Fortinet Document Library


What's new

FortiADC 5.3.0 offers the following new features:

Security

Intrusion Prevention System (IPS) protection (Powered by FortiGuard)

The IPS service allows you to protect your virtual servers from the latest network intrusions by actively detecting and blocking external threats before they reach potentially vulnerable devices. Real-time threat intelligence updates combined with thousands of existing intrusion prevention rules deliver the industry's best IPS protection.

Application and Networking DDoS Protection

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. FortiADC supports two layers of DDoS protection:

1. Networking DoS protection

  • IP fragmentation

    The attacker sends a huge volume of large or incomplete IP fragments to the victim to exhaust its resources. The IP fragmentation protection limits the total memory used for IP fragment reassembly to avoid memory exhaustion.

  • TCP SYN flood

    By applying SYN cookies to all SYN packets once the threshold is exceeded, the system drops the spoofed SYN packets sent to the virtual server.

  • TCP slow data flood

    The attacker uses very slow traffic to consume all of the target server's resources, and it is difficult to distinguish from normal traffic. This protection detects the attack by dynamically probing clients that advertise a zero TCP window; if a client answers with a zero window several times in a row, FortiADC resets the connection on the server side.

2. Application DoS protection

  • HTTP access limit

    Limits the number of HTTP requests per second from a given IP address.

  • HTTP connection flood

    Limits the number of TCP connections carrying the same session cookie.

  • HTTP request flood

    Limits the number of HTTP requests per second carrying the same session cookie.
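
As an added illustration (not FortiADC code), the three application-layer limits above implemented as sliding-window counters keyed by client IP and by session cookie, run over constructed sample traffic; the thresholds, cookie value and addresses are assumptions for the example:

```python
from collections import defaultdict, deque

# Thresholds are constructed for this example; they are not FortiADC defaults.
IP_REQ_PER_SEC = 5       # HTTP access limit: requests per second per client IP
COOKIE_CONN_LIMIT = 3    # HTTP connection flood: concurrent TCP connections per session cookie
COOKIE_REQ_PER_SEC = 8   # HTTP request flood: requests per second per session cookie


class AppDosLimiter:  # sliding one-second windows keyed by client IP and by session cookie
    def __init__(self):
        self.ip_hits = defaultdict(deque)      # ip -> request timestamps
        self.cookie_hits = defaultdict(deque)  # cookie -> request timestamps
        self.cookie_conns = defaultdict(set)   # cookie -> ids of open TCP connections

    @staticmethod
    def _in_window(window, now):
        while window and now - window[0] >= 1.0:  # expire timestamps older than 1 s
            window.popleft()
        return len(window)

    def on_connect(self, cookie, conn_id):
        # New TCP connection presenting a session cookie
        if len(self.cookie_conns[cookie]) >= COOKIE_CONN_LIMIT:
            return "deny:connection-flood"
        self.cookie_conns[cookie].add(conn_id)
        return "allow"

    def on_close(self, cookie, conn_id):
        self.cookie_conns[cookie].discard(conn_id)

    def on_request(self, now, ip, cookie):
        """Return the first limit the request trips, or 'allow'."""
        if self._in_window(self.ip_hits[ip], now) >= IP_REQ_PER_SEC:
            return "deny:access-limit"
        if cookie is not None:
            if self._in_window(self.cookie_hits[cookie], now) >= COOKIE_REQ_PER_SEC:
                return "deny:request-flood"
            self.cookie_hits[cookie].append(now)
        self.ip_hits[ip].append(now)
        return "allow"


def run_sample():
    """Constructed traffic: one session cookie replayed from ten IPs, then one noisy IP."""
    lim = AppDosLimiter()
    verdicts = []
    for i in range(10):  # ten distinct IPs share one cookie within a single second
        verdicts.append(lim.on_request(0.1 * i, f"198.51.100.{i}", "sid=abc123"))
    for i in range(7):   # one IP without a cookie sends seven requests within a second
        verdicts.append(lim.on_request(2.0 + 0.1 * i, "203.0.113.7", None))
    return verdicts
```

The first loop shows why the cookie-keyed limits exist: every individual IP stays under the per-IP limit, yet the shared session cookie is caught by the request-flood counter.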

Web Application Firewall

FortiADC web application firewalls provide advanced features that defend web applications from known and zero-day threats. FortiADC offers complete security coverage for your web-based applications against the OWASP Top 10 and many other threats.

1. Signature DB enhancement

Enhances the WAF engine to scan packets more efficiently, significantly increasing the detection rate.

2. New WAF signature wizard on GUI

Helps customers configure the WAF signature profile.

3. WAF Action enhancement

Besides Deny and Pass, two more actions are supported for all WAF modules: Redirect and Block Period.

4. CSRF protection

A cross-site request forgery (CSRF) is an attack that exploits the trust that a site has in a user's browser to transmit unauthorized commands.

To protect back-end servers from CSRF attacks, FortiADC has two lists:

  • Web pages to protect against CSRF attacks, used for JavaScript insertion
  • URLs found in the requests that those pages generate, used for token/cookie validation

5. Input validation

FortiADC provides advanced validation of input fields, including parameter validation, hidden field validation and file security. This function verifies user input at scan points such as URL parameters, HTML forms, hidden fields and uploaded files. If the format is incorrect or an attack is present, the request is blocked.

6. Brute force detection

FortiADC can prevent brute force login attacks. Brute force attackers attempt to penetrate systems through the sheer number of clients, attempts, or computational power, rather than through intelligent insight or advance knowledge of application logic or data.

7. Data loss protection

The data loss prevention (DLP) feature allows FortiADC to prevent information leaks, damage and loss.

It provides desensitization (masking) and warning measures for leaks of sensitive information on websites (Social Security numbers and credit card information) and for the leakage of sensitive keywords.

8. Cookie Security

An HTTP cookie is a small piece of data sent from a website and stored on the client's computer. In some cases it stores sensitive data, e.g. a password.

If the client sends a request that FortiADC does not recognize, FortiADC takes the corresponding action (alert, deny, period-block or remove-cookie).

9. Page anti-defacement

The anti-defacement feature monitors your websites for defacement attacks. If it detects a change, it can automatically reverse the damage.

This feature monitors modifications to pages the customer specifies; once a modification is considered abnormal, the specified action is triggered, such as "restore changed page", "send email", "acknowledge changed page" or "just record log".

10. Web scraping detection

FortiADC provides advanced access control for customers who want fine-grained control within a web application (specific IPs, files, connections).

FortiADC checks the HTTP Content-Type header and the response code of each response; once a client reaches the occurrence limit and its share of matching responses exceeds the match percentage, the client is detected as a web scraper.
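
An added example (not FortiADC's implementation) of the detection rule just described, run over a constructed response log: a client is flagged only when it reaches the occurrence limit and its share of responses matching the configured Content-Type and status code exceeds the match percentage. The profile values, field names and addresses are assumptions for the example:

```python
import re
from collections import defaultdict

PROFILE = {  # constructed for this example; the keys are not FortiADC settings
    "content_types": {"text/html"},  # response media types a scraper harvests
    "status_codes": {200},
    "occurrence_limit": 6,           # responses needed before a verdict is made
    "match_percentage": 80,          # share of matching responses that flags a client
}

# Constructed response log: client_ip status content-type path (one response per line)
SAMPLE_LOG = """\
198.51.100.10 200 text/html /catalog/item/1
198.51.100.10 200 text/html /catalog/item/2
198.51.100.10 200 text/html;charset=utf-8 /catalog/item/3
198.51.100.10 200 text/html /catalog/item/4
198.51.100.10 200 text/html /catalog/item/5
198.51.100.10 200 text/html /catalog/item/6
203.0.113.5 200 text/html /catalog/item/1
203.0.113.5 200 text/css /static/site.css
203.0.113.5 200 image/png /static/logo.png
203.0.113.5 200 image/png /static/hero.png
203.0.113.5 404 text/html /favicon.ico
192.0.2.9 200 text/html /catalog/item/7
192.0.2.9 200 text/html /catalog/item/8
192.0.2.9 200 text/html /catalog/item/9
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\d{3}) (\S+) (\S+)$")


def detect_scrapers(log_text, profile=PROFILE):
    """Per client IP: flag web scraping only when both thresholds are exceeded."""
    total, matched = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort detection
        ip, status, ctype, _path = m.groups()
        total[ip] += 1
        media_type = ctype.split(";", 1)[0].lower()  # ignore charset parameters
        if int(status) in profile["status_codes"] and media_type in profile["content_types"]:
            matched[ip] += 1
    verdicts = {}
    for ip, n in total.items():
        pct = 100.0 * matched[ip] / n
        flagged = n >= profile["occurrence_limit"] and pct > profile["match_percentage"]
        verdicts[ip] = "web-scraping" if flagged else "normal"
    return verdicts
```

The third client shows why both thresholds matter: every one of its responses matches, but with fewer responses than the occurrence limit it is not flagged.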

11. Web vulnerability scanner enhancement

  • Supports exception

    URLs can be added to the exception list.

  • Supports form-based login

    Supports form-based login for web servers.

Firewall policy supports address book

FortiADC firewall now supports the address book in policies.

Server Load Balancing

Two Factor Authentication (with FortiToken and Google Authenticator)

Two-factor authentication is a type of multi-factor authentication: a method of confirming users' claimed identities by combining two different factors. FortiADC can use scripts to perform two-step verification with FortiToken and Google Authenticator.

Health Check Enhancement

Adds a more detailed report to each health check failure log, so the customer can quickly grasp why the health check failed and what happened on the real server.

Supports the CLI command "diagnose debug slb_hc_status" to show the health check status of all SLB pools.

Cloud and Automation

Cloud platform (AWS/Azure/OCI)

The BYOL FortiADC images are now listed on the AWS, Azure and OCI cloud marketplaces, and customers can deploy them through these marketplaces.

Ansible support

Ansible is an automation platform that makes applications and systems easy to deploy. FortiADC modules allow the customer to initiate or manage configuration automatically on any kind of FortiADC device, including physical appliances, VMs in a hypervisor, or cloud instances.

System

Export locally generated unencrypted certificate

Both encrypted and unencrypted private keys can be exported; this is necessary when a customer needs to move FortiADC-hosted HTTPS services.

Supports TLS 1.3 in SSL profiles

Supports TCP/TCP-SSL syslog server

Besides UDP-based syslog servers, FortiADC supports TCP and TCP-SSL based remote syslog servers for customers who need confidentiality for their logs.

Allows global syslog server to be shared by all vdoms

In some multi-VDOM deployments, non-root VDOM administrators may need to send logs to the global syslog server when their VDOM has networking issues. This feature allows the global syslog server to be shared by all non-root VDOMs.

Supports logical topology for LLB and GSLB

Shows the status of all LLB groups/members and GSLB hosts in a topology graph on FortiView.

SSL Updated to OpenSSL version 1.1.1

Hardware

FortiADC supports two new hardware models:

• FortiADC 300F

• FortiADC 400F

For more info on new hardware, please review the FortiADC Datasheet.
