
Administration Guide

WAF features

HTTP/3 Support

FortiWeb now supports the HTTP/3 protocol for the traffic between FortiWeb and the client in Reverse Proxy mode.

Threat Protection model update

We have introduced a major update to the Threat Protection model. The update follows extended research and testing, with large data sets used for model training. It increases model accuracy and reduces both false positives and false negatives. We will continue to collect data to refine the model further; future updates will be published along with the FDS updates.

Built-in allowed domains in MiTB protection

To simplify configuration, we have included a built-in list of well-known third-party external resources that are commonly loaded through AJAX requests. The suggested list is available in the Allowed External Domains for AJAX Request table of the Man in the Browser Protection module. Review the built-in entries against the resources your applications actually load before enabling them, since every allowed domain is one the page may fetch from without triggering MiTB protection.

AJAX check for cross-site request forgery (CSRF) requests

Previously, CSRF protection checked only the static links in a page, such as <a> and <form> tags. Starting from version 7.6.0, FortiWeb also scans CSRF requests issued by JavaScript XMLHttpRequest calls embedded in the page, also known as AJAX requests.

DoS Protection Exception Policy

You can create an exception policy to skip DoS attack scans for source IPs that are known to trigger false positives during normal use. The exception policy can be applied in the DoS Protection Policy, HTTP Access Limit, Malicious IPs, HTTP Flood, and TCP Flood policies.

Obscuring sensitive data in the gRPC API responses

For gRPC API traffic, FortiWeb now supports obscuring sensitive data in the server's response when it matches the Information Disclosure and Personally Identifiable Information signatures.

Known Good Bots subcategories

Previously, Known Good Bots had only one category, "Known Search Engines". Starting from version 7.6.0, we have added more good bots to the list and divided them into smaller groups for easier management. You can now set different actions for different Known Good Bots sub-categories.

URL Rewrite enhancements

We have implemented the following enhancements to the URL Rewrite module.

  • Cookie removal from the HTTP header based on cookie name.

  • Cookie value insertion or replacement based on cookie name.

  • HTTP body replacement.
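To make the semantics of these three rewrites concrete, here is an added Python example. It is not FortiWeb code and the function names are illustrative; the sample Cookie headers, response body and regular expression are constructed for the example. It removes a cookie by name, inserts or replaces a cookie value (collapsing duplicate names so the backend sees exactly one copy), and rewrites a response body while keeping Content-Length consistent.

```python
import re


def parse_cookie_header(header):
    """Split a request Cookie header into an ordered list of (name, value) pairs.

    Order and duplicates are preserved on purpose: RFC 6265 allows a client to
    send the same name twice, and backends differ on which copy wins.
    """
    pairs = []
    for part in (header or "").split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def build_cookie_header(pairs):
    """Serialise (name, value) pairs back into a Cookie header value."""
    return "; ".join("%s=%s" % (n, v) for n, v in pairs)


def remove_cookie(header, name):
    """Drop every cookie called `name` (case-sensitive match, as in RFC 6265)."""
    return build_cookie_header(p for p in parse_cookie_header(header) if p[0] != name)


def set_cookie_value(header, name, value, insert_if_missing=True):
    """Replace the value of `name`, keeping only one copy; insert it when absent."""
    out, seen = [], False
    for n, v in parse_cookie_header(header):
        if n != name:
            out.append((n, v))
        elif not seen:
            out.append((n, value))
            seen = True
        # further copies of `name` are dropped so the backend sees exactly one
    if not seen and insert_if_missing:
        out.append((name, value))
    return build_cookie_header(out)


def rewrite_body(body, pattern, replacement, headers):
    """Regex-replace in an already decompressed response body and fix Content-Length.

    Returns (new_body, new_headers). The rewrite must run after any
    Content-Encoding has been removed, and Content-Length must track the new
    size, otherwise the client receives a truncated or over-long response.
    """
    new_body = re.sub(pattern, replacement, body)
    new_headers = dict(headers)
    new_headers["Content-Length"] = str(len(new_body))
    return new_body, new_headers


# Constructed samples: a tracking cookie to strip, a region cookie to pin,
# and a response body leaking an internal hostname.
SAMPLE_COOKIES = "session=abc123; debug=1; theme=dark"
SAMPLE_BODY = b'<a href="http://app-internal.corp:8080/x">'
SAMPLE_HEADERS = {"Content-Type": "text/html", "Content-Length": str(len(SAMPLE_BODY))}

if __name__ == "__main__":
    print(remove_cookie(SAMPLE_COOKIES, "debug"))
    print(set_cookie_value(SAMPLE_COOKIES, "theme", "light"))
    print(set_cookie_value(SAMPLE_COOKIES, "region", "eu"))
    body, hdrs = rewrite_body(SAMPLE_BODY, rb"http://app-internal\.corp:8080",
                              b"https://www.example.com", SAMPLE_HEADERS)
    print(body, hdrs["Content-Length"])
```

The duplicate-name handling is the part worth thinking about: if a rewrite only replaced the first `session=` and left a second one in place, the backend's own cookie parser decides which value wins, which is exactly the ambiguity the WAF was meant to remove.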

Support for the "deflate" compression type

FortiWeb now supports the "deflate" compression type. Deflate-compressed content is decompressed and scanned by the security modules to verify that it is legitimate.
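As an added example (not FortiWeb code), the Python below shows what decompressing "deflate" content for inspection involves in practice: both the zlib-wrapped form (RFC 1950) and raw deflate (RFC 1951) arrive under the same Content-Encoding name, and the expansion has to be capped so that a few kilobytes of input cannot inflate into gigabytes before the scanner ever sees a byte. The size and ratio limits, the function names and the sample bodies are all assumptions constructed for this example.

```python
import zlib

# Policy values assumed for this example; a real deployment tunes them per application.
MAX_INFLATED_BYTES = 1024 * 1024   # refuse bodies that inflate past 1 MiB
MAX_RATIO = 100                    # refuse bodies that inflate more than 100x


class InflateError(ValueError):
    """Raised when a deflate body cannot be safely expanded for scanning."""


def _inflate(body, wbits, max_out):
    d = zlib.decompressobj(wbits=wbits)
    # max_length makes zlib stop producing output at the cap instead of
    # expanding the whole stream into memory first.
    out = d.decompress(body, max_out + 1)
    if len(out) > max_out or d.unconsumed_tail:
        raise InflateError("inflated size exceeds %d bytes" % max_out)
    if not d.eof:
        raise InflateError("truncated or corrupt deflate stream")
    return out


def inflate_for_scan(body, max_out=MAX_INFLATED_BYTES, max_ratio=MAX_RATIO):
    """Expand a Content-Encoding: deflate body so signature scanning sees plaintext.

    Clients send both the zlib-wrapped form (RFC 1950) and raw deflate (RFC 1951)
    under the name "deflate"; the wrapped form is tried first, then raw.
    """
    try:
        out = _inflate(body, zlib.MAX_WBITS, max_out)        # zlib-wrapped
    except zlib.error:
        try:
            out = _inflate(body, -zlib.MAX_WBITS, max_out)   # raw deflate
        except zlib.error as exc:
            raise InflateError("not a deflate stream: %s" % exc) from exc
    # A body that fits under the byte cap can still be a bomb relative to its
    # own size; reject extreme ratios as well.
    if len(out) > max_ratio * max(len(body), 1):
        raise InflateError("compression ratio %d:1 looks like a decompression bomb"
                           % (len(out) // max(len(body), 1)))
    return out


# Constructed samples: one request body in both encodings, plus two bombs.
SAMPLE_BODY = b"q=" + b"A" * 300 + b"&sort=asc&page=1"
WRAPPED = zlib.compress(SAMPLE_BODY)                 # RFC 1950: header + deflate + adler32
RAW = WRAPPED[2:-4]                                  # strip the wrapper: RFC 1951 raw deflate
BIG_BOMB = zlib.compress(b"\0" * (8 * 1024 * 1024))  # 8 MiB of zeros in a few KiB
RATIO_BOMB = zlib.compress(b"\0" * (1024 * 1024))    # exactly 1 MiB: passes the cap, fails the ratio
TRUNCATED = WRAPPED[:-6]                             # stream cut before its end marker

if __name__ == "__main__":
    print(inflate_for_scan(WRAPPED) == SAMPLE_BODY, inflate_for_scan(RAW) == SAMPLE_BODY)
    for name, sample in (("big", BIG_BOMB), ("ratio", RATIO_BOMB), ("truncated", TRUNCATED)):
        try:
            inflate_for_scan(sample)
        except InflateError as e:
            print(name, "rejected:", e)
```

The fallback order matters: a raw deflate stream fed to a zlib-wrapped decoder fails immediately on the header check, while the reverse usually fails on the block type, so trying wrapped first costs nothing and avoids misreading a wrapper byte as a deflate block.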

XFF trust IPs

For the Trusted X-Header Sources table in Server Objects > X-Forwarded-For, the previous limit of 256 IP address entries has been removed. You can now also define IP ranges and IP groups in this table. Only list proxies you control or contract with: any source in this table can set the client IP that FortiWeb's IP-based policies act on.
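The following added Python example (not FortiWeb code) illustrates why the trusted-source list matters. X-Forwarded-For is honoured only when the TCP peer is itself a trusted source, and the client address is taken from the right-hand end of the chain, skipping trusted hops, so anything a client prepended itself is ignored. The trusted ranges, the helper names and the sample headers are constructed for this example.

```python
import ipaddress

# Trusted X-Header sources, constructed for this example. Single addresses,
# ranges and a group are all expressed as networks.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),         # internal load balancers
    ipaddress.ip_network("203.0.113.0/24"),     # upstream CDN edge range
    ipaddress.ip_network("198.51.100.7/32"),    # one reverse proxy
    ipaddress.ip_network("2001:db8:1::/48"),    # IPv6 proxy range
]


def is_trusted(addr):
    """True if addr falls inside any trusted source entry."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip.version == net.version and ip in net for net in TRUSTED_SOURCES)


def client_ip(peer_ip, xff_header):
    """Pick the address that IP-based policies (rate limits, reputation, geo) act on.

    peer_ip    -- the TCP peer that connected to the WAF
    xff_header -- the X-Forwarded-For header value, or None
    """
    # A peer that is not a trusted proxy can put anything in the header: ignore it.
    if not xff_header or not is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk from the right: each trusted proxy appended the address it saw, so the
    # first untrusted address from the right is the real client. Everything to
    # its left was supplied by the client and may be spoofed.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip          # malformed hop: fall back to the TCP peer
        if not is_trusted(hop):
            return hop
    # Every hop is a trusted proxy (e.g. a probe originating inside the chain).
    return hops[0]


if __name__ == "__main__":
    # Constructed cases: spoofed prefix, untrusted peer, IPv6 chain, malformed hop.
    for peer, xff in (("10.1.2.3", "1.2.3.4, 198.51.100.9, 10.9.9.9"),
                      ("192.0.2.5", "10.0.0.1"),
                      ("203.0.113.4", "2001:db8:99::1, 2001:db8:1::5"),
                      ("10.1.2.3", "garbage, 10.0.0.2")):
        print(peer, "|", xff, "->", client_ip(peer, xff))
```

Note the first case: the client wrote `1.2.3.4` into the header before the request reached any proxy, and it is correctly discarded because a trusted hop only vouches for the address immediately to its left.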

Customizing waiting room display page

Now you have the option to customize the message displayed to users when they are placed in the waiting room. This feature allows you to tailor the text to better align with your brand or provide specific instructions to users during their wait.

Quarantine IP settings moved to Security Fabric > Fabric Connectors

In previous versions, Quarantine IP was configured through System > Config > FortiGate Integration. To ease configuration, this feature can now be configured through Security Fabric > Fabric Connectors.

500 error page enhancement

We have enhanced the 500 error page to provide detailed information explaining why requests are blocked when they violate the HTTP Protocol Constraints (HPC) security rules.

Signature scan for uploaded files

FortiWeb can now perform a signature scan on files uploaded by clients. Enable it in Web Protection > Input Validation > File Security > File Security Policy.
