Administration Guide

What's new

New features

Introducing Deep Learning

As part of Machine Learning for Anomaly Detection, FortiWeb now builds mathematical models from fewer samples, then continues to collect samples and refine the models as more samples arrive over time. This allows FortiWeb to provide protection much sooner and to improve accuracy over time.

For more information, see Configuring anomaly detection policy.

New XSS Syntax Based Detection module

  • XSS Syntax Based Detection is introduced to detect XSS injection attacks by analyzing the HTML/JavaScript syntax.
  • SQL Injection (Syntax Based Detection) is moved from Web Protection > Signatures to Web Protection > Advanced Protection > SQL/XSS Syntax Based Detection.

For more information, see Syntax-based SQL/XSS injection detection.

Client management

Client management lets you track a client by either a recognized cookie or the source IP. When a client violates a WAF rule, FortiWeb adds the configured threat weight for that rule to the client's threat score and takes action accordingly. This feature replaces Device Tracking, Device Reputation, and Client Device Management.

For more information, see Client management.

Bad Robot and Known Search Engines integrated to Known Bots for better bot management

  • Bad Robot is removed from the main signature class in Web Protection > Known Attacks > Signatures.
  • Known Search Engines is removed from Server Objects > Global and Policy > Web Protection Profile.
  • Both the modules are integrated into Bot Mitigation > Known Bots.

For more information, see Configuring known bots.

New AJAX block page for AJAX requests

You can now enable Replacement Message for AJAX requests in Config > Replacement Message > Replacement Message.

For more information, see Configuring an error or authentication page.

Support for Cookieless clients in NTLM Delegation

The Site Publish module can now support NTLM delegation for cookieless clients.

For more information, see Offloaded authentication and optional SSO configuration.

Additional information on Blocked IPs

A new "reason" column has been added in Monitor > Blocked IPs.

For more information, see Monitoring currently blocked IPs.

Parameter type in Global White List optimized

URL/Domain filters are added for parameter type in Global White List, allowing better granularity when certain parameters need to bypass the security modules.

For more information, see Configuring the global object white list.

User tracking data shared across content routing rules

Web protection profiles that use the same user tracking rules can now share user tracking data.

SameSite flag added in cookiesession1 to help prevent CSRF attacks

You can now assign a SameSite flag to internal cookies and set it to strict, lax, or none to define whether requests originating from third-party sites carry such cookies.
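The following added example (not FortiWeb code) models which requests a browser attaches a cookie to under each SameSite value, following the RFC 6265bis semantics, and builds the matching Set-Cookie header. It shows concretely what strict, lax, and none mean for the classic cross-site request shapes behind CSRF. The cookie name "session", the Request fields, and the set of request shapes are constructed for the demo and do not describe the appliance's internal cookie format.

```python
# Added example, not FortiWeb code: models which requests a browser attaches
# a session cookie to under each SameSite value (RFC 6265bis semantics) and
# builds the corresponding Set-Cookie header. The cookie name "session" and
# the Request fields are constructed for the demo.
from dataclasses import dataclass

# Methods a Lax cookie is still sent with on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    cross_site: bool            # initiated by a different site than the cookie's site
    top_level_navigation: bool  # changes the page in the tab (link click, form submit); False for fetch/img/iframe
    method: str
    https: bool = True


def cookie_attached(samesite: str, req: Request) -> bool:
    """Return True if a browser sends the cookie on this request."""
    mode = samesite.lower()
    if mode == "strict":
        # Never sent on a cross-site request, whatever the method.
        return not req.cross_site
    if mode == "lax":
        if not req.cross_site:
            return True
        # Cross-site: only top-level navigations with a safe method.
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    if mode == "none":
        # Browsers accept SameSite=None only together with Secure, so the
        # cookie exists only over HTTPS; when it exists it is always sent.
        return req.https
    raise ValueError(f"unknown SameSite value {samesite!r}")


def set_cookie_header(name: str, value: str, samesite: str, secure: bool = True) -> str:
    """Build a Set-Cookie header value with the given SameSite mode."""
    mode = samesite.lower()
    if mode not in ("strict", "lax", "none"):
        raise ValueError(f"unknown SameSite value {samesite!r}")
    if mode == "none" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    attrs = [f"{name}={value}", "HttpOnly", f"SameSite={mode.capitalize()}"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def csrf_exposure(samesite: str) -> dict:
    """Which classic cross-site request shapes still carry the cookie."""
    shapes = {
        "hidden form POST": Request(cross_site=True, top_level_navigation=True, method="POST"),
        "link/redirect GET": Request(cross_site=True, top_level_navigation=True, method="GET"),
        "background fetch/img": Request(cross_site=True, top_level_navigation=False, method="GET"),
    }
    return {label: cookie_attached(samesite, r) for label, r in shapes.items()}


if __name__ == "__main__":
    for mode in ("strict", "lax", "none"):
        print(set_cookie_header("session", "constructed-id", mode), csrf_exposure(mode))
```

The table `csrf_exposure` returns is the practical caveat: lax blocks the cross-site POST and background requests but still sends the cookie on a cross-site top-level GET, so any endpoint that changes state on GET remains reachable; strict closes that too at the cost of dropping the session on every inbound link. The model does not reproduce individual browsers' default-Lax exceptions.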

For more information, see server-policy policy.

Support for chunk encoded HTTP requests

FortiWeb can now parse chunked transfer-encoded bodies in HTTP requests.
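Parsing the chunked body is the step a WAF has to perform before it can inspect the request at all, and how strictly it parses matters: a lenient de-chunker that disagrees with the back-end server is what request-smuggling discrepancies are built on. The following added example (not FortiWeb code) is a strict de-chunker for the RFC 7230 chunked transfer coding that enforces a size cap, keeps trailers, and rejects anything outside the grammar. The sample request bytes are constructed.

```python
# Added example, not FortiWeb code: a strict de-chunker for the HTTP/1.1
# chunked transfer coding (RFC 7230 section 4.1), the step a WAF performs
# before it can inspect a request body. The request bytes in the usage
# block are constructed for the demo.
CRLF = b"\r\n"
HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkedError(ValueError):
    """Malformed chunked body."""


def parse_chunked(data: bytes, max_body: int = 1 << 20):
    """Decode a chunked body.

    Returns (body, trailers, leftover): the assembled body, trailer fields as a
    dict, and any bytes after the terminating empty line. Raises ChunkedError
    on anything that is not exactly the grammar.
    """
    pos = 0
    body = bytearray()
    while True:
        end = data.find(CRLF, pos)
        if end == -1:
            raise ChunkedError("missing chunk-size line")
        size_line = data[pos:end]
        # chunk-size [ BWS ";" chunk-ext ]: drop extensions, allow only trailing
        # whitespace before ';'. Leading whitespace or non-hex is rejected, since
        # lenient parsing here is what creates parser disagreements.
        size_field = size_line.split(b";", 1)[0].rstrip()
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ChunkedError(f"bad chunk size {size_line!r}")
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            break
        if len(body) + size > max_body:
            raise ChunkedError("body exceeds limit")
        chunk = data[pos:pos + size]
        if len(chunk) < size:
            raise ChunkedError("truncated chunk")
        if data[pos + size:pos + size + 2] != CRLF:
            raise ChunkedError("chunk data not followed by CRLF")
        body += chunk
        pos += size + 2
    # Trailer section: header lines up to an empty line.
    trailers = {}
    while True:
        end = data.find(CRLF, pos)
        if end == -1:
            raise ChunkedError("missing end of trailer section")
        line = data[pos:end]
        pos = end + 2
        if line == b"":
            break
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ChunkedError(f"bad trailer line {line!r}")
        trailers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return bytes(body), trailers, data[pos:]


def rejects(data: bytes) -> bool:
    """True if parse_chunked refuses the input."""
    try:
        parse_chunked(data)
    except ChunkedError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request body: two chunks, one chunk extension, one trailer.
    sample = b"4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\nX-Checksum: abc\r\n\r\n"
    print(parse_chunked(sample))
```

The `leftover` value is worth checking in a gateway: on a persistent connection those bytes are the start of the next request, so the inspecting device and the origin must agree on exactly where the body ended, which is why the parser refuses rather than guesses on a chunk size with leading whitespace or a chunk not terminated by CRLF.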

client-ip/server-ip support in diagnose debug flow filter module-detail

You can now specify a source and/or destination IP address to include or exclude module debug logs involving the specified IP address.

For more information, see debug flow filter.

Enhancements

Login failure message optimization

The "Failed to search user DN" and "Failed to bind LDAP server" login failure messages are replaced with a generic "Failed to login" message to avoid user enumeration attacks. More detailed login failure information remains available in the event log.
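The following added example (not FortiWeb code) shows the pattern behind this change in a small authentication handler: the old behaviour returns a different message depending on whether the username exists, the new behaviour returns one message to the client and records the real cause in an internal event log. The user store, the event log list, and the `responses_distinguish_users` regression check are constructed for the demo; the appliance's real log format is not reproduced.

```python
# Added example, not FortiWeb code: shows why an authentication endpoint
# should return one generic failure message while recording the specific
# cause in an internal event log. The user store and the event log list are
# constructed stand-ins; the appliance's real log format is not reproduced.
import hmac

# Constructed user store (username -> password). A real store holds hashes.
USERS = {"alice": "correct-horse"}

GENERIC_MESSAGE = "Failed to login"


def _password_matches(username: str, password: str) -> bool:
    # Constant-time comparison of the stored secret against the supplied one.
    return hmac.compare_digest(USERS[username].encode(), password.encode())


def login_leaky(username: str, password: str) -> str:
    """Pre-change behaviour: a different message for each cause, so the
    response alone tells a client whether the username exists."""
    if username not in USERS:
        return "Failed to search user DN"
    if not _password_matches(username, password):
        return "Failed to bind LDAP server"
    return "OK"


def login_hardened(username: str, password: str, event_log=None) -> str:
    """Post-change behaviour: identical message for every failure; the cause
    goes only to event_log (a list standing in for the event log)."""
    if event_log is None:
        event_log = []
    if username not in USERS:
        event_log.append(f"login failed user={username!r} reason=user-not-found")
        return GENERIC_MESSAGE
    if not _password_matches(username, password):
        event_log.append(f"login failed user={username!r} reason=bad-password")
        return GENERIC_MESSAGE
    event_log.append(f"login ok user={username!r}")
    return "OK"


def responses_distinguish_users(login_fn) -> bool:
    """Regression check for a login handler: True if an unknown user and a
    known user with a wrong password get different client-visible messages."""
    unknown = login_fn("nobody", "wrong-password")
    known = login_fn("alice", "wrong-password")
    return unknown != known


if __name__ == "__main__":
    events = []
    print(login_hardened("nobody", "x", events), events)
    print("leaky handler enumerates:", responses_distinguish_users(login_leaky))
    print("hardened handler enumerates:", responses_distinguish_users(login_hardened))
```

One caveat the message change does not cover: if the two failure paths take measurably different time (a directory search that fails early versus a bind that goes to the server), response timing can still distinguish them, so the generic message should be paired with similar work on both paths.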

Default block period value increase

The default value for "Period Block" is updated to 600 seconds to ensure higher security.

Bot Analysis moved to FortiView > Security

The Bot Analysis page is optimized to show detailed information on search engines and malicious bots.

For more information, see Bot Analysis.

Predefined policies in Custom Policy and Bot Mitigation Policy

  • Predefined Bot Mitigation policies are added in Bot Mitigation Policy.
  • Predefined Advanced Protection policy (alert only) is added in Custom Policy.

Device Tracking, Device Reputation, and Client Device Management removed

Device tracking related modules and configurations are removed from this release. Tracking is now done using the new Client Management feature.

For more information, see Client management.

Least connection algorithm enhancement

When distributing new TCP connections to server pool members, the Least Connection algorithm is enhanced so that new connections are no longer always assigned to the same member when several members are tied.
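The following added example (not FortiWeb code) reproduces the problem in a naive least-connection scheduler and shows one remedy. With short-lived connections every member is back at zero by the time the next connection arrives, so a scheduler that always scans from the first member sends everything there; rotating the starting point among tied members spreads the load while still preferring a less loaded member whenever one exists. The member names and traffic pattern are constructed, and the rotation is one possible fix, not a description of the appliance's implementation.

```python
# Added example, not FortiWeb code: a least-connection scheduler showing the
# tie-breaking problem (all ties resolved to the same member) and one remedy,
# rotating the starting point among tied members. Member names and the
# traffic pattern are constructed.
class LeastConnection:
    def __init__(self, members, rotate_ties=True):
        self.order = list(members)
        self.active = {m: 0 for m in self.order}
        self.rotate_ties = rotate_ties
        self._last = -1  # index of the member chosen last

    def pick(self) -> str:
        """Return the member with the fewest active connections and count the new one."""
        low = min(self.active.values())
        n = len(self.order)
        # Naive: always scan from index 0, so among tied members the first wins.
        # Rotating: scan from the member after the last choice.
        start = (self._last + 1) % n if self.rotate_ties else 0
        for i in range(n):
            idx = (start + i) % n
            member = self.order[idx]
            if self.active[member] == low:
                self._last = idx
                self.active[member] += 1
                return member
        raise RuntimeError("unreachable: some member holds the minimum")

    def release(self, member: str) -> None:
        """A connection to member closed."""
        self.active[member] -= 1


def simulate_short_lived(n_connections, members, rotate_ties) -> dict:
    """Distribute n_connections that each finish before the next arrives
    (so every decision is a tie at zero), and return the per-member counts."""
    lb = LeastConnection(members, rotate_ties=rotate_ties)
    counts = {m: 0 for m in members}
    for _ in range(n_connections):
        chosen = lb.pick()
        counts[chosen] += 1
        lb.release(chosen)
    return counts


def pick_sequence() -> list:
    """Rotation only breaks ties; a less loaded member still wins."""
    lb = LeastConnection(["a", "b", "c"])
    seq = [lb.pick(), lb.pick()]   # a, b  (counts a=1 b=1 c=0)
    lb.release(seq[1])             # a=1 b=0 c=0
    seq.append(lb.pick())          # rotation continues past b: c  (a=1 b=0 c=1)
    seq.append(lb.pick())          # only b is at 0 now: b
    return seq


if __name__ == "__main__":
    print("naive:   ", simulate_short_lived(6, ["a", "b", "c"], rotate_ties=False))
    print("rotating:", simulate_short_lived(6, ["a", "b", "c"], rotate_ties=True))
    print("sequence:", pick_sequence())
```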

Enhancements for Machine Learning Anomaly Detection

  • You can re-admit a noisy sample to the legitimate sample pool.
  • Threat Models have been optimized to reduce false positives.
  • You can define an expiration time for patterns. All samples associated with expired patterns are cleared from the database.

For more information, see Configuring anomaly detection policy.

HA heartbeat enhancement

HA heartbeat is optimized to provide better stability and scalability.

Virtual IP limit lifted in high volume active-active HA mode

In addition to standalone, active-passive, and standard active-active modes, FortiWeb 1000E, 2000E, 3000E, 3010E, and 4000E appliances in high volume active-active HA mode now also support a maximum of 6000 virtual IPs.

New regions supported by FortiWeb Fabric Connectors for the OCI platform

Fabric Connectors now support all available OCI regions.

Autoscaling enhancement on AWS

For the FortiWeb autoscaling solution on AWS, an elastic IP is now supported to access the master node.

Using templates to auto-deploy FortiWeb HA on AWS and Azure

A FortiWeb HA group with up to eight members can be automatically deployed using templates on AWS and Azure.

Limiting access to specific source IP addresses

You can now define an Allow Only IP range in IP List to limit access to the application to specified IP addresses.

For more information, see Blacklisting & whitelisting clients.

FortiAnalyzer support for log export

Forwarding attack logs to FortiAnalyzer is now supported.

TCP buffer default value changed

The default value of tcp-buffer is changed to max.
