
What's new

The following sections describe new features, enhancements, and changes in FortiProxy 7.2.8:

Configure a schedule for a shaping policy

FortiProxy 7.2.8 adds support for scheduling a shaping policy, which allows different traffic shaping for different days or different hours of the day without administrative intervention.

To add a schedule for a shaping policy in the GUI, use the Schedule option in the Create/Edit Shaping Policy window under Policy & Objects > Traffic Shaping > Traffic Shaping Policies > Create New/Edit. The default is always, which means the shaping policy is always applied. For more information, see Schedules.

Alternatively, use the set schedule option in the config firewall shaping-policy command in the CLI:

config firewall shaping-policy
    edit 1
        set status enable
        set ip-version 4
        set service-type service
        set service "ALL"
        set schedule "always"
        set dstintf "any"
    next
end
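As an added example (not taken from the FortiProxy documentation), the following configuration binds a shaping policy to a recurring weekday schedule instead of the always default, with an always-on catch-all behind it. The schedule name and hours, the two shaper names and their bandwidth values (kbps), and the "all" address objects are assumptions chosen for illustration; the config firewall schedule recurring and config firewall shaper traffic-shaper tables are the standard ones referenced by the Schedules and traffic shaper settings. Lines starting with # are comments.

```text
# Added example: weekday business-hours window (assumed name and times)
config firewall schedule recurring
    edit "business-hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end

# Two shapers: a tight cap for office hours, a generous one otherwise (assumed values)
config firewall shaper traffic-shaper
    edit "office-hours-cap"
        set guaranteed-bandwidth 0
        set maximum-bandwidth 20000
        set priority low
    next
    edit "off-hours-cap"
        set guaranteed-bandwidth 0
        set maximum-bandwidth 200000
        set priority medium
    next
end

# Policy 1 matches only while "business-hours" is active; outside that window
# it is skipped and traffic falls through to the always-on policy 2.
config firewall shaping-policy
    edit 1
        set status enable
        set ip-version 4
        set service-type service
        set service "ALL"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "business-hours"
        set dstintf "any"
        set traffic-shaper "office-hours-cap"
        set traffic-shaper-reverse "office-hours-cap"
    next
    edit 2
        set status enable
        set ip-version 4
        set service-type service
        set service "ALL"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set dstintf "any"
        set traffic-shaper "off-hours-cap"
        set traffic-shaper-reverse "off-hours-cap"
    next
end
```

Shaping policies are evaluated in sequence and the first match wins, so the scheduled entry must sit above the always-on catch-all. If the order is reversed, policy 2 matches every session and the schedule never takes effect.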

SOCKS proxy enhancements

FortiProxy 7.2.8 adds the following enhancements to SOCKS proxy:

  • UTM scan for HTTP/HTTPS over SOCKS—FortiProxy 7.2.8 redirects HTTP/HTTPS traffic tunneled through the SOCKS server to the HTTP engine, where it is handled as HTTP or HTTPS traffic, if the destination port is 80 or 443, respectively. HTTP/HTTPS tunneled to any other port is not redirected.

  • SOCKS L7 policy matching with web filter rating—FortiProxy 7.2.8 supports web filter and L7 policy matching, such as URL rating and category matching for policy selection and SSL exemption, at the SOCKS level, including HTTP/HTTPS over SOCKS. When an authentication rule exists, SOCKS4 connections are rejected because SOCKS4 does not support authentication, so no authenticated policy can be matched for them.

  • Isolating traffic from SOCKS proxy requests—FortiProxy 7.2.8 can now isolate traffic from SOCKS proxy requests when the isolator is configured as a SOCKS forward server.

New option for enabling HTTP/HTTPS proxy

FortiProxy 7.2.8 adds the Enable HTTP/HTTPS proxy option when you create or edit an explicit proxy. The default is enabled. Alternatively, use the set http [enable|disable] option in the config web-proxy explicit-proxy command.

In FortiProxy 7.2.7 and earlier, HTTP/HTTPS proxy is always enabled when explicit proxy is enabled. When you enable SOCKS proxy, HTTP/HTTPS proxy is also enabled as long as the explicit proxy is enabled. There is no way to enable SOCKS proxy without enabling HTTP/HTTPS proxy. The new option provides the flexibility to enable HTTP/HTTPS proxy independently so that you can enable SOCKS proxy without enabling HTTP/HTTPS proxy.

To ensure backward compatibility, if no port is configured for a specific protocol, FortiProxy uses http-incoming-port as the default port for the protocol, regardless of whether HTTP/HTTPS proxy is enabled, as long as explicit proxy is enabled.
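As an added example (not from the FortiProxy documentation), the following explicit-proxy entry uses the new set http option to run a SOCKS-only proxy, which the 7.2.7 behaviour described above did not allow. The entry name "web-proxy", the interface port2 and the port number 1080 are assumptions; set socks and set socks-incoming-port are assumed to be the SOCKS counterparts of the http and http-incoming-port options this page mentions. Lines starting with # are comments.

```text
config web-proxy explicit-proxy
    edit "web-proxy"
        set status enable
        set interface "port2"
        # SOCKS only: no HTTP/HTTPS listener on this proxy (new in 7.2.8)
        set http disable
        set socks enable
        # Set the SOCKS port explicitly. If no port is configured for a protocol,
        # FortiProxy falls back to http-incoming-port for it, even with http disabled.
        set socks-incoming-port 1080
    next
end
```

To check the result from a client, a SOCKS5 request such as curl --socks5-hostname proxy:1080 https://www.example.com/ should be accepted (subject to policy), while an HTTP proxy request to the same host, curl -x http://proxy:1080 https://www.example.com/, should fail because no HTTP/HTTPS proxy is listening. If the matching policy carries an authentication rule, a SOCKS4 client (curl --socks4 proxy:1080 ...) is rejected, since SOCKS4 carries no credentials. Note that HTTPS carried through the SOCKS tunnel is only passed to the HTTP engine when the destination port is 443 (80 for HTTP).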

DNS lookup support

FortiProxy 7.2.8 adds support for arbitrary DNS lookup, which is available in the new Policy & Objects > DNS Lookup tab in the GUI. FortiProxy returns an array of associated IPs (20 entries maximum) for the specified domain (FQDN) on the specified DNS server.

Alternatively, use the new diag firewall nslookup [FQDN] [DNS-server IP or FQDN] command. The first argument is a host name, not a URL:

diag firewall nslookup www.example.com 8.8.8.8

GUI support for isolator settings

FortiProxy 7.2.8 adds the Security Profiles > Isolator Setting page for configuring the default isolator profile and the action to perform on isolator sessions that do not match any existing policy (unmatched-session) or that have missing information (defective-session).

Configure case-sensitivity for user accounts

In FortiProxy 7.2.8, you can configure whether user name matching for local and remote user accounts is case sensitive, using the new set username-case-sensitivity option under config system global:

config system global
    set username-case-sensitivity [enable|disable]
end

When case sensitivity is disabled, user names that differ only in case (for example, Alice and alice) match the same account. Before disabling it, check that no two accounts differ only in case; otherwise, which account a login matches is no longer determined by the name the user typed.

More details for diagnosing ICAP servers

FortiProxy 7.2.8 adds the ICAP server status and IP address (where available) to ICAP HTTP error messages to aid troubleshooting. You can also view detailed status information for each ICAP server using the new diagnose wad icap list command. Example output:

icap-server-name: server1 status: online
    VDOM=root addr=ip/0.0.0.0:1344 health_check=disable
    conns: succ=0 fail=0 ongoing=0 hits=0 blocked=0
    monitor: succ=0 fail=0
    error: stats.no_report_err=0
    num_worker_load=1

Increase threat feed size limit

FortiProxy 7.2.8 increases the threat feed file size limit and line limit as follows:

                     7.2.7 and earlier    7.2.8
  File size limit    10 MB                16 MB
  Line limit         128K                 200K

CLI changes

FortiProxy 7.2.8 includes the following CLI changes:

  • config firewall shaping-policy—Use the new set schedule option to configure a schedule for a shaping policy.
  • Use the new diag firewall nslookup [FQDN] [DNS-server IP or FQDN] command to view a list of associated IPs (20 entries maximum) for a specific domain (FQDN) on a specific DNS server.
  • Use the new diagnose wad icap list command to view detailed status information for each ICAP server.
  • Use the new diag wad process [process_name] [index] [<cmd>] ... command to send up to 32 commands to workers in one batch; an index of -1 means all instances. For example, diag wad process worker 1 103 104 sends commands 103 and 104 to worker 1.
  • The new diag wad report <PROCESS name> <INDEX> command consolidates the following signal-based diagnose commands:
    • diag wad report session
    • diag wad report user
    • diag wad report policy
  • The diag test app wad command adds support for setting a specific group of processes as the diagnosis process:
    • diag test app wad 2yxx sets process No. xx of type y (0~9) as the diagnosis process.
    • diag test app wad 2yyxx sets process No. xx of type yy (10~99) as the diagnosis process.
    • diag test app wad 2yyxxx sets process No. xxx of type yy (0~9) as the diagnosis process.
  • config web-proxy explicit-proxy—Use the new set http [enable|disable] option to enable or disable HTTP/HTTPS proxy.
  • config system global—Use the new set username-case-sensitivity option to configure whether user name matching for local and remote user accounts is case sensitive.
  • FortiProxy 7.2.8 replaces the target process selection commands (such as diag test app) with diag wad process <PROCESS name> <INDEX>, for example, diag wad process manager test manager. For workers or processes with multiple instances, specify the instance index after the worker or process name, for example, diag wad process worker 0. If no index is specified while multiple instances exist, FortiProxy defaults to index 0. This command supports the following process types:
    • manager
    • dispatcher
    • worker
    • fast-match
    • informer
    • user-info
    • dev-vuln
    • cache-service-cs
    • cache-service-db
    • object-cache
    • byte-cache
    • cert-inspect
    • youtube-cache
    • user-info-history
    • debug
    • config
    • staled-worker
    • traffic
    • preload-daemon
    • TLS-fingerprint
    • image-analyzer
  • config isolator profile—The set right-click and set copy-paste options are removed.
