What's New

26.1 released February 1, 2026

WAF

Custom file type support for File Protection

You can now define and manage custom file types for File Protection under WAF > Security Rules > File Protection.

For more information, refer to File Protection.

Header exception support for Known Attacks

Known Attacks now supports configuring HTTP header name and value settings within Exception Rules.

For more information, refer to Known Attacks.

CSV upload support for Geo IP Exceptions

The Geo IP Exception feature now supports uploading a CSV file, in addition to manually entering IP addresses and IP ranges.

For more information, refer to IP Protection.

HTTP Request Constraints Update

Additional request limits have been added to bolster HTTP conformance and protocol security.

For more information, refer to Request Limits.

Advanced Bot Protection

AutoDiscovery Email Notifications

You will now receive email notifications when AutoDiscovery returns no results or encounters a connection issue.

Subresource Integrity

Advanced Bot Protection scripts now include integrity JS hash values to detect and prevent unauthorized changes.

Cross-Domain Cookie Support

Different root domains in your application are now recognized as a single client, enabling you to track the same user identity across multiple domains (for example, example.com, example.de, shop.example.com).

25.4.a released December 11, 2025

FortiAI Assistant Audit Logs Support

FortiAI Assistant now supports analyzing Audit Logs through natural language queries.

For more information, please refer to FortiAI Assistant.

Region IP Update

Additional scrubbing centers have deployed in the following regions. Please make sure to allow access to your application from the IP addresses listed below.

AWS me-central-1: Middle East (Abu Dhabi)

• 51.112.103.160
  2406:da17:467:6301:dd8e:37a:ecc0:6c27

• 3.29.150.238

  2406:da17:467:6301:8238:4a75:d770:efba

• 40.172.37.225

  2406:da17:467:6301:5574:fa67:6b36:bf01

• 40.172.219.217

  2406:da17:467:6302:bc1c:6849:e592:f869

• 51.112.133.247

  2406:da17:467:6302:cf79:1143:c4f7:eabc

• 158.252.80.239

  2406:da17:467:6302:f2d1:d1ec:4e63:b14b
  

GCP me-central2: Middle East (Dammam)

• 34.166.213.46

• 34.166.73.8

• 34.166.152.210

• 34.166.140.221

• 34.166.234.73

• 34.166.152.78

Client-Side Protection

The Client-Side Protection feature is currently on hold for a future release.

WAF

Customized Waiting Room Page

Waiting Room pages are now customizable. Configure this under WAF > System Settings > Custom Pages.

For more information, please refer to Custom Pages.

Trusted IP Enhancements

A new link on the IP List page has been added allowing to quickly review existing blocked IPs when setting up IP rules. From there, you can manually unblock any IPs if required.

For more information, please refer to IP Protection.

Exceptions for ML Based Bot Detection

ML Based Bot Detection now supports adding Exceptions for more granular control.

For more information, please refer to ML Based Bot Detection.

Geo IP Filtering in Custom Rules

Custom Rule now supports Geo IP filtering for precise, location-based traffic control.

For more information, please refer to Custom Rule.

GSLB

DNS Traffic Logs

DNS traffic logs are now available, providing enhanced visibility and a more complete analytics dashboard for GSLB.

Administrators can set the log storage region (US or EU) at both the FQDN and DNS Service levels. Existing FQDNs and DNS Services default to the EU region. To switch storage to the US, follow the configuration steps under FQDN or DNS Service.

GSLB Interface Enhancements

The GSLB dashboard now displays DNS traffic log data, with new FortiView pages to display detailed FQDN, Zone, and Resource analytics.

For more information, please refer to GSLB FortiView.

Advanced Bot Protection

SSL Certificate Verification

When adding or editing Entry Points, enabling SSL Certificate Verification ensures that the server’s SSL certificate is validated when Auto Discovery connects to the Entry Point.

This option is enabled by default. Disable it only when using self-signed or staging/test certificates that are not trusted by standard browsers.

For more information, please refer to Onboarding ABP Applications.

25.4 released November 6, 2025

FortiAI Assistant Enhancements

The FortiAI Assistant now supports analyzing Threat Analytics Incidents and Attack Logs from on-premises devices. enable directly from the log by clicking Analyze with AI, or by clicking the FortiAI icon in the top-right corner of the page.

For more information, please refer to FortiAI Assistant.

New 30-day License Upgrade Trial

If you have an active license, you can now explore more advanced features available in other FortiAppSec Cloud Plans with a free 30-day upgrade trial.

To enable, please contact Fortinet Sales.

Contract and Usage Status Alert

The Home page now displays alerts for contract and usage updates, such as license expirations, overages, and other critical notices.

