What's new
The following sections describe new features, enhancements, and changes:
- Health check on ICAP remote servers
- Forward server status monitoring
- New commands to diagnose conntrack
- New command to diagnose IP set lists
- New command to configure trust hosts
- Hold primary config-sync unit for some time before upgrading or rebooting
- Match FQDNs from domain-list against SNI header for HTTPS requests
- Add local URL list as data source for firewall
- Process file access monitoring
- Using existing HTTP header content for ICAP
- Reverse proxy server support
- Detect configuration changes in Windows Active Directory server
- Diagnose memory of all wad processes
- Changes to set domain-fronting configuration
- Remove config fabric-device configuration
- New event logs to indicate source port usage
Health check on ICAP remote servers
Under Content Analyses > ICAP Remote Servers, you can now use the Health Check button to enable a health check of the ICAP remote server. When enabled, FortiProxy attempts to connect to the ICAP remote server to verify that it is operating normally, and generates an event log each time the health check fails or the server comes back online. You must also specify the ICAP service name to use for the health check in the Health Check Service field.
In the ICAP remote server table, the Health Check column shows whether health check is enabled for the ICAP remote server. The Status column shows the status of the ICAP remote server: Online, Offline, or Unknown.
Refer to Create or edit an ICAP remote server in the Admin Guide for more details about creating or editing an ICAP remote server.
Alternatively, you can configure the health check via CLI:
config icap remote-server
edit <name>
set healthcheck [disable|enable]
set healthcheck-service {string}
next
end
Forward server status monitoring
Use the new Forward Server Monitor widget to monitor the forward server status. See Dashboard in the Admin Guide for more information about this widget or other widgets available.
Alternatively, you can use the following new commands to monitor the forward server status:
- diag wad webproxy forward-server: monitors forward servers.
- diag wad webproxy forward-server-group: monitors forward server groups.
Sample output for monitoring forward servers:
VDOM=root group_name=1
lb-alg=weight n_servers=2 affinity=enable
hits=1 weight_total=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fpx-177
hits=1 status=up weight=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fos-136
hits=0 status=down weight=10 weight_gen=0 weight_cur=0
=========================
VDOM=root group_name=my_srv_grp
lb-alg=weight n_servers=1 affinity=enable
hits=0 weight_total=10 weight_gen=1 weight_cur=0
VDOM=root group_name=my_srv_grp server_name=fpx-177
hits=0 status=up weight=10 weight_gen=0 weight_cur=0
Sample output for monitoring forward server groups:
VDOM=root group_name=g1
lb-alg=active-passive n_servers=2 affinity=disable
hits=107 weight_total=0 weight_gen=1 weight_cur=0
VDOM=root group_name=g1 server_name=227
hits=107 status=up weight=10 weight_gen=0 weight_cur=0
VDOM=root group_name=g1 server_name=229
hits=0 status=up weight=10 weight_gen=0 weight_cur=0
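The diag output above is meant to be read by a person, but an operator who fronts production traffic with forward server groups usually wants a check that fires when a server goes down or a whole group loses capacity. The following Python is an added example, not part of the release note or of Fortinet's code: it parses the forward-server output shown above (the sample text is the page's own output, copied verbatim) into per-group and per-server records and reports servers that are not up, groups with no up server, and groups whose n_servers does not match the number of server records parsed. The field names come straight from the output; the field layout (a header line followed by key=value lines) is inferred from the sample.

```python
import re

# Sample output copied from the release note above (diag wad webproxy forward-server).
SAMPLE_OUTPUT = """\
VDOM=root group_name=1
lb-alg=weight n_servers=2 affinity=enable
hits=1 weight_total=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fpx-177
hits=1 status=up weight=10 weight_gen=2 weight_cur=9
VDOM=root group_name=1 server_name=fos-136
hits=0 status=down weight=10 weight_gen=0 weight_cur=0
=========================
VDOM=root group_name=my_srv_grp
lb-alg=weight n_servers=1 affinity=enable
hits=0 weight_total=10 weight_gen=1 weight_cur=0
VDOM=root group_name=my_srv_grp server_name=fpx-177
hits=0 status=up weight=10 weight_gen=0 weight_cur=0
"""

KV = re.compile(r"(\S+?)=(\S+)")


def parse_forward_servers(text):
    """Parse the diag output into {(vdom, group): {"attrs": {...}, "servers": {name: {...}}}}.

    Every header line carries VDOM= and group_name=; a header that also carries
    server_name= opens a per-server record, otherwise it opens the group record.
    The key=value lines that follow belong to whichever record was opened last.
    """
    groups = {}
    target = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("="):      # blank lines and ===== separators
            continue
        kv = dict(KV.findall(line))
        if "VDOM" in kv and "group_name" in kv:
            grp = groups.setdefault((kv["VDOM"], kv["group_name"]),
                                    {"attrs": {}, "servers": {}})
            if "server_name" in kv:
                target = grp["servers"].setdefault(kv["server_name"], {})
            else:
                target = grp["attrs"]
        elif target is not None:
            target.update(kv)
    return groups


def down_servers(groups):
    """Servers whose status is anything other than 'up' (e.g. 'down')."""
    return sorted(
        (vdom, grp, name)
        for (vdom, grp), g in groups.items()
        for name, s in g["servers"].items()
        if s.get("status") != "up"
    )


def groups_without_capacity(groups):
    """Groups with no 'up' server: requests routed to them cannot be forwarded."""
    return sorted(
        (vdom, grp)
        for (vdom, grp), g in groups.items()
        if not any(s.get("status") == "up" for s in g["servers"].values())
    )


def server_count_mismatches(groups):
    """Groups whose n_servers differs from the number of server records parsed,
    which usually means the output was truncated or mis-pasted."""
    return sorted(
        (vdom, grp)
        for (vdom, grp), g in groups.items()
        if g["attrs"].get("n_servers") is not None
        and int(g["attrs"]["n_servers"]) != len(g["servers"])
    )


if __name__ == "__main__":
    parsed = parse_forward_servers(SAMPLE_OUTPUT)
    for vdom, grp, name in down_servers(parsed):
        print(f"DOWN         vdom={vdom} group={grp} server={name}")
    for vdom, grp in groups_without_capacity(parsed):
        print(f"NO CAPACITY  vdom={vdom} group={grp}")
    for vdom, grp in server_count_mismatches(parsed):
        print(f"INCOMPLETE   vdom={vdom} group={grp}")
```

Run against the page's sample, the script reports fos-136 in group 1 as down and nothing else; feed it the output of the command collected on a schedule and alert on a non-empty result from groups_without_capacity, since that is the condition under which the proxy has nowhere to forward traffic.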
New commands to diagnose conntrack
Use the following commands to diagnose conntrack:
- diagnose sys session conntrack count
- diagnose sys session conntrack list
- diagnose sys session conntrack clear
- diagnose sys session conntrack stats
- diagnose sys session conntrack list-dying
- diagnose sys session conntrack list-unconfirmed
New command to diagnose IP set lists
Use the new diagnose ipset list command to diagnose IP set lists when policy matching fails in the kernel, that is, when the IP table is correct but the IP set list might be problematic.
New command to configure trust hosts
Under config system admin, use the new config trusthosts command to configure a list of trust hosts without the limit of 10 entries imposed by the existing set trusthostX command:
config trusthosts
Description: Table of trusthosts.
edit <id>
set type [ipv4|ipv6]
set ipv4 {ipv4-classnet}
set ipv6 {ipv6-prefix}
next
end
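Trust hosts are the administrative-plane allow list, so it is worth being able to answer two questions from a configuration dump: would a given source address be allowed to reach the admin interface, and does any entry quietly admit everyone? The following Python is an added example, not Fortinet's code: it parses the config trusthosts table in the syntax shown above, tests source addresses against it, and flags entries with a zero-length prefix. The admin name and the networks in the sample are constructed for this example, and accepting both the address-and-mask form and the CIDR form for ipv4 is this parser's choice.

```python
import ipaddress
import re

# Constructed example of the new per-admin trusthosts table; the syntax follows the
# CLI block above, but the admin name and networks are made up for this example.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        config trusthosts
            edit 1
                set type ipv4
                set ipv4 10.0.0.0 255.255.255.0
            next
            edit 2
                set type ipv4
                set ipv4 192.0.2.10/32
            next
            edit 3
                set type ipv6
                set ipv6 2001:db8:1::/64
            next
        end
    next
end
"""

EDIT_RE = re.compile(r'^edit\s+"?(.+?)"?$')
NET_RE = re.compile(r"^set\s+(ipv4|ipv6)\s+(\S+)(?:\s+(\S+))?$")


def parse_trusthosts(cli_text):
    """Return {admin_name: [ip_network, ...]} from a 'config system admin' dump.

    Accepts 'set ipv4 10.0.0.0 255.255.255.0' (address and mask) as well as the
    CIDR form 'set ipv4 192.0.2.10/32'; ipv6 entries are prefixes.
    """
    hosts = {}
    admin = None
    in_table = False
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line == "config trusthosts":
            in_table = True
            continue
        if line == "end" and in_table:
            in_table = False
            continue
        if not in_table:
            m = EDIT_RE.match(line)          # 'edit "admin"' opens an admin account
            if m:
                admin = m.group(1)
                hosts.setdefault(admin, [])
            continue
        m = NET_RE.match(line)               # 'set ipv4 ...' / 'set ipv6 ...' inside the table
        if m and admin is not None:
            addr, mask = m.group(2), m.group(3)
            net = addr if mask is None else f"{addr}/{mask}"
            hosts[admin].append(ipaddress.ip_network(net, strict=False))
    return hosts


def is_trusted(src_ip, trusthosts):
    """True if src_ip falls inside at least one configured trust host network.

    This check fails closed: an empty list denies everything.  That is the
    example's choice, not a statement about how the device treats an empty table.
    """
    ip = ipaddress.ip_address(src_ip)
    return any(ip.version == net.version and ip in net for net in trusthosts)


def overly_broad(trusthosts):
    """Entries that admit any source address (0.0.0.0/0 or ::/0), which defeat
    the purpose of a trust host list."""
    return [net for net in trusthosts if net.prefixlen == 0]


if __name__ == "__main__":
    table = parse_trusthosts(SAMPLE_CONFIG)
    for name, nets in table.items():
        print(name, [str(n) for n in nets], "broad:", [str(n) for n in overly_broad(nets)])
        for probe in ("10.0.0.25", "10.0.1.25", "192.0.2.10", "2001:db8:1::42"):
            print(f"  {probe:>16} -> {'trusted' if is_trusted(probe, nets) else 'denied'}")
```

Run it against a real show system admin dump to confirm that the management networks you expect are the only ones present; an entry that overly_broad reports is equivalent to having no trust host restriction for that account.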
Hold primary config-sync unit for some time before upgrading or rebooting
Under config system ha, use the new primary-hold-before-reboot {time} command to hold the primary config-sync unit for some time before upgrading or rebooting. Valid values are integers from 0 to 600.
Match FQDNs from domain-list against SNI header for HTTPS requests
Under config firewall policy, when setting the destination address data source (set dstaddr), you can now reference a "domain" type external resource defined in config system external-resource, so that the FQDNs in the domain list are matched against the SNI of HTTPS requests, which avoids connection leakage.
To reference the "domain" type data via CLI:
config firewall policy
edit <policyid>
set dstaddr <external-resource domain list name>
next
end
Add local URL list as data source for firewall
To add a local URL list as a data source for the firewall via CLI:
- Define the local URL list in the web filter:
config webfilter url-list
edit <name>
set uuid {uuid}
set status [enable|disable]
set comment {var-string}
config entries
edit <url>
next
end
next
end
- Configure a firewall proxy address that uses the local URL list:
config firewall proxy-address
edit <name>
set type url-list
set url-list <External or webfilter URL list>
next
end
- Reference the proxy address as the destination address data source of a firewall policy (firewall.policy.dstaddr).
Process file access monitoring
Use the new diag sys iotop
command to monitor process file access, which is useful for tracing what causes frequent disk access. By default, the command prints results at an interval of 5 seconds. You can also customize the interval to suit your needs. To print results immediately, press Enter.
For each file access, the following information is displayed: PID, process name, accessed file path, and the number of open, read, write, or close events during the interval. Delete and move information is not included. You can also use blacklists to hide sensitive or irrelevant files.
Sample output:
# diag sys iotop
PID #O #R #W #C PROCESS FILE
1078 1 0 2 0 miglogd /var/log/log/root/alog.65504
1078 1 0 2 0 miglogd /var/log/log/root/dlog.65504
1078 1 0 2 0 miglogd /var/log/log/root/hlog.65504
Using existing HTTP header content for ICAP
Under config icap profile, use the config icap-headers command to extract the HTTP header content for use in ICAP:
config icap-headers
Description: Configure ICAP forwarded request headers.
edit <id>
set name {string}
set source [content|http-header|...]
set content {string}
set http-header {string}
set sesson-info-type [client-ip|user|...]
set base64-encoding [disable|enable]
next
end
Parameter | Description | Type | Size | Default
---|---|---|---|---
name | HTTP forwarded header name. | string | Maximum length: 79 |
source | HTTP append header source. | option | - | content
content | HTTP header content. | string | Maximum length: 255 |
http-header | HTTP header-field name. | string | Maximum length: 79 |
sesson-info-type | Session info type. | option | - | client-ip
base64-encoding | Enable/disable use of base64 encoding of HTTP content. | option | - | disable
Reverse proxy server support
Under config firewall vip, you can now set the type to server-load-balance and specify the load balancing method (set ldb-method). You can also define the health check protocol with the set health-check-proto command under config realservers, which is available under config firewall vip (shown below) and under config firewall access-proxy.
config firewall vip
Description: Configure virtual IP for IPv4.
edit <name>
set type [static-nat|server-load-balance|...]
set ldb-method [static|round-robin|...]
config realservers
Description: Select the real servers that this server load balancing VIP will distribute traffic to.
edit <id>
set type [ip|address]
set healthcheck [disable|enable]
set health-check-proto [ping|http]
next
end
Parameter | Description | Type | Size | Default
---|---|---|---|---
type | Configure between a static NAT and access proxy VIP. | option | - | static-nat
ldb-method | Method used to distribute sessions to real servers. | option | - |
healthcheck | Enable to check the responsiveness of the real server before forwarding traffic. | option | - |
health-check-proto | Protocol of the health check monitor to use when polling to determine server's connectivity status. | option | - | ping
Detect configuration changes in Windows Active Directory server
To configure FortiProxy to detect configuration changes in Windows Active Directory server via CLI:
config user domain-controller
edit <name>
set change-detection [enable|disable]
set change-detection-period {integer}
next
end
Parameter | Description
---|---
change-detection enable | Enable detection of configuration changes in the Active Directory server.
change-detection disable | Disable detection of configuration changes in the Active Directory server (default).
change-detection-period | Interval (in minutes) at which to check the Active Directory server for configuration changes. Valid values are 5 to 10080. The default is 60.
Diagnose memory of all wad processes
Use the new diagnose wad memory workers command to show cmem stats for all wad processes, as opposed to only the workers.
Use the diagnose wad memory track command to show, for all wad processes, the cmem, fmem, pool, block and mmap stats and the summed mallinfo, followed by each process's mmap, pool and block stats, mallinfo, top 6 cmem stats and top 5 fmem stats. mallinfo is written to the process's shared memory every 30 seconds.
Changes to set domain-fronting configuration
Under config firewall profile-protocol-options, the options for the set domain-fronting configuration change from [enable|disable] to [allow|block|monitor].
Option | Description
---|---
allow | Allow domain fronting.
block | Block and log domain fronting.
monitor | Allow and log domain fronting.
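Domain fronting is the case where the TLS SNI names one host (typically a CDN or shared front end) while the HTTP Host header inside the decrypted stream names another, so a connection that looks like it is going to an allowed site is actually carrying traffic for a different one. The following Python is an added example, not FortiProxy code: it shows the comparison that sits behind the three options above, normalising case, trailing dots and the :port suffix so that only a genuine host mismatch counts, and then applying allow, block or monitor with logging. Treating a request with no SNI or no Host header as "not fronting", and the log line format, are choices of this example rather than documented product behaviour.

```python
ACTIONS = ("allow", "block", "monitor")


def normalize_host(value):
    """Lower-case, drop a :port suffix and a trailing dot so SNI and Host
    compare on the same footing; bracketed IPv6 literals keep their brackets."""
    h = value.strip().lower()
    if h.startswith("["):                        # e.g. [2001:db8::1]:443
        h = h[:h.index("]") + 1] if "]" in h else h
    elif h.count(":") == 1:                      # name:port
        h = h.split(":", 1)[0]
    return h.rstrip(".")


def is_domain_fronting(sni, host_header):
    """True when the TLS SNI and the HTTP Host header name different hosts.

    With no SNI or no Host header there is nothing to compare, and this example
    does not treat that as fronting (an assumption of the example)."""
    if not sni or not host_header:
        return False
    return normalize_host(sni) != normalize_host(host_header)


def apply_domain_fronting(action, sni, host_header, log):
    """Return 'pass' or 'block' and append a log entry as the configured action
    requires: allow passes silently, monitor passes and logs, block blocks and
    logs.  The log format here is this example's own."""
    if action not in ACTIONS:
        raise ValueError(f"unknown domain-fronting action: {action!r}")
    if not is_domain_fronting(sni, host_header):
        return "pass"                            # Host agrees with SNI: nothing to do
    if action == "allow":
        return "pass"
    log.append(
        f"domain-fronting sni={normalize_host(sni)} "
        f"host={normalize_host(host_header)} action={action}"
    )
    return "block" if action == "block" else "pass"


if __name__ == "__main__":
    events = []
    for action in ACTIONS:
        verdict = apply_domain_fronting(action, "cdn.example.net", "hidden.example.org", events)
        print(f"{action:8} -> {verdict}")
    print("\n".join(events))
```

The practical consequence of the option change is that monitor gives you the log record without breaking traffic, which is the setting to start with: run it long enough to see which legitimate CDN-hosted services trip the check before moving to block.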
Remove config fabric-device configuration
Under config system csf, the config fabric-device configuration is removed.
New event logs to indicate source port usage
The following logs are added for reporting or warning about source port usage:
- High source port usage: recorded when more than half of the available source ports on an IP are in use during the last few consecutive attempts by FortiProxy to obtain a source port.
- Source port exhaustion: recorded when no available source port can be found for a source IP.
Use the following two diagnose commands to dump the cache of recent events for the new event types:
- diagnose test application forticron 50
- diagnose test application forticron 51