Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

What's new

FortiWeb 7.0 offers the following new features and enhancements.

New features

API Discovery and Protection

Machine Learning Based API Discovery and Protection is introduced. Using machine learning algorithms FortiWeb parses the REST API schema and data structure and builds mathematical models to block any malicious API requests.

For more information, see Configuring API Protection Policy.

Enhancements

Dashboard and FortiView enhancements

New Widgets are introduced in Dashboard to display System information, security events, user tracking information, and FortiView statistics. The Monitor tab and FortiView tab are removed in this release.

For more information, see Dashboard.

New Action Type – Client ID Block Period

A new action type has been added - Client ID Block Period. It allows blocking a malicious user based on the FortiWeb generated client ID rather than source IP.

For more information, see the Block Method option in Client management.

Ability to block directly from FortiView

You can now conveniently block source IP addresses from FortiView.

OAuth 2.0 support

FortiWeb now supports OAuth 2.0 in Site Publish for front-end authentication.

For more information, see OAuth Authorization.

Personally Identifiable Information

The Personally Identifiable Information signature dictionary can now be used in custom rules.

Credential stuffing online query

It is now possible to use the extended FortiGuard credential stuffing database using an online query instead of the local DB query. The online database is larger and covers additional leaked credentials from data breaches. Enable it using the online database from CLI.

For more information, see "Credential Stuffing Online Check" in Tracking.

Exceptions in SQL/XSS-Syntax-Based-Detection (SBD) and Bot-Mitigation

You can now add exceptions in SQL/XSS-Syntax-Based-Detection (SBD) and Bot-Mitigation modules to mitigate false positives.

For more information, see Exception Policy.

Default route enhancements

To avoid conflict, the system route, HA static route, and DHCP route are now assigned with different priorities. Duplicate destination verification will be performed.

For more information, see "Static route priority" in Configuring the network settings.

Support for multiple wildcard admin users

It's now supported to set more than one wildcard admin users.

For more information, see "Group Name" in Grouping remote authentication queries and certificates for administrators

Shell access support

FortiWeb now supports Shell access SSH. You can enable it through config system global/set shell-access enable.

For more information, see config system global.

Support for HSM HA group

FortiWeb now supports HSM HA group containing two HSM servers.

For more information, see To integrate FortiWeb with SafeNet Network HSM 7 - HA mode.

LDAP server health check

You can now enable LDAP server health check so that user authentication will not be affected if some of the IP addresses associated with the LDAP domain name are down. Run config server-policy policy/set ldap-health enable to enable it.

Configuration change event logging enhancement

The event log has been enhanced to include additional information when the configuration changes (Log&Report > Event).

Traffic logging default behavior change

To avoid unnecessary resource consumption, the system by default doesn't generate traffic log for all server policies unless specified. In order for the traffic log to work, not only should it be enabled via “Other Log Settings” under Log&Report, but also in server policy settings via the CLI command config server-policy policy.

New VM16 license

VM-16 license is introduced to support up to 16 vCPUs.

FortiWeb-VM on OpenStack license file importing method update

FortiWeb-VM on Openstack has changed the license file importing method due to OpenStack changes.

Openstack Wallaby Support

FortiWeb-VM now supports the Openstack version Wallaby.

Azure load balancer support enhancements

FortiWeb-VMs can now be deployed in multiple shared back-end pools behind an Azure load balancer.

Optimization of GEO IP, IP List, and IP Reputation

To optimize performance FortiWeb now executes GEO IP, IP List, and IP Reputation policies at the TCP layer to avoid HTTP data being processed unnecessarily. This is only enabled when Server Objects > X-Forwarded-For is not used. It's now also supported to set the trigger action to Deny (no log) or Period Block to avoid alert flooding.

For more information, see the description of "Ignore X-Forwarded-For" and "Trigger Action" in GEO IP, IP List, and IP Reputation.

What's new

FortiWeb 7.0 offers the following new features and enhancements.

New features

API Discovery and Protection

Machine Learning Based API Discovery and Protection is introduced. Using machine learning algorithms FortiWeb parses the REST API schema and data structure and builds mathematical models to block any malicious API requests.

For more information, see Configuring API Protection Policy.

Enhancements

Dashboard and FortiView enhancements

New Widgets are introduced in Dashboard to display System information, security events, user tracking information, and FortiView statistics. The Monitor tab and FortiView tab are removed in this release.

For more information, see Dashboard.

New Action Type – Client ID Block Period

A new action type has been added - Client ID Block Period. It allows blocking a malicious user based on the FortiWeb generated client ID rather than source IP.

For more information, see the Block Method option in Client management.

Ability to block directly from FortiView

You can now conveniently block source IP addresses from FortiView.

OAuth 2.0 support

FortiWeb now supports OAuth 2.0 in Site Publish for front-end authentication.

For more information, see OAuth Authorization.

Personally Identifiable Information

The Personally Identifiable Information signature dictionary can now be used in custom rules.

Credential stuffing online query

It is now possible to use the extended FortiGuard credential stuffing database using an online query instead of the local DB query. The online database is larger and covers additional leaked credentials from data breaches. Enable it using the online database from CLI.

For more information, see "Credential Stuffing Online Check" in Tracking.

Exceptions in SQL/XSS-Syntax-Based-Detection (SBD) and Bot-Mitigation

You can now add exceptions in SQL/XSS-Syntax-Based-Detection (SBD) and Bot-Mitigation modules to mitigate false positives.

For more information, see Exception Policy.

Default route enhancements

To avoid conflict, the system route, HA static route, and DHCP route are now assigned with different priorities. Duplicate destination verification will be performed.

For more information, see "Static route priority" in Configuring the network settings.

Support for multiple wildcard admin users

It's now supported to set more than one wildcard admin users.

For more information, see "Group Name" in Grouping remote authentication queries and certificates for administrators

Shell access support

FortiWeb now supports Shell access SSH. You can enable it through config system global/set shell-access enable.

For more information, see config system global.

Support for HSM HA group

FortiWeb now supports HSM HA group containing two HSM servers.

For more information, see To integrate FortiWeb with SafeNet Network HSM 7 - HA mode.

LDAP server health check

You can now enable LDAP server health check so that user authentication will not be affected if some of the IP addresses associated with the LDAP domain name are down. Run config server-policy policy/set ldap-health enable to enable it.

Configuration change event logging enhancement

The event log has been enhanced to include additional information when the configuration changes (Log&Report > Event).

Traffic logging default behavior change

To avoid unnecessary resource consumption, the system by default doesn't generate traffic log for all server policies unless specified. In order for the traffic log to work, not only should it be enabled via “Other Log Settings” under Log&Report, but also in server policy settings via the CLI command config server-policy policy.

New VM16 license

VM-16 license is introduced to support up to 16 vCPUs.

FortiWeb-VM on OpenStack license file importing method update

FortiWeb-VM on Openstack has changed the license file importing method due to OpenStack changes.

Openstack Wallaby Support

FortiWeb-VM now supports the Openstack version Wallaby.

Azure load balancer support enhancements

FortiWeb-VMs can now be deployed in multiple shared back-end pools behind an Azure load balancer.

Optimization of GEO IP, IP List, and IP Reputation

To optimize performance FortiWeb now executes GEO IP, IP List, and IP Reputation policies at the TCP layer to avoid HTTP data being processed unnecessarily. This is only enabled when Server Objects > X-Forwarded-For is not used. It's now also supported to set the trigger action to Deny (no log) or Period Block to avoid alert flooding.

For more information, see the description of "Ignore X-Forwarded-For" and "Trigger Action" in GEO IP, IP List, and IP Reputation.