests based on host name is now supported, for example redirecting from example.com to www.example.com. See Rewriting Requests.

  • You can now sign in to FortiWeb Cloud as an IAM user.

  • New scrubbing centers have been deployed in the following OCI regions. Please allow access to your application from the IP addresses of these scrubbing centers.

    • US West (Phoenix)

      • 158.101.43.252

      • 158.101.43.253

      • 129.146.233.205 (Offline)

    • Germany Central (Frankfurt)

      • 158.101.176.179

      • 193.122.55.66

      • 132.145.248.29 (Offline)


21.1.a released on January 11, 2021

  • It is no longer required to have a port 80 HTTP service enabled to successfully generate automatic certificates. The limitation has been removed.
  • Custom ports HTTP 9219 and HTTPS 8181 are now supported.
  • You can now customize the following pages that FortiWeb Cloud displays to your users:
    • Attack Block Page
    • Server Unavailable Page
    • Captcha Enforcement Page

    The old Custom Block Page configurations will be discarded. You need to re-configure them through the new pages. See Custom block pages.

  • New scrubbing centers have been deployed on AWS and Azure. Please allow access to your application from the IP addresses of these scrubbing centers.

    • East US2 on Azure
      • 20.69.235.177
      • 20.81.153.33
      • 20.81.153.78 (offline)

    • Australia East on Azure
      • 20.70.160.47
      • 20.70.152.97
      • 20.70.152.115 (offline)

    • Europe (Milan) on AWS
      • 15.161.173.116
      • 15.161.10.152
      • 15.161.24.119 (offline)
      • 2a05:d01a:9f2:1701:bd84:9314:f93:b2f
      • 2a05:d01a:9f2:1702:aca5:5d4d:1995:50d
      • 2a05:d01a:9f2:1701:3e5:91fb:2690:b114 (offline)
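The scrubbing center lists in the 21.2.a and 21.1.a notes above are only useful if the origin server actually rejects traffic that did not pass through them. The following is an added example, not code from the FortiWeb Cloud documentation, that checks an origin access log for requests whose client address is not one of the 21.1.a scrubbing centers listed above; the log lines and the 203.0.113.45 client are constructed.

```python
"""Flag origin-server requests that did not arrive via a FortiWeb Cloud
scrubbing center (added example; addresses quoted from the 21.1.a note)."""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Active scrubbing center addresses from the 21.1.a release note above.
# Addresses the note marks "(offline)" are deliberately left out: a request
# from a decommissioned address is worth a look as well.
SCRUBBING_CENTERS = {
    "20.69.235.177", "20.81.153.33",        # East US2 on Azure
    "20.70.160.47", "20.70.152.97",          # Australia East on Azure
    "15.161.173.116", "15.161.10.152",       # Europe (Milan) on AWS
    "2a05:d01a:9f2:1701:bd84:9314:f93:b2f",  # Europe (Milan) on AWS, IPv6
    "2a05:d01a:9f2:1702:aca5:5d4d:1995:50d",
}
ALLOWED = {ipaddress.ip_address(a) for a in SCRUBBING_CENTERS}

# Constructed sample of a combined-format access log on the origin server.
SAMPLE_LOG = """\
15.161.173.116 - - [12/Jan/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
2a05:d01a:9f2:1702:aca5:5d4d:1995:50d - - [12/Jan/2021:10:00:02 +0000] "GET /api/v1/items HTTP/1.1" 200 88
203.0.113.45 - - [12/Jan/2021:10:00:03 +0000] "GET /admin HTTP/1.1" 403 0
15.161.24.119 - - [12/Jan/2021:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512
"""

CLIENT_RE = re.compile(r"^(\S+) ")  # first field of a combined-format line


def direct_hits(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, line) for every request whose client address is not a
    known scrubbing center, i.e. traffic that reached the origin directly."""
    hits = []
    for line in log_lines:
        m = CLIENT_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than silently allow
        try:
            client = ipaddress.ip_address(m.group(1))
        except ValueError:
            hits.append((m.group(1), line.rstrip()))  # unparseable address
            continue
        if client not in ALLOWED:
            hits.append((str(client), line.rstrip()))
    return hits


if __name__ == "__main__":
    for client, line in direct_hits(SAMPLE_LOG.splitlines()):
        print(f"bypassed WAF? {client}: {line}")
```

Run it against the real origin log after the WAF-only firewall rule is in place; any hit means the restriction is not effective for that path.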

20.4.b released on November 23, 2020

  • It is now possible to enable HSTS, forcing clients to use only HTTPS with the application.
  • When enabled, FortiWeb Cloud sets the Secure flag on its session management cookie, so that browsers send it only over HTTPS.
  • The logic in which FortiWeb Cloud retrieves automatic certificates has been optimized. Additionally, a new “Retrieve” button is added to allow manual retrieval of automatic certificates.

For more information on the new features, see Endpoints.

20.4.a released on November 10, 2020

  • As the FortiWeb Cloud service is already protected against volumetric DDoS attacks, TCP flood prevention is removed in order to prevent conflicts.
  • Configuration deployment is significantly improved to reduce service disruption.
  • New scrubbing centers are deployed in eu-central-1: EU (Frankfurt) on AWS. See Restricting direct traffic & allowing FortiWeb Cloud IP addresses.

20.3.b released on September 16, 2020

  • A new scrubbing center has been deployed on AWS in ap-south-1 (Asia Pacific, Mumbai). See FortiWeb Cloud scrubbing centers on AWS.
  • The API Key setting is no longer part of the Global Settings role, so an API key can also be generated for read-only roles.
  • DNS status changes will now be recorded in the audit log.
  • When a source violates the API Gateway rule, it is possible to automatically block the source IP for a period of 10 minutes.
  • In addition to 443, 7443, and 8443, ports 8081 and 8014 can now be used for HTTPS service.
  • Fabric Connectors is renamed to Cloud Connectors.

20.3.a released on August 10, 2020

  • Report optimizations:
    • A new query, Applications Traffic Summary, is added as a report category.
    • All applications can be added or removed at once.
    • Report generation can be activated or deactivated for scheduled reports.
    • The weekly reports option is removed from Global Settings.
  • A new trustlist module is added to allow trusting specific parameters. Once enabled, security enforcement is bypassed for the specified parameters. See Global Trustlist.
  • You can now define a separate Action per security module, allowing, for example, some modules to only trigger an alert while others are set to block. This is available when Advanced Configuration is enabled.
  • The Filter option for Cloud Connector is optimized to show all available options for a selected fabric connector.
  • A new Ansible template is released to allow configuring an endpoint’s certificate configuration. See Configuring FortiWeb Cloud with Ansible.
  • FortiWeb Cloud now supports generating an API key for authentication. See API Key.
  • Advanced Configuration is added in Global Settings. Once enabled, a Templates tab is introduced together with the ability to configure the Action interface for each security module.
  • Six new predefined templates containing commonly used WAF security configuration for different known applications such as Drupal and WordPress are introduced in this release. See Templates.
  • FortiWeb Cloud will keep the data in your account for an additional week after you unsubscribe from FortiWeb Cloud.

20.2.d released on July 1, 2020

  • Cloud Connectors is introduced to support origin servers with dynamically changing IP addresses. See Cloud Connectors.
  • IPv6 is now supported for customers utilizing FortiWeb Cloud on AWS. You can enable IPv6 service in Endpoint, add origin servers with IPv6 addresses, or configure IPv6 addresses in IP Protection and Custom Rule.
  • New report types are added, together with the capability to schedule reports with per-application granularity and a configurable report time frame.
  • Support for DevOps tools including Jenkins, Ansible, and Terraform has been added. You can use them to automatically onboard or delete applications and change the IP list in IP Protection. Contact support to download the template.

20.2.c released on June 17, 2020

  • Role Management is introduced to offer an easier way to manage access privileges and permissions specific to a job function. See Role management.
  • You can manually test the health status of an origin server in real time. See Origin Servers.
  • You can now insert a Content-Security-Policy header to prevent certain types of attacks, including XSS and data injection attacks. See HTTP Header Security.

20.2.b released on May 29, 2020

  • You can now configure Allow Known Search Engines in Threshold Based Detection to accept or deny traffic from known search engines such as Google, Bing, and Yahoo. This is enabled by default. See Threshold Based Detection.
  • FortiWeb Cloud now supports onboarding applications running on non-standard ports. Certain limitations apply. See Traffic Type.
  • A new scrubbing center has been deployed on AWS - sa-east-1:South America. See FortiWeb Cloud scrubbing centers on AWS.

  • A new protection mechanism is introduced for SQL Injection attacks called Syntax Based Detection. It uses a SQL parser to validate whether the pattern is real SQL language which helps identify true attacks while minimizing false positives. See Known Attacks.

  • Paging is optimized for Attack Logs and Audit Logs. A maximum of 10,000 attack/audit logs are displayed per filter in Attack/Audit Logs.
  • Audit logs now cover changes in automatic certificates status including: starting to apply, failed to apply, applied successfully, renewed successfully, and failed to renew.

  • Additional health check statuses have been added to the audit log. The Server Status widget display is updated.

20.2.a released on April 27, 2020

  • You can now define an Allow Only list in IP Protection to limit access to the application to specified IP addresses. See IP Protection.
  • You can now send a customized block page to clients triggering WAF rules. See Endpoints.
  • Forwarding attack and event logs to ElasticSearch is now supported. See Log Settings and Audit logs.
  • A new OWASP Top 10 widget together with a new FortiView OWASP Top 10 view have been added.

20.1.b released on March 21, 2020

  • Parameter name is supported when creating a signature exception rule for Known Attacks, Information Leakage, and Threshold Based Detection.
  • It's now supported to add URL and parameter exceptions in attack logs.

20.1.a released on February 29, 2020

  • Three new modules are supported for API Protection.

    • The Mobile API Protection module lets you protect your mobile APIs from malicious attacks by verifying the authenticity of the mobile device. See Mobile API Protection.
    • The API Gateway module lets you control and secure all access to your APIs. You can define API users, verify API keys, and perform access control. See API Gateway.
    • The JSON Protection module verifies JSON request limits and JSON request parameters to protect against API attacks. See JSON Protection.
  • A WAF configuration template is added so you can push WAF configurations to multiple applications. See Templates.
  • Bot mitigation leverages various detection mechanisms to quickly filter out automated threats.
    • Biometrics Based Detection: FortiWeb Cloud can now verify whether a client is a bot by monitoring events such as mouse movement, keyboard input, screen touches, and scrolling. See Biometrics Based Detection.
    • Threshold Based Detection: Based on predefined occurrence counts and time periods for suspicious behaviors, FortiWeb Cloud judges whether a request comes from a human or a bot. See Threshold Based Detection.

    • Bot Deception: FortiWeb Cloud now provides a deception technique to identify bots. It inserts a hidden link into response pages. Clients that fetch the URL can accurately be classified as bots. See Bot Deception.
  • XML Protection module is moved from Advanced Applications to API Protection. See XML Protection.
  • User and Time Periods filters are added for Custom Rule. See Custom Rule.
  • Three security modes are added in Cookie Security module. See Cookie Security.
  • The Applications page is optimized to load faster.
  • With the Attack Log Alerts feature, FortiWeb Cloud now supports sending attack log alert emails based on threat level or customized alert email rule. See Log Settings.
  • HTTP/2 communications can be protected when the traffic type is HTTPS. It's supported in Known Attacks, Information Leakage, and Cookie Security.

  • FortiWeb Cloud now supports adding exceptions through Anomaly Detection logs.
  • FortiWeb Cloud now supports Server Name Indication (SNI) configuration that identifies the certificate to use by domain. See Custom Certificate.