What's new

The following sections describe new features, enhancements, and changes in FortiProxy 7.4.2:

Configure a schedule for a shaping policy

FortiProxy 7.4.2 adds support for scheduling a shaping policy, which allows different traffic shaping for different days or different hours of the day without administrative intervention.

To add a schedule for a shaping policy in the GUI, use the Schedule option in the Create/Edit Shaping Policy window under Policy & Objects > Traffic Shaping > Traffic Shaping Policies > Create New/Edit. The default is always, which means the shaping policy is always applied. For more information, see Schedules.

Alternatively, use the set schedule option in the config firewall shaping-policy command in the CLI:

config firewall shaping-policy
    edit 1
        set status enable
        set ip-version 4
        set service-type service
        set service "ALL"
        set schedule "always"
        set dstintf "any"
    next
end

SOCKS proxy enhancements

FortiProxy 7.4.2 adds the following enhancements to SOCKS proxy:

  • UTM scan for HTTP/HTTPS over SOCKS—FortiProxy 7.4.2 redirects HTTP/HTTPS traffic tunneled through the SOCKS server to the HTTP engine as HTTP/HTTPS traffic when the destination port is 80 or 443, respectively.

  • SOCKS L7 policy matching with webfilter rating—FortiProxy 7.4.2 supports webfilter and L7 policy matching (such as URL rating and category matching for policies and SSL exemptions) at the SOCKS level, including HTTP/HTTPS over SOCKS. When an authentication rule exists, SOCKS4 connections are blocked because SOCKS4 does not support authentication.

  • Isolating traffic from SOCKS proxy requests—FortiProxy 7.4.2 can now isolate traffic from SOCKS proxy requests when the isolator is a SOCKS forward server.
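An added example, not FortiProxy code, of the two SOCKS decisions described above: a parser for SOCKS4 and SOCKS5 CONNECT requests that hands tunnels to port 80/443 to an HTTP engine and refuses SOCKS4 whenever an authentication rule applies. The sample requests, the engine labels and the TEST-NET addresses are constructed.

```python
# Added example (not FortiProxy code): parse a SOCKS4 or SOCKS5 CONNECT
# request and apply the two rules described above: tunnels to port 80/443
# go to the HTTP engine, and SOCKS4 is refused when an authentication rule
# applies, since SOCKS4 has no authentication exchange. Samples are constructed.
import ipaddress
import struct

HTTP_ENGINE_PORTS = {80: "http", 443: "https"}


def parse_socks4_connect(data: bytes) -> tuple[str, int]:
    # VN=4, CD=1 (CONNECT), DSTPORT (2 bytes), DSTIP (4 bytes), USERID, NUL
    if len(data) < 9 or data[0] != 4 or data[1] != 1 or data[-1] != 0:
        raise ValueError("not a well-formed SOCKS4 CONNECT request")
    port = struct.unpack("!H", data[2:4])[0]
    return str(ipaddress.IPv4Address(data[4:8])), port


def parse_socks5_connect(data: bytes) -> tuple[str, int]:
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP, DST.ADDR, DST.PORT (2 bytes)
    if len(data) < 8 or data[0] != 5 or data[1] != 1 or data[2] != 0:
        raise ValueError("not a well-formed SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == 1:                      # IPv4 address
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 3:                    # length-prefixed domain name
        n = data[4]
        host, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
    elif atyp == 4:                    # IPv6 address
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    if len(rest) != 2:
        raise ValueError("malformed DST.PORT")
    return host, struct.unpack("!H", rest)[0]


def classify(data: bytes, auth_rule_present: bool) -> dict:
    """Decide how the proxy handles one CONNECT request."""
    if not data:
        raise ValueError("empty request")
    if data[0] == 4:
        host, port = parse_socks4_connect(data)
        if auth_rule_present:
            # SOCKS4 cannot carry credentials, so the rule can never be met.
            return {"action": "reject", "reason": "socks4-with-auth-rule",
                    "host": host, "port": port}
    else:
        host, port = parse_socks5_connect(data)
    # Port 80/443 tunnels are handed to the HTTP engine for UTM scanning;
    # anything else stays a plain TCP tunnel.
    return {"action": "allow", "engine": HTTP_ENGINE_PORTS.get(port, "tcp-tunnel"),
            "host": host, "port": port}


# Constructed sample requests (TEST-NET and documentation addresses)
SOCKS4_TO_80 = bytes([4, 1]) + struct.pack("!H", 80) + bytes([192, 0, 2, 10]) + b"alice\x00"
SOCKS5_TO_443 = bytes([5, 1, 0, 3, 15]) + b"www.example.com" + struct.pack("!H", 443)
SOCKS5_TO_22 = bytes([5, 1, 0, 1, 192, 0, 2, 20]) + struct.pack("!H", 22)
```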

Support multiple server certificates

FortiProxy 7.4.2 adds support for multiple server certificates. You can add multiple server certificates when configuring the following types of proxy servers:

  • ZTNA Server IPv4/IPv6

  • ZTNA Service/Server Mapping

  • FTP Proxy

  • Explicit Proxy

  • ICAP Local Server (when secure ICAP connection is enabled)

Meanwhile, the set ssl-cert or set ssl-certificate option of the following commands now supports multiple certificates:

IPv6 proxy address support

FortiProxy 7.4.2 adds support for IPv6 proxy address objects. You can create an IPv6 proxy address or address group in the Policy & Objects > Addresses tab and then use it as a source or destination address in firewall or shaping policies and authentication rules, the same way you use IPv4 proxy addresses.

Alternatively, use the new config firewall proxy-address6 or config firewall proxy-addrgrp6 commands in the CLI.

New parameters for policy matching

FortiProxy 7.4.2 adds support for policy matching using the following parameters when you create/edit a firewall policy or shaping policy:

  • Application

  • Application category

  • Application group

  • URL category (firewall policy only, CLI only)

Alternatively, use the following new options in the config firewall policy and config firewall shaping-policy commands in the CLI:

  • set application

  • set app-category

  • set app-group

  • set url-category (config firewall policy only, CLI only)

New option for enabling HTTP/HTTPS proxy

FortiProxy 7.4.2 adds the Enable HTTP/HTTPS proxy option when you create or edit an explicit proxy. The default is enabled. Alternatively, use the set http [enable|disable] option in the config web-proxy explicit-proxy command.

In FortiProxy 7.4.1 and 7.4.0, HTTP/HTTPS proxy is always enabled when explicit proxy is enabled. When you enable SOCKS proxy, HTTP/HTTPS proxy is also enabled as long as the explicit proxy is enabled. There is no way to enable SOCKS proxy without enabling HTTP/HTTPS proxy. The new option provides the flexibility to enable HTTP/HTTPS proxy independently so that you can enable SOCKS proxy without enabling HTTP/HTTPS proxy.

To ensure backward compatibility, if no port is configured for a specific protocol, FortiProxy uses http-incoming-port as the default port for the protocol, regardless of whether HTTP/HTTPS proxy is enabled, as long as explicit proxy is enabled.

DNS lookup support

FortiProxy 7.4.2 adds support for arbitrary DNS lookup, which is available in the new Policy & Objects > DNS Lookup tab in the GUI. FortiProxy returns an array of associated IPs (20 entries maximum) for the specified domain (FQDN) on the specified DNS server.

Alternatively, use the new diag firewall nslookup [FQDN] [DNS-server IP or FQDN] command:

diag firewall nslookup www.example.com 8.8.8.8

Configure case-sensitivity for user accounts

In FortiProxy 7.4.2, you can configure whether to check case when performing username matching for local and remote user accounts using the new set username-case-sensitivity option under config system global:

config system global
    set username-case-sensitivity [enable|disable]
end

More details for diagnosing ICAP servers

FortiProxy 7.4.2 adds ICAP server status and IP (if capable) information in ICAP HTTP error messages to aid troubleshooting. You can also view detailed status information for each ICAP server using the new diagnose wad icap list command. Example output:

icap-server-name: server1 status: online
VDOM=root addr=ip/0.0.0.0:1344 health_check=disable
conns: succ=0 fail=0 ongoing=0 hits=0 blocked=0
monitor: succ=0 fail=0
error: stats.no_report_err=0
num_worker_load=1
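An added example, not FortiProxy code, that parses the diagnose wad icap list output above into one record per server and flags servers that need attention. The first record is the page's sample output; the second server and its counters are constructed.

```python
# Added example (not FortiProxy code): parse "diagnose wad icap list" output
# into one record per server and flag the conditions an operator would want
# to see. The first record is the page's sample; the second is constructed.
import re

SAMPLE_OUTPUT = """\
icap-server-name: server1 status: online
VDOM=root addr=ip/0.0.0.0:1344 health_check=disable
conns: succ=0 fail=0 ongoing=0 hits=0 blocked=0
monitor: succ=0 fail=0
error: stats.no_report_err=0
num_worker_load=1
icap-server-name: server2 status: offline
VDOM=root addr=ip/192.0.2.20:1344 health_check=enable
conns: succ=120 fail=7 ongoing=2 hits=90 blocked=3
monitor: succ=10 fail=4
error: stats.no_report_err=1
num_worker_load=1
"""

HEADER = re.compile(r"icap-server-name:\s*(\S+)\s+status:\s*(\S+)")
SECTION = re.compile(r"^(\w+):\s")          # "conns:", "monitor:", "error:"
KV = re.compile(r"([\w.]+)=(\S+)")          # key=value tokens


def parse_icap_list(text: str) -> list[dict]:
    """One dict per server; counters are prefixed with their section."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            servers.append({"name": m.group(1), "status": m.group(2)})
            continue
        if not line or not servers:
            continue                        # ignore noise before the first header
        # Prefix counters with their section so that conns.fail and
        # monitor.fail do not collide; the VDOM/addr line has no section.
        sec = SECTION.match(line)
        prefix = sec.group(1) + "." if sec else ""
        for key, val in KV.findall(line):
            servers[-1][prefix + key] = int(val) if val.isdigit() else val
    return servers


def find_issues(servers: list[dict]) -> dict[str, list[str]]:
    """Map server name to a list of findings (empty dict means all clear)."""
    issues = {}
    for s in servers:
        found = []
        if s["status"] != "online":
            found.append(f"status={s['status']}")
        if s.get("health_check") == "disable":
            found.append("health check disabled")
        if s.get("conns.fail", 0) > 0:
            found.append(f"{s['conns.fail']} failed connections")
        if s.get("monitor.fail", 0) > 0:
            found.append(f"{s['monitor.fail']} failed monitor probes")
        if found:
            issues[s["name"]] = found
    return issues
```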

SSL keyring encryption

FortiProxy 7.4.2 adds encryption for the SSL keyring file stored on the FortiProxy disk, using AES-256-GCM and a random salt. When you upgrade to FortiProxy 7.4.2, encryption is added to all existing keyring lists. You can also update the encryption when the private password changes.

Pre-populated list of HTTP incoming IP for explicit proxy

FortiProxy 7.4.2 provides a pre-populated list of HTTP incoming IP addresses for you to pick from when you create an explicit proxy.

Increase threat feed size limit

FortiProxy 7.4.2 increases the threat feed file size limit and line limit as follows:

                    7.4.1 and earlier    7.4.2
File size limit     10 MB                16 MB
Line limit          128K                 200K

Panic logging

FortiProxy 7.4.2 adds hardware support for capturing panic traces, which allows you to automatically log panic traces with no user intervention. This feature adds convenience as you no longer need to connect a laptop via serial and reproduce the panic.

DLP license changes

FortiProxy 7.4.2 excludes the DLP license from license sharing and no longer requires a DLP license for DLP scan for HTTP and FTP over HTTP traffic. To take advantage of the latest updates from the DLP knowledge base (such as DLP data type and sensor) and easier DLP configuration, you can purchase DLP service through FortiGuard.

CLI changes

FortiProxy 7.4.2 includes the following CLI changes:

  • Use the new config firewall proxy-address6 or config firewall proxy-addrgrp6 commands to configure IPv6 web proxy addresses or address groups.
  • config firewall shaping-policy—Use the new set schedule option to configure a schedule for a shaping policy.
  • Use the new diag firewall nslookup [FQDN] [DNS-server IP or FQDN] command to view a list of associated IPs (20 entries maximum) for a specific domain (FQDN) on a specific DNS server.
  • Use the new diagnose wad icap list command to view detailed status information for each ICAP server.
  • Use the new diag netlink interface gso-tso command to list all netlink interfaces.

  • Use the new diag wad process [process_name] [index] [<cmd>] ... command to send up to 32 commands to workers in one batch; an index of -1 means all instances. For example, diag wad process worker 1 103 104 sends commands 103 and 104 to worker 1.
  • The new diag wad report <PROCESS name> <INDEX> command consolidates the following signal-based diagnose commands:

    • diag wad report session

    • diag wad report user

    • diag wad report policy

  • The diag test app wad command adds support for setting a specific group of processes as diagnosis process:

    • diag test app wad 2yxx means setting No.xx process of type y (0~9) as diagnosis process.

    • diag test app wad 2yyxx means setting No.xx process of type yy (10~99) as diagnosis process.

    • diag test app wad 2yyxxx means setting No.xxx process of type yy (0~9) as diagnosis process.

  • config web-proxy explicit-proxy—Use the new set http [enable|disable] option to enable/disable HTTP/HTTPS proxy.
  • config system global—Use the new set username-case-sensitivity option to configure whether to check case when performing username matching for local and remote user accounts.
  • config ips settings—Use the new set proxy-inline-ips option to enable or disable proxy inline IPS. The default is enable.
  • The config firewall policy and config firewall shaping-policy commands include the following new options:

    • set application

    • set app-category

    • set app-group

    • set url-category (config firewall policy only)

  • The following commands include the new set status option:

  • config web-proxy global—Use the new log-app-id option to enable/disable logging of the inline-IPS application type in the traffic log. The default is disable.

  • The set ssl-cert or set ssl-certificate option of the following commands now supports multiple certificates:

  • FortiProxy 7.4.2 replaces the target process selection commands (such as diag test app) with diag wad process <PROCESS name> <INDEX>, for example, diag wad process manager test manager. For workers or processes with multiple instances, specify the instance index after the worker or process name. For example, diag wad process worker 0. If no index is specified while multiple instances exist, FortiProxy defaults to index 0. This command supports the following process types:

    • manager

    • dispatcher

    • worker

    • fast-match

    • informer

    • user-info

    • dev-vuln

    • cache-service-cs

    • cache-service-db

    • object-cache

    • byte-cache

    • cert-inspect

    • youtube-cache

    • user-info-history

    • debug

    • config

    • staled-worker

    • traffic

    • preload-daemon

    • TLS-fingerprint

    • image-analyzer

  • config isolator profile—The set right-click and set copy-paste options are removed.
