What's new
The following sections describe new features, enhancements, and changes in FortiProxy 7.4.2:
Configure a schedule for a shaping policy
FortiProxy 7.4.2 adds support for scheduling a shaping policy, which allows different traffic shaping for different days or different hours of the day without administrative intervention.
To add a schedule for a shaping policy in the GUI, use the Schedule option in the Create/Edit Shaping Policy window under Policy & Objects > Traffic Shaping > Traffic Shaping Policies > Create New/Edit. The default is always, which means the shaping policy is always applied. For more information, see Schedules.
Alternatively, use the set schedule option in the config firewall shaping-policy command in the CLI:

    config firewall shaping-policy
        edit 1
            set status enable
            set ip-version 4
            set service-type service
            set service "ALL"
            set schedule "always"
            set dstintf "any"
        next
    end
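The following is an added example, not a snippet from the FortiProxy documentation, showing a shaping policy bound to a recurring schedule instead of the default always. It assumes that FortiProxy's recurring schedule object uses the same syntax as FortiOS (config firewall schedule recurring with set day, set start and set end); the schedule name "business-hours" and the policy ID 10 are constructed values.

```text
# Added example, not from the FortiProxy documentation. Assumes the
# FortiOS-style recurring schedule syntax; "business-hours" and policy
# ID 10 are constructed values.
config firewall schedule recurring
    edit "business-hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end
config firewall shaping-policy
    edit 10
        set status enable
        set ip-version 4
        set service-type service
        set service "ALL"
        set schedule "business-hours"
        set dstintf "any"
    next
end
```

Outside the schedule window this policy no longer matches, so traffic that relied on it is shaped only by whatever later shaping policy matches, if any. When replacing an always policy with a scheduled one, check what the out-of-hours behaviour should be before removing the original.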
SOCKS proxy enhancements
FortiProxy 7.4.2 adds the following enhancements to SOCKS proxy:
- UTM scan for HTTP/HTTPS over SOCKS—FortiProxy 7.4.2 redirects tunneled HTTP/HTTPS traffic over a SOCKS server to the HTTP engine as HTTP/HTTPS traffic if the destination port is 80/443, respectively.
- SOCKS L7 policy matching with webfilter rating—FortiProxy 7.4.2 supports webfilter and L7 policy match, such as URL rating, and category matching for policy and SSL exempt, at the SOCKS level, including HTTP/HTTPS over SOCKS. When an authentication rule exists, SOCKS4 connections are banned because SOCKS4 does not support authentication.
- Isolating traffic from SOCKS proxy requests—FortiProxy 7.4.2 can now isolate traffic from SOCKS proxy requests when the isolator is a SOCKS forward server.
Support multiple server certificates
FortiProxy 7.4.2 adds support for multiple server certificates in the following scenarios. You can add multiple server certificates when configuring these types of proxy servers.
- ZTNA Server IPv4/IPv6
- ZTNA Service/Server Mapping
- FTP Proxy
- Explicit Proxy
- ICAP Local Server (when secure ICAP connection is enabled)

Meanwhile, the set ssl-cert or set ssl-certificate option of the following commands now supports multiple certificates:
IPv6 proxy address support
FortiProxy 7.4.2 adds support for IPv6 proxy address object. You can create an IPv6 proxy address or address group in the Policy & Objects > Addresses tab and then use it as a source or destination address in firewall or shaping policies and authentication rules, the same way you use IPv4 proxy addresses.
Alternatively, use the new config firewall proxy-address6 or config firewall proxy-addrgrp6 commands in the CLI.
New parameters for policy matching
FortiProxy 7.4.2 adds support for policy matching using the following parameters when you create/edit a firewall policy or shaping policy:
- Application
- Application category
- Application group
- URL category (firewall policy only, CLI only)

Alternatively, use the following new options in the config firewall policy and config firewall shaping-policy commands in the CLI:
- set application
- set app-category
- set app-group
- set url-category (config firewall policy only, CLI only)
New option for enabling HTTP/HTTPS proxy
FortiProxy 7.4.2 adds the Enable HTTP/HTTPS proxy option when you create or edit an explicit proxy. The default is enabled. Alternatively, use the set http [enable|disable] option in the config web-proxy explicit-proxy command.
In FortiProxy 7.4.1 and 7.4.0, HTTP/HTTPS proxy is always enabled when explicit proxy is enabled. When you enable SOCKS proxy, HTTP/HTTPS proxy is also enabled as long as the explicit proxy is enabled. There is no way to enable SOCKS proxy without enabling HTTP/HTTPS proxy. The new option provides the flexibility to enable HTTP/HTTPS proxy independently so that you can enable SOCKS proxy without enabling HTTP/HTTPS proxy.
To ensure backward compatibility, if no port is configured for a specific protocol, FortiProxy uses http-incoming-port as the default port for the protocol, regardless of whether HTTP/HTTPS proxy is enabled, as long as explicit proxy is enabled.
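The following is an added example, not a snippet from the FortiProxy documentation, of the SOCKS-only explicit proxy that the new option makes possible. It assumes that the explicit-proxy table also carries set socks and set socks-incoming-port options (as in the FortiOS/FortiProxy explicit-proxy configuration the editor is familiar with); the proxy name "socks-only" and port 1080 are constructed values.

```text
# Added example, not from the FortiProxy documentation. Assumes that
# "set socks" and "set socks-incoming-port" exist in this table;
# "socks-only" and port 1080 are constructed values.
config web-proxy explicit-proxy
    edit "socks-only"
        set status enable
        set http disable
        set socks enable
        set socks-incoming-port 1080
    next
end
```

The SOCKS port is set explicitly because of the backward-compatibility rule above: if no port is configured for a protocol, FortiProxy falls back to http-incoming-port for it even when HTTP/HTTPS proxy is disabled, so a SOCKS-only proxy left with its default port would still listen on the HTTP port.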
DNS lookup support
FortiProxy 7.4.2 adds support for arbitrary DNS lookup, which is available in the new Policy & Objects > DNS Lookup tab in the GUI. FortiProxy returns an array of associated IPs (20 entries maximum) for the specified domain (FQDN) on the specified DNS server.
Alternatively, use the new diag firewall nslookup [FQDN] [DNS-server IP or FQDN] command:

    diag firewall nslookup www.example.com 8.8.8.8
Configure case-sensitivity for user accounts
In FortiProxy 7.4.2, you can configure whether to check case when performing username matching for local and remote user accounts using the new set username-case-sensitivity option under config system global:

    config system global
        set username-case-sensitivity [enable|disable]
    end
More details for diagnosing ICAP servers
FortiProxy 7.4.2 adds ICAP server status and IP (if capable) information in ICAP HTTP error messages to aid troubleshooting. You can also view detailed status information for each ICAP server using the new diagnose wad icap list command. Example output:

    icap-server-name: server1 status: online
    VDOM=root addr=ip/0.0.0.0:1344 health_check=disable
    conns: succ=0 fail=0 ongoing=0 hits=0 blocked=0
    monitor: succ=0 fail=0
    error: stats.no_report_err=0
    num_worker_load=1
SSL keyring encryption
FortiProxy 7.4.2 adds encryption for the SSL keyring file stored on the FortiProxy disk using AES-256-GCM and a random salt. When you upgrade to FortiProxy 7.4.2, encryption is added to all existing keyring lists. You can also update the encryption when the private password changes.
Pre-populated list of HTTP incoming IP for explicit proxy
FortiProxy 7.4.2 provides a pre-populated list of HTTP incoming IP for you to pick from when you create an explicit proxy.
Increase threat feed size limit
FortiProxy 7.4.2 increases the threat feed file size limit and line limit as follows:
| | 7.4.1 and earlier | 7.4.2 |
|---|---|---|
| File size limit | 10 MB | 16 MB |
| Line limit | 128K | 200K |
Panic logging
FortiProxy 7.4.2 adds hardware support for capturing panic traces, which allows you to automatically log panic traces with no user intervention. This feature adds convenience as you no longer need to connect a laptop via serial and reproduce the panic.
DLP license changes
FortiProxy 7.4.2 excludes the DLP license from license sharing and no longer requires a DLP license for DLP scan for HTTP and FTP over HTTP traffic. To take advantage of the latest updates from the DLP knowledge base (such as DLP data type and sensor) and easier DLP configuration, you can purchase DLP service through FortiGuard.
CLI changes
FortiProxy 7.4.2 includes the following CLI changes:
- Use the new config firewall proxy-address6 or config firewall proxy-addrgrp6 commands to configure IPv6 web proxy addresses or address groups.
- config firewall shaping-policy—Use the new set schedule option to configure a schedule for a shaping policy.
- Use the new diag firewall nslookup [FQDN] [DNS-server IP or FQDN] command to view a list of associated IPs (20 entries maximum) for a specific domain (FQDN) on a specific DNS server.
- Use the new diagnose wad icap list command to view detailed status information for each ICAP server.
- Use the new diag netlink interface gso-tso command to list all netlink interfaces.
- Use the new diag wad process [process_name] [index] (-1 means all) [<cmd>] ... (up to 32 commands) command to send commands to workers in batches. For example, diag wad process worker 1 103 104 means sending commands 103 and 104 to worker 1.
- The new diag wad report <PROCESS name> <INDEX> command consolidates the following signal-based diagnose commands:
  - diag wad report session
  - diag wad report user
  - diag wad report policy
- The diag test app wad command adds support for setting a specific group of processes as the diagnosis process:
  - diag test app wad 2yxx means setting the No.xx process of type y (0~9) as the diagnosis process.
  - diag test app wad 2yyxx means setting the No.xx process of type yy (10~99) as the diagnosis process.
  - diag test app wad 2yyxxx means setting the No.xxx process of type yy (0~9) as the diagnosis process.
- config web-proxy explicit-proxy—Use the new set http [enable|disable] option to enable/disable HTTP/HTTPS proxy.
- config system global—Use the new set username-case-sensitivity option to configure whether to check case when performing username matching for local and remote user accounts.
- config ips settings—Use the new set proxy-inline-ips option to enable or disable proxy inline IPS. The default is enable.
- The config firewall policy and config firewall shaping-policy commands include the following new options:
  - set application
  - set app-category
  - set app-group
  - set url-category (config firewall policy only)
- The following commands include the new set status option:
- config web-proxy global—Use the new log-app-id option to enable/disable logging the inline-IPS application type in the traffic log. The default is disable.
- The set ssl-cert or set ssl-certificate option of the following commands now supports multiple certificates:
- FortiProxy 7.4.2 replaces the target process selection commands (such as diag test app) with diag wad process <PROCESS name> <INDEX>, for example, diag wad process manager test manager. For workers or processes with multiple instances, specify the instance index after the worker or process name, for example, diag wad process worker 0. If no index is specified while multiple instances exist, FortiProxy defaults to index 0. This command supports the following process types:
  - manager
  - dispatcher
  - worker
  - fast-match
  - informer
  - user-info
  - dev-vuln
  - cache-service-cs
  - cache-service-db
  - object-cache
  - byte-cache
  - cert-inspect
  - youtube-cache
  - user-info-history
  - debug
  - config
  - staled-worker
  - traffic
  - preload-daemon
  - TLS-fingerprint
  - image-analyzer
- config isolator profile—The set right-click and set copy-paste options are removed.