Administration Guide

What’s new

New features

Full HTTP/2 communication support

FortiWeb now fully supports all features for HTTP/2 communication. See HTTP/2 support for the exceptions.

Caching module improvements

  • ETag, and URLs containing cookies and arguments, are supported for caching;
  • HTTP method, return code, and cache key can be flexibly configured for caching;
  • Hit values are calculated to help you analyze cache utilization.

For more information, see Caching.

Acceleration

The Acceleration module offers a faster browsing experience to your clients by minimizing RTT and payload size and optimizing browser rendering.

For more information, see Acceleration.

Wildcard support for more modules

To allow matching more URLs, wildcard support is added for the request URL in modules such as API Gateway, Bot Deception, URL Access, and File Security.

OpenAPI module enhancement

  • Support for OpenAPI 3.0.x (0-9)
  • Support for the methods OPTIONS, HEAD, PATCH, and TRACE
  • Support for variables in server objects
  • Support for uploading cross-referenced files in a ZIP file.

For more information, see OpenAPI Validation.

User Tracking module enhancement

  • You can now configure FortiWeb to limit the number of concurrent users accessing the same account in User Tracking;
  • Sessions are now stored differently, and remain undisrupted even if FortiWeb is restarted;
  • Session timeout configuration is optimized.

For more information, see Tracking users.

TCP connection and HTTP request failure retry

In case of any TCP connection or HTTP request failure, FortiWeb reconnects to the single server, or switches to another server when more than one pserver is available in the server pool.

For more information, see Configuring an HTTP server policy.

Brute Force module enhancement

The Brute Force module is removed from Web Protection > Access > Brute Force. Instead, use the predefined Brute-Force-Login rule and policy in Web Protection > Advanced Protection > Custom Policy to prevent brute force logins.

For more information, see Preventing brute force logins.

URL encryption support

FortiWeb now supports encrypting URLs to prevent forceful browsing and to ensure that the internal directory structure of the web application is not revealed to users.

For more information, see URL encryption.

User-defined IP address or range support

You can specify an IP address or range as the client real IP in the server policy to connect directly to the back-end server.

For more information, see Configuring an HTTP server policy.

FortiSandbox Cloud Service information added in FortiGuard tab

You can now see the FortiSandbox Cloud Service information from System > Config > FortiGuard.

For more information, see Status dashboard.

Multiple IP addresses or IP ranges support in HTTP content routing policy

In a match object entry of source IP, you can import a CSV file containing multiple IPv4/IPv6 addresses or IP ranges.

For more information, see Defining your web servers.

IP Fragmentation Protection support in DoS protection policy

You can enable Layer 3 Fragment Protection in the DoS protection policy to prevent attacks that use fragmented packets.

For more information, see DoS prevention.

Traffic marking

FortiWeb now supports marking incoming traffic and then forwarding the marked traffic to a specified network interface and next-hop gateway.

For more information, see To configure a firewall FWMARK policy and Creating a policy route.

Destination Network Address Translation (DNAT) support

You can now set firewall DNAT policies to translate the destination IP addresses.

For more information, see To configure a firewall DNAT policy.

ADFS Server Pool support

ADFS Server Pool is now supported. You can add multiple ADFS servers in a server pool.

For more information, see Creating an AD FS server pool.

X-Forwarded-Port and Source Port support

FortiWeb can now add the X-Forwarded-Port header and the source port to the X-Forwarded-For headers it inserts.

For more information, see Defining your proxies, clients, & X-headers.
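Once a proxy such as FortiWeb inserts X-Forwarded-For and X-Forwarded-Port, the back-end application must decide when to believe them. The following is an added example, not FortiWeb's own code and not taken from this guide: it honours the headers only when the TCP peer is a known proxy address and walks the X-Forwarded-For list from the right so that a client-supplied prefix cannot spoof the result. The trusted proxy ranges, the "ip:port" element layout, and the use of X-Forwarded-Port as the client's port are assumptions made for the example.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample: address ranges of the reverse proxies (e.g. the WAF)
# that are allowed to set X-Forwarded-* headers. Any other peer is untrusted.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("2001:db8:1::/48")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr (IPv4 or IPv6 text) falls inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_xff_entry(entry: str) -> Tuple[str, Optional[int]]:
    """Split one X-Forwarded-For element into (ip, port).

    Accepts "ip", "ip:port" and "[ipv6]:port". This element layout is an
    assumption for the example, not a statement of FortiWeb's exact format.
    """
    entry = entry.strip()
    if entry.startswith("["):                      # bracketed IPv6, optional :port
        host, _, rest = entry[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else None
        return host, port
    if entry.count(":") == 1:                      # IPv4 with :port
        host, port_s = entry.split(":")
        return host, (int(port_s) if port_s.isdigit() else None)
    return entry, None                             # bare IPv4 or bare IPv6


def client_endpoint(peer_ip: str, headers: Dict[str, str]) -> Tuple[str, Optional[int]]:
    """Return (client_ip, client_port) that the back end should log and act on.

    Headers are honoured only when the TCP peer is a trusted proxy. The
    X-Forwarded-For list is walked right-to-left, skipping our own proxies,
    so the first untrusted hop is the real client regardless of what the
    client itself put in the header before it reached the proxy.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip, None                       # direct connection: ignore X-headers
    hops = [h for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip, port = parse_xff_entry(hop)
        if is_trusted_proxy(ip):
            continue                               # one of our proxies, keep walking left
        if port is None:
            # Assumed for the example: X-Forwarded-Port carries the client's
            # port when the per-hop element does not include one.
            xfp = headers.get("X-Forwarded-Port", "")
            port = int(xfp) if xfp.isdigit() else None
        return ip, port
    return peer_ip, None                           # empty list or only our own proxies


if __name__ == "__main__":
    # Constructed request: client 198.51.100.7 behind the proxy at 203.0.113.5
    print(client_endpoint("203.0.113.5", {"X-Forwarded-For": "10.0.0.1, 198.51.100.7",
                                          "X-Forwarded-Port": "40000"}))
```

The design choice worth copying is the peer check before any parsing: if the application also accepts connections that bypass the WAF, those peers can present any X-Forwarded-For they like, and the function deliberately returns the socket address instead.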

Cloud-init Support

Cloud-init can now be used on FortiWeb-VM on AWS and Azure.

For more information, see Deploying FortiWeb-VM on AWS EC2 and Deploying FortiWeb on Azure.

Enhancements

Keyword search support in Signatures

Besides searching by CVE number and Signature ID, you can now search for signatures by keyword. Also, CVE Number is removed from the Search Type in Filters.

Signature Exception Enhancement

A new element type, JSON Elements, is added for Signature Exception.

For more information, see Configuring action overrides or exceptions to data leak & attack detection signatures.

Request Raw Body parsing support

FortiWeb now supports parsing the Request Raw Body for custom signature rules.

Generic Attacks Enhancement

A new detection mechanism, HTTP Illegal Header, is added to Generic Attacks (Extended).

Signature Update Management switch on/off

It is now possible to enable or disable Signature Update Management directly from the GUI (previously CLI only). The feature must first be enabled in System > Config > Feature Visibility.

File unzipping before applying File Security Rule

You can now verify file type and size in compressed files (CLI only).

For more information, see waf file-upload-restriction-rule.

New signature strategy to reduce false positives

To further reduce false positives, signatures have been optimized. This applies to new signature policies.

DF flag added in CLI

A DF flag option is added in the CLI to allow FortiWeb to send packets without the DF flag, so that they can pass through a device with a low MTU.

For more information, see server-policy-setting.

The maximum number of server pool, server pool members, and virtual servers increased

For FortiWeb 1000E, 2000E, 3000E, 3010E, and 4000E appliances, you can create a maximum of 6000 server pools and virtual servers, and the maximum number of server pool members across all server pools is increased to 12000.

The maximum number of created certificates increased

For FortiWeb 1000E, 2000E, 3000E, 3010E, and 4000E appliances, you can create a maximum of 5000 certificates in System > Certificates > Local/Multi-certificate/Inline SNI/CA/Intermediate CA/CRL/Certificate Verify.

Backing up machine learning data through CLI

A new option is added in config system backup to back up full configurations with machine learning data.

For more information, see system backup.

Restricting report scope based on URLs

You can now specify the HTTP URL as a condition to filter the log messages included in a report.

For more information, see Restricting the report’s scope.

Downloading logs from secondary nodes in an HA group

In addition to viewing logs from the secondary node, you can now download them directly from the master node.

For more information, see Checking your HA topology information and statistics.

DNS proxy status control

The CLI command using-dns-proxy is added so you can switch the DNS proxy status on or off.

For more information, see server-policy setting.

More granular IP address range in SNAT policy

In SNAT policy, the IP address subnet is replaced with an IP range in which you define the first and last IP addresses.

For more information, see To configure a firewall SNAT policy.

Add exception in SNAT policy

By selecting the Translation Type as NO NAT in SNAT policy, you can now prevent the source IP addresses in the matched traffic from being translated.

For more information, see To configure a firewall SNAT policy.

Enhancement to FortiWeb Administrative Access

Direct HTTP access to FortiWeb GUI will be automatically redirected to HTTPS. Telnet is no longer permitted.

FortiWeb-VM license control

It is now possible to import a FortiWeb-VM license into a VM with more vCPUs than the license specifies. The extra vCPUs on the virtual machine are not used by FortiWeb.

IPv6 DAD enhancement

FortiWeb performs IPv6 DAD detection on the master appliance in Active-Passive and standard Active-Active HA groups.

See system global for how to enable ipv6-dad-ha.

Configurable content-types for compression

FortiWeb decides whether to compress a page by checking whether the request carries the Accept-Encoding header.
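The decision described above, compress only when the client advertises Accept-Encoding and only for configured content types, is shown below as an added example written for this page; it is not FortiWeb's code, and the content-type allowlist, the preference order of codings, and the function names are assumptions for the example. It parses q-values so that a client that explicitly refuses a coding (q=0) is respected, and it leaves already-compressed types alone.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed: the content types a proxy would be configured to compress.
# Types that are already compressed (images, archives, video) are deliberately
# absent; re-compressing them costs CPU and saves nothing.
COMPRESSIBLE_TYPES = {"text/html", "text/css", "text/plain",
                      "application/javascript", "application/json"}

# Preference order of this example when the client accepts several codings.
SUPPORTED_ENCODINGS = ("br", "gzip", "deflate")

_Q_PARAM = re.compile(r"q\s*=\s*([0-9.]+)")


def parse_accept_encoding(value: str) -> Dict[str, float]:
    """Map each coding named in an Accept-Encoding header to its q-value.

    A coding without a q parameter gets 1.0; an unparsable q is treated as 0.
    """
    weights: Dict[str, float] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        coding, _, params = item.partition(";")
        q = 1.0
        m = _Q_PARAM.search(params)
        if m:
            try:
                q = float(m.group(1))
            except ValueError:
                q = 0.0
        weights[coding.strip().lower()] = q
    return weights


def choose_encoding(headers: Dict[str, str], content_type: str,
                    allowed: Iterable[str] = COMPRESSIBLE_TYPES) -> Optional[str]:
    """Return the coding to apply to the response, or None to send it uncompressed.

    None is returned when the request carries no Accept-Encoding header, when the
    response media type is not in the configured allowlist, or when the client
    gives every supported coding a q-value of 0.
    """
    accept = headers.get("Accept-Encoding")
    if accept is None:
        return None                                   # client did not ask for compression
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in set(allowed):
        return None                                   # type not configured for compression
    weights = parse_accept_encoding(accept)
    wildcard = weights.get("*", 0.0)                  # "*" covers codings not listed explicitly
    for coding in SUPPORTED_ENCODINGS:
        if weights.get(coding, wildcard) > 0:
            return coding
    return None


if __name__ == "__main__":
    # Constructed request headers and response type
    print(choose_encoding({"Accept-Encoding": "gzip, deflate, br"}, "text/html; charset=utf-8"))
```

Keeping the allowlist explicit is also where a defender controls exposure to compression side channels: responses that echo attacker-influenced input next to secrets over TLS are the BREACH case, and excluding those pages from compression is the usual mitigation.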

Changes

Allow method restriction removed in Anomaly Detection

Allow method restriction in Machine learning for Anomaly Detection is removed.

Events level adjustment

The severity level of the FortiWeb upgrade event and AV FDS update event is changed from Critical to Notification.

Page Access and Start Pages modules removed

The Page Access and Start Pages modules are removed from the GUI; you can configure them in the CLI.

For more information, see waf-start-pages.

Default HTTPS server certificate name changed

The default server certificate name is changed to defaulthttpscert.

GEO IP Database

Data Analytics is renamed to GEO IP Database in System > Maintenance > Backup & Restore.