Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Release Notes

    Home FortiProxy 7.0.5 Release Notes
    7.0.5
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.13
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.16
    7.2.15
    7.2.14
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.23
    7.0.22
    7.0.21
    7.0.20
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    2.0.14
    2.0.13
    2.0.12
    2.0.11
    2.0.10
    2.0.9
    2.0.8
    2.0.7
    2.0.6
    2.0.5
    2.0.4
    2.0.3
    2.0.2
    2.0.1
    2.0.0
    1.2.13
    1.2.12
    1.2.11
    1.2.10
    1.2.9
    1.2.8
    1.2.7
    1.2.6
    1.2.5
    1.2.4
    1.2.3
    1.2.2
    1.2.1
    1.2.0
    1.1.6
    1.1.5
    1.1.4
    1.1.3
    1.1.2
    1.1.1
    1.1.0
    1.0.7
    1.0.6
    1.0.5
    1.0.4
    1.0.3
    1.0.2
    1.0.1
    1.0.0

    Whatʼs new

    Whatʼs new

    The following sections describe new features and enhancements:

    SSH policy matching

    When configuring a firewall policy, the ssh-policy-check command has replaced the ssh-policy-redirect command.

    SSH policy check is disabled by default, and can be enabled in transparent and explicit-web policies. When it is enabled, SSH policy matching will only match the SSH policy.

    To configure SSH policy check in the CLI:
    config firewall policy
    edit <policy>
        set ssh-policy-check {disable | enable}
    next
end
    To configure SSH policy check in the CLI:

    1. Go to Policy & Objects > Policy.

    2. Edit a transparent or explicit policy, or create a new policy and set Type to Transparent or Explicit.

    3. Enable or disable Enable SSH policy check.

    4. Click OK.

    Set CIFS profile in a policy removed

    The cifs-profile command is removed from the firewall policy options.

    CIFS can be configure in the GUI by creating or editing a proxy option under Proxy Settings > Proxy Options, and in the CLI using the config firewall profile-protocol-options command:

    config firewall profile-protocol-options
    edit <option>
        config cifs
            set ports <port>
            set status {enable | disable}
            set options <string>
            set oversize-limit <integer>
            set uncompressed-oversize-limit <integer>
            set uncompressed-nest-limit <integer>
            set scan-bzip2 {enable | disable}
            set tcp-window-type {auto-tuning | system | static | dynamic}
            set server-credential-type {none | credential-replication | credential-keytab}
        end
    next
end

    The proxy option can be then be used in a policy:

    • In the CLI, select the option using the set profile-protocol-options <option> command:

      config firewall policy
    edit 1
        set profile-protocol-options <option>
    next
end

    • In the GUI, select the option in the Protocol Options field when editing a policy.

    External threat feed through forwarding server

    FortiProxy can download external threat feeds as a downstream-proxy in an isolated environment, where the upstream-proxy only has internet access. All SWG functions, including SSL deep-inspection, are performed by the downstream proxy. FDS updates and management is done on the FortiManager.

    To configure the external proxy:
    config system external-resource
    edit <resource>
        set proxy <proxy_server> 
        set proxy-port <port>
        set proxy-username <username>
        set proxy-password <password>
    next
end

    proxy <proxy_server>

    Proxy server host (IP or domain name).

    proxy-port <port>

    Port number that the proxy server expects to receive HTTP sessions on (1 - 65535, default = 8080).

    proxy-username <username>

    HTTP proxy basic authentication user name.

    proxy-password <password>

    HTTP proxy basic authentication password.

    Device ownership CLI command

    When device ownership is enabled, ownership enforcement is done at policy level. It is disabled by default.

    To enable device ownership:
    config firewall policy
    edit 2
        set ztna-status enable
        set ztna-ems-tag "FCTEMS_ALL_FORTICLOUD_SERVERS"
        set device-ownership enable
        ...
    next
end

    Custom virtual host replacement message

    Custom messages can be configured for each ZTNA virtual host, to be shown when verification fails. The ZTNA detail tag (%%ZTNA_DETAIL_TAG%%) can be included to show the reason for the verification failure.

