
What's new

The following sections describe new features, enhancements, and changes in FortiProxy 7.6.2:

ZTNA agentless web-based application access

A ZTNA web portal is now available to provide end-user access to applications without FortiClient or client certificate checks. The ZTNA portal handles authentication and authorization of traffic destined for the protected resources. It is implemented entirely in WAD. When end-users connect to the ZTNA web portal, they are directed to a login page. Once logged in, end-users can access bookmarks defined by the administrator. Administrators can define dynamic bookmarks to generate personalized application shortcuts using an LDAP or SAML attribute within the user's LDAP or SAML account so that bookmarks are auto-populated with the values defined in that attribute instead of static pre-defined IP or hostnames.

See ZTNA agentless web-based application access in the Administration Guide for more details.

Authentication with OpenID Connect (OIDC)

FortiProxy 7.6.2 adds support for authentication with OpenID Connect (OIDC), a widely adopted JSON-based identity layer built on top of the OAuth 2.0 protocol. If you have an Identity Provider (IdP) like Azure AD, Google Identity, or any other service that supports OIDC, you can use it to authenticate users seamlessly across your FortiProxy instance and other integrated systems.

To configure OIDC, go to the User & Authentication > OIDC tab or use the config user oidc command.

Support switching to an alternate FortiSandbox if the main FortiSandbox is unavailable

FortiProxy 7.6.2 adds support for switching to an alternate FortiSandbox when the main FortiSandbox is unavailable. Once the connectivity is restored, it will automatically fall back to the primary FortiSandbox. You can configure an alternate FortiSandbox using the new Alt server option when configuring a FortiSandbox connector.

Alternatively, use the new alt-server option under config system fortisandbox. Use the new health-check-interval option to configure the health check interval used for the failover.

Log sample:

1: date=2025-01-09 time=07:15:56 eventtime=1736363756320902685 logid="0100022948" type="event" subtype="system" level="warning" vd="root" logdesc="FSA failover status warning" name="sandbox" interface="undefined" probeproto="ping" msg="FortiSandbox changed state from alive to dead, Peer:Primary status Primary:DOWN Alternate:DOWN protocol: ping."
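The failover event above can be turned into a monitoring check. The following Python sketch is an added example, not Fortinet code: it parses the key=value log line and raises the severity when both the primary and the alternate FortiSandbox are reported DOWN, since at that point no sandbox is reachable. The severity labels, the function names, and the UP status value in the second sample are assumptions.

```python
import re

# Log line from the sample above, joined onto one line.
SAMPLE = ('1: date=2025-01-09 time=07:15:56 eventtime=1736363756320902685 '
          'logid="0100022948" type="event" subtype="system" level="warning" '
          'vd="root" logdesc="FSA failover status warning" name="sandbox" '
          'interface="undefined" probeproto="ping" msg="FortiSandbox changed '
          'state from alive to dead, Peer:Primary status Primary:DOWN '
          'Alternate:DOWN protocol: ping."')

# Constructed variant (assumption: a reachable peer is reported as UP).
CONSTRUCTED = SAMPLE.replace("Alternate:DOWN", "Alternate:UP")

FSA_FAILOVER_LOGID = "0100022948"   # logid shown in the sample log
KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')
STATUS_RE = re.compile(r"\b(Primary|Alternate):([A-Z]+)")


def parse_kv(line):
    """Split a key=value log line into a dict; quoted values may hold spaces."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in KV_RE.findall(line)}


def classify(line):
    """Return None for unrelated lines, else the peer status and a severity."""
    fields = parse_kv(line)
    if fields.get("logid") != FSA_FAILOVER_LOGID:
        return None
    status = dict(STATUS_RE.findall(fields.get("msg", "")))
    down = [peer for peer, state in status.items() if state == "DOWN"]
    if len(down) == 2:
        severity = "critical"   # neither sandbox reachable
    elif down:
        severity = "warning"    # running on a single sandbox
    else:
        severity = "info"
    return {"time": f'{fields.get("date")} {fields.get("time")}',
            "probe": fields.get("probeproto"),
            "status": status,
            "severity": severity}


if __name__ == "__main__":
    for entry in (SAMPLE, CONSTRUCTED):
        print(classify(entry))
```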

Policy-based service connector traffic forwarding

FortiProxy 7.6.2 adds support for policy-based service connector traffic forwarding. In previous versions, the service connector had to be configured within the traffic forward proxy, accessible only through ZTNA proxy.

To configure policy-based service connector traffic forwarding:

config firewall policy
    edit 1
        set service-connector "fpx166"
    next
end

Change to HTTP header content maximum length

In FortiProxy 7.6.2, the HTTP header content maximum length is increased from 1023 to 4000.

New data type support for DLP and file filter

FortiProxy 7.6.2 adds support for .com, .jar, .jnlp, .css, and .dll files for DLP and file filter.

UEFI support for GCP

FortiProxy 7.6.2 adds UEFI support for GCP.

CLI changes

FortiProxy 7.6.2 includes the following CLI changes:

  • config firewall ssl-ssh-profile—The set client-certificate subcommand adds the new bypass-on-cert-req option to configure FortiProxy to bypass on certificate requests.

  • config system fortisandbox—Use the new alt-server option to configure an alternate FortiSandbox to be used when the main FortiSandbox is unavailable. Use the new health-check-interval option to configure the interval of health check for the failover.

  • config firewall policy—This command includes the following new options:

    • Use the new set service-connector option to configure a policy-based service connector for traffic forwarding.

    • Use the new set https-sub-category option to enable or disable HTTPS sub-category policy matching. The default is disable.

  • config web-proxy global—The set policy-category-deep-inspect option is removed.
