Fortinet black logo

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

What's new

FortiWeb 7.0.2 offers the following new features and enhancements.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) is an access control method that uses client device identification and Zero Trust tags to provide role-based application access for On-net local users and Off-net remote users. Access to applications is granted only after verifying the device and user identity, and then performing context-based posture checks using Zero Trust tags.

When a client connects to a virtual server, FortiWeb proxies the connection and takes steps to authenticate the user. It promotes the user for their certificate on the browser, and verifies this against the ZTNA endpoint record that is synchronized from the EMS. If this passes, traffic is allowed based on the ZTNA profile. If an site publish, such as SAML authentication, is configured in the web protection profile, the client is redirected to a captive portal for sign-on. It this also passes, FortiWeb returns the web page to the client.

For more information, see Zero Trust Network Access (ZTNA)

FortiClient EMS integration

As part of the ZTNA process, FortiWeb supports integrating FortiClient EMS through Fabric Connectors. ZTNA endpoint records are synchronized from the FortiClient EMS to verify the user's certificate.

For more information, see Configuring FortiClient EMS Connector for ZTNA

Scripting language support

FortiWeb now supports using Lua scripts to write simple, network aware pieces of code that will influence network traffic in a variety of ways. By using the scripts, you can customize FortiWeb's features by granularly controlling the traffic flow or even the contents of given sessions or packets.

For more information, see Script Reference Guide.

Threat Analytics integrated with FortiWeb Cloud

FortiWeb Cloud now integrates with FortiWeb appliances. Collect attack logs from all your FortiWeb platforms and leverage the power of threat analytics across your entire web assets.

For more information, see Analyzing attack logs in FortiWeb Cloud Threat Analytics.

Machine learning changes

  • Machine Learning > Anomaly Detection is moved to Web Protection > ML Based Anomaly Detection.

  • Machine Learning > Bot Detection is moved to Bot Mitigation > ML Based Bot Detection.

  • Machine Learning > API Protection is moved to API Protection > ML Based API Protection.

Machine learning based API Protection statistics

FortiWeb now provides more statistics graphs on the domain level and endpoints level of the API Protection data.

Domain usage statistics

On Status page, a new widget is added to show the domain usage statistics for Machine Learning Based API Protection and Anomaly Detection.

X-Forwarded-For header full scan

It's now supported to scan all the IP addresses listed in the X-Forwarded-For header against IP reputation. Turn on Block Using Full Scan in Serve Objects > X-Forwarded-For.

For more information, see Defining your proxies, clients, & X-headers.

Credential Stuffing local check

Credential Stuffing credentials can now be tested with both local DB and online DB servers.

Sensitivity level for signatures

Signatures now include Sensitivity Levels. You can choose from four categories of attack signatures (L1 to L4) based on their sensitivity to false positives and their requirement for a higher security level. Every level adds additional signatures thus increasing security but also the possibility of blocking legitimate traffic.

Currently available through CLI only.

For more information, see paranoia-level in config waf signature.

HTTP method and protocol check

In URL Access Rule, you can now specify the HTTP methods and protocols to check, so that only the matched requests will be passed for further scan.

For more information, see Restricting access to specific URLs.

Port and sub-domain match in hostnames

FortiWeb now supports protecting hostnames with ports or sub-domains. Enable Ignore Port or Include Sub-domain in Server Objects > Protected Hostnames.

For more information, see Defining your protected/allowed HTTP “Host:” header names.

File security enhancements

  • You can now clear the cache of the scan results from ICAP Server.

  • In addition to the pre-defined file types, you can now specify custom file types.

For more information, see Limiting file uploads and excute icap-cache clear.

Policy based allow list

Instead of global allow list, you can now apply allow list at the policy level.

For more information, see Configuring the allow list at server policy level.

Chunk encoding

You can enable chunk-encoding in config server-policy policy to encode the response packets.

More flexible x509-certificate-subject match in content routing

Content Routing now supports matching against x509-certificate-Subject by the following options: Match prefix, Match suffix, Match contains, Is equal to and Regular Expression.

For more information, see Defining your web servers.

Allowing editing server pool in HTTP content routing

It's now allowed to edit server pool when creating or editing an HTTP content routing policy in a server policy.

SSL ciphers enhancements

  • You can now group SSL ciphers and reference the group in server policy and server pool settings.

  • Most ciphers in Advanced SSL Settings are supported when HTTP/2 is enabled.

For more information, see Supported cipher suites & protocol versions.

SAML authentication enhancement

The CPU consumption is improved when the system runs SAML authentication.

