Fortinet black logo

User Guide

What's new

Copy Link
Copy Doc ID 8d4237ec-c163-11ee-8c42-fa163e15d75b:1878
Download PDF

24.1 released on Feb 1, 2024

Support for FortiADC Threat Analytics

FortiWeb Cloud now supports the analysis of attack logs from FortiADC, utilizing its advanced AI-based threat analytics system to provide cross-platform visibility. For setup information, see Forwarding FortiADC attack logs to Threat Analytics.

Splunk Version 9 support

You can now export Traffic Logs directly to the latest version of Splunk. This allows seamless ingestion and mapping of security and audit data collected from FortiWeb Cloud. For more information, see FortiWeb Cloud and Splunk.

23.4 released on Nov 16, 2023

Consumption report

A new Consumption report is now available, detailing data/bandwidth consumption for each application. Enable in Global > Settings. For more information, see Settings.

Security Fabric Support for FortiGate 7.x

FortiWeb Cloud devices can now be integrated into the Security Fabric of any FortiGate running 7.0.0 or newer. For more information, see Fortinet Security Fabric.

Redesign rewriting requests to support multiple rules

Rewriting Requests has been redesigned to support multiple actions in single rewrite rule. For more information, see Rewriting Requests.

Support signature exceptions for JSON format

Attack Log has been enhanced to support Exceptions for JSON format requests. You can specify JSON element in the exception rules in Known Attacks and Information Leakage.

Add RST_STREAM Restriction

FortiWeb Cloud has been enhanced to provide better protection for the HTTP/2 Rapid Reset Attack. A new Request Limit has been added that allows limiting the number of RST_STREAM per session. Configure it in Access Rules>Request Limits. For more information, see Request Limits.

Sub-user and Admin (Legacy) migration

FortiWeb Cloud will cease to support Sub-user and Admin (Legacy) accounts starting from version 24.1, which is scheduled for release in January 2024. To ensure uninterrupted access, kindly migrate Sub-user and Admin (Legacy) to IAM user in advance. Failure to do so may result in the them losing access to FortiWeb Cloud. For more information, see Migrating to IAM user.

23.3.a released on Sept 7, 2023

Region IP update

An additional AWS scrubbing center has deployed in the following region. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS il-central-1: Israel (Tel Aviv)

    • 51.17.26.125

      2a05:d025:c86:1702:3be9:6a28:de24:3589

    • 51.16.192.242

      2a05:d025:c86:1702:4ddf:2b90:a945:ea28

    • 51.16.118.151

      2a05:d025:c86:1701:39b:f35d:2126:5c85

    • 51.16.198.214

      2a05:d025:c86:1701:1eb6:57b5:dfe6:4cfb

FortiCloud Organizations (OUs)

FortiWeb Cloud now supports FortiCloud Organization. This centralized account management service consolidates multiple FortiCloud accounts into a structured system of Organization/Organizational Units (OUs). For more information, see FortiCloud Organizational Units.

FortiFlex Contract Support

FortiWeb Cloud is introducing FortiFlex (formerly Flex-VM), a new contract management system that allows customers to buy points that can be directed to match their specific requirements for Application and Bandwidth, instead of being restricted to a limited array of contract choices. For more information, see FortiFlex.

FortiSIEM Support

You can now export your attack and audit logs to FortiSIEM. See Log Settings for more information.

Traffic log export to Azure Storage

You can now export your attack logs to Azure blob storage. See Log Settings for more information.

Allow WAF Cloud IP addresses

You now have the option to download a list of all IP addresses that you need to configure on the firewall. For more information, see Application management.

Custom Rules ordering

You can now adjust the order of custom rules. See Custom Rule for more information.

23.3 released on July 6, 2023

Region IP update

A new scrubbing center will be live on the date of the upcoming release. Please make sure to allow access to your applications from the IP addresses listed below.

  • GCP europe-west-8 (Milan)

    • 34.154.63.30

    • 34.154.60.54

    • 34.154.148.78

    • 34.154.84.52

Waiting Room

Control visitor traffic using a virtual holding space and queuing First-In/First-Out system.

See Waiting Room for more information.

Using FortiAnalyzer as syslog server

You now have the option to export logs to FortiAnalyzer to leverage its powerful log management, analytics, and reporting capabilities.

See Log Settings for more information.

Vulnerability Scan service available on Public Cloud Marketplace

Customers that subscribed via Public Cloud marketplace can now run vulnerability scans without having to purchase a separate license. They will be automatically billed via the existing subscription

See Vulnerability Scan for more information.

IAM user role management in FortiCloud

You can now directly assign roles to IAM users in FortiCloud, simplifying the process of managing user access and permissions

See Admin management for more information.

Cache clear for all pages or a single page

The Caching and Compression module now includes the capability to clear the cache for all pages or a single page.

See Caching and Compression for more information.

23.2 released on April 28, 2023

ML based API Protection - Schema and Threat Protection

A new protection layer called “Threat Protection” has been added to the ML based API Protection module. It learns parameter value patterns from API body requests and builds mathematical models to screen out abnormal requests that are deemed malicious. Additionally, you can now set individual API path schema protection rules to detect malformed API requests.

See ML Based API Protection for more information.

IP Protection – uploading an IP List in batch

In IP Protection, instead of configuring IPs one by one, you can now upload a CSV file with a list of IPs instead. See IP Protection for more information.

SOC Analyst Workflow - ServiceNow Integration

Incident Notifications now supports Service Now. You can configure FortiWeb Cloud to create an incident in ServiceNow when threat incidents occur. See Settings for more information.

Account permission control at the Application level moved to Admin Management

The account permission control at the application level was in Role Management. Now it’s moved to Admin Management. See Admin management for more information.

Log filtering enhancements

Attack log now displays logs from all applications, filtering for a specific application is not required. Additionally, filters have been enhanced with filter suggestions.

Application configuration clone

In previous versions, applying a configuration template to specific applications could be done in Global > Templates. However, now you can create a new template by cloning an existing application's configuration in Global > Applications.

RESTful API version upgraded to v2

FortiWeb Cloud now supports RESTful API v2. Currently v1 is still supported, but some URLs and formats have changed. We cannot guarantee that the RESTful API scripts in v1 format still work.

Please note that starting from the next version 23.2.a, v1 will be no longer supported.

23.1 released on February 24, 2023

SOC Analyst Workflow – Jira and Email Integration

You can now define various rules to automatically create a Jira ticket or send an email when certain Incidents occur. This can help SOC analysts assign an incident to someone else in the organization. See Settings for more information.

Update Details in Audit Logs

Audit logs now provide details on the configuration changes with before&after information.

Threat Analytics – Aggregation across multiple applications

Threat Analytics now aggregates events and finds patterns across multiple applications within the same account. This can help identify sophisticated attack campaigns that focus on multiple customer web assets.

Vulnerability scan bypassing FortiWeb Cloud

You can now bypass the FortiWeb Cloud protection when running a FortiWeb Cloud’s vulnerability scan. This can help to understand if the application is vulnerable, before implementing FortiWeb Cloud security. Enable the Bypass WAF option in Vulnerability Scan. See Vulnerability Scan for more information.

Validate HTTPS Origin Server Certificates

You can now upload SSL certificates to secure the connections between FortiWeb Cloud and your origin sever. See Origin Servers for more information.

URL rewriting based on protocol

When configuring the Rewriting Requests rule, you can now specify that the URL will be rewritten only if it's in HTTP or HTTPS request. See Rewriting Requests for more information.

22.4.a released on December 15, 2022

CORS (Cross-Origin Resource Sharing) Protection

CORS (Cross-Origin Resource Sharing) is introduced to help protect users by controlling and restricting client browsers from accessing origins (domain, scheme, or port) other than the server itself.

For more information, see CORS protection.

Attack Log Changes

Attack logs tab now merged into Threat Analytics and display logs from all applications. Additionally, FortiWeb Cloud now collects and displays logs from WAF gateways as well.

Client Certificate Authentication

Configure client certificate authentication rules to verify users by their client certificate.

For more information, see Client Certificate Authentication in Endpoints.

CVE Widget/ FortiView CVE

Additional visibility to attacks trying to exploit known vulnerabilities is added in this version. New FortiView view by CVE and Threat Analytics CVE widget are added.

SSL/TLS Encryption Enhancements

  • New SSL Encryption Level groups are added: In an effort to follow industry standards, new encryption groups added - Mozilla-Modern, Mozilla-Intermediate, and Mozilla Old.

  • The existing "High or Medium" SSL Encryption Level groups will only be available for existing applications. It is recommended to switch them to the new groups.

  • New SSL Encryption Level groups are now also available for Origin Servers to control the encryption levels from FortiWeb Cloud to the backend application.

ML Based API Protection data view enhancement

  • ML based API Protection is enhanced to automatically update API endpoints when the application changes.

  • UI is rearranged to provide easier visibility to API endpoints.

  • PII specific data labels have been added.

22.4 released on November 06, 2022

Bug fix

We have fixed several bugs to deliver better performance.

Region IP update

IP addresses of the following scrubbing centers are being updated. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS eu-west-2: Europe (London)

    • 18.168.230.94

    • 2a05:d01c:64d:7001:1e54:38a8:2653:4d95

    • 18.130.48.8

    • 2a05:d01c:64d:7002:8a95:b846:2f49:ca5b

22.3.c released on October 6, 2022

Bug fix

We have fixed several bugs to deliver better performance.

