What's new

The following sections describe new features, enhancements, and changes in FortiProxy 7.2.7:

Forwarding FTP and SOCKS traffic to a forwarding server

FortiProxy 7.2.7 can now forward FTP and SOCKS traffic, in addition to the existing support for HTTP traffic, to a forwarding server. When creating a forward server, you configure the proxy protocol with the new set protocol option under config web-proxy forward-server. The default value is http socks, which means both HTTP and SOCKS traffic is forwarded to that server.

config web-proxy forward-server
    edit "fpx221"
        set ip 10.60.1.221
        set port 1080
        set protocol http
    next
end

Traffic with a protocol the forward server does not support is not forwarded to it. For example, when the forward server is configured with HTTP as its only supported protocol, SOCKS and FTP traffic are not forwarded to that server. You can configure a forward server group containing a mix of SOCKS, HTTP, and FTP servers so that the load balancing algorithm automatically picks a server within the group that supports the protocol of the session. If none of the configured servers supports the protocol of the incoming traffic, the forward server group is ignored.

As with the existing HTTP forwarding server, you can configure a nested SOCKS or explicit FTP proxy server so that all FTP traffic arriving at the FortiProxy is forwarded to the next SOCKS or explicit FTP proxy server, which can be an external FortiProxy or any other SOCKS or explicit FTP proxy server.

You can also use the config web-proxy url-match command to define URLs that are exempted from caching and/or redirected to a forward server for SOCKS or FTP traffic. The existing set forward-server option now supports SOCKS; for FTP, use the new set ftp-forward-server option.

Reuse incoming port to connect to server

In FortiProxy 7.2.7, when configuring the explicit web proxy, you can have the proxy reuse the HTTPS incoming port (the port the client connected to on the proxy) as the destination port when it connects to the server, using the new set dstport-from-incoming sub-command under config web-proxy explicit-proxy.

GUI support for VDOM links

FortiProxy 7.2.7 adds GUI support for VDOM links, which allow VDOMs to communicate with each other internally without using additional physical interfaces. When VDOMs are enabled, you can configure VDOM link settings in the GUI.

To configure a VDOM link in the GUI:
  1. In the Global VDOM, go to Network > Interfaces.
  2. Click Create New > VDOM Link.
  3. Configure the fields, including the Name, Virtual Domain, IP information, Administrative Access, and so on, then click OK.
To delete a VDOM link in the GUI:
  1. In the Global VDOM, go to Network > Interfaces.
  2. Select a VDOM Link and click Delete.

Refer to VDOM configuration in the FortiProxy 7.2 Administration Guide for more details.

License sharing enhancements

FortiProxy 7.2.7 includes the following enhancements and changes to Security Fabric license sharing:

  • When configuring seat distribution under config system csf, use the new set preferred-seats sub-command (which replaces the old set guaranteed-seats sub-command) to set the number of seats you want allocated to the member. The number of guaranteed seats is the minimum of the number of locally purchased seats and the number of preferred seats. If the request for the preferred number of seats fails or is only partially fulfilled because the pool lacks seats, the remaining preferred seats are allocated from the shared pool at higher priority.

  • The number of seats that a member can request is changed to (used / 0.9 + min_alloc), so that members do not oscillate between requesting and releasing seats.

  • Offline members now keep the allocated number of seats or the number of locally purchased seats, whichever is greater, for eight hours before falling back to the locally purchased seats.

  • Conserve mode is disabled.

Improvements to ICAP logs

FortiProxy 7.2.7 improves how ICAP errors are presented in the log by categorizing them and recording a detailed message for each error.

Adding rating information in REST API responses

FortiProxy 7.2.7 adds a rating field for the subcategory to each entry returned by the rating POST call. Two entries from an example response:

[
  {
    "url": "facebook.com",
    "category": "General Interest - Personal",
    "subcategory": "Social Networking",
    "rating": "G"
  },
  {
    "url": "dropbox.com",
    "category": "Bandwidth Consuming",
    "subcategory": "File Sharing and Storage",
    "rating": "PG-13"
  }
]
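As an added example that is not Fortinet code and not part of the original page, the following Python consumes a rating response of this shape and turns it into a per-URL allow or block decision. The sample response is constructed from the two entries above plus a third entry with no rating field, which is what a FortiProxy older than 7.2.7 returns; the allowed-rating set is this example's own policy, not a FortiProxy setting. A missing or empty rating is treated as unknown and blocked, so an older firmware or a truncated response cannot silently widen the policy.

```python
"""Turn FortiProxy rating lookup entries into per-URL verdicts.

Added example, not Fortinet code. The sample response and the
allowed-rating policy below are this example's own assumptions.
"""
import json

# Constructed sample: the two entries shown on the page, as a JSON array,
# plus a third entry without "rating" to exercise the fail-closed path.
SAMPLE_RESPONSE = json.dumps([
    {"url": "facebook.com", "category": "General Interest - Personal",
     "subcategory": "Social Networking", "rating": "G"},
    {"url": "dropbox.com", "category": "Bandwidth Consuming",
     "subcategory": "File Sharing and Storage", "rating": "PG-13"},
    {"url": "legacy.example", "category": "Bandwidth Consuming",
     "subcategory": "File Sharing and Storage"},
])

# Assumed local policy: ratings this deployment is willing to pass through.
ALLOWED_RATINGS = frozenset({"G", "PG"})


def parse_ratings(body: str) -> dict[str, dict]:
    """Map url -> entry, rejecting anything that is not a list of objects with a url."""
    data = json.loads(body)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of rating entries")
    entries = {}
    for entry in data:
        if not isinstance(entry, dict) or "url" not in entry:
            raise ValueError(f"malformed rating entry: {entry!r}")
        entries[entry["url"]] = entry
    return entries


def verdict(entry: dict, allowed=ALLOWED_RATINGS) -> str:
    """Return 'allow' if the rating is in the allowlist, else 'block'.

    A missing, empty or non-string rating is unknown and is blocked,
    so a response from firmware without the field cannot open the policy.
    """
    rating = entry.get("rating")
    if not isinstance(rating, str) or not rating:
        return "block"
    return "allow" if rating in allowed else "block"


def decide_all(body: str) -> dict[str, str]:
    """Parse a response body and return url -> 'allow' | 'block'."""
    return {url: verdict(entry) for url, entry in parse_ratings(body).items()}


if __name__ == "__main__":
    for url, decision in decide_all(SAMPLE_RESPONSE).items():
        print(f"{url:20} {decision}")
```

With the sample response, facebook.com is allowed, dropbox.com is blocked because PG-13 is outside the assumed allowlist, and legacy.example is blocked because it carries no rating at all.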

Remove Active Sessions for global resources and VDOM

The Active Sessions information is no longer available in the table under System > Global Resources and System > VDOM > Edit > Resource Usage.

FNBI enhancements

FortiProxy 7.2.7 includes the following Browser Isolation (FortiNBI) enhancements:

  • Support for TLS-protected communication with the client-side FNBI application

  • Support for multiple FNBI extensions

  • Microsoft Edge support

  • More exempted URLs

  • Isolator module download through HTTPS

  • State reset of the Isolator file system on startup

  • Validation of the rating server addresses that you enter

  • Modernized GUI with new FortiNBI logo and graphics

Refer to the FortiProxy 7.2.7 Browser Isolation Deployment Guide for more detailed information about deploying and using the FortiNBI.

CLI changes

FortiProxy 7.2.7 includes the following CLI changes:

  • config firewall profile-protocol-options—Use the new config proxy-redirect sub-command to enable or disable scanning of this protocol and to configure the ports whose traffic is inspected for content.

  • config firewall ssl-ssh-profile—Use the new set inspect-all sub-command to define the level of SSL inspection.

  • config web-proxy explicit-proxy—Use the new set dstport-from-incoming sub-command to enable or disable reusing the incoming port as the destination port when the explicit web proxy connects to the server.

  • config web-proxy forward-server—Use the new set protocol sub-command to configure the proxy protocol for the forward server. The default value is http socks, which means both HTTP and SOCKS traffic is forwarded.

  • config web-proxy url-match—The set forward-server sub-command now supports SOCKS traffic. Use the new set ftp-forward-server option to define the URLs that are exempted from caching and/or redirected to the forward server for FTP traffic.

  • config system csf—Use the new set preferred-seats sub-command (which replaces the old set guaranteed-seats sub-command) to configure the number of seats you want allocated to the member. The number of guaranteed seats is the minimum of the number of locally purchased seats and the number of preferred seats. If the request for the preferred number of seats fails or is only partially fulfilled because the pool lacks seats, the remaining preferred seats are allocated from the shared pool at higher priority.

  • diag wad—Use the new filter process-id-by-src option to filter WAD processes by source IP address. For example, diag wad filter process-id-by-src 10.2.2.2.