    To use a custom replacement message:

    1. Configure a replacement message that includes the ZTNA detail tag in the message:

      config system replacemsg-group
    edit "test-vhost"
        set comment ''
        set group-type utm
        config webproxy
            edit "ztna-block"
                set buffer "This is a test message: %%ZTNA_DETAIL_TAG%%"
                set header http
                set format html
            next
        end
    next
end

    2. Apply the replacement message to a virtual host:

      config firewall access-proxy-virtual-host
    edit "test"
        set host "10.1.200.102"
        set replacemsg-group "test-vhost"
    next
end

    Proxy policy FTPS handling improvements

    To improve FTPS handling in proxy policies:

    • When explicit-ftp-tls is enabled in the FTP protocol options, FTP is always redirected, regardless of the FTPS status, and deep inspection is done for the explicit FTPS session.

      config firewall profile-protocol-options
    edit "test"
        config ftp
            set ports 21
            set status enable
            set explicit-ftp-tls {disable | enable}
        end
    next
end

    • When deep inspection is enabled, FTPS is always redirected.

    SSL options can be configured in SSL/SSH profiles when the protocol is disabled:

    config firewall ssl-ssh-profile
    edit "no-inspection"
        config ftps
            set status disable
            set client-certificate bypass
            set unsupported-ssl-version allow
            set unsupported-ssl-cipher allow
            set unsupported-ssl-negotiation allow
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert allow
            set cert-validation-timeout allow
            set cert-validation-failure block
            set min-allowed-ssl-version tls-1.1
        end
    next
end

    Forward traffic logs and HTTP transaction logs include the forwardedfor field

    The HTTP transaction and Forward session logs include the ClientIP column, that records the client IP address based on the learn-client-ip configuration. By default, the original-source-ip is recorded.

    config web-proxy global
    set learn-client-ip {enable | disable}
    set learn-client-ip-from-header {true-client-ip x-real-ip x-forwarded-for}
    set learn-client-ip-srcaddr <address>
    set learn-client-ip-srcaddr6 <address>
end

    learn-client-ip {enable | disable}

    Enable/disable learning the client's IP address from headers (default = disable).

    learn-client-ip-from-header {true-client-ip | x-real-ip | x-forwarded-for}

    Learn client IP address from the specified headers: True-Client-IP, X-Real-IP, and X-Forwarded-For.

    learn-client-ip-srcaddr(6) <address>

    Source address name (srcaddr or srcaddr6 must be set).

    Display the correct information when doing NTLM authentication

    When doing NTLM authentication, the domain is extracted based on the following:

    1. If the domain controller has a domain name configured, it is used.

    2. Otherwise, if the NTLM type 3 message, from the user, is configured, it is used.

    3. Otherwise, if the domain name from the NTLM type 2 message, from the DC, is configured, it is used.

    To configure the domain name source, if it is not set:
    config user domain-controller
    edit "adfs-dc"
        set ip-address 192.168.130.200
        unset domain-name
        set domain-name-src {server | client}
        set ldap-server "adfsldap"
    next
end

    The domain name can be extracted from either the server's (DC) data, or from the client's data.

    Previous
    Next

    On This Page

    SSH policy matching
    Set CIFS profile in a policy removed
    External threat feed through forwarding server
    Device ownership CLI command
    Custom virtual host replacement message
    Proxy policy FTPS handling improvements
    Whatʼs new

    Whatʼs new

    Whatʼs new

    The following sections describe new features and enhancements:

    SSH policy matching

    When configuring a firewall policy, the ssh-policy-check command has replaced the ssh-policy-redirect command.

    SSH policy check is disabled by default, and can be enabled in transparent and explicit-web policies. When it is enabled, SSH policy matching will only match the SSH policy.

    To configure SSH policy check in the CLI:
    config firewall policy
    edit <policy>
        set ssh-policy-check {disable | enable}
    next
end
    To configure SSH policy check in the CLI:

    1. Go to Policy & Objects > Policy.

    2. Edit a transparent or explicit policy, or create a new policy and set Type to Transparent or Explicit.

    3. Enable or disable Enable SSH policy check.

    4. Click OK.

    Set CIFS profile in a policy removed

    The cifs-profile command is removed from the firewall policy options.

    CIFS can be configure in the GUI by creating or editing a proxy option under Proxy Settings > Proxy Options, and in the CLI using the config firewall profile-protocol-options command:

    config firewall profile-protocol-options
    edit <option>
        config cifs
            set ports <port>
            set status {enable | disable}
            set options <string>
            set oversize-limit <integer>
            set uncompressed-oversize-limit <integer>
            set uncompressed-nest-limit <integer>
            set scan-bzip2 {enable | disable}
            set tcp-window-type {auto-tuning | system | static | dynamic}
            set server-credential-type {none | credential-replication | credential-keytab}
        end
    next
end

    The proxy option can be then be used in a policy:

    • In the CLI, select the option using the set profile-protocol-options <option> command:

      config firewall policy
    edit 1
        set profile-protocol-options <option>
    next
end

    • In the GUI, select the option in the Protocol Options field when editing a policy.