Intermediate CA authentication

FortiWeb now supports partial certificate chain validation. External clients can be validated by the Intermediate CA only.

For more information, see config system certificate verify.

LetsEncrypt Certificate enhancements

  • It's now supported to set the renew interval of the LetsEncrypt Certificate.

  • Multiple FQDNs are now supported in a single LetsEncrypt Certificate.

For more information, see "Let's Encrypt certificates" in How to offload or inspect HTTPS.

Support password change for RADIUS server user authentication

FortiWeb now supports the users authenticated by RADIUS server to change their passwords.

FortiAuthenticator authorization

FortiWeb now supports FortiAuthenticator authorization, which allows users to access your application through logging in with FortiAuthenticator.

More than one ADOMs for an administrator

One administrator can now manage multiple ADOMs.

Database version in event log

When signature database is upgraded, the database version can now be recorded in the event log.

XML validation attack logs enhancement

The XML validation attack logs are now enhanced to provide detailed information on why the validation fails.

OWASP API Top10 attack log field

FortiWeb now records the OWASP API Top10 attack categories in attack logs, and you can now filter the attack logs by OWASP API Top10. It's also supported to turn on or off the OWASP API Top10 attack fields by running set owasp_api_top10_log_field {enable/disable} in config waf web-protection-profile inline-protection.

Historical update information added in diagnose system update

The date and time of the historical updates can be printed out in diagnose system update.

The comlog command support

FortiWeb now supports comlog command: diagnose debug comlog {info|read|clear|disable|enable}.

For more information, see diagnose debug comlog.

Health probe port in Azure Load balancer deployment

When FortiWeb-VMs are deployed behind an Azure Load Balancer, you can configure a dedicated port to reply the Health Probe response.

Certificate maximum increased on VM16, 4000E, and 4000F

For VM16 platform, the limits of the local, multi-certificate, inline SNI, CA, intermediate CA, CRL, and certificate will be raised to 5000.

For 4000E, 4000F, and VM16 platforms, the limit of the sub-table in Inline SNI will be raised to 2048.

Full configuration sync via HA on Google Cloud

FortiWeb-VMs deployed on Google Cloud now supports full configuration synchronization via HA clusters.

Unicast HA heartbeat on VMWare

FortiWeb-VM on VMware now supports Unicast HA heartbeat in Active-Passive HA mode.

What's new

FortiWeb 7.0.2 offers the following new features and enhancements.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) is an access control method that uses client device identification and Zero Trust tags to provide role-based application access for On-net local users and Off-net remote users. Access to applications is granted only after verifying the device and user identity, and then performing context-based posture checks using Zero Trust tags.

When a client connects to a virtual server, FortiWeb proxies the connection and takes steps to authenticate the user. It promotes the user for their certificate on the browser, and verifies this against the ZTNA endpoint record that is synchronized from the EMS. If this passes, traffic is allowed based on the ZTNA profile. If an site publish, such as SAML authentication, is configured in the web protection profile, the client is redirected to a captive portal for sign-on. It this also passes, FortiWeb returns the web page to the client.

For more information, see Zero Trust Network Access (ZTNA)

FortiClient EMS integration

As part of the ZTNA process, FortiWeb supports integrating FortiClient EMS through Fabric Connectors. ZTNA endpoint records are synchronized from the FortiClient EMS to verify the user's certificate.

For more information, see Configuring FortiClient EMS Connector for ZTNA

Scripting language support

FortiWeb now supports using Lua scripts to write simple, network aware pieces of code that will influence network traffic in a variety of ways. By using the scripts, you can customize FortiWeb's features by granularly controlling the traffic flow or even the contents of given sessions or packets.

For more information, see Script Reference Guide.

Threat Analytics integrated with FortiWeb Cloud

FortiWeb Cloud now integrates with FortiWeb appliances. Collect attack logs from all your FortiWeb platforms and leverage the power of threat analytics across your entire web assets.

For more information, see Analyzing attack logs in FortiWeb Cloud Threat Analytics.

Machine learning changes

  • Machine Learning > Anomaly Detection is moved to Web Protection > ML Based Anomaly Detection.

  • Machine Learning > Bot Detection is moved to Bot Mitigation > ML Based Bot Detection.

  • Machine Learning > API Protection is moved to API Protection > ML Based API Protection.

Machine learning based API Protection statistics

FortiWeb now provides more statistics graphs on the domain level and endpoints level of the API Protection data.

Domain usage statistics

On Status page, a new widget is added to show the domain usage statistics for Machine Learning Based API Protection and Anomaly Detection.

