Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

What's new

Security Fabric - Single Sign On with FortiGate

The Security Fabric integration has been enhanced. New Fabric connectors tab is added. You can now use SSO to log in to FortiWeb directly from FortiGate.

For more information, see Fabric Connector: Single Sign On with FortiGate.

Machine Learning Anomaly Detection enhancement

Anomaly Detection in Machine Learning is enhanced to simplify the configuration and refine the process of model refreshing. Sample Collection mode and Parameter Model Update have been removed and are now fully automated.

For more information, see Configuring anomaly detection policy.

Web Shell Detection

The Trojan detection in File Security is upgraded to a separate tab named Web Shell Detection. This feature becomes more powerful as it not only detects known web shells but also performs fuzzy hash based web shell detection.

For more information, see Web Shell Detection.

Let's Encrypt certificate support

Integration with Let’s Encrypt is now supported, allowing to automatically generate server certificates alleviating the need to upload private certificates.

For more information, see Let's Encrypt certificates.

AWS and Azure External Connectors

You can configure External Connectors to authorize FortiWeb to access your public cloud resources on AWS and Azure in order to automatically obtain and dynamically update the IP addresses of the back-end servers.

For more information, see AWS Connector and Azure Connector.

reCAPTCHA support

reCAPTCHA for bot detection is now available. It's integrated into features such as Dos Protect and Bot Mitigation to confirm whether the client is a bot or not.

For more information, see Creating reCAPTCHA servers.

SQL/XSS Syntax Based Detection enhancement

Additional scan targets have been added to SQL/XSS Syntax Based Detection. "User-Agent", "Referer", and all other HTTP headers are now supported in addition to the existing "Parameter Name", "Parameter Value" and "Request Cookie".

For more information, see Syntax-based SQL/XSS injection detection.

Predefined policies in SQL/XSS Syntax Based Detection

Predefined SQL/XSS Syntax Based Detection policies are added so that you can quickly apply them in a web protection profile.

NTLM Authentication support in Site Publish rule

FortiWeb now supports authenticating clients by NTLM in HTTP. In Site Publish rule, you can select NTLM Authentication for Client Authentication Method, then select Kerberos Constrained Delegation for Authentication Delegation.

For more information, see Client Authentication Method in Offloaded authentication and optional SSO configuration.

New RADIUS authorization support for client certificate authentication

New options are added in Site Publish rule to support extracting username from the client certificate and send it to the RADIUS server for an additional authorization step.

For more information, see Authentication Delegation in Offloaded authentication and optional SSO configuration.

HTTP header append

The Referer-policy and Feature-Policy headers are now supported in HTTP Header Security.

For more information, see HTTP Security Headers.

HTTP header rewrite

It's now supported to rewrite HTTP headers in response packets by defining the HTTP Header Insertion and HTTP Header Removal list in URL Rewriting rule.

For more information, see Rewriting & redirecting.

Base64 decoding in payload

FortiWeb now supports decoding base64 payloads in parameters.

For more information, see Advanced Decoding.

UTF-16 JS decoding in payload

FortiWeb now supports UTF-16 JS payload decoding.

OpenAPI enhancement

The OpenAPI Validation feature is enhanced to support the security mechanism in OpenAPI 3.0.x specifications.

Health check in TTP mode

FortiWeb now supports executing health check to the back-end server in TTP mode. An exception is when FortiWeb is deployed in active-active standard HA mode.

For more information, see Defining your web servers.

FortiWeb admin interface web server certificate enhancement

You can now import an intermediate certificate for the FortiWeb admin interface.

For more information, see To upload the intermediate CA for the administrator.

7-day threats data in FortiView

FortiWeb now displays 7-day threats data in FortiView on 3000E and 4000E.

Additional events monitored by SNMP traps and OIDs

FortiWeb now allows you to monitor the following events by SNMP traps and OIDs.

  • Events monitored by SNMP OIDs: Virtual Server Object status, Server-Pool object status, Server Policy status, and Policy/Virtual Server traffic.

  • Events monitored by SNMP traps: Policy LDAP auth failure and Policy RADIUS auth failure.

Maximum configuration number increased on FortiWeb-VM

For FortiWeb-VM, its maximums for server policy, server pool, pool member, and virtual server are all increased to 1024 if the memory is larger than 64 GB; The maximums for all types of certificates are lifted to 1024 as well.

Administrator trusted host maximum increased

The maximum of trusted host per Administrator (configured in Admin > Administrator) is increased from 3 to 10.

Cookieless cache in Site Publish rule

The cookieless-cache CLI option is added for cookieless authentication in the Site Publish rule to allow flexible setting of the cache timeout value. When it's set to 0, FortiWeb will send authentication requests to the authentication server every time the user logs in.

For more information, see cookieless-cache in waf site-publish-helper rule.