Region IP update

IP addresses of the following scrubbing centers are being updated. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS sa-east-1: South America (Sao Paulo)

    • 18.229.224.63

    • 2600:1f1e:653:3201:6d62:b616:3070:869f

    • 15.229.95.152

    • 2600:1f1e:653:3202:cad1:1b69:28e2:ccea

  • Azure East US2

    • 20.14.167.255

    • 20.65.95.32

22.3.b released on September 23, 2022

Region IP update

IP addresses of the following scrubbing centers are being updated. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS us-east-1: US East (N. Virginia)

    • 3.214.245.110

    • 2600:1f18:1492:1701:7c58:5331:25e3:3343

    • 3.225.188.145

    • 2600:1f18:1492:1702:b3ff:2b1d:d9a7:9e88

  • New region on Azure: Canada Central

    • 20.63.56.203

    • 20.63.58.199

    • 20.48.236.10

    • 20.48.236.225

Threat Analytics Incident Tags

Administrators can now use predefined tags or create their own tags for Threat Analytics incidents. This helps in labeling incidents for future usage such as sorting, filtering and acknowledging incidents.

Allowlist FortiWeb Cloud IP Addresses

The following links include up to date FortiWeb Cloud IPs. For security best practice configure your web and network firewall to only accept traffic to your web applications from these IPs - https://www.fortiweb-cloud.com/ips-v4 and https://www.fortiweb-cloud.com/ips-v6.

22.3.a released on August 19, 2022

Threat Analytics integrated with FortiWeb

FortiWeb Cloud now integrates with FortiWeb appliances. Collect attack logs from all your FortiWeb platforms and leverage the power of threat analytics across your entire web assets.

Insights tab in Threat Analytics

The new Insights tab is added in Threat Analytics. It provides an additional layer of incident analysis and offers recommendations to improve your security posture. See Threat Analytics for more information.

Vulnerability Scan

A new Web Vulnerability Scan module is introduced. It helps identify OWASP Top 10 flaws in web applications. Get a comprehensive report with remediation recommendations to protect your web applications. See Vulnerability Scan for more information.

Cookie Exception

It's now supported to add exceptions based cookie name and value. This option is available in Signature Based Detection and Syntax Based Detection in Known Attacks, Information Leakage, and attack logs.

New subscription option on AWS

You can now subscribe FortiWeb Cloud on AWS with a yearly data plan.

22.2.b p2 released on July 27, 2022

Region IP updated

IP addresses of the following scrubbing centers on AWS are being updated. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS eu-central-1: Europe (Frankfurt)

    • 3.127.31.213

    • 2a05:d014:f3c:6c01:5e7a:1eba:64:30ce

    • 52.58.147.238

    • 2a05:d014:f3c:6c02:3b5d:afaa:1d4:b8f1

22.2.c released on June 29, 2022

Sensitivity level for signatures

Known Attacks now include Sensitivity Levels. You can now choose from four categories of attack signatures (L1 to L4) based on their sensitivity to false positives and their requirement for a higher security level. Every level adds additional signatures thus increasing security but also the possibility of blocking legitimate traffic.

Personally Identifiable Information

On Information Leakage page, you can now configure FortiWeb Cloud to identify personally identifiable information (PII)

Top Known Threats widget

A Top Known Threats widget is added to the Dashboard. It lists the top attacks triggered on your web assets by CVE.

New SOC Analyst role

A new SOC Analyst role is added to the Role management tab.

Region IP updated

IP addresses of scrubbing centers on Azure and Google Cloud are being updated and they will be in effect in the next release 22.3.a. Make sure to update your systems if you created rules limiting access to these IPs. Refer to Restricting direct traffic & allowing FortiWeb Cloud IP addresses for the updated IP addresses.

22.2.a p1 released on June 10, 2022

New scrubbing center clusters

Additional AWS WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS ap-east-1 (Hongkong)

    • 18.166.240.188

    • 2406:da1e:b:ae01:31b6:202a:2bbc:79da

    • 18.167.155.174

    • 2406:da1e:b:ae02:f3f4:38fa:d7a2:311a

    • 16.163.110.210

    • 2406:da1e:b:ae01:b1ae:20d2:703f:a868

    • 18.167.190.240

    • 2406:da1e:b:ae01:841e:27d4:4642:5f7f

    • 16.163.212.249

    • 2406:da1e:b:ae02:5b3d:9808:f840:b303

22.2.a released on May 16, 2022

Machine Learning based API Protection

Machine Learning based API Discovery is now upgraded to Machine Learning based API Protection. FortiWeb Cloud can now block anomalies based on the schema it has automatically created and built for the application.

UI enhancements for Machine Learning based API Protection

A new API Collection tab is added with two views, Path List and API View. Path list provides an way to sift through all APIs and easily identify, parameters and schema action. The tree view has been removed.

Machine learning changes

  • The API Discovery module is removed. The old configurations and the machine learning models are cleared.

  • The configurations of the Anomaly Detection are not affected, but its machine learning models are cleared.

Traffic Summary

A new page named Traffic Summary is added under FortiView. View traffic statistics such as source IP addresses, URL, User Agent, Return Code, and Request Method.

Billing system update

Due to a metering issue, customers that have CDN enabled were only partially billed for their traffic. This issue is now fixed.

Region IP updated

IP addresses of scrubbing centers on AWS are being updated and they will be in effect in the next release 22.2.b. Make sure to update your systems if you created rules limiting access to these IPs. Refer to Restricting direct traffic & allowing FortiWeb Cloud IP addresses for the updated IP addresses.

Traffic log exporting

You can now use FortiWeb Cloud to log all access requests and export traffic log to an AWS S3 bucket. See Exporting traffic logs.

Threat Analytics widget on Dashboard

A Dashboard tab has been added to Threat Analytics.

22.1.c released on April 4, 2022

Threat Analytics

We’re introducing a new service called Threat Analytics in this release. The service uses machine learning algorithms to identify attack patterns across your entire application assets and aggregate them into security incidents and assign severity. It helps separate real threats from informational alerts and false positives and help you focus on the threats that matter. See Threat Analytics for more information.

OWASP 2021 attack type

Attack types have been aligned to the OWASP Top 10. You will notice attack logs being tagged with new category names.

DNS status update

FortiWeb Cloud now updates your application's DNS status every two minutes on the first day when it's onboarded, then once an hour after that. An "Update" button had been added to allow to manually update the DNS status at any time.

22.1.b released on February 24, 2022

Blocking Known Engines

In addition to allowing known engines, you can now also set the action to block or bypass.

Domain filter type in Attack Logs

You can now filter the attack logs by domain names.

CC-attack detection

Bot Detection can now prevent against Challenge Collapsar (CC) attacks.

22.1.a released on January 9, 2022

New scrubbing center clusters

Additional AWS WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS us-east-1 (N.Virginia)

    • 3.228.64.186

    • 2600:1f18:1492:1701:e54f:59c6:7114:2878

    • 3.231.16.50

    • 2600:1f18:1492:1702:e618:cb8e:f4b5:4ba4

  • AWS eu-central-1 (Frankfurt)

    • 35.156.146.120

    • 2a05:d014:f3c:6c01:24c5:1d8d:b3be:2785

    • 35.158.251.28

    • 2a05:d014:f3c:6c02:2490:b345:e759:f43f

Chat bot integration

A new chatbot has been integrated to help address frequently asked questions.

Signature search

It is now possible to search for specific signatures in the Known Attacks and Information Leakage dictionaries. You can search by CVE, keywords, signature IDs and by attack category.

21.4.b released on December 5, 2021

Action required! Change your A record ASAP!

The IP addresses of FortiWeb Cloud have changed. If you are using a CNAME record to point your domains to FortiWeb Cloud you do not need to do anything.

However, if you are using an A record to point your domain to FortiWeb Cloud you need to change the IP address in your DNS A record as soon as possible, otherwise when your web application certificate expires it will fail to renew.

To update the A record:

  1. Log in to FortiWeb Cloud.
  2. Go to Global > Applications.
  3. Find the application which uses the A record.
  4. Click Update Pending in DNS Status column. You can find the new IP addresses in the pop-up window.
  5. Go to your DNS service and find the A record, then pair your domain name with the new IP addresses.

This change applies only to A record. For restricting direct traffic and configuring the allowlist in a DDoS device, you can use the same IP addresses as before.

An easier way to look up Cloud WAF IP addresses

The Regions column in the applications tab has been populated with additional information. It displays the IP addresses of the Cloud WAF scrubbing centers assigned to your applications.

Caching added to dashboard widgets

Caching data has been added to the Throughput and Incoming Requests dashboard widgets.

Default action changed for GEO IP violations

The action taken for the GEO IP violations is changed from Deny&Alert to Period Block (600 seconds).

Minimum interval of Information Leakage logs

To avoid log flooding, the minimum interval of Information Leakage logs is set to 1 second.

21.4.a p3 released on November 12, 2021

New scrubbing center clusters

Additional AWS WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS ap-south-1 (Mumbai)

    • 3.109.248.211

    • 2406:da1a:31:d501:fc19:5e59:9804:b392

    • 3.109.17.189

    • 2406:da1a:31:d502:2eaf:153f:91b3:7dc0

    • 3.108.0.134 (offline)

    • 2406:da1a:31:d501:4933:f303:c5b:4726 (offline)

  • AWS us-east-2 (Ohio)

    • 3.131.242.28

    • 2600:1f16:160:aa01:4584:fec1:ab59:6bd4

    • 18.188.127.1

    • 2600:1f16:160:aa02:5629:28f1:196d:acbe

    • 3.132.52.4 (offline)

    • 2600:1f16:160:aa01:6d33:94aa:74c0:7cf0 (offline)

21.4.a released on October 8, 2021

  • URL Redirection enhancement

    When redirecting clients to a new host or IP address in a “301 Permanently” response, you can now keep the URL path while executing redirection. For example, clients visiting "www.aaa.com/test.html" can be redirected to "www.bbb.com/test.html".

