The Security Fabric integration has been enhanced: a new Fabric Connectors tab has been added, and you can now use SSO to log in to FortiWeb directly from FortiGate.
For more information, see Fabric Connector: Single Sign On with FortiGate.
Anomaly Detection in Machine Learning has been enhanced to simplify configuration and refine the model refresh process. The Sample Collection mode and Parameter Model Update have been removed; both are now fully automated.
For more information, see Configuring anomaly detection policy.
The Trojan detection in File Security has been upgraded to a separate tab named Web Shell Detection. The feature is more powerful because it not only detects known web shells but also performs fuzzy-hash-based web shell detection, which can match files that are similar to, but not byte-for-byte identical with, known samples.
For more information, see Web Shell Detection.
Integration with Let's Encrypt is now supported, allowing FortiWeb to generate server certificates automatically and removing the need to upload private certificates.
For more information, see Let's Encrypt certificates.
You can configure External Connectors to authorize FortiWeb to access your public cloud resources on AWS and Azure, so that it can automatically obtain and dynamically update the IP addresses of the back-end servers.
reCAPTCHA for bot detection is now available. It is integrated into features such as DoS Protection and Bot Mitigation to confirm whether the client is a bot.
For more information, see Creating reCAPTCHA servers.
Additional scan targets have been added to SQL/XSS Syntax Based Detection: "User-Agent", "Referer", and all other HTTP headers are now supported in addition to the existing "Parameter Name", "Parameter Value", and "Request Cookie".
For more information, see Syntax-based SQL/XSS injection detection.
Predefined SQL/XSS Syntax Based Detection policies are added so that you can quickly apply them in a web protection profile.
FortiWeb now supports authenticating clients with NTLM over HTTP. In a Site Publish rule, you can select NTLM Authentication as the Client Authentication Method and then select Kerberos Constrained Delegation as the Authentication Delegation.
For more information, see Client Authentication Method in Offloaded authentication and optional SSO configuration.
New options have been added to the Site Publish rule to support extracting the username from the client certificate and sending it to the RADIUS server for an additional authorization step.
For more information, see Authentication Delegation in Offloaded authentication and optional SSO configuration.
The Referrer-Policy and Feature-Policy headers are now supported in HTTP Header Security.
For more information, see HTTP Security Headers.
You can now rewrite HTTP headers in responses by defining HTTP Header Insertion and HTTP Header Removal lists in a URL Rewriting rule.
For more information, see Rewriting & redirecting.
FortiWeb now supports decoding base64-encoded payloads in parameters.
For more information, see Advanced Decoding.
FortiWeb now supports decoding UTF-16-encoded JavaScript payloads.
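The point of the two decoding items above is that a signature check applied only to the raw parameter value misses a payload the client has base64- or UTF-16-encoded; the same check applied to each decoded layer catches it. The following is an added illustration of that inspect-after-decode idea, written for this page and not FortiWeb's own engine. The signature set, the decoding heuristics (valid base64 shape; a UTF-16 BOM or alternating NUL bytes), and all sample values are constructed for the demonstration; it also peels nested layers (base64 wrapping UTF-16), which goes slightly beyond the two single-layer items in the text.

```python
import base64
import binascii
import re

# Added example of inspect-after-decode. Not FortiWeb's own engine: the
# signatures, decoding heuristics and samples below are all constructed.

# Hypothetical, deliberately small signature set for the demo.
SIGNATURES = {
    "xss_script_tag": re.compile(r"<script\b", re.IGNORECASE),
    "sqli_union_select": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
}

BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def try_base64(text: str):
    """Return the decoded bytes if `text` is well-formed base64, else None."""
    text = text.strip()
    if len(text) < 8 or len(text) % 4 or not BASE64_RE.fullmatch(text):
        return None
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def try_utf16(raw: bytes):
    """Return the text if `raw` looks like UTF-16 (BOM, or every other byte NUL), else None."""
    if len(raw) < 4 or len(raw) % 2:
        return None
    try:
        if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
            return raw.decode("utf-16")          # BOM selects byte order and is dropped
        if all(b == 0 for b in raw[1::2]):
            return raw.decode("utf-16-le")
        if all(b == 0 for b in raw[0::2]):
            return raw.decode("utf-16-be")
    except UnicodeDecodeError:
        return None
    return None


def candidate_views(raw: bytes, max_depth: int = 3) -> list:
    """Text views to match against: the raw value, then each decoded layer.

    Decoded results are re-queued so nested encodings (e.g. base64 wrapping
    UTF-16) are peeled up to `max_depth` layers deep.
    """
    views, queue = [], [(raw, 0)]
    while queue:
        buf, depth = queue.pop(0)
        text = buf.decode("utf-8", errors="replace")
        if text not in views:
            views.append(text)
        if depth >= max_depth:
            continue
        u16 = try_utf16(buf)
        if u16 is not None:
            queue.append((u16.encode("utf-8"), depth + 1))
        b64 = try_base64(text)
        if b64 is not None:
            queue.append((b64, depth + 1))
    return views


def match_signatures(text: str):
    """Name of the first signature matching `text`, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(text):
            return name
    return None


def naive_inspect(raw: bytes):
    """Match only the raw value: what an inspector without decoding sees."""
    return match_signatures(raw.decode("utf-8", errors="replace"))


def decoding_inspect(raw: bytes):
    """Match every decoded view of the value."""
    for view in candidate_views(raw):
        hit = match_signatures(view)
        if hit:
            return hit
    return None


# Constructed sample parameter values (already URL-decoded) for the demo.
XSS = b"<script>alert(1)</script>"
SAMPLES = {
    "plain": XSS,
    "base64": base64.b64encode(XSS),
    "utf16le": XSS.decode().encode("utf-16-le"),
    "utf16_bom_in_base64": base64.b64encode(b"\xff\xfe" + XSS.decode().encode("utf-16-le")),
    "sqli_base64": base64.b64encode(b"1 UNION SELECT user,pass FROM accounts"),
    "benign": b"hello world",
}


def demo():
    """Compare both inspectors over the samples; returns {name: (naive, decoding)}."""
    return {k: (naive_inspect(v), decoding_inspect(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, decoded) in demo().items():
        print(f"{name:22} naive={naive!s:18} with_decoding={decoded}")
```

Running the block shows the naive inspector flagging only the plain sample while the decoding inspector flags the base64, UTF-16 and nested samples too. A benign value that happens to be base64-shaped (for example an eight-letter word) decodes to meaningless bytes and simply adds a view that matches nothing, so the extra decoding costs CPU but not accuracy; the depth limit keeps a deliberately deep nesting from turning that cost into a denial of service on the inspector.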
The OpenAPI Validation feature has been enhanced to support the security mechanisms defined in OpenAPI 3.0.x specifications.
FortiWeb now supports running health checks against back-end servers in True Transparent Proxy (TTP) mode, except when FortiWeb is deployed in active-active standard HA mode.
For more information, see Defining your web servers.
You can now import an intermediate certificate for the FortiWeb admin interface.
For more information, see To upload the intermediate CA for the administrator.
FortiWeb now displays 7-day threat data in FortiView on the 3000E and 4000E models.
FortiWeb now allows you to monitor the following events through SNMP OIDs and traps.
Events monitored by SNMP OIDs: Virtual Server object status, Server Pool object status, Server Policy status, and Policy/Virtual Server traffic.
Events monitored by SNMP traps: Policy LDAP authentication failure and Policy RADIUS authentication failure.
For FortiWeb-VM, the maximum numbers of server policies, server pools, pool members, and virtual servers are all increased to 1024 when the memory is larger than 64 GB. The maximums for all types of certificates are raised to 1024 as well.
The maximum number of trusted hosts per administrator (configured in Admin > Administrator) is increased from 3 to 10.
The cookieless-cache CLI option has been added for cookieless authentication in the Site Publish rule, allowing flexible setting of the cache timeout value. When it is set to 0, FortiWeb sends an authentication request to the authentication server every time the user logs in.
For more information, see waf site-publish-helper rule.