What's new

Security Fabric - Single Sign On with FortiGate

The Security Fabric integration has been enhanced. New Fabric connectors tab is added. You can now use SSO to log in to FortiWeb directly from FortiGate.

For more information, see Fabric Connector: Single Sign On with FortiGate.

Machine Learning Anomaly Detection enhancement

Anomaly Detection in Machine Learning is enhanced to simplify the configuration and refine the process of model refreshing. Sample Collection mode and Parameter Model Update have been removed and are now fully automated.

For more information, see Configuring anomaly detection policy.

Web Shell Detection

The Trojan detection in File Security is upgraded to a separate tab named Web Shell Detection. This feature becomes more powerful as it not only detects known web shells but also performs fuzzy hash based web shell detection.

For more information, see Web Shell Detection.

Let's Encrypt certificate support

Integration with Let’s Encrypt is now supported, allowing to automatically generate server certificates alleviating the need to upload private certificates.

For more information, see Let's Encrypt certificates.

AWS and Azure External Connectors

You can configure External Connectors to authorize FortiWeb to access your public cloud resources on AWS and Azure in order to automatically obtain and dynamically update the IP addresses of the back-end servers.

For more information, see AWS Connector and Azure Connector.

reCAPTCHA support

reCAPTCHA for bot detection is now available. It's integrated into features such as Dos Protect and Bot Mitigation to confirm whether the client is a bot or not.

For more information, see Creating reCAPTCHA servers.

SQL/XSS Syntax Based Detection enhancement

Additional scan targets have been added to SQL/XSS Syntax Based Detection. "User-Agent", "Referer", and all other HTTP headers are now supported in addition to the existing "Parameter Name", "Parameter Value" and "Request Cookie".

For more information, see Syntax-based SQL/XSS injection detection.

Predefined policies in SQL/XSS Syntax Based Detection

Predefined SQL/XSS Syntax Based Detection policies are added so that you can quickly apply them in a web protection profile.

NTLM Authentication support in Site Publish rule

FortiWeb now supports authenticating clients by NTLM in HTTP. In Site Publish rule, you can select NTLM Authentication for Client Authentication Method, then select Kerberos Constrained Delegation for Authentication Delegation.

For more information, see Client Authentication Method in Offloaded authentication and optional SSO configuration.

New RADIUS authorization support for client certificate authentication

New options are added in Site Publish rule to support extracting username from the client certificate and send it to the RADIUS server for an additional authorization step.

For more information, see Authentication Delegation in Offloaded authentication and optional SSO configuration.

HTTP header append

The Referer-policy and Feature-Policy headers are now supported in HTTP Header Security.

For more information, see HTTP Security Headers.

HTTP header rewrite

It's now supported to rewrite HTTP headers in response packets by defining the HTTP Header Insertion and HTTP Header Removal list in URL Rewriting rule.

For more information, see Rewriting & redirecting.

Base64 decoding in payload

FortiWeb now supports decoding base64 payloads in parameters.

For more information, see Advanced Decoding.

UTF-16 JS decoding in payload

FortiWeb now supports UTF-16 JS payload decoding.

OpenAPI enhancement

The OpenAPI Validation feature is enhanced to support the security mechanism in OpenAPI 3.0.x specifications.

Health check in TTP mode

FortiWeb now supports executing health check to the back-end server in TTP mode. An exception is when FortiWeb is deployed in active-active standard HA mode.

For more information, see Defining your web servers.

FortiWeb admin interface web server certificate enhancement

You can now import an intermediate certificate for the FortiWeb admin interface.

For more information, see To upload the intermediate CA for the administrator.

7-day threats data in FortiView

FortiWeb now displays 7-day threats data in FortiView on 3000E and 4000E.

Additional events monitored by SNMP traps and OIDs

FortiWeb now allows you to monitor the following events by SNMP traps and OIDs.

  • Events monitored by SNMP OIDs: Virtual Server Object status, Server-Pool object status, Server Policy status, and Policy/Virtual Server traffic.

  • Events monitored by SNMP traps: Policy LDAP auth failure and Policy RADIUS auth failure.

Maximum configuration number increased on FortiWeb-VM

For FortiWeb-VM, its maximums for server policy, server pool, pool member, and virtual server are all increased to 1024 if the memory is larger than 64 GB; The maximums for all types of certificates are lifted to 1024 as well.

Administrator trusted host maximum increased

The maximum of trusted host per Administrator (configured in Admin > Administrator) is increased from 3 to 10.

Cookieless cache in Site Publish rule

The cookieless-cache CLI option is added for cookieless authentication in the Site Publish rule to allow flexible setting of the cache timeout value. When it's set to 0, FortiWeb will send authentication requests to the authentication server every time the user logs in.

For more information, see cookieless-cache in waf site-publish-helper rule.