  • CDN enhancement

    CDN feature is enhanced to allow selecting a specific continent instead of caching globally. This can help address compliance requirements that mandate application traffic must be served from a specific continent.

  • New scrubbing centers

    Additional AWS WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

    • AWS ap-southeast-1 (Singapore)

      • 18.136.170.71

      • 2406:da18:ad1:1101:b6ad:34de:de05:5ef3

      • 13.214.45.126

      • 2406:da18:ad1:1102:9a1c:767e:1e67:4763

      • 13.250.74.198(Offline)

      • 2406:da18:ad1:1101:1fb2:25ab:77f1:42e4(Offline)

    • AWS ca-central-1 (Canada)

      • 3.97.158.98

      • 2600:1f11:8c:9101:eb3:39f1:1815:884e

      • 3.97.249.50

      • 2600:1f11:8c:9102:411d:63f2:e5b4:5209

      • 3.98.118.237(Offline)

      • 2600:1f11:8c:9101:62aa:927:70dd:acfa(Offline)

    • AWS us-west-1 (N.California)

      • 52.8.219.206

      • 2600:1f1c:b97:d801:ff83:8b03:7a29:5981

      • 52.9.219.121

      • 2600:1f1c:b97:d802:fe8f:1a5d:5d1:1c6b

      • 54.215.20.148(Offline)

      • 2600:1f1c:b97:d801:fd1b:8346:e92e:466b(Offline)

    • AWS us-west-2 (Oregon)

      • 35.160.55.58

      • 2600:1f14:b5a:da01:a32:4cac:f337:9c00

      • 44.241.247.81

      • 2600:1f14:b5a:da02:5a8e:d30:ff37:18a9

      • 52.37.161.224(Offline)

      • 2600:1f14:b5a:da01:c9ac:e531:128b:ae2c(Offline)

21.3.b patch2 released on September 24, 2021

Additional AWS WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS eu-west-1 (Ireland)

    • 54.78.90.129

    • 2a05:d018:77c:d901:4f37:924f:6ea2:5952

    • 54.217.132.119

    • 2a05:d018:77c:d902:6605:9bef:2ca3:f220

    • 52.18.74.99 (offline)

    • 2a05:d018:77c:d901:550f:2833:9dbd:362c (offline)

  • AWS eu-west-2 (London)

    • 18.134.173.119

    • 2a05:d01c:64d:7001:7f27:28fe:f43b:e55b

    • 52.56.112.105

    • 2a05:d01c:64d:7002:a0b0:a076:53b2:31e3

    • 35.178.16.146 (offline)

    • 2a05:d01c:64d:7001:b99d:28b6:db62:e2bd (offline)

  • AWS eu-south-1 (Milan)

    • 15.161.215.247

    • 2a05:d01a:9f2:1701:4d5b:f1a8:d291:5a84

    • 15.161.76.114

    • 2a05:d01a:9f2:1702:8e71:e939:c954:1608

    • 15.160.42.32 (offline)

    • 2a05:d01a:9f2:1701:75ab:6622:8788:fdb2 (offline)

21.3.b released on September 3, 2021

  • Know Bots module

    Known bad bots and known search engines configuration is moved from Threshold Based Detection to a new module named Known Bots. See Known Bots for more information.

  • User Management enhancement

    Tighter and stricter integration with FortiCloud is introduced. FortiCloud sub users and IAM users are automatically assigned certain permissions on FortiWeb Cloud. See Admin management.

  • SQL and XSS Syntax Based Detection Enhancements

    Additional granularity is available for SQL and XSS Syntax Based Detection. You can specify the SQL injection types and XSS attack types to parse against. See Known Attacks for more information.

  • Alert notification upon certificate renewal failure

    When FortiWeb Cloud fails to renew or retrieve a certificate, a notification message will be displayed on the Web UI. An alert email will be sent as well.

  • Block page layout enhancement

    The layout of the "Server Unavailable Message" and "Attack Block Page" displayed to your application users is enhanced. Go to Global > System Settings > Custom Block Pages to view the updated pages.

  • Filter type changes in Custom Rule

    The filter type "Security Rules" in Custom Rule is now renamed to Known Attacks. "Information Disclosure" and "Known Bad Bots" are no longer available when Known Attacks is chosen.

  • DNSSEC support on AWS

    DNS Security Extensions (DNSSEC) has been enabled for CNAMEs associated with applications hosted on AWS to protect against DNS spoofing, cache poisoning, or other DNS-related man-in-the-middle attacks.

  • DevOps tools configuration file update

    The configuration file for Ansible and Terraform is updated so that the API token is not exposed in yml file. See Using FortiWeb Cloud with DevOps tools.

21.3.a released on July 24, 2021

  • API Discovery (Beta)

    Use Machine Learning Based API discovery to learn the REST API data structure from user traffic. By studying the samples, a Swagger file will be generated describing the data structure such as the URL pattern and schema of endpoint data. See ML Based API Protection for more information.

  • Bot Detection (Beta)

    The AI-based machine learning bot detection model is introduced to complement the existing signature and threshold based rules. It detects sophisticated bots that can sometimes go undetected. See ML Based Bot Detection for more information.

  • Syntax based Cross Site Scripting detection

    Syntax Based Cross Site Scripting detection is introduced in the Known Attacks module to detect the XSS injection attacks using a sophisticated, non-signature based module that analyzes HTML/JavaScript syntax. See Known Attacks for more information.

  • Caching and Compression enhancements

    Additional granularity available for Caching and Compression. You can configure HTTP Method, Allow Return Code, Allow File Type, and Key Generation Factor to define the content to be cached. Resources cached on FortiWeb Cloud can now be purged. See Caching and Compression for more information.

  • DNS and HTTP challenges for Automatic Certificate

    It's now allowed to select whether to use DNS or HTTP challenge to validate your ownership of the domains. See Endpoints for more information.

  • Wildcard in domain names

    You can use wildcard to match multiple domains when onboarding an application. SeeEndpoints for more information.

  • HTTP only flag

    You can configure the Endpoints settings to add "HTTP Only" flag to internal cookies, which prevents client-side scripts from accessing the cookie. SeeEndpoints for more information.

  • Server certificate verification for log exporting

    FortiWeb Cloud by default enforces server certificate verification before it sends logs to the log server. See for more information.

  • Customizing HTTP Response Code

    It's now allowed to change the HTTP Response Code of Attack Block Page in custom block message.

21.2.c released on June 11, 2021

  • Sensitive Data Masking

    Sensitive Data Masking allows masking certain data types such as user names, passwords and other PII information that could appear in the packet payloads accompanying a log message. See Sensitive Data Masking for more information.

  • Parameter Validation

    A new security module named Parameter Validation is introduced in this release. It validates parameter input such as whether they’re required, maximum allowed length or whether they match pre-defined/customized patterns. See Parameter Validation for more information.

  • New scrubbing center

    A New scrubbing center has been deployed on Azure. Please allow access to your application from the IP addresses of these scrubbing centers.

    • Brazil South (São Paulo State)

      • 20.195.163.139

      • 20.197.225.122

      • 20.197.226.167 (Offline)

  • Origin Server Lock

    Origin Server Lock protects your application from attackers that try to bypass FortiWeb Cloud security measures by pointing their onboarded application to your origin server. See Origin Server Lock for more information.

  • Full support of HTTP/2

    HTTP/2 was supported only in certain security modules previously. Now FortiWeb Cloud fully supports HTTP/2 across all security modules.

  • Customized SSL/TLS Encryption Level

    You can customize the SSL/TLS Encryption Level by selecting the ciphers from the available ciphers list. See SSL/TLS and Supported cipher suites & protocol versions for more information.

  • Alerts for soon to expire certificates

    FortiWeb Cloud can now send an email alert when local certificates in Endpoints are about to expire.

  • Third Party IdP initiated SAML support

    Third Party IdP initiated SAML is now supported allowing to automatically access FortiWeb Cloud admin interface using your organization’s user credentials via a third party ID provider. See Managing External IdP roles in FortiCloud IAM for more information.

21.2.b released on May 26, 2021

  • It is now possible to enable sub categories and allow or deny specific bots in Threshold Based Detection’s Known Bad Bots, replacing the exception rules. If you had known bad bots exception rules configured make sure you enable/disable the bad bots via the new interface.

  • Syntax Based Detection exceptions are now based on attack types instead of signature IDs. Exceptions are configured separately from Signature Based Detection exceptions.

21.2.a released on May 1, 2021

  • The number of allowed custom rules per application has been raised to 24.

  • Additional granularity available for Credential based brute force protection. You can configure a target URL and occurrence period.

  • Additional WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

    • AWS

      • eu-central-1 (Frankfurt)

        • 18.192.64.32

        • 2a05:d014:f3c:6c01:99d0:8c50:ae51:99ac

        • 3.125.233.133

        • 2a05:d014:f3c:6c02:58:3e12:a98a:df9f

        • 3.64.105.7 (offline)

        • 2a05:d014:f3c:6c01:55bc:c559:8bb1:11e0 (offline)

      • sa-east-1 (Sao Paulo)

        • 54.207.227.252

        • 2600:1f1e:653:3201:eac8:161d:c0a:6915

        • 177.71.170.92

        • 2600:1f1e:653:3202:3615:6e2c:7b0c:85c9

        • 54.232.72.181 (offline)

        • 2600:1f1e:653:3201:d1a5:34ae:e023:be2d (offline)

    • Azure

      • West Europe

        • 20.86.129.248

        • 20.86.49.155

        • 20.86.49.12 (offline)

21.1.c released on March 1, 2021

The following enhancements are made in Rewriting Requests module:

  • In addition to the connection's source IP, it's now possible to record the connection's source port in the X-Forwarded-For: header.
  • The X-Forwarded-Port: header can be added to record the connection's original destination port.