    External threat feed through forwarding server

    FortiProxy can download external threat feeds as a downstream-proxy in an isolated environment, where the upstream-proxy only has internet access. All SWG functions, including SSL deep-inspection, are performed by the downstream proxy. FDS updates and management is done on the FortiManager.

    To configure the external proxy:
    config system external-resource
    edit <resource>
        set proxy <proxy_server> 
        set proxy-port <port>
        set proxy-username <username>
        set proxy-password <password>
    next
end

    proxy <proxy_server>

    Proxy server host (IP or domain name).

    proxy-port <port>

    Port number that the proxy server expects to receive HTTP sessions on (1 - 65535, default = 8080).

    proxy-username <username>

    HTTP proxy basic authentication user name.

    proxy-password <password>

    HTTP proxy basic authentication password.

    Device ownership CLI command

    When device ownership is enabled, ownership enforcement is done at policy level. It is disabled by default.

    To enable device ownership:
    config firewall policy
    edit 2
        set ztna-status enable
        set ztna-ems-tag "FCTEMS_ALL_FORTICLOUD_SERVERS"
        set device-ownership enable
        ...
    next
end

    Custom virtual host replacement message

    Custom messages can be configured for each ZTNA virtual host, to be shown when verification fails. The ZTNA detail tag (%%ZTNA_DETAIL_TAG%%) can be included to show the reason for the verification failure.

    To use a custom replacement message:

    1. Configure a replacement message that includes the ZTNA detail tag in the message:

      config system replacemsg-group
    edit "test-vhost"
        set comment ''
        set group-type utm
        config webproxy
            edit "ztna-block"
                set buffer "This is a test message: %%ZTNA_DETAIL_TAG%%"
                set header http
                set format html
            next
        end
    next
end

    2. Apply the replacement message to a virtual host:

      config firewall access-proxy-virtual-host
    edit "test"
        set host "10.1.200.102"
        set replacemsg-group "test-vhost"
    next
end

    Proxy policy FTPS handling improvements

    To improve FTPS handling in proxy policies:

    • When explicit-ftp-tls is enabled in the FTP protocol options, FTP is always redirected, regardless of the FTPS status, and deep inspection is done for the explicit FTPS session.

      config firewall profile-protocol-options
    edit "test"
        config ftp
            set ports 21
            set status enable
            set explicit-ftp-tls {disable | enable}
        end
    next
end

    • When deep inspection is enabled, FTPS is always redirected.

    SSL options can be configured in SSL/SSH profiles when the protocol is disabled:

    config firewall ssl-ssh-profile
    edit "no-inspection"
        config ftps
            set status disable
            set client-certificate bypass
            set unsupported-ssl-version allow
            set unsupported-ssl-cipher allow
            set unsupported-ssl-negotiation allow
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert allow
            set cert-validation-timeout allow
            set cert-validation-failure block
            set min-allowed-ssl-version tls-1.1
        end
    next
end

    Forward traffic logs and HTTP transaction logs include the forwardedfor field

    The HTTP transaction and Forward session logs include the ClientIP column, that records the client IP address based on the learn-client-ip configuration. By default, the original-source-ip is recorded.

    config web-proxy global
    set learn-client-ip {enable | disable}
    set learn-client-ip-from-header {true-client-ip x-real-ip x-forwarded-for}
    set learn-client-ip-srcaddr <address>
    set learn-client-ip-srcaddr6 <address>
end

    learn-client-ip {enable | disable}

    Enable/disable learning the client's IP address from headers (default = disable).

    learn-client-ip-from-header {true-client-ip | x-real-ip | x-forwarded-for}

    Learn client IP address from the specified headers: True-Client-IP, X-Real-IP, and X-Forwarded-For.

    learn-client-ip-srcaddr(6) <address>

    Source address name (srcaddr or srcaddr6 must be set).

    Display the correct information when doing NTLM authentication

    When doing NTLM authentication, the domain is extracted based on the following:

    1. If the domain controller has a domain name configured, it is used.

    2. Otherwise, if the NTLM type 3 message, from the user, is configured, it is used.

    3. Otherwise, if the domain name from the NTLM type 2 message, from the DC, is configured, it is used.

    To configure the domain name source, if it is not set:
    config user domain-controller
    edit "adfs-dc"
        set ip-address 192.168.130.200
        unset domain-name
        set domain-name-src {server | client}
        set ldap-server "adfsldap"
    next
end

    The domain name can be extracted from either the server's (DC) data, or from the client's data.

    Previous
    Next