Scheduled System Upgrade Notifications

FortiAppSec Cloud now displays banners notifying users of upcoming system upgrades and maintenance windows, improving visibility of potential feature unavailability and service delays.

WAF

Role-based Permissions Granularity Enhancement

To provide additional granularity for role-based access control, the WAF- Application permission profile in FortiCloud is now divided into WAF- Application Management, WAF- Application Networking, and WAF- Application Security. This allows for more precise control over permissions in the WAF module. For more details, please refer to the FortiAppSec Cloud User Guide.

For details on how this affects your applications, please refer to FortiCloud IAM.

API Gateway Template backend enhancements

The API Gateway feature has been restructured to improve security and fix permission issues.

Changing an API Gateway's template inheritance now automatically regenerates API keys. Replace any existing keys in use with the new ones to avoid service interruptions.

For more information, please refer to API Gateways.

GSLB

New Outbound Connections IP address

If you have connected a FortiGate server to a FortiAppSec Cloud GSLB application, you have received an email from no-reply-appsec@fortinet.com requesting you to update your allowlist.

To ensure uninterrupted connectivity, update your configuration to redirect all outbound connections to 44.241.230.143。

Backend Enhancements

GSLB now provides improved Security Fabric connectivity.

Advanced Bot Protection

New Self-Service Onboarding Capability

To improve efficiency, a new Advanced Bot Protection self-service Auto-Discovery capability has been added to replace manual Pre-Provisioning in application onboarding.

For details on the new concepts introduced in the onboarding system and configuration instructions, refer to Creating ABP Applications.

25.3.b released September 25, 2025

Audit Log Notifications

Stay informed with email alerts for important log events.

Go to General > Notification and enable Notification Emails to receive alerts based on your configured criteria.

For more information, please refer to Notifications.

Removed Support for OCI Platform

FortiAppSec Cloud no longer supports the OCI platform. All WAF scrubbing centers operating on OCI have been permanently removed.

If you have any questions or need assistance, please contact Support by submitting a support ticket.

WAF

Application Diagnostics Agent

Get AI-powered insights into application connectivity and troubleshooting.

Go to WAF > Network > Diagnostics, and activate FortiAI Assistant under Actions.

For more information, please refer to Diagnostics.

Client Certificate security enhancements

Strengthen authentication security by enabling Client Certificate Authentication to verify connecting clients. Once enabled, you can optionally activate:

• Strictly Require Client Certificate: only clients presenting a valid certificate are allowed.

• Client Certificate Forwarding: forward the certificate to your backend server for authentication, user-specific permissions, and access control.

For more information, please refer to Endpoints.

Origin Server Lock

Lock your origin server’s IP to ensure it can only be used by your account. This prevents other FortiAppSec Cloud accounts from targeting your server with malicious traffic. To enable, go to WAF > Applications, edit the desired server pool, and turn on Lock Server.

For more information, please refer to WAF Applications.

Threat Analytics

Centralized Log Export Configuration

You can now configure attack log export servers globally under Threat Analytics > Settings, rather than per application. This allows multiple applications to share the same export server configuration, reducing repetitive setup and improving export efficiency.

For more information, please refer to Threat Analytics Settings.

Attack Logs Signature Exceptions

Allow events when specific values match criteria such as Request Host, Request URL, Parameter Name and Value, Cookie Name, or JSON Element Name and Value.

Navigate to Threat Analytics > Attack Log, select the desired event, and click Add Exception.

For more information, please refer to Attack Logs.

Exception Rules Support Matching by Request Host

Exception Rules under Known Attacks, Information Leakage, and Attack Logs now support matching by Request Host, providing greater flexibility when defining exceptions.

Blocked Status Tag in Attack Logs

Attack logs now display a Blocked tag under Client Information when a source IP is blocked for a period of time.
You can hover over the tag to view the block duration and reason, or click Unblock to unblock the IP directly.

For more information, please refer to Attack Logs.

25.3.a released August 28, 2025

WAF

GEO IP Allow list

Under WAF > Access Rules > IP Protection, you can now also allow traffic based on specific countries for finer geo-based access control.

For more information, please refer to IP Protection.

Advanced Bot Protection

Backend Enhancements

Advanced Bot Protection now provides improved detection and defense against naive bots.

25.3 released July 31, 2025

FortiAI Chatbot

FortiAppSec Cloud is now integrated with FortiAI, Fortinet’s advanced artificial intelligence platform that enhances cybersecurity and network operations across the Fortinet Security Fabric. FortiAI uses generative AI (GenAI), machine learning, and automation to help security and network teams respond faster and more effectively.