See Rewriting Requests for more information.

21.1.b released on February 9, 2021

  • It's now supported to redirect requests based on host names, for example, redirecting from example.com to www.example.com. See Rewriting Requests.

  • You can now sign in FortiWeb Cloud as IAM users.

  • New scrubbing centers have been deployed on the following regions on OCI. Please allow access to your application from the IP addresses of these scrubbing centers.

    • US West (Phoenix)

      • 158.101.43.252

      • 158.101.43.253

      • 129.146.233.205 (Offline)

    • Germany Central (Frankfurt)

      • 158.101.176.179

      • 193.122.55.66

      • 132.145.248.29 (Offline)

21.1.a released on January 11, 2021

  • It is no longer required to have a port 80 HTTP service enabled to successfully generate automatic certificates. The limitation has been removed.
  • Custom ports HTTP 9219 and HTTPS 8181 are now supported.
  • You can now customize the following pages that FortiWeb Cloud displays to your users:
    • Attack Block Page
    • Server Unavailable Page
    • Captcha Enforcement Page

    The old Custom Block Page configurations will be discarded. You need to re-configure it through the new page. See Custom block pages.

  • New scrubbing centers have been deployed on AWS and Azure. Please allow access to your application from the IP addresses of these scrubbing centers.

    East US2 on Azure

    • 20.69.235.177
    • 20.81.153.33
    • 20.81.153.78 (offline)

    Australia East on Azure

    • 20.70.160.47
    • 20.70.152.97
    • 20.70.152.115 (offline)

    Europe (Milan) on AWS

    • 15.161.173.116
    • 15.161.10.152
    • 15.161.24.119 (offline)
    • 2a05:d01a:9f2:1701:bd84:9314:f93:b2f
    • 2a05:d01a:9f2:1702:aca5:5d4d:1995:50d
    • 2a05:d01a:9f2:1701:3e5:91fb:2690:b114 (offline)

20.4.b released on November 23, 2020

  • It is now possible to enable HSTS forcing clients to only use HTTPS with the application.
  • When enabled, FortiWeb Cloud will use the Secure flag for its session management cookie only allowing its use over HTTPS.
  • The logic in which FortiWeb Cloud retrieves automatic certificates has been optimized. Additionally, a new “Retrieve” button is added to allow manual retrieval of automatic certificates.

For more information on the new features, see Endpoints.

20.4.a released on November 10, 2020

  • As the FortiWeb Cloud service is already protected against volumetric DDoS attacks, TCP flood prevention is removed in order to prevent conflicts.
  • Configuration deployment is significantly improved to reduce service disruption.
  • New scrubbing centers are deployed in eu-central-1: EU (Frankfurt) on AWS. See Restricting direct traffic & allowing FortiWeb Cloud IP addresses.

20.3.b released on September 16, 2020

  • A new scrubbing center has been deployed on AWS - ap-south-1:Asia Pacific (Mumbai). See FortiWeb Cloud scrubbing centers on AWS.
  • API Key settings is no longer part of the Global Settings role, allowing to generate an API key for read-only defined roles as well.
  • DNS status changes will now be recorded in the audit log.
  • When a source violates the API Gateway rule, it is possible to automatically block the source IP for a period of 10 minutes.
  • In addition to 443, 7443, and 8443, ports 8081 and 8014 can now be used for HTTPS service.
  • Fabric Connectors is renamed to Cloud Connectors.

20.3.a released on August 10, 2020

  • Optimizations on Reports:
    • Add a new query Applications Traffic Summary for report category.
    • Support adding or removing all applications once.
    • Activate or deactivate report generation for scheduled reports.
    • Weekly reports enabling is removed from Global Settings.
  • A new trustlist module is added to allow trusting specific parameters. Once enabled security enforcement is bypassed for the specified parameters. See Global Trustlist.
  • You can now define a separate Action per security module allowing, for example for some modules to only trigger an alert while others are set to block. Enabled when Advanced Configuration is enabled.
  • The Filter option for Cloud Connector is optimized to show all available options for a selected fabric connector.
  • A new Ansible template is released to allow configuring an endpoint’s certificate configuration. See Configuring FortiWeb Cloud with Ansible.
  • FortiWeb Cloud now supports generating an API key for authentication. See API Key.
  • Advanced Configuration is added in Global Settings. Once enabled a templates tab is introduced together with the ability to configure the Action interface for each security module.
  • Six new predefined templates containing commonly used WAF security configuration for different known applications such as Drupal and WordPress are introduced in this release. See Templates
  • FortiWeb Cloud will keep the data in your account for an additional week after you unsubscribe from FortiWeb Cloud.

20.2.d released on July 1, 2020

  • Cloud Connectors is introduced to support origin servers with dynamically changing IP addresses. See Cloud Connectors.
  • IPv6 is now supported for customers utilizing FortiWeb Cloud on AWS. You can enable IPv6 service in Endpoint, add origin servers with IPv6 addresses, or configure IPv6 addresses in IP Protection and Custom Rule.
  • New report types added together with capability to schedule reports with granularity around application and report time frame.
  • Support for DevOps tools including Jenkins, Ansible, and Terraform has been added. You can use them to automatically onboard or delete applications and change the IP list in IP Protection. Contact support to download the template.

20.2.c released on June 17, 2020

  • Role Management is introduced to offer an easier way to manage access privileges and permissions specific to a job function. See Role management.
  • Manually test in real-time the health status of a origin server. See Origin Servers.
  • You can now insert Content-Security-Policy header to prevent certain types of attacks, including XSS and data injection attacks. See HTTP Header Security.

20.2.b released on May 29, 2020

  • You can now configure Allow Known Search Engines in Threshold Based Detection to accept/deny the traffic from known search engines such as Google, Bing, and Yahoo, etc. This is enabled by default. See Threshold Based Detection.
  • FortiWeb Cloud now supports onboarding applications running on non-standard ports. Certain limitations apply. See Traffic Type.
  • A new scrubbing center has been deployed on AWS - sa-east-1:South America. See FortiWeb Cloud scrubbing centers on AWS.

  • A new protection mechanism is introduced for SQL Injection attacks called Syntax Based Detection. It uses a SQL parser to validate whether the pattern is real SQL language which helps identify true attacks while minimizing false positives. See Known Attacks.

  • Paging is optimized for Attack Logs and Audit Logs. A maximum of 10,000 attack/audit logs are displayed per each filter in Attack/Audit Logs.
  • Audit logs now cover changes in automatic certificates status including: starting to apply, failed to apply, applied successfully, renewed successfully, and failed to renew.

  • Additional health check statuses have been added to the audit log. The Server Status widget display is updated.

20.2.a released on April 27, 2020

  • You can now define an Allow Only list in IP Protection to limit access to the application to specified IP addresses. See IP Protection.
  • You can now send a customized block page to clients triggering WAF rules. See Endpoints.
  • Forwarding attack and event logs to ElasticSearch is now supported. See Log Settings and Audit logs.
  • A new OWASP Top 10 widget together with a new FortiView OWASP Top 10 view have been added.

20.1.b released on March 21, 2020

  • Parameter name is supported when creating a signature exception rule for Known Attacks, Information Leakage, and Threshold Based Detection.
  • It's now supported to add URL and parameter exceptions in attack logs.

20.1.a released on February 29, 2020

  • Three new modules supported for API PROTECTION.

    • Mobile API Protection module allows to protect your Mobile APIs from malicious attacks by verifying the mobile device authenticity. See Mobile API Protection.
    • API Gateway module allows to control and secure all access to you APIs. You can define API users, verify API keys, and perform access control, etc. See API Gateway.
    • JSON Protection module allows to verify JSON request limits and JSON request parameters to protect against API attacks. See JSON Protection.
  • WAF configuration template is added for you to push WAF configurations to multiple applications. See Templates.
  • Bot mitigation leverages various detection mechanisms to quickly filter out automated threats.
    • Biometrics Based Detection: FortiWeb Cloud can now verify whether a client is a bot by monitoring events such as mouse movement, keyboard, screen touch, and scroll, etc. See Biometrics Based Detection.
    • Threshold Based Detection: With predefined occurrence, time period, etc. of suspicious behaviors, FortiWeb Cloud judges whether the request comes from a human or a bot. See Threshold Based Detection.

    • Bot Deception: FortiWeb Cloud now provides a deception technique to identify bots. It inserts a hidden link into response pages. Clients that fetch the URL can accurately be classified as bots. See Bot Deception.
  • XML Protection module is moved from Advanced Applications to API Protection. See XML Protection.
  • User and Time Periods filters are added for Custom Rule. See Custom Rule.
  • Three security modes are added in Cookie Security module. See Cookie Security.
  • Applications page is optimized to accelerate the loading.
  • With the Attack Log Alerts feature, FortiWeb Cloud now supports sending attack log alert emails based on threat level or customized alert email rule. See Log Settings.
  • HTTP/2 communications can be protected when the traffic type is HTTPS. It's supported in Known Attacks, Information Leakage, and Cookie Security.

  • FortiWeb Cloud now supports adding exceptions through Anomaly Detection logs.
  • FortiWeb Cloud now supports Server Name Indication (SNI) configuration that identifies the certificate to use by domain. See Custom Certificate.