X-Forwarded-For header full scan

It's now supported to scan all the IP addresses listed in the X-Forwarded-For header against IP reputation. Turn on Block Using Full Scan in Serve Objects > X-Forwarded-For.

For more information, see Defining your proxies, clients, & X-headers.

Credential Stuffing local check

Credential Stuffing credentials can now be tested with both local DB and online DB servers.

Sensitivity level for signatures

Signatures now include Sensitivity Levels. You can choose from four categories of attack signatures (L1 to L4) based on their sensitivity to false positives and their requirement for a higher security level. Every level adds additional signatures thus increasing security but also the possibility of blocking legitimate traffic.

Currently available through CLI only.

For more information, see paranoia-level in config waf signature.

HTTP method and protocol check

In URL Access Rule, you can now specify the HTTP methods and protocols to check, so that only the matched requests will be passed for further scan.

For more information, see Restricting access to specific URLs.

Port and sub-domain match in hostnames

FortiWeb now supports protecting hostnames with ports or sub-domains. Enable Ignore Port or Include Sub-domain in Server Objects > Protected Hostnames.

For more information, see Defining your protected/allowed HTTP “Host:” header names.

File security enhancements

  • You can now clear the cache of the scan results from ICAP Server.

  • In addition to the pre-defined file types, you can now specify custom file types.

For more information, see Limiting file uploads and excute icap-cache clear.

Policy based allow list

Instead of global allow list, you can now apply allow list at the policy level.

For more information, see Configuring the allow list at server policy level.

Chunk encoding

You can enable chunk-encoding in config server-policy policy to encode the response packets.

More flexible x509-certificate-subject match in content routing

Content Routing now supports matching against x509-certificate-Subject by the following options: Match prefix, Match suffix, Match contains, Is equal to and Regular Expression.

For more information, see Defining your web servers.

Allowing editing server pool in HTTP content routing

It's now allowed to edit server pool when creating or editing an HTTP content routing policy in a server policy.

SSL ciphers enhancements

  • You can now group SSL ciphers and reference the group in server policy and server pool settings.

  • Most ciphers in Advanced SSL Settings are supported when HTTP/2 is enabled.

For more information, see Supported cipher suites & protocol versions.

SAML authentication enhancement

The CPU consumption is improved when the system runs SAML authentication.

Intermediate CA authentication

FortiWeb now supports partial certificate chain validation. External clients can be validated by the Intermediate CA only.

For more information, see config system certificate verify.

LetsEncrypt Certificate enhancements

  • It's now supported to set the renew interval of the LetsEncrypt Certificate.

  • Multiple FQDNs are now supported in a single LetsEncrypt Certificate.

For more information, see "Let's Encrypt certificates" in How to offload or inspect HTTPS.

Support password change for RADIUS server user authentication

FortiWeb now supports the users authenticated by RADIUS server to change their passwords.

FortiAuthenticator authorization

FortiWeb now supports FortiAuthenticator authorization, which allows users to access your application through logging in with FortiAuthenticator.

More than one ADOMs for an administrator

One administrator can now manage multiple ADOMs.

Database version in event log

When signature database is upgraded, the database version can now be recorded in the event log.

XML validation attack logs enhancement

The XML validation attack logs are now enhanced to provide detailed information on why the validation fails.

OWASP API Top10 attack log field

FortiWeb now records the OWASP API Top10 attack categories in attack logs, and you can now filter the attack logs by OWASP API Top10. It's also supported to turn on or off the OWASP API Top10 attack fields by running set owasp_api_top10_log_field {enable/disable} in config waf web-protection-profile inline-protection.

Historical update information added in diagnose system update

The date and time of the historical updates can be printed out in diagnose system update.

The comlog command support

FortiWeb now supports comlog command: diagnose debug comlog {info|read|clear|disable|enable}.

For more information, see diagnose debug comlog.

Health probe port in Azure Load balancer deployment

When FortiWeb-VMs are deployed behind an Azure Load Balancer, you can configure a dedicated port to reply the Health Probe response.

Certificate maximum increased on VM16, 4000E, and 4000F

For VM16 platform, the limits of the local, multi-certificate, inline SNI, CA, intermediate CA, CRL, and certificate will be raised to 5000.

For 4000E, 4000F, and VM16 platforms, the limit of the sub-table in Inline SNI will be raised to 2048.

Full configuration sync via HA on Google Cloud

FortiWeb-VMs deployed on Google Cloud now supports full configuration synchronization via HA clusters.

Unicast HA heartbeat on VMWare

FortiWeb-VM on VMware now supports Unicast HA heartbeat in Active-Passive HA mode.