You can ask the FortiAI chatbot questions by clicking its icon in the top right corner.

For more information, please refer to FortiAI Assistant

Asset Groups

You can now manage role-based permissions at a more granular, application-specific level and assign user access permissions at the application level. To access this page, go to General > Settings and enable Asset Groups.

For more information, please refer to Asset Groups.

In-Portal Public Marketplace license downgrade

You can now downgrade your FortiAppSec Cloud subscription plan to reduce supported features and contract capacity directly through the FortiAppSec portal.

For more information, please refer to Contracts.

WAF

Support for HTTP Header Insertion and Removal in Server Responses

You can now configure HTTP header insertion and removal for server response types under URL Rewriting.

For more information, please refer to Rewriting Requests.

Support for HTTP Header Referrer Policy

You can now control how much referrer information is shared in HTTP requests by enabling the Referrer-Policy option and selecting your desired policy value.

For more information, please refer to HTTP Header Security.

Support for Content Routing Based on Client Certificate X509

When configuring Content Routing, you can now set the match object to X509 Certificate subject and X509 Certificate extension fields.

For more information, please refer to Content Routing.

GSLB

DNS Validation

You can now check the DNS Status to view the resolution status of configured FQDNs. This helps identify DNS issues and assists with proper DNS zone configuration.

For more information, please refer to FQDN .

Geolocation Enhancements with EDNS Client Subnet (ECS)

GSLB now supports EDNS Client Subnet (ECS), enabling more accurate client geolocation during DNS resolution. With ECS enabled, the authoritative DNS server can consider the client’s subnet when making load-balancing decisions. This improves DNS-based traffic steering, especially for users behind public DNS resolvers, by routing them to the nearest or most optimal data center based on their actual location.

DNS Security Improvements

The DNS Security feature has been enhanced to protect against a wide range of potential attacks, including denial-of-service (DoS), cache poisoning, and memory corruption exploits. This also includes detection and mitigation of malformed queries, such as those with invalid label lengths or malformed headers.

25.2.a released June 26, 2025

WAF

SOCaaS Integration

You can now enable Security Operations Center-as-a-Service (SOCaaS) for your WAF applications by clicking the Enable SOCaaS button on the WAF > System Settings > Settings page. This opens the SOCaaS portal to complete onboarding. SOCaaS is available for customers with the Enterprise bundle or customers that purchased the SOCaaS SKU.

Once onboarding is successful, you should see the updated SOCaaS status on the same Settings page.

For more information, please refer to WAF Settings

GSLB

Enhanced Diagnostics for GSLB Topology (VS/HC) and Fabric Connectors

You can now run diagnostics on Virtual Servers, Fabric Connectors, and Health Checks directly from the GSLB Topology view by selecting the item and clicking Diagnose. This provides quick visibility into connection and health check issues.

For more information, please refer to Topology.

25.2 released June 3, 2025

Contract and License Update

FortiAppSec Cloud has expanded supported contract and license offerings, and restructured license offerings for some products.

Enterprise Plan Support

FortiAppSec Cloud introduces the Enterprise plan, an all-inclusive annual subscription that bundles Advanced WAF features, Advanced Bot Protection, DAST, and GSLB services into one plan. Pricing is simplified to a predictable bandwidth-only model.

For more information, please refer to License & Contract.

AWS, Azure, and GCP Marketplace License Support

You can now purchase and manage FortiAppSec Cloud contracts through AWS, Azure, and GCP marketplaces.

For more information on the new license options, please refer to Public Cloud Marketplace subscriptions.

If you are looking to transfer a legacy FortiWeb Cloud Marketplace License to the FortiAppSec Cloud AWS, Azure, or GCP license, please refer to Migrating from existing Fortinet services.

FortiFlex License Support

FortiAppSec Cloud now supports FortiFlex, a flexible, usage-based security licensing program from Fortinet that allows organizations to provision FortiAppSec Cloud on-demand, paying only for what you consume. It eliminates the need for pre-planning, over-provisioning, or under-provisioning, offering a simplified and flexible licensing model.

For more information on this new license option, please refer to FortiFlex.

If you are looking to transfer a legacy FortiFlex entitlement to the FortiAppSec Cloud Fortiflex entitlement, please refer to Migrating from existing Fortinet services.

Advanced Bot Protection and DAST Contract Model Update

Dynamic Application Security Testing (DAST) and Advanced Bot Protection (ABP) are now included in the Advanced and Enterprise subscription plans respectively. These services are no longer available as standalone contracts. For more information, please refer to License & Contract.