24.1 released on Feb 1, 2024

Support for FortiADC Threat Analytics

FortiWeb Cloud now supports the analysis of attack logs from FortiADC, utilizing its advanced AI-based threat analytics system to provide cross-platform visibility. For setup information, see Forwarding FortiADC attack logs to Threat Analytics.

Splunk Version 9 support

You can now export Traffic Logs directly to the latest version of Splunk. This allows seamless ingestion and mapping of security and audit data collected from FortiWeb Cloud. For more information, see FortiWeb Cloud and Splunk.

23.4 released on Nov 16, 2023

Consumption report

A new Consumption report is now available, detailing data/bandwidth consumption for each application. Enable in Global > Settings. For more information, see Settings.

Security Fabric Support for FortiGate 7.x

FortiWeb Cloud devices can now be integrated into the Security Fabric of any FortiGate running 7.0.0 or newer. For more information, see Fortinet Security Fabric.

Redesign rewriting requests to support multiple rules

Rewriting Requests has been redesigned to support multiple actions in single rewrite rule. For more information, see Rewriting Requests.

Support signature exceptions for JSON format

Attack Log has been enhanced to support Exceptions for JSON format requests. You can specify JSON element in the exception rules in Known Attacks and Information Leakage.

Add RST_STREAM Restriction

FortiWeb Cloud has been enhanced to provide better protection for the HTTP/2 Rapid Reset Attack. A new Request Limit has been added that allows limiting the number of RST_STREAM per session. Configure it in Access Rules>Request Limits. For more information, see Request Limits.

Sub-user and Admin (Legacy) migration

FortiWeb Cloud will cease to support Sub-user and Admin (Legacy) accounts starting from version 24.1, which is scheduled for release in January 2024. To ensure uninterrupted access, kindly migrate Sub-user and Admin (Legacy) to IAM user in advance. Failure to do so may result in the them losing access to FortiWeb Cloud. For more information, see Migrating to IAM user.

23.3.a released on Sept 7, 2023

Region IP update

An additional AWS scrubbing center has deployed in the following region. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS il-central-1: Israel (Tel Aviv)

    • 51.17.26.125

      2a05:d025:c86:1702:3be9:6a28:de24:3589

    • 51.16.192.242

      2a05:d025:c86:1702:4ddf:2b90:a945:ea28

    • 51.16.118.151

      2a05:d025:c86:1701:39b:f35d:2126:5c85

    • 51.16.198.214

      2a05:d025:c86:1701:1eb6:57b5:dfe6:4cfb

FortiCloud Organizations (OUs)

FortiWeb Cloud now supports FortiCloud Organization. This centralized account management service consolidates multiple FortiCloud accounts into a structured system of Organization/Organizational Units (OUs). For more information, see FortiCloud Organizational Units.

FortiFlex Contract Support

FortiWeb Cloud is introducing FortiFlex (formerly Flex-VM), a new contract management system that allows customers to buy points that can be directed to match their specific requirements for Application and Bandwidth, instead of being restricted to a limited array of contract choices. For more information, see FortiFlex.

FortiSIEM Support

You can now export your attack and audit logs to FortiSIEM. See Log Settings for more information.

Traffic log export to Azure Storage

You can now export your attack logs to Azure blob storage. See Log Settings for more information.

Allow WAF Cloud IP addresses

You now have the option to download a list of all IP addresses that you need to configure on the firewall. For more information, see Application management.

Custom Rules ordering

You can now adjust the order of custom rules. See Custom Rule for more information.

23.3 released on July 6, 2023

Region IP update

A new scrubbing center will be live on the date of the upcoming release. Please make sure to allow access to your applications from the IP addresses listed below.

  • GCP europe-west-8 (Milan)

    • 34.154.63.30

    • 34.154.60.54

    • 34.154.148.78

    • 34.154.84.52

Waiting Room

Control visitor traffic using a virtual holding space and queuing First-In/First-Out system.

See Waiting Room for more information.

Using FortiAnalyzer as syslog server

You now have the option to export logs to FortiAnalyzer to leverage its powerful log management, analytics, and reporting capabilities.

See Log Settings for more information.

Vulnerability Scan service available on Public Cloud Marketplace

Customers that subscribed via Public Cloud marketplace can now run vulnerability scans without having to purchase a separate license. They will be automatically billed via the existing subscription

See Vulnerability Scan for more information.

IAM user role management in FortiCloud

You can now directly assign roles to IAM users in FortiCloud, simplifying the process of managing user access and permissions

See Admin management for more information.

Cache clear for all pages or a single page

The Caching and Compression module now includes the capability to clear the cache for all pages or a single page.

See Caching and Compression for more information.

23.2 released on April 28, 2023

ML based API Protection - Schema and Threat Protection

A new protection layer called “Threat Protection” has been added to the ML based API Protection module. It learns parameter value patterns from API body requests and builds mathematical models to screen out abnormal requests that are deemed malicious. Additionally, you can now set individual API path schema protection rules to detect malformed API requests.

See ML Based API Protection for more information.

IP Protection – uploading an IP List in batch

In IP Protection, instead of configuring IPs one by one, you can now upload a CSV file with a list of IPs instead. See IP Protection for more information.

SOC Analyst Workflow - ServiceNow Integration

Incident Notifications now supports Service Now. You can configure FortiWeb Cloud to create an incident in ServiceNow when threat incidents occur. See Settings for more information.

Account permission control at the Application level moved to Admin Management

The account permission control at the application level was in Role Management. Now it’s moved to Admin Management. See Admin management for more information.

Log filtering enhancements

Attack log now displays logs from all applications, filtering for a specific application is not required. Additionally, filters have been enhanced with filter suggestions.

Application configuration clone

In previous versions, applying a configuration template to specific applications could be done in Global > Templates. However, now you can create a new template by cloning an existing application's configuration in Global > Applications.

RESTful API version upgraded to v2

FortiWeb Cloud now supports RESTful API v2. Currently v1 is still supported, but some URLs and formats have changed. We cannot guarantee that the RESTful API scripts in v1 format still work.

Please note that starting from the next version 23.2.a, v1 will be no longer supported.

23.1 released on February 24, 2023

SOC Analyst Workflow – Jira and Email Integration

You can now define various rules to automatically create a Jira ticket or send an email when certain Incidents occur. This can help SOC analysts assign an incident to someone else in the organization. See Settings for more information.

Update Details in Audit Logs

Audit logs now provide details on the configuration changes with before&after information.

Threat Analytics – Aggregation across multiple applications

Threat Analytics now aggregates events and finds patterns across multiple applications within the same account. This can help identify sophisticated attack campaigns that focus on multiple customer web assets.

Vulnerability scan bypassing FortiWeb Cloud

You can now bypass the FortiWeb Cloud protection when running a FortiWeb Cloud’s vulnerability scan. This can help to understand if the application is vulnerable, before implementing FortiWeb Cloud security. Enable the Bypass WAF option in Vulnerability Scan. See Vulnerability Scan for more information.

Validate HTTPS Origin Server Certificates

You can now upload SSL certificates to secure the connections between FortiWeb Cloud and your origin sever. See Origin Servers for more information.

URL rewriting based on protocol

When configuring the Rewriting Requests rule, you can now specify that the URL will be rewritten only if it's in HTTP or HTTPS request. See Rewriting Requests for more information.

22.4.a released on December 15, 2022

CORS (Cross-Origin Resource Sharing) Protection

CORS (Cross-Origin Resource Sharing) is introduced to help protect users by controlling and restricting client browsers from accessing origins (domain, scheme, or port) other than the server itself.

For more information, see CORS protection.

Attack Log Changes

Attack logs tab now merged into Threat Analytics and display logs from all applications. Additionally, FortiWeb Cloud now collects and displays logs from WAF gateways as well.

Client Certificate Authentication

Configure client certificate authentication rules to verify users by their client certificate.

For more information, see Client Certificate Authentication in Endpoints.

CVE Widget/ FortiView CVE

Additional visibility to attacks trying to exploit known vulnerabilities is added in this version. New FortiView view by CVE and Threat Analytics CVE widget are added.

SSL/TLS Encryption Enhancements

  • New SSL Encryption Level groups are added: In an effort to follow industry standards, new encryption groups added - Mozilla-Modern, Mozilla-Intermediate, and Mozilla Old.

  • The existing "High or Medium" SSL Encryption Level groups will only be available for existing applications. It is recommended to switch them to the new groups.

  • New SSL Encryption Level groups are now also available for Origin Servers to control the encryption levels from FortiWeb Cloud to the backend application.

ML Based API Protection data view enhancement

  • ML based API Protection is enhanced to automatically update API endpoints when the application changes.

  • UI is rearranged to provide easier visibility to API endpoints.

  • PII specific data labels have been added.

22.4 released on November 06, 2022

Bug fix

We have fixed several bugs to deliver better performance.

Region IP update

IP addresses of the following scrubbing centers are being updated. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS eu-west-2: Europe (London)

    • 18.168.230.94

    • 2a05:d01c:64d:7001:1e54:38a8:2653:4d95

    • 18.130.48.8

    • 2a05:d01c:64d:7002:8a95:b846:2f49:ca5b

22.3.c released on October 6, 2022

Bug fix

We have fixed several bugs to deliver better performance.

