Fortinet Document Library

Administration Guide

What's new

New features

Multiple service ports support in server policy

You can now specify up to 128 server ports in a custom service, so that a single IP address can listen on multiple ports.

For more information, see Defining custom services.

Secure flag added to internal cookies for persistence policy

You can now set the Secure flag on the cookie that FortiWeb inserts for session persistence, so that browsers return it only over HTTPS and never send it on a plaintext connection.

For more information, see Configuring session persistence.

JSON file upload enhancement

FortiWeb now parses files embedded in an uploaded JSON document and checks them against the file security policy.

For more information, see Configuring a file security rule.

HTTP header removal

HTTP headers can now be removed as part of a request rewriting rule.

For more information, see Rewriting & redirecting.

Length limit extended in URL rewriting rule

For URL rewriting rules, the length of the following four fields is extended from 256 bytes to 1024 bytes: Replacement URL, Replacement Referer, Request Replacement Location, and Response Replacement Location.

HTTP header value check in Global White list

You can now specify a header value when adding an HTTP header to the Global White List; FortiWeb skips its scans when a request carries a header with that name and value. Because any client can set request headers, use this only with values a client cannot guess, or with headers that are inserted or verified by a trusted upstream component.

For more information, see Configuring the global object white list.

OpenAPI validation enhancement

  • OpenAPI files with recursive references can be uploaded.
  • JSON format of OpenAPI file is supported.
  • OpenAPI files with relative URL path can be uploaded.
  • A new CLI option, set ignore-undefined-query-param {enable | disable}, lets requests pass validation even when they carry query parameters that are not defined in the OpenAPI file.

For more information, see Protection for APIs.
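
The following is an added example, not FortiWeb code, of how an OpenAPI query-parameter check behaves with and without an ignore-undefined switch. The spec, paths, parameter names and the `ignore_undefined_query_param` argument are all constructed for illustration; the spec is JSON, uses a relative `servers` URL and contains a self-referencing schema, mirroring the three upload cases above. The `$ref` is never dereferenced, so the recursion is harmless.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample OpenAPI document (not from the page).
SAMPLE_OPENAPI_JSON = json.dumps({
    "openapi": "3.0.0",
    "servers": [{"url": "/api/v1"}],          # relative URL path
    "paths": {
        "/users": {
            "get": {
                "parameters": [
                    {"name": "page", "in": "query",
                     "schema": {"type": "integer"}},
                    {"name": "sort", "in": "query",
                     "schema": {"type": "string", "enum": ["asc", "desc"]}},
                ]
            }
        }
    },
    # Recursive reference: Node contains an array of Node.
    "components": {"schemas": {"Node": {"type": "object", "properties": {
        "children": {"type": "array",
                     "items": {"$ref": "#/components/schemas/Node"}}}}}},
})


def load_spec(text):
    """Parse a JSON-format OpenAPI file."""
    return json.loads(text)


def _check_value(value, schema):
    """Return an error string if ``value`` violates the (tiny) schema subset used here."""
    if schema.get("type") == "integer" and not value.lstrip("-").isdigit():
        return "not an integer"
    if "enum" in schema and value not in schema["enum"]:
        return "not in enum %s" % schema["enum"]
    return None


def validate_query(spec, method, url, ignore_undefined_query_param=False):
    """Check the query string of ``url`` against the operation's declared parameters.

    Returns a list of violation strings (empty when the request conforms).
    The base path from servers[0].url is stripped before the path lookup.
    """
    parts = urlsplit(url)
    base = spec.get("servers", [{}])[0].get("url", "")
    path = parts.path
    if base and path.startswith(base):
        path = path[len(base):] or "/"
    op = spec["paths"].get(path, {}).get(method.lower())
    if op is None:
        return ["%s %s is not defined in the OpenAPI file" % (method.upper(), path)]

    defined = {p["name"]: p for p in op.get("parameters", []) if p.get("in") == "query"}
    query = parse_qs(parts.query, keep_blank_values=True)
    violations = []
    for name, values in query.items():
        if name not in defined:
            # This is the behaviour the ignore-undefined-query-param switch controls.
            if not ignore_undefined_query_param:
                violations.append("undefined query parameter %r" % name)
            continue
        for v in values:
            err = _check_value(v, defined[name].get("schema", {}))
            if err:
                violations.append("parameter %r: %s" % (name, err))
    for name, p in defined.items():
        if p.get("required") and name not in query:
            violations.append("missing required parameter %r" % name)
    return violations
```

With the switch disabled an extra `debug=1` parameter is reported as a violation; with it enabled the same request passes, while type and enum violations on defined parameters are still reported either way.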

RESTful API support for deleting blocked IP/users

You can now delete multiple blocked IPs/users under one server policy with RESTful API.

For more information, see FortiWeb RESTful API Reference.

Local configuration backup to FortiWeb disk

You can now back up system configuration and web protection profiles to FortiWeb disk.

For more information, see Backup & restore.

Machine learning data backup

You can set ml-flag to include machine learning data when you run a full-config backup.

For more information, see config system backup.

SSL version setting for admin login

When HTTPS administrative access is configured, administrators can now set which SSL/TLS versions are accepted for admin logins in the admin settings.

For more information, see Global web UI & CLI settings.

SameSite flag enhancement

In addition to Client Management, now the SameSite flag also applies to User Tracking, Anomaly Detection, and Site Publish.

For more information, see server-policy policy.
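
The following is an added example, not FortiWeb code, that audits the cookie attributes discussed in the Secure flag and SameSite items above. It parses Set-Cookie headers and reports a missing Secure flag, a missing HttpOnly flag, a missing SameSite attribute, and the SameSite=None-without-Secure combination that Chromium-based browsers reject. The sample headers and the cookie names in them are constructed for illustration.

```python
# Constructed sample Set-Cookie headers (not captured from FortiWeb).
SAMPLE_HEADERS = [
    "persist_id=9f3c1a; Path=/",                                   # no attributes
    "persist_id=9f3c1a; Path=/; Secure; HttpOnly; SameSite=Lax",   # hardened
    "session=ab12; Path=/; Secure; HttpOnly; SameSite=None",       # cross-site, correctly Secure
    "tracker=1; Path=/; SameSite=None",                            # rejected by Chromium
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags like Secure map to ""
    return name.strip(), value, attrs


def audit_set_cookie(header, served_over_https=True):
    """Return (cookie_name, findings) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the cookie is also sent over plain HTTP")
    elif not served_over_https:
        findings.append("Secure set on a site served over plain HTTP: browsers will never return it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: the cookie is readable from script")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: the default depends on the browser (Chromium treats it as Lax)")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: Chromium-based browsers reject the cookie")
    return name, findings


def audit_headers(headers, served_over_https=True):
    """Audit a list of Set-Cookie headers; returns {cookie_name: [findings]}."""
    return {name: findings for name, findings in
            (audit_set_cookie(h, served_over_https) for h in headers)}
```

Run `audit_headers(SAMPLE_HEADERS)` against the captured response of a persistence-enabled server policy before and after enabling the Secure flag to confirm the change took effect; the `served_over_https=False` case shows why the flag must not be turned on for a policy that only serves HTTP.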

Two-Factor Authentication support for admin access

Two-factor authentication (2FA) adds an extra layer of security to logins to the FortiWeb GUI. With 2FA enabled, you log in with your username and password and must also present a token that only you possess.

For more information, see config system global.

Offline license support for more VM platforms

In addition to Hyper-V, offline licenses can now be imported on VMware, KVM, and Xen platforms.

FIPS compliance mode

The fips-ciphers mode is now available on FortiWeb-VMs deployed on AWS and Azure.

For more information, see config system-fips-cc.

HA enhancements for FortiWeb on public cloud platforms

This release changes FortiWeb HA on public cloud platforms as follows:

  • Active-active-standard mode is no longer supported. After an upgrade to 6.3.6, FortiWeb-VMs running in this mode switch automatically to active-active-high-volume mode.
  • For FortiWeb-VMs in active-passive mode, the active VM's interface IP addresses, static routes, policy routes, and firewall policies are not synchronized to the standby VM.
  • In earlier versions, enabling HA required DHCP to be enabled on all interfaces. From 6.3.6, only port1 must be in DHCP mode.

FortiWeb BYOL image on Alibaba Cloud

You can now deploy FortiWeb with a BYOL license from Alibaba Cloud Marketplace.

FortiWeb hybrid autoscaling on AWS

FortiWeb now supports a hybrid autoscaling solution on AWS: you deploy a fixed number of BYOL instances plus a variable number of PAYG instances.

FortiWeb available on AWS China Marketplace

You can now deploy FortiWeb from AWS China Marketplace. Only standalone mode is supported for now.

New model 100E introduced

FortiWeb 100E replaces the 100D and offers better performance.

New RESTful API

A new RESTful API is introduced in this release.

For more information, see FortiWeb RESTful API reference.

 

Enhancements

Optimization on Certificates

  • The Certificates tab has moved from System to Server Objects.
  • The Local and Multi-certificate tabs are merged into Local under Server Objects > Certificates.
  • The Certificate Verify and Server Certificate Verify tabs are merged into Certificate Verify under Server Objects > Certificates.

WCCP Client configurable only in WCCP mode

In non-WCCP operation modes, the WCCP Client tab is hidden and cannot be configured from the GUI.

For more information, see Configuring FortiWeb to receive traffic via WCCP.

Multiple features integrated in feature visibility

You can customize more features shown on GUI by setting them in System > Config > Feature Visibility.

For more information, see Feature visibility.

Signature scan enhancement

Response bodies with binary, media, or image content types are no longer scanned against signature rules.

Support HEX decoding for HTTP arguments

FortiWeb's HTTP parser now decodes parameter values that contain hex-encoded characters, so that subsequent checks see the decoded value rather than the encoded form.

Enhancements on the trust items

FortiWeb no longer runs any further scans on traffic that matches an entry in the IP List, Global White List, or Known Bots. This reduces false positives and improves performance. Because a trusted entry now exempts matching traffic from all remaining scans, review the entries in these lists before upgrading.

Add exceptions of SQL/XSS Syntax Based Detection from attack log

FortiWeb now supports adding SQL/XSS Syntax Based Detection exceptions from attack logs.

Add exceptions of Known Bots from attack log

FortiWeb now supports adding Known Bots exceptions from attack logs.

XML Entities check enhancement

When checking XML format, FortiWeb no longer fetches external entity references, and it no longer raises an "XML Format error" when an external definition cannot be found. Not resolving external entities also keeps the check itself from making outbound file or network requests on an attacker's behalf.
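
The following is an added example, not FortiWeb code, of the parsing behaviour described above: the document is checked for well-formedness, external entity references are recorded but never fetched, and an unresolvable external definition is not treated as a format error. The sample XML, its entity names and the URLs in it are constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample (not from the page): an internal DTD declares two external
# entities, one pointing at a local file and one at a remote URL, and <note>
# references both.
SAMPLE_XML = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE order [\n'
    '  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
    '  <!ENTITY ext SYSTEM "http://dtd.example.invalid/order.dtd">\n'
    ']>\n'
    '<order><id>42</id><note>&xxe;&ext;</note></order>\n'
)

# Constructed malformed sample: a genuine format error (mismatched tag).
MALFORMED_XML = '<order><id>42</order>'


def check_xml_format(data):
    """Check that ``data`` is well-formed XML without resolving external entities.

    Returns (well_formed, external_refs, detail). ``external_refs`` lists the
    system identifiers that were referenced but deliberately not fetched;
    ``detail`` is the collected character data on success or the parser's
    error message on failure.
    """
    external_refs = []
    text = []

    def on_external_entity_ref(context, base, system_id, public_id):
        # Record the reference but never fetch it. Returning a non-zero value
        # tells expat the reference was handled, so the entity expands to
        # nothing and parsing continues instead of failing.
        external_refs.append(system_id)
        return 1

    parser = xml.parsers.expat.ParserCreate()
    # Never read parameter entities or an external DTD subset either.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        return False, external_refs, str(exc)
    return True, external_refs, "".join(text)
```

The sample with two external entities is reported as well-formed with both system identifiers recorded and no I/O performed, while the mismatched-tag sample is still rejected as a format error.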

Client Management debug

Client Management debug information can be printed with the command diagnose debug application client-management.

Changes of supported SSL ciphers

The following changes are implemented for the Customized SSL ciphers list.

Newly added:

  • ECDHE-ARIA128-GCM-SHA256
  • DHE-RSA-ARIA128-GCM-SHA256
  • DHE-RSA-ARIA256-GCM-SHA384
  • ECDHE-ARIA256-GCM-SHA384

No longer supported:

  • DHE-RSA-CAMELLIA128-SHA
  • DHE-DSS-CAMELLIA128-SHA
  • CAMELLIA256-SHA
  • CAMELLIA128-SHA

For a complete SSL ciphers list supported by FortiWeb, see Supported cipher suites & protocol versions.
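
The following is an added example, not FortiWeb code, that classifies OpenSSL-style cipher suite names by key exchange, cipher mode and MAC so the change above can be checked against a custom cipher list: every added suite offers forward secrecy and AEAD, while every removed suite is a CBC-mode suite with an HMAC-SHA1 MAC, two of them without forward secrecy. The classification rules are the author's own reading of the OpenSSL naming convention; the two lists are copied from this page.

```python
# Suite names from this page.
ADDED = [
    "ECDHE-ARIA128-GCM-SHA256",
    "DHE-RSA-ARIA128-GCM-SHA256",
    "DHE-RSA-ARIA256-GCM-SHA384",
    "ECDHE-ARIA256-GCM-SHA384",
]
REMOVED = [
    "DHE-RSA-CAMELLIA128-SHA",
    "DHE-DSS-CAMELLIA128-SHA",
    "CAMELLIA256-SHA",
    "CAMELLIA128-SHA",
]


def classify(name):
    """Derive security properties from an OpenSSL cipher suite name.

    Rules: an ECDHE-/DHE- prefix means ephemeral key exchange (forward
    secrecy); GCM or CHACHA20 in the name means an AEAD mode; the last
    component is the MAC/PRF, and a bare "SHA" means HMAC-SHA1 on a
    CBC-mode cipher.
    """
    forward_secrecy = name.startswith(("ECDHE-", "DHE-"))
    aead = "-GCM-" in name or "CHACHA20" in name
    mac = name.rsplit("-", 1)[-1]
    return {
        "forward_secrecy": forward_secrecy,
        "aead": aead,
        "mac": mac,
        "cbc_sha1": (not aead) and mac == "SHA",
    }


def weak_suites(names):
    """Return the suites in ``names`` that lack forward secrecy or use CBC with HMAC-SHA1."""
    return [n for n in names
            if not classify(n)["forward_secrecy"] or classify(n)["cbc_sha1"]]
```

Running `weak_suites` over your own Customized SSL ciphers list before upgrading shows which configured suites will no longer be available and why.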

Brute Force Login removed from predefined custom policy

To avoid false positives, Brute Force Login is removed from the predefined custom policies.

Bot confirmation disabled in predefined Brute Force Login Alert Only custom rule

Bot confirmation is disabled because the alert-only custom rule is not supposed to block requests.

GEO DB package upload moved to FortiGuard

The GEO DB setting is moved from System > Config > Maintenance to System > Config > FortiGuard.

FortiSandbox connectivity status moved

The FortiSandbox connectivity status is displayed on the FortiSandbox page instead of the landing page widget.

Page Access and Start Pages modules completely removed

The Page Access and Start Pages modules were removed from the GUI in 6.3.0. Their CLI commands are now removed as well.