
What's new

The following sections describe new features, enhancements, and changes in FortiProxy 7.6.3:

Traffic shaping based on HTTP response

FortiProxy 7.6.3 introduces the response shaping policy, a specialized type of traffic shaping policy that sits on top of a traffic shaping policy and further matches traffic on certain HTTP response header fields. When Http Response Match is enabled in a traffic shaping policy, any traffic that matches that policy is further evaluated against the list of response shaping policies. If a match is found, the traffic is mapped to the traffic shaper or assigned to the class defined in the matching response shaping policy instead of the ones defined in the original traffic shaping policy; if no response shaping policy matches, the original shaper and class still apply.

See Traffic shaping based on HTTP response in the Administration Guide for an end-to-end configuration example.
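To make that precedence concrete, here is an added model of the evaluation in Go. It is example code, not FortiProxy's implementation or its configuration syntax: the inspected header (Content-Type), the prefix match on the media type, first-match ordering of the response shaping policies, and the shaper names are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// ResponseShapingPolicy is one entry in the list that a traffic shaping
// policy consults when its HTTP response match is enabled. The match
// fields (a header name and a media-type prefix) are an assumption for
// this example; the page does not enumerate the supported fields.
type ResponseShapingPolicy struct {
	Name   string
	Header string // response header to inspect, e.g. Content-Type
	Prefix string // media type must start with this, e.g. "video/"
	Shaper string // shaper or class applied when this entry matches
}

// ShapingPolicy is the parent traffic shaping policy that the flow has
// already matched on its address/service/user criteria.
type ShapingPolicy struct {
	Name              string
	Shaper            string
	HTTPResponseMatch bool // the "Http Response Match" toggle
	Responses         []ResponseShapingPolicy
}

// matches compares the media type of the named header (parameters such
// as charset stripped) against the entry's prefix.
func (r ResponseShapingPolicy) matches(h http.Header) bool {
	v := h.Get(r.Header) // canonical, case-insensitive header lookup
	if v == "" {
		return false
	}
	mt, _, err := mime.ParseMediaType(v)
	if err != nil {
		return false
	}
	return strings.HasPrefix(mt, r.Prefix)
}

// SelectShaper returns the shaper for a flow and the name of the policy
// that chose it. Response shaping policies are consulted only when the
// toggle is on; the first matching entry wins (assumed ordering), and
// with no match the parent policy's shaper is kept.
func SelectShaper(p ShapingPolicy, resp http.Header) (shaper, chosenBy string) {
	if p.HTTPResponseMatch {
		for _, r := range p.Responses {
			if r.matches(resp) {
				return r.Shaper, r.Name
			}
		}
	}
	return p.Shaper, p.Name
}

func main() {
	p := ShapingPolicy{
		Name: "default-web", Shaper: "shared-10mbps", HTTPResponseMatch: true,
		Responses: []ResponseShapingPolicy{
			{Name: "video", Header: "Content-Type", Prefix: "video/", Shaper: "low-priority"},
			{Name: "binary", Header: "Content-Type", Prefix: "application/octet-stream", Shaper: "bulk"},
		},
	}
	// Constructed sample response headers.
	for _, ct := range []string{"video/mp4", "text/html; charset=utf-8", "application/octet-stream"} {
		h := http.Header{}
		h.Set("content-type", ct)
		s, by := SelectShaper(p, h)
		fmt.Printf("%-28s -> %s (from %s)\n", ct, s, by)
	}
}
```

The toggle check comes before the loop on purpose: a response shaping policy that would match must have no effect on a traffic shaping policy whose Http Response Match is disabled.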

OIDC enhancements

FortiProxy 7.6.3 includes the following enhancements to OIDC:

  • Support for multiple OIDC identity providers (IdPs) in one authentication scheme

    When multiple IdPs are configured, users can select which IdP to use in the OIDC landing page, allowing for flexible authentication across different user groups. This feature is useful in the following scenarios:

    • The organization manages multiple IdPs for different user sets (e.g., Azure AD for employees, Google Identity for contractors).

    • A transition between identity providers is required (e.g., migrating from Okta to Azure AD).

    • Users need to choose their preferred IdP for authentication.

  • Support for private/public key pairs when authenticating to the cloud IdP

    FortiProxy generates a private key, the public key is uploaded to the IdP, and FortiProxy then authenticates with a JWT signed by that private key (the private_key_jwt client authentication method). This is recommended for high-security environments where a shared client secret is less desirable: no secret is stored at the IdP, so a leaked IdP client record does not yield a usable credential.

    To do so, use the following new CLI options under config user oidc:

    config user oidc
        edit <name>
            set auth-type private-key
            set auth-method private_key_jwt
            set private-key {string}
        next
    end

  • Authentication with FortiAuthenticator groups—FortiAuthenticator can now be configured as the OIDC server, with group membership taken from the configured group attribute name.

  • Disabling HTTPS certificate verification—You can now disable HTTPS certificate verification during OIDC authentication with the new set verify-cert subcommand under config user oidc. Leave verification enabled outside of lab troubleshooting: with it disabled, FortiProxy cannot distinguish the real IdP from a machine-in-the-middle presenting any certificate for the discovery, token, and key endpoints.
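The private_key_jwt exchange described in the second bullet, as an added Go example rather than FortiProxy's own code: the relying party signs a short-lived client assertion with its private key, and the IdP verifies it with the registered public key. The client_id, token endpoint, kid, and two-minute lifetime are assumptions; the claim set and the RS256 signing input follow OIDC Core 1.0 section 9 and RFC 7523.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ClientAssertionClaims is the body of the JWT a relying party sends as
// client_assertion with private_key_jwt (OIDC Core 1.0 s.9, RFC 7523).
type ClientAssertionClaims struct {
	Iss string `json:"iss"` // the client_id
	Sub string `json:"sub"` // the client_id again
	Aud string `json:"aud"` // the IdP's token endpoint URL
	Jti string `json:"jti"` // unique per assertion so the IdP can reject replays
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// NewRPKey is the relying party's one-time key generation; only the
// public half is registered with the IdP.
func NewRPKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignClientAssertion produces an RS256 JWT over the claims. kid is the
// key identifier the IdP uses to look up the registered public key.
func SignClientAssertion(key *rsa.PrivateKey, kid string, c ClientAssertionClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyClientAssertion is the IdP side: pin the algorithm, check the
// signature with the registered public key, then bind the claims to this
// client and token endpoint and reject expired assertions. now is Unix seconds.
func VerifyClientAssertion(pub *rsa.PublicKey, token, clientID, tokenEndpoint string, now int64) (*ClientAssertionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("alg is not RS256") // no alg=none, no HMAC key confusion
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var c ClientAssertionClaims
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(cb, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return nil, errors.New("iss/sub do not match the client_id")
	case c.Aud != tokenEndpoint:
		return nil, errors.New("aud is not this token endpoint")
	case now >= c.Exp:
		return nil, errors.New("assertion expired")
	}
	return &c, nil
}

func main() {
	key, err := NewRPKey()
	if err != nil {
		panic(err)
	}
	jti := make([]byte, 16)
	rand.Read(jti)
	now := time.Now().Unix()
	// Constructed client_id and token endpoint; substitute your IdP's values.
	const clientID, tokenURL = "fortiproxy-rp", "https://idp.example.test/oauth2/token"
	tok, err := SignClientAssertion(key, "fpx-key-1", ClientAssertionClaims{
		Iss: clientID, Sub: clientID, Aud: tokenURL, Jti: hex.EncodeToString(jti), Iat: now, Exp: now + 120,
	})
	if err != nil {
		panic(err)
	}
	_, err = VerifyClientAssertion(&key.PublicKey, tok, clientID, tokenURL, now)
	fmt.Println("IdP accepts assertion:", err == nil)
}
```

The verifier pins alg to RS256 before touching the signature and binds aud to its own token endpoint; an assertion captured in transit is therefore useless against another IdP, and it expires within minutes.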

ZTNA web portal enhancements

FortiProxy 7.6.3 includes the following enhancements to ZTNA agentless web-based application access:

  • Dynamic bookmarks using SAML attributes—Administrators can define dynamic bookmarks that generate personalized application shortcuts from an attribute in the user's SAML assertion, so bookmarks are auto-populated with the values carried in that attribute instead of static, pre-defined IP addresses or hostnames.

  • New login method using OIDC—You can now log into the ZTNA web portal using OIDC.

Support for Securosys Primus HSM

FortiProxy 7.6.3 adds support for Securosys Primus HSM.

  • Under config system nethsm, you can now configure the HSM vendor to be Securosys Primus and then configure the Primus-related settings:

    config system nethsm
        set status enable
        set vendor primus
        set primus-cfg <primus.cfg file content>
        set secret-content <Encrypted Config>
        config partitions
            edit "PRIMUSDEV270"
                set slot-id 1
                set pkcs11-pin <Encrypted password>
            next
        end
    end

  • When configuring local keys and certificates using the config vpn certificate local command, you can now configure the HSM vendor to be Securosys Primus HSM and configure the HSM key type.

  • You can perform operations on Primus HSM using the new execute nethsm primus command.

Support SHA-256 for digest authentication method

FortiProxy 7.6.3 adds support for SHA-256 in HTTP Digest authentication. RFC 7616 makes SHA-256 mandatory to implement and retains MD5 only for backward compatibility.

To configure the digest algorithm to be SHA-256:

config authentication scheme
    edit "digest-scheme"
        set method digest
        set fsso-guest disable
        set digest-algo md5 sha-256
    next
end

Listing both md5 and sha-256 keeps MD5 available for clients that do not support SHA-256, so a client that only speaks MD5 can still authenticate with the weaker algorithm. Once such clients are gone, remove md5 from digest-algo.

Increase proxy-address configuration limit

FortiProxy 7.6.3 includes the following changes to the proxy-address configuration limits for VM04 and VM08:

Proxy address object          New configuration limit for 7.6.3
Proxy Address Object          80K
Proxy Address Group           4096
Proxy Address Group Member    30K

CLI changes

FortiProxy 7.6.3 includes the following CLI changes:

  • config system global—Use the new set tcp-random-source-port subcommand to enable or disable (default) randomized source ports for IPv4 TCP connections.

  • config webfilter urlfilter—Use the new set include-subdomains subcommand to enable or disable matching of subdomains. Confirm the effective default on your build with show full-configuration before relying on it.

  • config vpn certificate local—This command adds support for Securosys Primus HSM with the following changes:

    • Use the new hsm-vendor subcommand to configure the HSM vendor:

      safenet    Safenet HSM.
      primus     Securosys Primus HSM.

    • Use the new hsm-keytype subcommand to configure the HSM key type:

      rsa        RSA key type.
      ec         EC key type.

    • The nethsm-slot command is renamed hsm-slot.

    • The execute nethsm command is renamed execute nethsm safenet.

      Use the new execute nethsm primus command to perform operations on Primus HSM with the following options:

      # execute nethsm primus
      clear-pkcs-provider-log        Clear logs from /tmp/pkcs11.log, generated by pkcs11.so, the OpenSSL provider.
      clear-primus-log               Clear logs from /tmp/primus.log, generated by libprimusP11.so.
      delete-object                  Delete Hardware Security Module object(s).
      dump-pkcs-provider-log         Dump logs from /tmp/pkcs11.log, generated by pkcs11.so, the OpenSSL provider.
      dump-primus-log                Dump logs from /tmp/primus.log, generated by libprimusP11.so.
      inspect-primus-library-info    Display information about the integrated libprimusP11.so library.
      list-objects                   List Hardware Security Module objects.
      upload-primus-cfg              Upload nethsm primus.cfg file.
      upload-primus-cfg-raw          Upload nethsm primus.cfg file.

    • config system nethsm—The set vendor parameter includes the new primus option to configure the HSM vendor to be Securosys Primus. You can then configure the Primus-related settings:

      config system nethsm
          set status enable
          set vendor primus
          set primus-cfg <primus.cfg file content>
          set secret-content <Encrypted Config>
          config partitions
              edit "PRIMUSDEV270"
                  set slot-id 1
                  set pkcs11-pin <Encrypted password>
              next
          end
      end

  • config vpn certificate hsm-local—The set gch-cryptokey-algorithm subcommand includes the following new options:

    Option                      Description
    rsa-sign-pss-3072-sha256    3072 bit RSA - PSS padding - SHA256 Digest.
    rsa-sign-pss-4096-sha256    4096 bit RSA - PSS padding - SHA256 Digest.
    rsa-sign-pss-4096-sha512    4096 bit RSA - PSS padding - SHA512 Digest.
    ec-sign-p256-sha256         Elliptic Curve P-256 - SHA256 Digest.

  • config icap remote-server and config user ldap—The set validate-server-certificate subcommand is removed.

  • diagnose wad worker oidc refresh-server—Use this new command to manually refresh OIDC discovery servers.

    The automatic refresh rate is once per minute for servers in the error state and once per hour for servers in the ready state.