Region IP update

IP addresses of the following scrubbing centers are being updated. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS sa-east-1: South America (Sao Paulo)

    • 18.229.224.63

    • 2600:1f1e:653:3201:6d62:b616:3070:869f

    • 15.229.95.152

    • 2600:1f1e:653:3202:cad1:1b69:28e2:ccea

  • Azure East US2

    • 20.14.167.255

    • 20.65.95.32

22.3.b released on September 23, 2022

Region IP update

IP addresses of the following scrubbing centers are being updated. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS us-east-1: US East (N. Virginia)

    • 3.214.245.110

    • 2600:1f18:1492:1701:7c58:5331:25e3:3343

    • 3.225.188.145

    • 2600:1f18:1492:1702:b3ff:2b1d:d9a7:9e88

  • New region on Azure: Canada Central

    • 20.63.56.203

    • 20.63.58.199

    • 20.48.236.10

    • 20.48.236.225

Threat Analytics Incident Tags

Administrators can now use predefined tags or create their own tags for Threat Analytics incidents. This helps in labeling incidents for future usage such as sorting, filtering and acknowledging incidents.

Allowlist FortiWeb Cloud IP Addresses

The following links include up to date FortiWeb Cloud IPs. For security best practice configure your web and network firewall to only accept traffic to your web applications from these IPs - https://www.fortiweb-cloud.com/ips-v4 and https://www.fortiweb-cloud.com/ips-v6.

22.3.a released on August 19, 2022

Threat Analytics integrated with FortiWeb

FortiWeb Cloud now integrates with FortiWeb appliances. Collect attack logs from all your FortiWeb platforms and leverage the power of threat analytics across your entire web assets.

Insights tab in Threat Analytics

The new Insights tab is added in Threat Analytics. It provides an additional layer of incident analysis and offers recommendations to improve your security posture. See Threat Analytics for more information.

Vulnerability Scan

A new Web Vulnerability Scan module is introduced. It helps identify OWASP Top 10 flaws in web applications. Get a comprehensive report with remediation recommendations to protect your web applications. See Vulnerability Scan for more information.

Cookie Exception

It's now supported to add exceptions based cookie name and value. This option is available in Signature Based Detection and Syntax Based Detection in Known Attacks, Information Leakage, and attack logs.

New subscription option on AWS

You can now subscribe FortiWeb Cloud on AWS with a yearly data plan.

22.2.b p2 released on July 27, 2022

Region IP updated

IP addresses of the following scrubbing centers on AWS are being updated. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS eu-central-1: Europe (Frankfurt)

    • 3.127.31.213

    • 2a05:d014:f3c:6c01:5e7a:1eba:64:30ce

    • 52.58.147.238

    • 2a05:d014:f3c:6c02:3b5d:afaa:1d4:b8f1

22.2.c released on June 29, 2022

Sensitivity level for signatures

Known Attacks now include Sensitivity Levels. You can now choose from four categories of attack signatures (L1 to L4) based on their sensitivity to false positives and their requirement for a higher security level. Every level adds additional signatures thus increasing security but also the possibility of blocking legitimate traffic.

Personally Identifiable Information

On Information Leakage page, you can now configure FortiWeb Cloud to identify personally identifiable information (PII)

Top Known Threats widget

A Top Known Threats widget is added to the Dashboard. It lists the top attacks triggered on your web assets by CVE.

New SOC Analyst role

A new SOC Analyst role is added to the Role management tab.

Region IP updated

IP addresses of scrubbing centers on Azure and Google Cloud are being updated and they will be in effect in the next release 22.3.a. Make sure to update your systems if you created rules limiting access to these IPs. Refer to Restricting direct traffic & allowing FortiWeb Cloud IP addresses for the updated IP addresses.

22.2.a p1 released on June 10, 2022

New scrubbing center clusters

Additional AWS WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS ap-east-1 (Hongkong)

    • 18.166.240.188

    • 2406:da1e:b:ae01:31b6:202a:2bbc:79da

    • 18.167.155.174

    • 2406:da1e:b:ae02:f3f4:38fa:d7a2:311a

    • 16.163.110.210

    • 2406:da1e:b:ae01:b1ae:20d2:703f:a868

    • 18.167.190.240

    • 2406:da1e:b:ae01:841e:27d4:4642:5f7f

    • 16.163.212.249

    • 2406:da1e:b:ae02:5b3d:9808:f840:b303

22.2.a released on May 16, 2022

Machine Learning based API Protection

Machine Learning based API Discovery is now upgraded to Machine Learning based API Protection. FortiWeb Cloud can now block anomalies based on the schema it has automatically created and built for the application.

UI enhancements for Machine Learning based API Protection

A new API Collection tab is added with two views, Path List and API View. Path list provides an way to sift through all APIs and easily identify, parameters and schema action. The tree view has been removed.

Machine learning changes

  • The API Discovery module is removed. The old configurations and the machine learning models are cleared.

  • The configurations of the Anomaly Detection are not affected, but its machine learning models are cleared.

Traffic Summary

A new page named Traffic Summary is added under FortiView. View traffic statistics such as source IP addresses, URL, User Agent, Return Code, and Request Method.

Billing system update

Due to a metering issue, customers that have CDN enabled were only partially billed for their traffic. This issue is now fixed.

Region IP updated

IP addresses of scrubbing centers on AWS are being updated and they will be in effect in the next release 22.2.b. Make sure to update your systems if you created rules limiting access to these IPs. Refer to Restricting direct traffic & allowing FortiWeb Cloud IP addresses for the updated IP addresses.

Traffic log exporting

You can now use FortiWeb Cloud to log all access requests and export traffic log to an AWS S3 bucket. See Exporting traffic logs.

Threat Analytics widget on Dashboard

A Dashboard tab has been added to Threat Analytics.

22.1.c released on April 4, 2022

Threat Analytics

We’re introducing a new service called Threat Analytics in this release. The service uses machine learning algorithms to identify attack patterns across your entire application assets and aggregate them into security incidents and assign severity. It helps separate real threats from informational alerts and false positives and help you focus on the threats that matter. See Threat Analytics for more information.

OWASP 2021 attack type

Attack types have been aligned to the OWASP Top 10. You will notice attack logs being tagged with new category names.

DNS status update

FortiWeb Cloud now updates your application's DNS status every two minutes on the first day when it's onboarded, then once an hour after that. An "Update" button had been added to allow to manually update the DNS status at any time.

22.1.b released on February 24, 2022

Blocking Known Engines

In addition to allowing known engines, you can now also set the action to block or bypass.

Domain filter type in Attack Logs

You can now filter the attack logs by domain names.

CC-attack detection

Bot Detection can now prevent against Challenge Collapsar (CC) attacks.

22.1.a released on January 9, 2022

New scrubbing center clusters

Additional AWS WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS us-east-1 (N.Virginia)

    • 3.228.64.186

    • 2600:1f18:1492:1701:e54f:59c6:7114:2878

    • 3.231.16.50

    • 2600:1f18:1492:1702:e618:cb8e:f4b5:4ba4

  • AWS eu-central-1 (Frankfurt)

    • 35.156.146.120

    • 2a05:d014:f3c:6c01:24c5:1d8d:b3be:2785

    • 35.158.251.28

    • 2a05:d014:f3c:6c02:2490:b345:e759:f43f

Chat bot integration

A new chatbot has been integrated to help address frequently asked questions.

Signature search

It is now possible to search for specific signatures in the Known Attacks and Information Leakage dictionaries. You can search by CVE, keywords, signature IDs and by attack category.

21.4.b released on December 5, 2021

Action required! Change your A record ASAP!

The IP addresses of FortiWeb Cloud have changed. If you are using a CNAME record to point your domains to FortiWeb Cloud you do not need to do anything.

However, if you are using an A record to point your domain to FortiWeb Cloud you need to change the IP address in your DNS A record as soon as possible, otherwise when your web application certificate expires it will fail to renew.

To update the A record:

  1. Log in to FortiWeb Cloud.
  2. Go to Global > Applications.
  3. Find the application which uses the A record.
  4. Click Update Pending in DNS Status column. You can find the new IP addresses in the pop-up window.
  5. Go to your DNS service and find the A record, then pair your domain name with the new IP addresses.

This change applies only to A record. For restricting direct traffic and configuring the allowlist in a DDoS device, you can use the same IP addresses as before.

An easier way to look up Cloud WAF IP addresses

The Regions column in the applications tab has been populated with additional information. It displays the IP addresses of the Cloud WAF scrubbing centers assigned to your applications.

Caching added to dashboard widgets

Caching data has been added to the Throughput and Incoming Requests dashboard widgets.

Default action changed for GEO IP violations

The action taken for the GEO IP violations is changed from Deny&Alert to Period Block (600 seconds).

Minimum interval of Information Leakage logs

To avoid log flooding, the minimum interval of Information Leakage logs is set to 1 second.

21.4.a p3 released on November 12, 2021

New scrubbing center clusters

Additional AWS WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS ap-south-1 (Mumbai)

    • 3.109.248.211

    • 2406:da1a:31:d501:fc19:5e59:9804:b392

    • 3.109.17.189

    • 2406:da1a:31:d502:2eaf:153f:91b3:7dc0

    • 3.108.0.134 (offline)

    • 2406:da1a:31:d501:4933:f303:c5b:4726 (offline)

  • AWS us-east-2 (Ohio)

    • 3.131.242.28

    • 2600:1f16:160:aa01:4584:fec1:ab59:6bd4

    • 18.188.127.1

    • 2600:1f16:160:aa02:5629:28f1:196d:acbe

    • 3.132.52.4 (offline)

    • 2600:1f16:160:aa01:6d33:94aa:74c0:7cf0 (offline)

21.4.a released on October 8, 2021

  • URL Redirection enhancement

    When redirecting clients to a new host or IP address in a “301 Permanently” response, you can now keep the URL path while executing redirection. For example, clients visiting "www.aaa.com/test.html" can be redirected to "www.bbb.com/test.html".

