Administration Guide

What’s new

FortiWeb 6.1.1 offers the following new features and enhancements.

New features

TLS 1.3 support

TLS 1.3 is now supported in FortiWeb for the SSL connections with clients and back-end servers. You can select TLS 1.3 when creating server pool rules or HTTP policies.

For more information, see http://help.fortinet.com/fweb/611/index.htm#cshid=policies_view.

Cross-Origin Resource Sharing (CORS) protection

CORS protection is added so that only legitimate CORS requests from allowed web applications can reach your application.

For more information, see http://help.fortinet.com/fweb/611/index.htm#cshid=waf_cors_policy.

JSON protection support

You can now configure FortiWeb to verify JSON request limits and JSON request parameters to protect against API attacks.

For more information, see https://docs.fortinet.com/document/fortiweb/611/administration-guide?cshid=json_protection_policy.

WS-Security Rule added for XML Protection

You can now configure WS-Security rules to encrypt and decrypt SOAP messages, digitally sign SOAP messages, and verify SOAP messages using digital signatures.

For more information, see https://docs.fortinet.com/document/fortiweb/611/administration-guide?cshid=waf_xml_protection_rule.

Enhancements

JSON Protection, XML Protection, and OpenAPI Validation integrated into a new API Protection tab

With this integration, you can configure all API-related protections in one place.

XML detection and JSON detection moved to XML Protection and JSON Protection respectively

In this release, XML Protocol Detection and JSON Protocol Detection are moved from Inline/Offline Protection Profile to XML Protection Policy and JSON Protection Policy under API Protection.

Server Side Request Forgery (SSRF) attack detection support

XInclude and Schema Location detections are now supported. You can also configure allowed location URLs by selecting an exempted URL.

For more information, see https://docs.fortinet.com/document/fortiweb/611/administration-guide?cshid=waf_xml_protection_rule.

OWASP Top10 link added to attack log

When you click OWASP Top10 in the attack log, an official introduction to that OWASP category is shown.

For more information, see https://docs.fortinet.com/document/fortiweb/611/administration-guide?cshid=log_access.

Back-end Service field added for attack log

This field shows the type of service used between FortiWeb and the back-end server.

For more information, see https://docs.fortinet.com/document/fortiweb/611/administration-guide?cshid=log_access.

Illegal XML Format and Illegal JSON Format switches removed

Illegal XML Format and Illegal JSON Format switches are removed from Log&Report > Other Log Settings, Policy > Threat Weight, and Tracking > Device Reputation.

HTTP header field configuration support in Custom Global White List

You can whitelist your own custom header field on the Custom Global White List tab in Server Objects > Global > Global White List.

For more information, see https://docs.fortinet.com/document/fortiweb/611/administration-guide?cshid=globalWhitelist_view.

CLIENT_IP and CLIENT_PORT variables added in URL rewriting

With these variables, you can insert the client IP and client port into the HTTP header and send them to the back-end server.

For more information, see https://docs.fortinet.com/document/fortiweb/611/administration-guide?cshid=urlRewrite_view.

An event log added when the HTTP content routing match fails

When the HTTP content routing match fails, an event log is added to indicate the failure. You can control this event log with the new CLI command record-content-routing-error-log to prevent the log from overflowing.

For more information, see https://docs.fortinet.com/document/fortiweb/611/administration-guide?cshid=http_content_routing_policy.

TLSCLIENTPORT available only for AD FS policy

TLSCLIENTPORT is specific to the AD FS policy and has been removed from all other policy types.

HA group ID synchronized to the slave node

To ensure the stability of HA, the group ID is synchronized to the slave unit.

New items added for HTTP Constraint Exceptions

You can now add exceptions for NULL Character in URL, Illegal Character in URL, Odd and Even Space Attack, and WebSocket Protocol in HTTP Constraint Exceptions.

For more information, see https://docs.fortinet.com/document/fortiweb/611/administration-guide?cshid=protocolConstraints_expt_view.

