Administration Guide

What's new

FortiWeb 7.2.1 offers the following new features and enhancements.

Custom rule enhancements

  • HTTP Methods scan is now a separate filter rather than part of the HTTP headers filter. More HTTP method types are supported, including WEBDAV, RPC, and OTHERS.

  • To target the inspection point more precisely, the parameter filter can now scan only the parameters in the URL or only the parameters in the HTTP body.

For more information, see Custom Policy.

Reverse DNS lookup timeout setting in URL Access rules

To prevent the process from hanging for a long time, you can now set a timeout that limits how long a reverse DNS lookup in a URL Access rule may take.

For more information, see Restricting access based on specific URLs.

IP groups

You can now create IP groups in Server Objects > IP Groups and reference them in modules that require IP addresses or IP ranges. IP groups are currently supported in IP Protection > IP List and will be introduced in other modules in future releases.

For more information, see Creating IP groups.

Lua script update

A new predefined Lua script, "SSL_COMMANDS", is added. The newly supported SSL commands retrieve information about the SSL handshake, such as the SNI status, the SSL ciphers, and the certificate verification status.

For more information, see "SSL commands" in Script Reference.

JSON Protection enhancements

  • You can now choose the JSON schema version so that the system checks whether the uploaded JSON schema file is valid against the specified version.

  • Multiple JSON schemas can now be added to one group and referenced in JSON Protection rules.

For more information, see Configuring JSON protection.

Support defining "format" for "string" type in OpenAPI file

In an OpenAPI file, the optional modifier property "format" of the "string" type can be set to "email" (RFC 5322) or "uuid" (RFC 4122).

For example:

  id:
    type: string
    format: uuid
  work-email:
    type: string
    format: email

The accepted values are "email", "Email", and "EMAIL" for email addresses, and "uuid" and "UUID" for UUIDs. Matching is case sensitive, so no other spelling is accepted; for example, UuID is rejected.

For more information, see OpenAPI Validation.
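The following is an added example, not code from FortiWeb or this guide, that models the behaviour described above: a declared "format" is recognised only in one of the exact spellings listed, and values are then checked for RFC 4122 UUID syntax or (with a simplified addr-spec pattern standing in for full RFC 5322 parsing, which is an assumption) e-mail syntax. The schema fragment and payloads are constructed.

```python
import re
import uuid

# Exact "format" spellings accepted for "string" fields, per the release note.
# Matching is case sensitive, so the map holds only these keys.
ACCEPTED_FORMATS = {
    "email": "email", "Email": "email", "EMAIL": "email",
    "uuid": "uuid", "UUID": "uuid",
}

# Simplified RFC 5322 addr-spec (local-part@domain with at least one dot in the
# domain). This stands in for the appliance's own matcher, which is not documented here.
_EMAIL_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
)


def normalize_format(fmt):
    """Return the canonical format name, or None if the spelling is not accepted."""
    return ACCEPTED_FORMATS.get(fmt)


def is_rfc4122_uuid(value):
    """True only for the canonical 8-4-4-4-12 hexadecimal form of RFC 4122."""
    if not isinstance(value, str):
        return False
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    # uuid.UUID also tolerates braces, a urn: prefix and missing hyphens;
    # comparing against the canonical string rejects those variants.
    return str(parsed) == value.lower()


def is_rfc5322_email(value):
    """Simplified e-mail syntax check with the RFC 5321 length cap."""
    return isinstance(value, str) and len(value) <= 254 and bool(_EMAIL_RE.match(value))


CHECKERS = {"uuid": is_rfc4122_uuid, "email": is_rfc5322_email}


def validate_object(schema_properties, payload):
    """Check each string property of payload against its declared format.

    schema_properties is the "properties" mapping of an OpenAPI object schema.
    Returns a list of (field, reason) problems; an empty list means the payload passes.
    """
    problems = []
    for name, prop in schema_properties.items():
        if prop.get("type") != "string" or "format" not in prop:
            continue
        canonical = normalize_format(prop["format"])
        if canonical is None:
            problems.append((name, "unsupported format spelling %r" % prop["format"]))
            continue
        value = payload.get(name)
        if value is None:
            continue  # required-field handling is outside this example
        if not CHECKERS[canonical](value):
            problems.append((name, "value %r is not a valid %s" % (value, canonical)))
    return problems


# Constructed schema fragment mirroring the release-note example.
SCHEMA_PROPERTIES = {
    "id": {"type": "string", "format": "uuid"},
    "work-email": {"type": "string", "format": "email"},
}

if __name__ == "__main__":
    good = {"id": "123e4567-e89b-12d3-a456-426614174000", "work-email": "alice@example.com"}
    bad = {"id": "not-a-uuid", "work-email": "alice@@example"}
    print(validate_object(SCHEMA_PROPERTIES, good))
    print(validate_object(SCHEMA_PROPERTIES, bad))
```

Note that a misspelt format such as "UuID" is reported as a schema problem rather than silently skipped, which is the safer failure mode for a validation rule.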

HTTP header insertion in URL rewrite rule

You can now insert more than one HTTP header when rewriting a URL. Configure this in Application Delivery > URL Rewriting.

Host and peer verification in Fetch URL & Quarantine IP

Fetch URL & Quarantine IP can now establish HTTPS connections with FortiGuard or back-end servers and verify their TLS certificates. Configure this in System > Config > FortiGate Integration and in Web Protection > Input Validation > Hidden Fields.

Validating server certificate when connecting with FortiClient EMS

You can now configure FortiWeb to validate the server certificate when connecting with FortiClient EMS. Enable Server Certificate for the FortiClient EMS fabric connector (System > Fabric Connector).

OAuth Authorization enhancement

Strict TLS verification of the traffic between FortiWeb and third-party OAuth authorization servers is now supported even when a custom CA certificate is used.

For more information, see OAuth Authorization.

Least response time load balancing algorithm

The back-end server load balancing algorithm now supports Least Response Time and Probabilistic Weighted Least Response Time. These distribute incoming traffic to the server with the shortest average response time and the lowest number of connections, so that clients are connected to the most efficient back-end server.

For more information, see Defining your web servers.
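The following added example illustrates how a least-response-time selector of the kind described above works; it is not FortiWeb's implementation. Each pool member keeps an exponentially weighted moving average of its response time; the deterministic variant picks the lowest average and breaks ties on active connections, and the probabilistic variant draws a member at random with probability proportional to weight divided by (average response time times connection load). The EWMA smoothing factor, the scoring formula of the probabilistic variant and the sample latencies are assumptions made for illustration.

```python
import random


class Backend:
    """One server-pool member with an EWMA of its observed response time."""

    def __init__(self, name, weight=1):
        self.name = name
        self.weight = weight
        self.avg_rt_ms = None  # unknown until the first response is observed
        self.active_conns = 0

    def record_response(self, rt_ms, alpha=0.3):
        # EWMA keeps recent latency influential without letting one outlier dominate.
        if self.avg_rt_ms is None:
            self.avg_rt_ms = float(rt_ms)
        else:
            self.avg_rt_ms = (1 - alpha) * self.avg_rt_ms + alpha * rt_ms


def least_response_time(backends):
    """Deterministic pick: shortest average response time, ties broken by fewest active connections."""
    def key(b):
        # Members with no measurement yet sort first so each one gets probed once.
        rt = -1.0 if b.avg_rt_ms is None else b.avg_rt_ms
        return (rt, b.active_conns)
    return min(backends, key=key)


def probabilistic_weighted_lrt(backends, rng=random):
    """Weighted random pick: score = weight / (avg_rt_ms * (1 + active_conns)).

    Faster, less loaded members are chosen more often but slower ones still receive
    some traffic, so their averages keep being refreshed. Illustrative formula only.
    """
    scores = []
    for b in backends:
        rt = 1.0 if b.avg_rt_ms is None else max(b.avg_rt_ms, 1e-3)  # guard against zero
        scores.append(b.weight / (rt * (1 + b.active_conns)))
    return rng.choices(backends, weights=scores, k=1)[0]


def build_sample_pool():
    """Constructed pool: a is slow, b and c are fast, c is already busy."""
    a, b, c = Backend("a"), Backend("b"), Backend("c")
    for rt in (120, 110):
        a.record_response(rt)
    for rt in (40, 45):
        b.record_response(rt)
        c.record_response(rt)
    c.active_conns = 3
    return [a, b, c]


def pick_distribution(backends, draws=2000, seed=1):
    """Count how often each member is chosen by the probabilistic variant with a fixed seed."""
    rng = random.Random(seed)
    counts = {b.name: 0 for b in backends}
    for _ in range(draws):
        counts[probabilistic_weighted_lrt(backends, rng).name] += 1
    return counts


if __name__ == "__main__":
    pool = build_sample_pool()
    print("least response time ->", least_response_time(pool).name)
    print("probabilistic distribution ->", pick_distribution(pool))
```

The tie-break on active connections is what keeps two equally fast servers from both being hammered when one is already busy, which is the behaviour the release note describes.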

Request redirection

  • Requests for a naked domain can now be redirected to the "www" domain.

  • The status code for redirecting HTTP to HTTPS is changed from 301 to 302.

For more information, see Configuring an HTTP server policy.

Health check result synchronization

When several server pools share the same IP address, it is unnecessary to run a health check against every pool. Use the following command to share the health check result across multiple server pools.

config server-policy health
  edit "<health-check_name>"
    set group-id <int>
    set role {master | slave}
  next
end

With this command, you can create several health checks with the same group-id, assigning the master role to one of them and the slave role to the rest. The health check result is automatically pushed from the master to the slaves.

Shell access enhancements

  • You can now view the history of commands executed in Shell. Run diagnose debug shell-access history show.

  • To secure Shell access, you can now restrict it to trusted hosts only.

    Run the following commands to set the history size and specify trusted hosts.

    config system global
      set shell-access enable
      set shell-history-size <int>
      set shell-trusthostv4 <IPv4_address_range>
      set shell-trusthostv6 <IPv6_address_range>
    end

For more information, see config system global.

Replacement Message enhancement

%%USERNAME%% and %%RAWNAME%% are introduced in the Replacement Message so that you can configure FortiWeb to display usernames in different formats, such as "username@abc.com" or "username".

For more information, see Customizing error and authentication pages (replacement messages).

RFC-9719 compliance

RFC-9719 TLS security can now be applied to both inbound and outbound HTTPS connections with FortiWeb. Configure this in Server Pool and Server Policy.

For more information, see Defining your web servers and Configuring an HTTP server policy.

Up to 4096 bits key size supported for Let's Encrypt certificates

RSA keys of 2048, 3072, or 4096 bits can now be used for certificates issued by the Let's Encrypt server. Note that larger keys provide stronger security but consume more computing resources.

For more information, see Let's Encrypt certificates.

Support forwarding logs to ELK

Attack and traffic packet logs can now be sent to syslog servers in JSON format over TCP or TLS. Configure this in Log&Report > Log Policy > Syslog Policy.
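On the receiving side, JSON logs arriving over a TCP or TLS stream have no message boundaries other than the framing the sender uses, so a collector must reassemble records that are split across reads and cope with malformed lines. The following added example (not FortiWeb code, and not a description of FortiWeb's log schema) shows a small stream reassembler for newline-delimited JSON with an optional syslog <PRI> prefix. Newline framing, the field names (type, srcip, http_host, msg, status) and the sample chunks are all constructed for this illustration.

```python
import json


class JsonSyslogStream:
    """Reassembles newline-delimited JSON log records from a TCP/TLS byte stream.

    One read may carry part of a record or several records, so bytes are buffered
    until a complete line is available. Newline framing is an assumption here.
    """

    MAX_RECORD = 64 * 1024  # cap the buffer so a misbehaving peer cannot grow it unbounded

    def __init__(self):
        self.buf = b""
        self.dropped = 0  # oversized or undecodable records

    def feed(self, data):
        """Append raw bytes from the socket and return every complete record decoded so far."""
        self.buf += data
        records = []
        while True:
            nl = self.buf.find(b"\n")
            if nl < 0:
                if len(self.buf) > self.MAX_RECORD:
                    self.buf = b""
                    self.dropped += 1
                return records
            line, self.buf = self.buf[:nl], self.buf[nl + 1:]
            rec = parse_record(line)
            if rec is None:
                self.dropped += 1
            else:
                records.append(rec)


def parse_record(line):
    """Strip an optional syslog <PRI> prefix and decode the JSON object that follows."""
    text = line.decode("utf-8", errors="replace").strip()
    if text.startswith("<"):
        end = text.find(">")
        if 0 < end < 6 and text[1:end].isdigit():
            text = text[end + 1:].lstrip()
    if not text:
        return None
    try:
        rec = json.loads(text)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def summarize_attacks(records):
    """Count attack records per source IP (constructed field names)."""
    counts = {}
    for rec in records:
        if rec.get("type") == "attack":
            src = rec.get("srcip", "?")
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample: two socket reads, with the second record split across them
# and one non-JSON line that must be dropped without disturbing the rest.
CHUNKS = [
    b'<134>{"type":"attack","srcip":"203.0.113.7","http_host":"shop.example.com","msg":"SQL Injection"}\n'
    b'<134>{"type":"traffic","srcip":"198.51.1',
    b'00.25","http_host":"shop.example.com","status":200}\n'
    b'{"type":"attack","srcip":"203.0.113.7","msg":"XSS"}\n'
    b'not json\n',
]


def demo():
    """Feed the constructed chunks through the reassembler; return (records, dropped_count)."""
    stream = JsonSyslogStream()
    records = []
    for chunk in CHUNKS:
        records.extend(stream.feed(chunk))
    return records, stream.dropped


if __name__ == "__main__":
    recs, dropped = demo()
    print(len(recs), "records,", dropped, "dropped")
    print(summarize_attacks(recs))
```

Keeping a drop counter rather than raising on the first bad line matters operationally: one corrupt record should not stall ingestion of everything behind it on the same connection.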

RBE attack log enhancement

The HTTP host and URL are now included in the RBE (including RBE, CAPTCHA, and reCAPTCHA) attack logs to help with troubleshooting.

Support updating the URL of Google reCAPTCHA service

You can now edit the URL of the Google reCAPTCHA service so that you can update it promptly when Google changes it.

For more information, see config system recaptcha-api.

Restrict ADOM admin permissions to VIPs

Global administrators can create, edit, and delete VIPs, while ADOM administrators can now only view the VIPs assigned to their ADOM.