  • CDN enhancement

    CDN feature is enhanced to allow selecting a specific continent instead of caching globally. This can help address compliance requirements that mandate application traffic must be served from a specific continent.

  • New scrubbing centers

    Additional AWS WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

    • AWS ap-southeast-1 (Singapore)

      • 18.136.170.71

      • 2406:da18:ad1:1101:b6ad:34de:de05:5ef3

      • 13.214.45.126

      • 2406:da18:ad1:1102:9a1c:767e:1e67:4763

      • 13.250.74.198(Offline)

      • 2406:da18:ad1:1101:1fb2:25ab:77f1:42e4(Offline)

    • AWS ca-central-1 (Canada)

      • 3.97.158.98

      • 2600:1f11:8c:9101:eb3:39f1:1815:884e

      • 3.97.249.50

      • 2600:1f11:8c:9102:411d:63f2:e5b4:5209

      • 3.98.118.237(Offline)

      • 2600:1f11:8c:9101:62aa:927:70dd:acfa(Offline)

    • AWS us-west-1 (N.California)

      • 52.8.219.206

      • 2600:1f1c:b97:d801:ff83:8b03:7a29:5981

      • 52.9.219.121

      • 2600:1f1c:b97:d802:fe8f:1a5d:5d1:1c6b

      • 54.215.20.148(Offline)

      • 2600:1f1c:b97:d801:fd1b:8346:e92e:466b(Offline)

    • AWS us-west-2 (Oregon)

      • 35.160.55.58

      • 2600:1f14:b5a:da01:a32:4cac:f337:9c00

      • 44.241.247.81

      • 2600:1f14:b5a:da02:5a8e:d30:ff37:18a9

      • 52.37.161.224(Offline)

      • 2600:1f14:b5a:da01:c9ac:e531:128b:ae2c(Offline)

21.3.b patch2 released on September 24, 2021

Additional AWS WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

  • AWS eu-west-1 (Ireland)

    • 54.78.90.129

    • 2a05:d018:77c:d901:4f37:924f:6ea2:5952

    • 54.217.132.119

    • 2a05:d018:77c:d902:6605:9bef:2ca3:f220

    • 52.18.74.99 (offline)

    • 2a05:d018:77c:d901:550f:2833:9dbd:362c (offline)

  • AWS eu-west-2 (London)

    • 18.134.173.119

    • 2a05:d01c:64d:7001:7f27:28fe:f43b:e55b

    • 52.56.112.105

    • 2a05:d01c:64d:7002:a0b0:a076:53b2:31e3

    • 35.178.16.146 (offline)

    • 2a05:d01c:64d:7001:b99d:28b6:db62:e2bd (offline)

  • AWS eu-south-1 (Milan)

    • 15.161.215.247

    • 2a05:d01a:9f2:1701:4d5b:f1a8:d291:5a84

    • 15.161.76.114

    • 2a05:d01a:9f2:1702:8e71:e939:c954:1608

    • 15.160.42.32 (offline)

    • 2a05:d01a:9f2:1701:75ab:6622:8788:fdb2 (offline)

21.3.b released on September 3, 2021

  • Know Bots module

    Known bad bots and known search engines configuration is moved from Threshold Based Detection to a new module named Known Bots. See Known Bots for more information.

  • User Management enhancement

    Tighter and stricter integration with FortiCloud is introduced. FortiCloud sub users and IAM users are automatically assigned certain permissions on FortiWeb Cloud. See Admin management.

  • SQL and XSS Syntax Based Detection Enhancements

    Additional granularity is available for SQL and XSS Syntax Based Detection. You can specify the SQL injection types and XSS attack types to parse against. See Known Attacks for more information.

  • Alert notification upon certificate renewal failure

    When FortiWeb Cloud fails to renew or retrieve a certificate, a notification message will be displayed on the Web UI. An alert email will be sent as well.

  • Block page layout enhancement

    The layout of the "Server Unavailable Message" and "Attack Block Page" displayed to your application users is enhanced. Go to Global > System Settings > Custom Block Pages to view the updated pages.

  • Filter type changes in Custom Rule

    The filter type "Security Rules" in Custom Rule is now renamed to Known Attacks. "Information Disclosure" and "Known Bad Bots" are no longer available when Known Attacks is chosen.

  • DNSSEC support on AWS

    DNS Security Extensions (DNSSEC) has been enabled for CNAMEs associated with applications hosted on AWS to protect against DNS spoofing, cache poisoning, or other DNS-related man-in-the-middle attacks.

  • DevOps tools configuration file update

    The configuration file for Ansible and Terraform is updated so that the API token is not exposed in yml file. See Using FortiWeb Cloud with DevOps tools.

21.3.a released on July 24, 2021

  • API Discovery (Beta)

    Use Machine Learning Based API discovery to learn the REST API data structure from user traffic. By studying the samples, a Swagger file will be generated describing the data structure such as the URL pattern and schema of endpoint data. See ML Based API Protection for more information.

  • Bot Detection (Beta)

    The AI-based machine learning bot detection model is introduced to complement the existing signature and threshold based rules. It detects sophisticated bots that can sometimes go undetected. See ML Based Bot Detection for more information.

  • Syntax based Cross Site Scripting detection

    Syntax Based Cross Site Scripting detection is introduced in the Known Attacks module to detect the XSS injection attacks using a sophisticated, non-signature based module that analyzes HTML/JavaScript syntax. See Known Attacks for more information.

  • Caching and Compression enhancements

    Additional granularity available for Caching and Compression. You can configure HTTP Method, Allow Return Code, Allow File Type, and Key Generation Factor to define the content to be cached. Resources cached on FortiWeb Cloud can now be purged. See Caching and Compression for more information.

  • DNS and HTTP challenges for Automatic Certificate

    It's now allowed to select whether to use DNS or HTTP challenge to validate your ownership of the domains. See Endpoints for more information.

  • Wildcard in domain names

    You can use wildcard to match multiple domains when onboarding an application. SeeEndpoints for more information.

  • HTTP only flag

    You can configure the Endpoints settings to add "HTTP Only" flag to internal cookies, which prevents client-side scripts from accessing the cookie. SeeEndpoints for more information.

  • Server certificate verification for log exporting

    FortiWeb Cloud by default enforces server certificate verification before it sends logs to the log server. See for more information.

  • Customizing HTTP Response Code

    It's now allowed to change the HTTP Response Code of Attack Block Page in custom block message.

21.2.c released on June 11, 2021

  • Sensitive Data Masking

    Sensitive Data Masking allows masking certain data types such as user names, passwords and other PII information that could appear in the packet payloads accompanying a log message. See Sensitive Data Masking for more information.

  • Parameter Validation

    A new security module named Parameter Validation is introduced in this release. It validates parameter input such as whether they’re required, maximum allowed length or whether they match pre-defined/customized patterns. See Parameter Validation for more information.

  • New scrubbing center

    A New scrubbing center has been deployed on Azure. Please allow access to your application from the IP addresses of these scrubbing centers.

    • Brazil South (São Paulo State)

      • 20.195.163.139

      • 20.197.225.122

      • 20.197.226.167 (Offline)

  • Origin Server Lock

    Origin Server Lock protects your application from attackers that try to bypass FortiWeb Cloud security measures by pointing their onboarded application to your origin server. See Origin Server Lock for more information.

  • Full support of HTTP/2

    HTTP/2 was supported only in certain security modules previously. Now FortiWeb Cloud fully supports HTTP/2 across all security modules.

  • Customized SSL/TLS Encryption Level

    You can customize the SSL/TLS Encryption Level by selecting the ciphers from the available ciphers list. See SSL/TLS and Supported cipher suites & protocol versions for more information.

  • Alerts for soon to expire certificates

    FortiWeb Cloud can now send an email alert when local certificates in Endpoints are about to expire.

  • Third Party IdP initiated SAML support

    Third Party IdP initiated SAML is now supported allowing to automatically access FortiWeb Cloud admin interface using your organization’s user credentials via a third party ID provider. See Managing External IdP roles in FortiCloud IAM for more information.

21.2.b released on May 26, 2021

  • It is now possible to enable sub categories and allow or deny specific bots in Threshold Based Detection’s Known Bad Bots, replacing the exception rules. If you had known bad bots exception rules configured make sure you enable/disable the bad bots via the new interface.

  • Syntax Based Detection exceptions are now based on attack types instead of signature IDs. Exceptions are configured separately from Signature Based Detection exceptions.

21.2.a released on May 1, 2021

  • The number of allowed custom rules per application has been raised to 24.

  • Additional granularity available for Credential based brute force protection. You can configure a target URL and occurrence period.

  • Additional WAF clusters have deployed in the following existing regions. Please make sure to allow access to your application from the IP addresses listed below.

    • AWS

      • eu-central-1 (Frankfurt)

        • 18.192.64.32

        • 2a05:d014:f3c:6c01:99d0:8c50:ae51:99ac

        • 3.125.233.133

        • 2a05:d014:f3c:6c02:58:3e12:a98a:df9f

        • 3.64.105.7 (offline)

        • 2a05:d014:f3c:6c01:55bc:c559:8bb1:11e0 (offline)

      • sa-east-1 (Sao Paulo)

        • 54.207.227.252

        • 2600:1f1e:653:3201:eac8:161d:c0a:6915

        • 177.71.170.92

        • 2600:1f1e:653:3202:3615:6e2c:7b0c:85c9

        • 54.232.72.181 (offline)

        • 2600:1f1e:653:3201:d1a5:34ae:e023:be2d (offline)

    • Azure

      • West Europe

        • 20.86.129.248

        • 20.86.49.155

        • 20.86.49.12 (offline)

21.1.c released on March 1, 2021

The following enhancements are made in Rewriting Requests module:

  • In addition to the connection's source IP, it's now possible to record the connection's source port in the X-Forwarded-For: header.
  • The X-Forwarded-Port: header can be added to record the connection's original destination port.