GSLB

DNSSEC Enhancement

The DNSSEC feature in GSLB been enhanced with advanced cryptographic algorithms, providing stronger protection against DNS spoofing and related threats.

For more information on how to enable this feature, please refer to How to enable DNSSEC on GSLB.

Multi-Region Health Check Support

FortiAppSec Cloud GSLB now supports health checks from additional areas: Europe and Asia Pacific, alongside the existing North America option.

When configuring a health check, you can select its area of origin. Multiple health checks from different areas can be assigned to the same virtual server. GSLB aggregates results from all selected areas to determine server health, improving the accuracy of global availability monitoring.

For the list of IP addresses to add to your application's allowlist, please refer to Health check.

Enhanced Server Status Descriptions

When a server or virtual server is marked as down, the web portal now displays the specific reason.

Hovering over the server status icons on the Topology and FQDN pages reveals detailed messages with clear diagnostic information.

AWS Connector Load Balancing Support

GSLB now supports load balancing with AWS connectors using CNAME record types and single-record responses. This enhancement enables AWS-based applications to participate in traffic distribution. Only CNAME records are supported when using AWS connectors.

For more information, please refer to Fabric connectors with AWS and Azure.

Topology Page Filtering

The Topology page now includes a filter option, allowing you to quickly locate specific servers or virtual servers by name or status.

Advanced Bot Protection

FortiWeb Version Requirement Update

Advanced Bot Protection integration with FortiWeb now requires FortiWeb version 7.4.8 or later for continued compatibility.

25.1.a released March 27, 2025

Bug Fixes

This release fixes several bugs for improved stability and experience.

25.1 released February 27, 2025

WAF

Enhanced Known Attacks

Known Attacks has been enhanced with Extended Mode. This adds additional signatures to every Sensitivity Level but should be used with caution as it may result in higher false positive rates. For more information, please see Known Attacks.

Bot Mitigation Exception Policies

Exceptions (whitelisting) are now supported for Bot mitigation policies. Build granular exceptions based on elements such as client IPs, hostnames and URLs. For more information, please see Exception Policy.

Cloud Deployment Granularity

Application onboarding now allows choosing the Cloud platform and region during WAF onboarding. For more information, please refer to Onboard WAF applications.

View Server Health Check Status on Applications Page

You can now view the status of all origin servers for an application under the Health Check column on the WAF > Applications page. For more information, please refer to WAF Applications.

Log Format for Attack Logs

Attack Logs now support the Template Name and Destination IP field when Log Format is set to Custom. For more information on Attack Log Server options, please refer to Log Settings.

Splunk URL change

The FortiAppSec Cloud Splunk Add-On has been updated with new URLs. For more information, please refer to Using WAF with Splunk.

Region IP Update

Additional scrubbing centers have deployed in the following regions. Please make sure to allow access to your application from the IP addresses listed below.

• AWS ap-southeast-3: Asia Pacific (Jakarta)

  • 16.78.99.255

    2406:da19:4a2:1f01:4bfd:3d35:eeea:9960

  • 16.78.217.33

    2406:da19:4a2:1f02:f4ff:d71d:bc20:34fe

  • 16.78.170.51

    2406:da19:4a2:1f01:a2d8:6f29:242:b8d3

  • 43.218.33.190

    2406:da19:4a2:1f02:621a:ed16:4cea:df5d

  • 16.78.206.248

    2406:da19:4a2:1f01:4e37:3198:afa2:103f

  • 108.137.179.56

    2406:da19:4a2:1f02:e03c:7d81:aa91:7c29

• Azure South Africa North (Johannesburg)

  • 4.221.199.162

  • 4.221.192.56

  • 4.221.113.144

  • 4.222.21.210

  • 4.222.18.196

  • 4.222.21.170

  • 10.40.1.10

  • 4.221.143.107

Advanced Bot Protection

Web Portal Improvements

Several pages under Advanced Bot Protection > [Application name] > Traffic Insights have been enhanced with additional graphs and navigation elements. For more information on the updated pages, please see Dashboard, Transactions , Bot Monitor, and Exploration.

Attack Query Enhancement

The web portal now includes a page with historical charts and statistics for Attack Query insights. For more information, please refer to Attack Query.

GSLB

Support DNS CAA Record in GSLB

GSLB now supports Certificate Authority Authorization (CAA) records, enabling administrators to specify authorized CAs for their domains. This ensures secure and compliant certificate issuance while maintaining GSLB’s high availability and performance. For more information, please refer to DNS.

24.4.p1 released on January 9, 2024

Bug Fixes

This release fixes several bugs for improved stability and experience.