What’s New
This section lists features and enhancements introduced in the FortiADC 7.4.1 release.
Global Load Balance
New Public SDN server type option for GSLB server
FortiADC now supports using Public SDN connectors as a remote GSLB server that can be used in virtual server pools.
Note: Currently, only AWS connectors are supported in this feature.
User-defined certificate for GSLB
You can now apply a self-defined certificate in Global server load balancing for authentication and allow trusted certificates to connect. This function is available in the Global Object Server configuration and the FQDN GLB Setting.
Server Load Balance
Enhancements to predefined client SSL profiles with OpenSSL upgrade
With the upgrade to OpenSSL version 3.1.1, FortiADC has added some new ciphers and removed some weaker ciphers. As a result, the following enhancements have been made to the predefined client SSL profiles:
- Added new LB_CLIENT_SSL_PROF_MODERN that has more secure settings.
- Updated existing predefined client SSL profiles:

Predefined Client SSL Profile: LB_CLIENT_SSL_PROF_DEFAULT
Updates made:
- Removed weaker SSL ciphers:
  ECDHE-RSA-AES128-SHA
  ECDHE-RSA-DES-CBC3-SHA
  ECDHE-ECDSA-DES-CBC3-SHA
  EDH-RSA-DES-CBC3-SHA
  DES-CBC3-SHA
- Updated Allowed SSL Versions:
  Removed TLSv1.1
  Added TLSv1.3
- Added TLSv1.3 Cipher Suite List:
  TLS_AES_256_GCM_SHA384
  TLS_AES_128_GCM_SHA256
  TLS_CHACHA20_POLY1305_SHA256
- Changed SSL DH Parameter Size to 2048 Bits

Predefined Client SSL Profile: LB_CLIENT_SSL_PROF_FORWARD_PROXY
Updates made:
- Updated Allowed SSL Versions:
  Removed TLSv1.1
  Added TLSv1.3
- Changed SSL DH Parameter Size to 2048 Bits

Predefined Client SSL Profile: LB_CLIENT_SSL_PROF_HTTP2
Updates made:
- Changed SSL DH Parameter Size to 2048 Bits
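Custom client SSL profiles cloned from an earlier predefined profile do not pick up these updates automatically. The following added audit script (not FortiADC code) checks a profile against the updated LB_CLIENT_SSL_PROF_DEFAULT settings listed above; the profile dictionary layout and the two sample profiles are constructed for the example, and it also flags any other DES-CBC3 suite beyond the five named in the table.

```python
# Added example (not FortiADC code): audit a client SSL profile against the
# 7.4.1 LB_CLIENT_SSL_PROF_DEFAULT baseline above. Profile dict layout is constructed.
# Ciphers removed from the predefined profiles in 7.4.1.
REMOVED_CIPHERS = {
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-DES-CBC3-SHA", "ECDHE-ECDSA-DES-CBC3-SHA",
    "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA",
}
# TLSv1.3 cipher suite list added to LB_CLIENT_SSL_PROF_DEFAULT.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256"}
MIN_DH_BITS = 2048  # new SSL DH Parameter Size in the predefined profiles


def audit_profile(profile):
    """Return a list of findings; an empty list means the profile matches the baseline."""
    findings = []
    for cipher in profile.get("ciphers", []):
        if cipher in REMOVED_CIPHERS:
            findings.append(f"cipher removed in 7.4.1 still enabled: {cipher}")
        elif "DES-CBC3" in cipher:  # generalisation: flag any other 3DES suite too
            findings.append(f"3DES cipher enabled: {cipher}")
    versions = set(profile.get("ssl_versions", []))
    if "TLSv1.1" in versions:
        findings.append("TLSv1.1 is still allowed")
    if "TLSv1.3" not in versions:
        findings.append("TLSv1.3 is not allowed")
    else:
        missing = TLS13_SUITES - set(profile.get("tls13_suites", []))
        if missing:
            findings.append("TLSv1.3 suite list missing: " + ", ".join(sorted(missing)))
    if profile.get("dh_param_bits", 0) < MIN_DH_BITS:
        findings.append(f"SSL DH parameter size below {MIN_DH_BITS} bits")
    return findings


# Constructed sample: a custom profile cloned from a pre-7.4.1 default.
LEGACY_PROFILE = {
    "ssl_versions": ["TLSv1.1", "TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-SHA", "DES-CBC3-SHA"],
    "tls13_suites": [], "dh_param_bits": 1024,
}
# Constructed sample matching the updated LB_CLIENT_SSL_PROF_DEFAULT settings.
UPDATED_PROFILE = {
    "ssl_versions": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384"],
    "tls13_suites": sorted(TLS13_SUITES), "dh_param_bits": 2048,
}

if __name__ == "__main__":
    for name, prof in (("legacy", LEGACY_PROFILE), ("updated", UPDATED_PROFILE)):
        print(name, audit_profile(prof) or "matches 7.4.1 baseline")
```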
Packet forwarding and IP pool support for Layer 4 content routing
In Layer 4 content routing, you can now configure the packet forwarding method as Inherit or Full NAT, and configure the source IP pool list.
HTTP/3 virtual server support for multiple process through CLI
An advantage of HTTP/3 multiple process functionality is that it allows you to send multiple streams in parallel by using multiple CPU cores on the same virtual server.
Previously, an HTTP/3 VS was restricted to a single process on 1 CPU core. In FortiADC 7.4.1 this restriction has been lifted, and an HTTP/3 VS can use multiple processes to serve traffic, allowing optimal utilization of CPU resources and significantly improving HTTP/3 VS performance, including throughput and connections per second.
You can configure multi-process functionality for an HTTP/3 VS through the CLI with the set multi-process option in config load-balance virtual-server.
New TCP Lua scripting functions
Four new TCP scripting functions have been added:
- TCP:after_timer_set() creates and schedules a timer with a callback function and a timeout value. You can create multiple timers, each with a unique callback function name.
- TCP:after_timer_cancel() cancels a scheduled timer.
- TCP:after_timer_get() gets information about the scheduled timers.
- TCP:close() closes the TCP connection immediately.
Security
FortiGuard ABP (Advanced Bot Protection) integration
FortiGuard ABP (Advanced Bot Protection) is a Fortinet SaaS advanced bot mitigation solution designed to detect and mitigate sophisticated bots that may be used to conduct fraudulent activities, spamming, scraping, or other malicious attacks on websites, applications, or APIs. FortiGuard ABP incorporates a combination of approaches such as behavioral analysis and deep learning algorithms.
The FortiGuard ABP integration with FortiADC works by using client information collected through JavaScript insertion, which allows the client and FortiADC (via a Fabric connector) to send telemetry data (such as headers and device fingerprinting) to the Advanced Bot Protection Cloud. FortiGuard ABP then inspects the request to determine whether the client is a human or a bot and sends instructions back to FortiADC to take an action on the request (such as block, CAPTCHA, or allow).
Note: This feature requires a license. Currently, FortiGuard ABP is only available with a Standalone license, which is a Fortinet support account based license verified by the FortiGuard ABP User Portal instead of through FortiGuard. For more information, log in to https://fortiabp.forticloud.com/.
Enhancements to FortiADC Automation
New Automation GUI framework
FortiADC Automation now has a new look and feel where Automation triggers and actions are "stitched" together to form an Automation Stitch.
New Automation Trigger based on FortiADC logs
You can now create FortiADC Automation Stitches based on FortiADC logs as the trigger. This feature introduces Log IDs that correspond to different log events which can be used to trigger the automation action.
System
New System Global Resources pages
The Global Resources page has been added under the System menu in the GUI to display the global system resource usage, including current and maximum usage per resource.
Border Gateway Protocol (BGP) Bidirectional Forwarding Detection (BFD) support
FortiADC now supports BFD to provide fast failure detection for BGP sessions, enabling quicker rerouting of traffic in the event of a link or peer failure. In Network > Routing, you can now configure a BFD object and enable BFD in the BGP Neighbor configuration.
DNS Override support on VDOM level
Previously, system DNS settings could only be configured at the Global level, which could not support deployments in which each user requires their own DNS server. With this new feature, you can configure the System DNS resolver for non-root VDOMs and override the Global DNS settings to set a DNS server IP per VDOM, giving more flexibility and supporting topologies such as MSSP/hosting.
Reverse route cache support extended for IPv6 through CLI
Reverse Route Cache dynamically caches routing information to expedite packet forwarding by minimizing repeated route lookups. IPv4 reverse route caching is already supported in previous versions, and now FortiADC has extended this functionality to support IPv6 reverse route cache and exception IPv6 lists.
HA firmware upgrade by FTP through CLI
You now have the option to upgrade your HA firmware image from an FTP server through the CLI command execute restore image ftp-ha-sync.
Introduce maturity firmware levels
Starting with FortiADC 7.4.1, released FortiADC firmware images use tags to indicate the following maturity levels:
- The Feature (F) tag indicates that the firmware release includes new features.
- The Mature (M) tag indicates that the firmware release includes no new or major features. Mature firmware contains bug fixes and vulnerability patches where applicable.
Instance Metadata Service v2 (IMDSv2) support on AWS
FortiADC now supports Instance Metadata Service v2 (IMDSv2) on the AWS Platform.
Client-side certificate validation against public SDN
FortiADC now uses a third-party certificate bundle to validate public SDN certificates to protect against security vulnerabilities.
Troubleshooting
Debug filter option for fnginx modules through CLI
You can now set debug filters to view specific load balancing information for fnginx modules from the CLI with diagnose debug module fnginx.
Note: The debug filter is only supported for fnginx_new modules: SMTP, FTP, MSSQL, RADIUS, and ISO8583.
New debug module for named daemon issues added in CLI
You can now generate a comprehensive log to debug named daemon issues using the new CLI command diagnose debug module named.