See Rewriting Requests for more information.

21.1.b released on February 9, 2021

  • It's now supported to redirect requests based on host names, for example, redirecting from example.com to www.example.com. See Rewriting Requests.

  • You can now sign in FortiWeb Cloud as IAM users.

  • New scrubbing centers have been deployed on the following regions on OCI. Please allow access to your application from the IP addresses of these scrubbing centers.

    • US West (Phoenix)

      • 158.101.43.252

      • 158.101.43.253

      • 129.146.233.205 (Offline)

    • Germany Central (Frankfurt)

      • 158.101.176.179

      • 193.122.55.66

      • 132.145.248.29 (Offline)

21.1.a released on January 11, 2021

  • It is no longer required to have a port 80 HTTP service enabled to successfully generate automatic certificates. The limitation has been removed.
  • Custom ports HTTP 9219 and HTTPS 8181 are now supported.
  • You can now customize the following pages that FortiWeb Cloud displays to your users:
    • Attack Block Page
    • Server Unavailable Page
    • Captcha Enforcement Page

    The old Custom Block Page configurations will be discarded. You need to re-configure it through the new page. See Custom block pages.

  • New scrubbing centers have been deployed on AWS and Azure. Please allow access to your application from the IP addresses of these scrubbing centers.

    East US2 on Azure

    • 20.69.235.177
    • 20.81.153.33
    • 20.81.153.78 (offline)

    Australia East on Azure

    • 20.70.160.47
    • 20.70.152.97
    • 20.70.152.115 (offline)

    Europe (Milan) on AWS

    • 15.161.173.116
    • 15.161.10.152
    • 15.161.24.119 (offline)
    • 2a05:d01a:9f2:1701:bd84:9314:f93:b2f
    • 2a05:d01a:9f2:1702:aca5:5d4d:1995:50d
    • 2a05:d01a:9f2:1701:3e5:91fb:2690:b114 (offline)

20.4.b released on November 23, 2020

  • It is now possible to enable HSTS forcing clients to only use HTTPS with the application.
  • When enabled, FortiWeb Cloud will use the Secure flag for its session management cookie only allowing its use over HTTPS.
  • The logic in which FortiWeb Cloud retrieves automatic certificates has been optimized. Additionally, a new “Retrieve” button is added to allow manual retrieval of automatic certificates.

For more information on the new features, see Endpoints.

20.4.a released on November 10, 2020

  • As the FortiWeb Cloud service is already protected against volumetric DDoS attacks, TCP flood prevention is removed in order to prevent conflicts.
  • Configuration deployment is significantly improved to reduce service disruption.
  • New scrubbing centers are deployed in eu-central-1: EU (Frankfurt) on AWS. See Restricting direct traffic & allowing FortiWeb Cloud IP addresses.

20.3.b released on September 16, 2020

  • A new scrubbing center has been deployed on AWS - ap-south-1:Asia Pacific (Mumbai). See FortiWeb Cloud scrubbing centers on AWS.
  • API Key settings is no longer part of the Global Settings role, allowing to generate an API key for read-only defined roles as well.
  • DNS status changes will now be recorded in the audit log.
  • When a source violates the API Gateway rule, it is possible to automatically block the source IP for a period of 10 minutes.
  • In addition to 443, 7443, and 8443, ports 8081 and 8014 can now be used for HTTPS service.
  • Fabric Connectors is renamed to Cloud Connectors.

20.3.a released on August 10, 2020

  • Optimizations on Reports:
    • Add a new query Applications Traffic Summary for report category.
    • Support adding or removing all applications once.
    • Activate or deactivate report generation for scheduled reports.
    • Weekly reports enabling is removed from Global Settings.
  • A new trustlist module is added to allow trusting specific parameters. Once enabled security enforcement is bypassed for the specified parameters. See Global Trustlist.
  • You can now define a separate Action per security module allowing, for example for some modules to only trigger an alert while others are set to block. Enabled when Advanced Configuration is enabled.
  • The Filter option for Cloud Connector is optimized to show all available options for a selected fabric connector.
  • A new Ansible template is released to allow configuring an endpoint’s certificate configuration. See Configuring FortiWeb Cloud with Ansible.
  • FortiWeb Cloud now supports generating an API key for authentication. See API Key.
  • Advanced Configuration is added in Global Settings. Once enabled a templates tab is introduced together with the ability to configure the Action interface for each security module.
  • Six new predefined templates containing commonly used WAF security configuration for different known applications such as Drupal and WordPress are introduced in this release. See Templates
  • FortiWeb Cloud will keep the data in your account for an additional week after you unsubscribe from FortiWeb Cloud.

20.2.d released on July 1, 2020

  • Cloud Connectors is introduced to support origin servers with dynamically changing IP addresses. See Cloud Connectors.
  • IPv6 is now supported for customers utilizing FortiWeb Cloud on AWS. You can enable IPv6 service in Endpoint, add origin servers with IPv6 addresses, or configure IPv6 addresses in IP Protection and Custom Rule.
  • New report types added together with capability to schedule reports with granularity around application and report time frame.
  • Support for DevOps tools including Jenkins, Ansible, and Terraform has been added. You can use them to automatically onboard or delete applications and change the IP list in IP Protection. Contact support to download the template.

20.2.c released on June 17, 2020

  • Role Management is introduced to offer an easier way to manage access privileges and permissions specific to a job function. See Role management.
  • Manually test in real-time the health status of a origin server. See Origin Servers.
  • You can now insert Content-Security-Policy header to prevent certain types of attacks, including XSS and data injection attacks. See HTTP Header Security.

20.2.b released on May 29, 2020

  • You can now configure Allow Known Search Engines in Threshold Based Detection to accept/deny the traffic from known search engines such as Google, Bing, and Yahoo, etc. This is enabled by default. See Threshold Based Detection.
  • FortiWeb Cloud now supports onboarding applications running on non-standard ports. Certain limitations apply. See Traffic Type.
  • A new scrubbing center has been deployed on AWS - sa-east-1:South America. See FortiWeb Cloud scrubbing centers on AWS.

  • A new protection mechanism is introduced for SQL Injection attacks called Syntax Based Detection. It uses a SQL parser to validate whether the pattern is real SQL language which helps identify true attacks while minimizing false positives. See Known Attacks.

  • Paging is optimized for Attack Logs and Audit Logs. A maximum of 10,000 attack/audit logs are displayed per each filter in Attack/Audit Logs.
  • Audit logs now cover changes in automatic certificates status including: starting to apply, failed to apply, applied successfully, renewed successfully, and failed to renew.

  • Additional health check statuses have been added to the audit log. The Server Status widget display is updated.

20.2.a released on April 27, 2020

  • You can now define an Allow Only list in IP Protection to limit access to the application to specified IP addresses. See IP Protection.
  • You can now send a customized block page to clients triggering WAF rules. See Endpoints.
  • Forwarding attack and event logs to ElasticSearch is now supported. See Log Settings and Audit logs.
  • A new OWASP Top 10 widget together with a new FortiView OWASP Top 10 view have been added.

20.1.b released on March 21, 2020

  • Parameter name is supported when creating a signature exception rule for Known Attacks, Information Leakage, and Threshold Based Detection.
  • It's now supported to add URL and parameter exceptions in attack logs.

20.1.a released on February 29, 2020

  • Three new modules supported for API PROTECTION.

    • Mobile API Protection module allows to protect your Mobile APIs from malicious attacks by verifying the mobile device authenticity. See Mobile API Protection.
    • API Gateway module allows to control and secure all access to you APIs. You can define API users, verify API keys, and perform access control, etc. See API Gateway.
    • JSON Protection module allows to verify JSON request limits and JSON request parameters to protect against API attacks. See JSON Protection.
  • WAF configuration template is added for you to push WAF configurations to multiple applications. See Templates.
  • Bot mitigation leverages various detection mechanisms to quickly filter out automated threats.
    • Biometrics Based Detection: FortiWeb Cloud can now verify whether a client is a bot by monitoring events such as mouse movement, keyboard, screen touch, and scroll, etc. See Biometrics Based Detection.
    • Threshold Based Detection: With predefined occurrence, time period, etc. of suspicious behaviors, FortiWeb Cloud judges whether the request comes from a human or a bot. See Threshold Based Detection.

    • Bot Deception: FortiWeb Cloud now provides a deception technique to identify bots. It inserts a hidden link into response pages. Clients that fetch the URL can accurately be classified as bots. See Bot Deception.
  • XML Protection module is moved from Advanced Applications to API Protection. See XML Protection.
  • User and Time Periods filters are added for Custom Rule. See Custom Rule.
  • Three security modes are added in Cookie Security module. See Cookie Security.
  • Applications page is optimized to accelerate the loading.
  • With the Attack Log Alerts feature, FortiWeb Cloud now supports sending attack log alert emails based on threat level or customized alert email rule. See Log Settings.
  • HTTP/2 communications can be protected when the traffic type is HTTPS. It's supported in Known Attacks, Information Leakage, and Cookie Security.

  • FortiWeb Cloud now supports adding exceptions through Anomaly Detection logs.
  • FortiWeb Cloud now supports Server Name Indication (SNI) configuration that identifies the certificate to use by domain. See Custom Certificate.