The limit for local certificates and SNI domains increased to 512 from 256

Now, you can import at most 512 local certificates at System > Certificates > Local. Each SNI rule supports 512 domains at System > Certificates > SNI.

ICMP requests control

ICMP requests to the management interfaces are now controlled by both the firewall setting and the interface's allowaccess setting.

Proxy protocol support

FortiWeb now supports proxy protocol for both inbound and outbound HTTP and SSL traffic. You can enable proxy protocol when creating server pool rules or HTTP policies.

For more information, see https://docs.fortinet.com/document/fortiweb/611/administration-guide?cshid=server_pool.

Support SFP+ 10G-Base-T transceiver model DM7051

The transceiver model DM7051 is now supported on FortiWeb 1000E, 2000E, 3000E, 3010E, and 4000E, so that the optical network interface can be used as an electrical one.

HTTP content routing table size increased to 512

The maximum value for the HTTP content routing table size is increased from 256 to 512.

Support customized cipher setting for HTTP/2

You can now customize the supported ciphers in TLS protocol for HTTP/2 traffic.

For more information, see https://docs.fortinet.com/document/fortiweb/611/administration-guide?cshid=policies_view.

Support for brainpool curves P256r1, P384r1, and P512r1

FortiWeb has enhanced its ECC support to include the brainpool curves P256r1, P384r1, and P512r1.

Anomaly Detection supports Transparent Inspection and Offline Protection operation modes

FortiWeb now supports Machine Learning for Anomaly Detection in Transparent Inspection and Offline Protection operation modes.

ADFS Protection default configuration

By default, ADFS Protection is now disabled. Enable the feature in System > Config > Feature Visibility.

For more information, see https://docs.fortinet.com/document/fortiweb/611/administration-guide?cshid=adfs_policies_add.

Close Client Connection when servers are unresponsive

You can configure FortiWeb to close client connections when all the servers in the server pool are unresponsive.

For more information, see server-invalid-no-reponse on this page:

https://docs2.fortinet.com/document/fortiweb/6.1.1/cli-reference/922044/server-policy-setting

FortiWeb Container now available via an AWS PAYG marketplace listing

You can now deploy FortiWeb-Docker-100, FortiWeb-Docker-500, and FortiWeb-Docker-2000 as AWS Docker containers of the PAYG type.

Autoscaling on AWS and Azure

Autoscaling has been enhanced on AWS and Azure.

For more information, see Deploying Auto Scaling on AWS and Deploying Auto Scaling on Azure.

FortiWeb-VM on Alibaba Cloud

FortiWeb-VM can now be deployed on Alibaba Cloud.

For more information, see Deploying FortiWeb-VM on Alibaba Cloud.

FortiWeb-VM on Nutanix

FortiWeb-VM can now be deployed on the Nutanix platform.

For more information, see Deploying FortiWeb-VM on Nutanix.

Azure Stack support

FortiWeb-VM can now be deployed on Azure Stack.

HA support on OCI

You can now deploy FortiWeb-VM High Availability (HA) cluster on OCI.

For more information, see High Availability for FortiWeb on OCI.

HA enhancement on Azure and OCI

For a FortiWeb Active-Passive HA cluster on Azure and OCI, you can configure FortiWeb to notify the load balancer to distribute traffic to the new master node when failover occurs.

For more information, see High Availability for FortiWeb on Azure and High Availability for FortiWeb on OCI.

Callback interval setting added for Autoscale

You can now configure the interval at which FortiWeb sends callback requests when deployed in an auto scaling cluster.

For more information, see config system manager in FortiWeb CLI Reference.

Gemalto SafeNet Network HSM 7 support

SafeNet Network HSM 7, which is faster than other HSMs, replaces SafeNet Luna SA HSM to meet FortiWeb's high-performance requirements.

For more information, see https://docs.fortinet.com/document/fortiweb/611/administration-guide?cshid=hsm.

Support SR-IOV network cards on KVM

FortiWeb has added support for the SR-IOV network cards XL710 and 82599EB on the KVM platform to ensure maximum performance of the virtual machine.
