What's new

The following sections describe new features, enhancements, and changes:

Health check on ICAP remote servers

Under Content Analyses > ICAP Remote Servers, you can now configure whether to enable health check of the ICAP remote server using the Health Check button. When enabled, FortiProxy attempts to connect to the ICAP remote server to verify that the server is operating normally and generates an event log each time the ICAP remote server health check fails or goes back online. You must also specify the ICAP service name to use for health check in the Health Check Service field.

In the ICAP remote server table, the Health Check column shows if health check is enabled for the ICAP remote server. The Status column shows the status of ICAP remote server, including Online, Offline, and Unknown.

Refer to Create or edit an ICAP remote server in the Admin Guide for more details about creating or editing an ICAP remote server.

Alternatively, you can configure the health status check via the CLI:

    config icap remote-server
        edit <name>
            set healthcheck [disable|enable]
            set healthcheck-service {string}
        next
    end

Forward server status monitoring

Use the new Forward Server Monitor widget to monitor the forward server status. See Dashboard in the Admin Guide for more information about this widget or other widgets available.

Alternatively, you can use the following new commands to monitor the forward server status:
  • diag wad webproxy forward-server—For monitoring forward servers.

  • diag wad webproxy forward-server-group—For monitoring forward server groups.

Sample output for monitoring forward servers:
VDOM=root group_name=1
lb-alg=weight n_servers=2 affinity=enable
hits=1 weight_total=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fpx-177
hits=1 status=up weight=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fos-136
hits=0 status=down weight=10 weight_gen=0 weight_cur=0
=========================
VDOM=root group_name=my_srv_grp
lb-alg=weight n_servers=1 affinity=enable
hits=0 weight_total=10 weight_gen=1 weight_cur=0
VDOM=root group_name=my_srv_grp server_name=fpx-177
hits=0 status=up weight=10 weight_gen=0 weight_cur=0

Sample output for monitoring forward server groups:
VDOM=root group_name=g1
lb-alg=active-passive n_servers=2 affinity=disable
hits=107 weight_total=0 weight_gen=1 weight_cur=0
VDOM=root group_name=g1 server_name=227
hits=107 status=up weight=10 weight_gen=0 weight_cur=0
VDOM=root group_name=g1 server_name=229
hits=0 status=up weight=10 weight_gen=0 weight_cur=0
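The diagnose output above is line-oriented key=value text, which makes it easy to feed into a monitoring job that alerts when a forward server leaves the "up" state. The following parser is an added example, not FortiProxy code; it reads a constructed copy of the output shown above (the record layout, one header line per group followed by two stat lines, and one header line per server followed by one stat line, is an assumption taken from that sample) and reports servers whose status is anything other than up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the "diag wad webproxy forward-server" output above.
SAMPLE_OUTPUT = """\
VDOM=root group_name=1
lb-alg=weight n_servers=2 affinity=enable
hits=1 weight_total=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fpx-177
hits=1 status=up weight=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fos-136
hits=0 status=down weight=10 weight_gen=0 weight_cur=0
=========================
VDOM=root group_name=my_srv_grp
lb-alg=weight n_servers=1 affinity=enable
hits=0 weight_total=10 weight_gen=1 weight_cur=0
VDOM=root group_name=my_srv_grp server_name=fpx-177
hits=0 status=up weight=10 weight_gen=0 weight_cur=0
"""

KV_RE = re.compile(r"([\w-]+)=(\S+)")


def _kv(line: str) -> Dict[str, str]:
    """Turn one 'key=value key=value' line into a dict."""
    return dict(KV_RE.findall(line))


def parse_forward_servers(text: str) -> Dict[str, dict]:
    """Parse group and server records into {group_name: {..., 'servers': [...]}}.

    Assumed layout (from the sample): a group header line is followed by two stat lines,
    a server header line (has server_name=) is followed by one stat line.
    """
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.startswith("=")]   # drop the ===== separators
    groups: Dict[str, dict] = {}
    current = None
    i = 0
    while i < len(lines):
        head = _kv(lines[i])
        if "server_name" in head and current is not None and i + 1 < len(lines):
            stats = _kv(lines[i + 1])
            current["servers"].append({
                "name": head["server_name"],
                "status": stats.get("status", "unknown"),
                "hits": int(stats.get("hits", 0)),
                "weight": int(stats.get("weight", 0)),
            })
            i += 2
        elif "group_name" in head and i + 2 < len(lines):
            cfg, stats = _kv(lines[i + 1]), _kv(lines[i + 2])
            current = {
                "vdom": head.get("VDOM", ""),
                "lb_alg": cfg.get("lb-alg", ""),
                "affinity": cfg.get("affinity", ""),
                "n_servers": int(cfg.get("n_servers", 0)),
                "hits": int(stats.get("hits", 0)),
                "servers": [],
            }
            groups[head["group_name"]] = current
            i += 3
        else:
            i += 1   # unrecognised line: skip it rather than abort the whole parse
    return groups


def down_servers(groups: Dict[str, dict]) -> List[Tuple[str, str]]:
    """(group, server) pairs whose status is anything other than 'up'."""
    return [(g, s["name"]) for g, grp in groups.items()
            for s in grp["servers"] if s["status"] != "up"]


def groups_without_live_server(groups: Dict[str, dict]) -> List[str]:
    """Groups in which no member reports status=up: traffic to them will fail."""
    return [g for g, grp in groups.items()
            if not any(s["status"] == "up" for s in grp["servers"])]


if __name__ == "__main__":
    parsed = parse_forward_servers(SAMPLE_OUTPUT)
    for group, server in down_servers(parsed):
        print(f"ALERT: forward server {server} in group {group} is down")
    for group in groups_without_live_server(parsed):
        print(f"CRITICAL: no live server in group {group}")
```

On the sample above the parser flags fos-136 in group 1 as down while group my_srv_grp still has a live member; in practice you would run the command over SSH on a schedule and feed the two lists into your alerting pipeline.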

New commands to diagnose conntrack

Use the following commands to diagnose conntrack:

  • diag sys session conntrack count

  • diag sys session conntrack list

  • diag sys session conntrack clear

  • diagnose sys session conntrack stats

  • diagnose sys session conntrack list-dying

  • diagnose sys session conntrack list-unconfirmed

New command to diagnose IP set lists

Use the new diagnose ipset list command to diagnose IP set lists in case of policy matching issues on the kernel, which means the IP table is correct while the IP set list might be problematic.

New command to configure trust hosts

Under config system admin, use the new config trusthosts command to configure a list of trusted hosts without the limit of 10 entries imposed by the existing set trusthostX command:

    config trusthosts
        Description: Table of trusthosts.
        edit <id>
            set type [ipv4|ipv6]
            set ipv4 {ipv4-classnet}
            set ipv6 {ipv6-prefix}
        next
    end
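A trusted-host table restricts which source addresses may reach the administrator account at all, so the two things worth checking are that a given source address really falls inside one of the entries and that no entry is so wide that it defeats the purpose. The following is an added example, not FortiProxy code: it models the trusthosts table above as a list of dicts (the ids and prefixes are constructed), evaluates a source address against it with the standard library's ipaddress module, and audits the table for overly broad prefixes. The prefix thresholds used by the audit are this example's own choice.

```python
import ipaddress
from typing import List, Optional

# Constructed trusthosts table in the shape of the CLI above (ids and prefixes are examples).
TRUSTHOSTS = [
    {"id": 1, "type": "ipv4", "ipv4": "10.10.0.0/24"},     # management subnet
    {"id": 2, "type": "ipv4", "ipv4": "192.0.2.7/32"},     # a single jump host
    {"id": 3, "type": "ipv6", "ipv6": "2001:db8:1::/48"},  # IPv6 management range
]


def compile_trusthosts(entries: List[dict]):
    """Turn table entries into (id, ip_network) pairs; invalid prefixes raise ValueError."""
    nets = []
    for e in entries:
        value = e["ipv4"] if e["type"] == "ipv4" else e["ipv6"]
        nets.append((e["id"], ipaddress.ip_network(value, strict=False)))
    return nets


def matching_trusthost(entries: List[dict], source_ip: str) -> Optional[int]:
    """Return the id of the first entry containing source_ip, or None if no entry matches."""
    addr = ipaddress.ip_address(source_ip)
    for entry_id, net in compile_trusthosts(entries):
        if addr.version == net.version and addr in net:
            return entry_id
    return None


def is_admin_source_trusted(entries: List[dict], source_ip: str) -> bool:
    """Fail closed: an address outside every entry is not trusted."""
    return matching_trusthost(entries, source_ip) is not None


def overly_broad_entries(entries: List[dict], max_v4_prefix: int = 16,
                         max_v6_prefix: int = 48) -> List[int]:
    """Ids of entries wider than the thresholds (e.g. 0.0.0.0/0), which effectively
    disable the trusted-host restriction. Thresholds are this example's assumption."""
    flagged = []
    for entry_id, net in compile_trusthosts(entries):
        limit = max_v4_prefix if net.version == 4 else max_v6_prefix
        if net.prefixlen < limit:
            flagged.append(entry_id)
    return flagged


if __name__ == "__main__":
    for ip in ("10.10.0.42", "10.11.0.1", "2001:db8:1:2::9"):
        print(ip, "trusted" if is_admin_source_trusted(TRUSTHOSTS, ip) else "REJECTED")
    print("overly broad entries:", overly_broad_entries(TRUSTHOSTS))
```

Run the audit function over the exported table whenever the admin configuration changes; an entry such as 0.0.0.0/0 is the one that makes the whole list meaningless.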

Hold primary config-sync unit for some time before upgrading or rebooting

Under config system ha, use the new primary-hold-before-reboot {time} command to hold the primary config-sync unit for a set time before it is upgraded or rebooted. Valid time values are integers from 0 to 600.

Match FQDNs from domain-list against SNI header for HTTPS requests

Under config firewall policy, when setting the destination address data source (set dstaddr), you can now reference the "domain" type external resource that you defined in config system.external-resource; for HTTPS requests the FQDNs in that domain list are matched against the SNI header, which avoids connection leakage.

To reference the "domain" type data via the CLI:

    config firewall policy
        edit <policyid>
            set dstaddr <external-resource domain list name>
        next
    end
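Matching a policy on the SNI header means the proxy has to pull the host name out of the TLS ClientHello before any HTTP is visible, and decide what to do when there is no usable SNI at all. The following is an added example, not FortiProxy code: it builds a minimal ClientHello (constructed test input only), extracts the server_name extension with bounds checks at every length field, and matches it against a constructed domain list. The exact, case-insensitive match and the fail-closed handling of a missing or malformed SNI are this example's own choices; the page does not spell out the product's matching rules.

```python
import struct
from typing import List, Optional

# Constructed domain list in the shape of a "domain" type external resource (example names).
DOMAIN_LIST = ["www.example.com", "api.example.com", "intranet.example.org"]


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello carrying an SNI extension (test input only)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name         # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"       # unrelated extension the parser must skip
    extensions = other_ext + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                       # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                      # one cipher suite
            + b"\x01\x00"                                             # one (null) compression method
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if absent or malformed."""
    if len(record) < 5 or record[0] != 0x16:                      # not a TLS handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                              # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                                    # skip client_version and random
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                                              # session_id
    if len(body) < p + 2:
        return None
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]                # cipher_suites
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                                              # compression_methods
    if len(body) < p + 2:
        return None                                               # no extensions block at all
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    if end > len(body):                                           # truncated extensions block
        return None
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[p:p + 4])
        p += 4
        ext = body[p:p + ext_len]
        p += ext_len
        if ext_type == 0x0000:
            return _host_name_from_sni(ext)
    return None


def _host_name_from_sni(ext: bytes) -> Optional[str]:
    """Walk the server_name list and return the first host_name entry, normalised."""
    if len(ext) < 2:
        return None
    q, end = 2, min(len(ext), 2 + struct.unpack("!H", ext[:2])[0])
    while q + 3 <= end:
        name_type, name_len = ext[q], struct.unpack("!H", ext[q + 1:q + 3])[0]
        q += 3
        name = ext[q:q + name_len]
        q += name_len
        if name_type == 0 and len(name) == name_len:
            try:
                return name.decode("ascii").lower().rstrip(".")
            except UnicodeDecodeError:
                return None
    return None


def sni_matches_domain_list(record: bytes, domains: List[str]) -> bool:
    """Policy match for an HTTPS request: exact, case-insensitive SNI match against the list.
    A missing or malformed SNI never matches, so such a connection cannot ride on this address."""
    sni = extract_sni(record)
    if sni is None:
        return False
    return sni in {d.lower().rstrip(".") for d in domains}


if __name__ == "__main__":
    for host in ("www.example.com", "evil-example.com"):
        print(host, sni_matches_domain_list(build_client_hello(host), DOMAIN_LIST))
```

The parser never trusts a length field without first checking that the bytes it points at exist, which is what keeps a deliberately malformed ClientHello from turning a policy lookup into an exception in the data path.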

Add local URL list as data source for firewall

To add a local URL list as a data source for the firewall via the CLI:

  1. Define the local URL list in the web filter:

        config webfilter url-list
            edit <name>
                set uuid {uuid}
                set status [enable|disable]
                set comment {var-string}
                config entries
                    edit <url>
                    next
                end
            next
        end

  2. Configure the firewall proxy address to use the local URL list:

        config firewall proxy-address
            edit <name>
                set type url-list
                set url-list <External or webfilter URL list>
            next
        end

  3. Reference the local URL list as a data source of the firewall using the firewall.policy.dstaddr command.

Process file access monitoring

Use the new diag sys iotop command to monitor process file access, which is useful for tracing what causes frequent disk access. By default, the command prints results at an interval of 5 seconds. You can also customize the interval to suit your needs. To print results immediately, press Enter.

For each file access, the following information is displayed: PID, process name, accessed file path, and the number of open, read, write, or close events during the interval. Delete and move information is not included. You can also use blacklists to hide sensitive or irrelevant files.

Sample output:

    # diag sys iotop
    PID  #O #R #W #C PROCESS FILE
    1078 1  0  2  0  miglogd /var/log/log/root/alog.65504
    1078 1  0  2  0  miglogd /var/log/log/root/dlog.65504
    1078 1  0  2  0  miglogd /var/log/log/root/hlog.65504
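When the question is "what is hammering the disk", the iotop rows are most useful once they are aggregated per process and filtered by the same kind of blacklist the command supports. The following is an added example, not FortiProxy code: it parses a constructed copy of the output above (the two extra rows for wad and httpsd, and their file paths, are made up for illustration), applies a glob-style blacklist so sensitive paths never reach a ticket or a dashboard, and ranks processes by total events in the interval.

```python
import fnmatch
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the shape of the "diag sys iotop" output above; the last two rows
# (and their paths) are invented to give the aggregation something to rank.
SAMPLE_IOTOP = """\
# diag sys iotop
PID #O #R #W #C PROCESS FILE
1078 1 0 2 0 miglogd /var/log/log/root/alog.65504
1078 1 0 2 0 miglogd /var/log/log/root/dlog.65504
1078 1 0 2 0 miglogd /var/log/log/root/hlog.65504
2210 0 40 0 0 wad /var/tmp/cache/objects.db
3001 1 0 1 1 httpsd /data/etc/admin_keys
"""

EVENT_COLUMNS = ("open", "read", "write", "close")   # #O #R #W #C in the header


def parse_iotop(text: str) -> List[Dict]:
    """Parse data rows; the banner and the column header are skipped because their
    first field is not a PID. File paths may contain spaces, hence maxsplit=6."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) != 7 or not parts[0].isdigit():
            continue
        pid, o, r, w, c, proc, path = parts
        rows.append({"pid": int(pid), "open": int(o), "read": int(r),
                     "write": int(w), "close": int(c), "process": proc, "file": path})
    return rows


def apply_blacklist(rows: List[Dict], patterns: List[str]) -> List[Dict]:
    """Drop rows whose file path matches any glob pattern (sensitive or irrelevant files)."""
    return [row for row in rows
            if not any(fnmatch.fnmatch(row["file"], pat) for pat in patterns)]


def events_per_process(rows: List[Dict]) -> List[Tuple[Tuple[str, int], int]]:
    """Total open+read+write+close events per (process, pid), busiest first."""
    totals: Dict[Tuple[str, int], int] = defaultdict(int)
    for row in rows:
        totals[(row["process"], row["pid"])] += sum(row[col] for col in EVENT_COLUMNS)
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


def busiest_files(rows: List[Dict], n: int = 3) -> List[Tuple[str, int]]:
    """The n files with the most events in the interval."""
    totals: Dict[str, int] = defaultdict(int)
    for row in rows:
        totals[row["file"]] += sum(row[col] for col in EVENT_COLUMNS)
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)[:n]


if __name__ == "__main__":
    visible = apply_blacklist(parse_iotop(SAMPLE_IOTOP), ["/data/etc/*"])
    for (proc, pid), total in events_per_process(visible):
        print(f"{proc}({pid}): {total} events")
    print("busiest files:", busiest_files(visible))
```

Because the sample counts events rather than bytes, a process doing many small reads (wad in the constructed rows) ranks above one writing a few log files, which is usually the right signal when hunting the source of constant disk activity.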

Using existing HTTP header content for ICAP

Under config icap profile, use the config icap-headers command to extract the HTTP header content for use in ICAP:

    config icap-headers
        Description: Configure ICAP forwarded request headers.
        edit <id>
            set name {string}
            set source [content|http-header|...]
            set content {string}
            set http-header {string}
            set sesson-info-type [client-ip|user|...]
            set base64-encoding [disable|enable]
        next
    end

Parameter        | Description                                            | Type   | Size                | Default
-----------------|--------------------------------------------------------|--------|---------------------|----------
name             | HTTP forwarded header name.                            | string | Maximum length: 79  |
source           | HTTP append header source.                             | option | -                   | content
content          | HTTP header content.                                   | string | Maximum length: 255 |
http-header      | HTTP header-field name.                                | string | Maximum length: 79  |
sesson-info-type | Session info type.                                     | option | -                   | client-ip
base64-encoding  | Enable/disable use of base64 encoding of HTTP content. | option | -                   | disable

Options for source:

    content         Create ICAP header from content.
    http-header     Create ICAP header from HTTP header.
    session         Create ICAP header from session info.

Options for sesson-info-type:

    client-ip       Client IP address.
    user            Authentication user name.
    upn             Authentication user principal name.
    domain          User domain name.
    local-grp       Firewall group name.
    remote-grp      Group name from authentication server.
    proxy-name      Proxy realm name.
    auth-user-uri   Authenticated user URI.
    auth-group-uri  Authenticated group URI.

Options for base64-encoding:

    disable         Disable use of base64 encoding of HTTP content.
    enable          Enable use of base64 encoding of HTTP content.
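Forwarding session information to an ICAP server means user-controlled or directory-sourced strings (a user name, a client header) end up as header values in the ICAP request, so the base64-encoding option is the practical way to keep non-ASCII characters and CR/LF sequences from corrupting that request. The following is an added example, not FortiProxy code: it models a constructed icap-headers table using the parameter names from the CLI above (the sesson-info-type spelling follows the page's CLI; the header names are examples), resolves each entry from its source, base64-encodes when the table says so, and otherwise drops any value that is not clean printable ASCII. That drop-on-unsafe rule is this example's own choice.

```python
import base64
from typing import Dict, List, Tuple

# Constructed icap-headers table in the shape of the CLI above; header names are examples.
ICAP_HEADERS = [
    {"name": "X-Client-IP", "source": "session", "sesson-info-type": "client-ip",
     "base64-encoding": "disable"},
    {"name": "X-Authenticated-User", "source": "session", "sesson-info-type": "user",
     "base64-encoding": "enable"},
    {"name": "X-Original-UA", "source": "http-header", "http-header": "User-Agent",
     "base64-encoding": "disable"},
    {"name": "X-Proxy-Tag", "source": "content", "content": "fpx-edge-1",
     "base64-encoding": "disable"},
]


def header_value_is_safe(value: str) -> bool:
    """Printable ASCII only: no CR, LF, control characters or non-ASCII text."""
    return all(32 <= ord(ch) < 127 for ch in value)


def build_icap_headers(entries: List[Dict], session: Dict[str, str],
                       http_headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Resolve each table entry to (name, value) for the ICAP request.

    session maps sesson-info-type option names (client-ip, user, upn, ...) to values;
    http_headers is the client request's header map (names matched case-insensitively).
    """
    lowered = {k.lower(): v for k, v in http_headers.items()}
    out: List[Tuple[str, str]] = []
    for entry in entries:
        source = entry.get("source", "content")
        if source == "content":
            value = entry.get("content")
        elif source == "http-header":
            value = lowered.get(entry.get("http-header", "").lower())
        elif source == "session":
            value = session.get(entry.get("sesson-info-type", "client-ip"))
        else:
            value = None
        if not value:
            continue                      # nothing to forward for this entry
        if entry.get("base64-encoding") == "enable":
            value = base64.b64encode(value.encode("utf-8")).decode("ascii")
        elif not header_value_is_safe(value):
            continue                      # never inject CR/LF or raw non-ASCII into the ICAP request
        out.append((entry["name"], value))
    return out


def render_icap_request_headers(pairs: List[Tuple[str, str]]) -> str:
    """Serialise the forwarded headers as they would appear in the ICAP request head."""
    return "".join(f"{name}: {value}\r\n" for name, value in pairs)


if __name__ == "__main__":
    session_info = {"client-ip": "10.0.0.5", "user": "jdoe", "domain": "CORP"}
    pairs = build_icap_headers(ICAP_HEADERS, session_info, {"User-Agent": "curl/8.0"})
    print(render_icap_request_headers(pairs))
```

With base64-encoding set to enable, a user name such as "Jörg" still reaches the ICAP server intact as "SsO2cmc="; with it disabled the same value would be dropped by the safety check rather than sent as raw UTF-8.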

Reverse proxy server support

Under config firewall vip, you can now configure the type to be server-load-balance and specify the load balancing method. You can also define the health check protocol using the set health-check-proto command under config realservers, which is available under config firewall access-proxy.

    config firewall vip
        Description: Configure virtual IP for IPv4.
        edit <name>
            set type [static-nat|server-load-balance|...]
            set ldb-method [static|round-robin|...]
            config realservers
                Description: Select the real servers that this server load balancing VIP will distribute traffic to.
                edit <id>
                    set type [ip|address]
                    set healthcheck [disable|enable]
                    set health-check-proto [ping|http]
                next
            end
        next
    end

Parameter          | Description                                                                                              | Type   | Size | Default
-------------------|----------------------------------------------------------------------------------------------------------|--------|------|-----------
type               | Configure between a static NAT and access proxy VIP.                                                     | option | -    | static-nat
ldb-method         | Method used to distribute sessions to real servers.                                                      | option | -    |
healthcheck        | Enable to check the responsiveness of the real server before forwarding traffic.                        | option | -    |
health-check-proto | Protocol of the health check monitor to use when polling to determine the server's connectivity status. | option | -    | ping

Options for type:

    static-nat           Static NAT.
    server-load-balance  Server load balance.
    access-proxy         Access proxy.

Options for ldb-method:

    static               Distribute to server based on source IP.
    round-robin          Distribute to server based on round-robin order.
    weighted             Distribute to server based on weight.
    first-alive          Distribute to the first server that is alive.
    http-host            Distribute to server based on host field in HTTP header.

Options for health-check-proto:

    ping                 Use PING to test the link with the server.
    http                 Use HTTP-GET to test the link with the server.
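The five ldb-method options above are easiest to compare when written out as the selection rule each one applies to the set of real servers that the health check currently reports as alive. The following is an added example, not FortiProxy code: a small balancer that implements each method by name over constructed real servers, plus a hook that applies health-check results (in the product the probe is ping or HTTP-GET; here it is any callable) and marks servers down so they drop out of selection. The hashing used for the static and http-host methods is this example's own choice.

```python
import zlib
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class RealServer:
    """One entry of config realservers (constructed fields: name, ip, weight, alive)."""
    name: str
    ip: str
    weight: int = 1
    alive: bool = True


class ServerLoadBalance:
    """Distributes sessions according to the ldb-method option names from the table above."""
    METHODS = ("static", "round-robin", "weighted", "first-alive", "http-host")

    def __init__(self, ldb_method: str, servers: List[RealServer]):
        if ldb_method not in self.METHODS:
            raise ValueError(f"unknown ldb-method {ldb_method!r}")
        self.method = ldb_method
        self.servers = list(servers)
        self._cursor = 0                      # rotating index for round-robin and weighted

    def live(self) -> List[RealServer]:
        """Only servers the health check reports as alive are candidates."""
        return [s for s in self.servers if s.alive]

    def pick(self, src_ip: str, http_host: Optional[str] = None) -> Optional[RealServer]:
        candidates = self.live()
        if not candidates:
            return None                       # every real server is down: nothing to forward to
        if self.method == "static":           # same client always lands on the same server
            return candidates[zlib.crc32(src_ip.encode()) % len(candidates)]
        if self.method == "round-robin":
            chosen = candidates[self._cursor % len(candidates)]
            self._cursor += 1
            return chosen
        if self.method == "weighted":         # expand by weight, then rotate through the expansion
            sequence = [s for s in candidates for _ in range(max(s.weight, 1))]
            chosen = sequence[self._cursor % len(sequence)]
            self._cursor += 1
            return chosen
        if self.method == "first-alive":
            return candidates[0]
        if http_host is None:                 # http-host needs a Host header to work with
            return None
        return candidates[zlib.crc32(http_host.lower().encode()) % len(candidates)]

    def apply_health_checks(self, probe: Callable[[RealServer], bool]) -> List[str]:
        """Run the probe against every server, update alive flags, return names whose state changed."""
        changed = []
        for server in self.servers:
            result = bool(probe(server))
            if result != server.alive:
                changed.append(server.name)
            server.alive = result
        return changed


if __name__ == "__main__":
    pool = [RealServer("web1", "192.0.2.10", weight=3), RealServer("web2", "192.0.2.11", weight=1)]
    lb = ServerLoadBalance("weighted", pool)
    print([lb.pick("10.0.0.1").name for _ in range(4)])
    print("state changes:", lb.apply_health_checks(lambda s: s.name != "web1"))
    print("after web1 failed:", lb.pick("10.0.0.1").name)
```

Note that with first-alive a single healthy server absorbs all traffic until it too fails, so the health-check interval and the probe protocol (ping proves reachability, HTTP-GET proves the service answers) decide how long clients are sent to a dead backend.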

Detect configuration changes in Windows Active Directory server

To configure FortiProxy to detect configuration changes in a Windows Active Directory server via the CLI:

    config user domain-controller
        edit <name>
            set change-detection [enable|disable]
            set change-detection-period {integer}
        next
    end

Options for change-detection:

    enable    Enable detection of configuration changes in the Active Directory server.
    disable   Disable detection of configuration changes in the Active Directory server (default).

Value for change-detection-period:

    integer   Interval (in minutes) at which to detect configuration changes in the Active Directory server. The valid range is 5 to 10080. The default is 60.

Diagnose memory of all wad processes

Use the new diagnose wad memory workers command to show cmem stats for all wad processes, as opposed to only the workers.

Use the diagnose wad memory track command to show, summed over all wad processes, the cmem stats, fmem stats, pool stats, block stats, mmap stats, and mallinfo, followed by, for each process, the mmap stats, pool stats, block stats, mallinfo, top 6 cmem stats, and top 5 fmem stats. mallinfo is written to the process shared memory every 30 seconds.

Changes to set domain-fronting configuration

Under config firewall profile-protocol-options, the options for the set domain-fronting configuration change from [enable|disable] to [allow|block|monitor]:

    allow     Allow domain fronting.
    block     Block and log domain fronting.
    monitor   Allow and log domain fronting.

Remove config fabric-device configuration

Under config system csf, the config fabric-device configuration is removed.

New event logs to indicate source port usage

The following logs are added for reporting or warning about source port usage:

  • High source port usage—This log is recorded when more than half of the available source ports on an IP are in use during FortiProxy's last few consecutive attempts to obtain a source port.

Use the following two diagnose commands to dump the cache of recent events for the new event types:

  • dia test app forticron 50

  • dia test app forticron 51
