What’s new
FortiWeb 6.2.0 offers the following new features and enhancements.
New features
Bot mitigation
To quickly filter out automated threats, FortiWeb now provides a dedicated section that includes various protection mechanisms.
- Biometrics Based Detection: FortiWeb can now verify whether a client is a bot by monitoring events such as mouse movement, keyboard input, screen touch, and scrolling;
- Threshold Based Detection: You can now define the occurrence, time period, etc. of suspicious behaviors;
- Bot Deception: FortiWeb now provides a deception technique to identify bots. It inserts a hidden link into response pages. Clients that fetch the URL can accurately be classified as bots;
- Mobile Application Identification: For mobile clients that cannot execute JavaScript or CAPTCHA, FortiWeb can now verify that the request is legitimate by verifying the JWT token a mobile application carries when it accesses a web server.
For more information, see Bot mitigation.
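The two mechanisms above that are easiest to show in code are the hidden-link trap and the sliding-window threshold. The following Python is an added illustration, not FortiWeb's code: the trap path, the markup and the access-log sample are constructed for the example, and "404 response" stands in for whatever suspicious event a threshold rule counts.

```python
import re
import time
from collections import defaultdict, deque

# Hypothetical trap URL and markup; FortiWeb's real link path is not given on this page.
TRAP_PATH = "/.well-known/trap-7f3a"
TRAP_MARKUP = (f'<a href="{TRAP_PATH}" style="display:none" '
               'aria-hidden="true" tabindex="-1" rel="nofollow">x</a>')
_BODY_CLOSE = re.compile(r"</body\s*>", re.IGNORECASE)


def inject_trap_link(html: str) -> str:
    """Put the hidden link just before the last </body>. A browser renders nothing
    visible and a user never clicks it; a crawler that follows every href fetches TRAP_PATH."""
    matches = list(_BODY_CLOSE.finditer(html))
    if not matches:
        return html + TRAP_MARKUP
    pos = matches[-1].start()
    return html[:pos] + TRAP_MARKUP + html[pos:]


def is_trap_hit(request_line: str) -> bool:
    """True when the request line's path (query string ignored) is the trap URL."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    return parts[1].split("?", 1)[0] == TRAP_PATH


class ThresholdDetector:
    """Sliding-window counter: a client is flagged once it produces more than
    `occurrence` suspicious events within any `period`-second window."""

    def __init__(self, occurrence: int, period: float):
        self.occurrence = occurrence
        self.period = period
        self._events = defaultdict(deque)

    def record(self, client: str, now=None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._events[client]
        q.append(now)
        while q and now - q[0] > self.period:   # drop events that fell out of the window
            q.popleft()
        return len(q) > self.occurrence


# Constructed access-log sample: (client IP, request line, status, seconds since start)
SAMPLE_REQUESTS = [
    ("203.0.113.5", "GET /index.html HTTP/1.1", 200, 0.0),
    ("203.0.113.5", "GET /.well-known/trap-7f3a HTTP/1.1", 200, 0.2),
    ("198.51.100.9", "GET /login HTTP/1.1", 200, 1.0),
    ("198.51.100.9", "GET /old-page-1 HTTP/1.1", 404, 1.5),
    ("198.51.100.9", "GET /old-page-2 HTTP/1.1", 404, 1.9),
    ("198.51.100.9", "GET /old-page-3 HTTP/1.1", 404, 2.3),
    ("198.51.100.9", "GET /old-page-4 HTTP/1.1", 404, 2.8),
    ("192.0.2.77", "GET /about.html HTTP/1.1", 200, 3.0),
    ("192.0.2.77", "GET /moved HTTP/1.1", 404, 3.5),
    ("192.0.2.77", "GET /moved-too HTTP/1.1", 404, 40.0),
]


def classify(requests, occurrence=3, period=10.0):
    """Return the sorted list of clients judged to be bots by either rule:
    fetching the trap link, or more than `occurrence` 404s inside `period` seconds."""
    detector = ThresholdDetector(occurrence, period)
    bots = set()
    for client, line, status, ts in requests:
        if is_trap_hit(line):
            bots.add(client)
        if status == 404 and detector.record(client, now=ts):
            bots.add(client)
    return sorted(bots)


if __name__ == "__main__":
    print(inject_trap_link("<html><body><p>hello</p></body></html>"))
    print(classify(SAMPLE_REQUESTS))   # ['198.51.100.9', '203.0.113.5']
```

In the sample, 203.0.113.5 is classified by the trap alone, 198.51.100.9 by four 404s inside ten seconds, and 192.0.2.77 stays clean because its second 404 arrives after the window has expired.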
Mobile API protection
You can now protect your Mobile APIs from malicious attacks by verifying the mobile device authenticity.
For more information, see Configuring mobile API protection.
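As an added example of the token check that the mobile-application identification and mobile API protection features rely on, the Python below verifies an HS256 JWT with the standard library only. It is not FortiWeb's implementation and assumes a shared secret, an issuer claim and HS256 signing, none of which this page specifies; the secret and issuer values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-example-secret-change-me"   # constructed, not a real key
APP_ISSUER = "com.example.mobileapp"                     # hypothetical issuer claim


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """What the mobile app does: encode header.payload and sign it with HMAC-SHA256."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, expected_iss: str, now=None) -> dict:
    """What the gateway side does. Returns the claims, or raises ValueError with
    the reason the request should be rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError as exc:            # bad base64 or bad JSON
        raise ValueError("undecodable token") from exc
    # Pin the algorithm: the token must never choose it (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or has no exp")
    return claims


def rejection_reason(token: str, secret: bytes, expected_iss: str, now=None):
    """Convenience for logging: the reason a token fails, or None when it verifies."""
    try:
        verify_hs256(token, secret, expected_iss, now=now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    token = sign_hs256({"iss": APP_ISSUER, "sub": "device-42", "exp": now + 600}, SHARED_SECRET)
    print(verify_hs256(token, SHARED_SECRET, APP_ISSUER, now=now))
    print(rejection_reason(token, SHARED_SECRET, APP_ISSUER, now=now + 700))   # expired
```

The order of the checks matters: the algorithm is pinned and the signature verified before any claim is trusted, so an expired or wrong-issuer verdict is only ever produced for a token that really came from the holder of the secret.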
API gateway
With API gateway you can now control and secure all access to your APIs. You can define API users, verify API keys, perform access control, etc.
For more information, see API gateway.
High volume active-active HA mode
FortiWeb has added high volume active-active HA mode. In this mode, all the members in the HA group can send and receive packets to clients or back-end servers independently. It significantly increases the traffic throughput of the HA group; however, it requires additional manual configuration when setting up new servers.
For more information, see FortiWeb high availability (HA).
Support for multiple virtual IPs per server policy
Multiple virtual IPs can be attached to one virtual server so that you can apply the same server policy to more than one IP address.
For more information, see Configuring the network settings.
PSU monitoring support
You can now check the power supply's health. When the power state changes, a log and an SNMP trap are sent. You can also run execute sensors-list to obtain PSU information.
New Splunk log server support
Syslog now supports the Splunk log server, which can analyze the log data sent from FortiWeb, and present the logs in the form of histogram, pie chart, timing diagram, etc.
For more information, see FortiWeb and Splunk.
Support for ICAP server for additional scanning
With an ICAP server installed in your environment, you can enable Send Files to ICAP Server in FortiWeb so that files are sent to the ICAP server for threat detection.
For more information, see Creating an FTP file check rule.
Certificate expiration notification
FortiWeb checks certificate expiration dates and notifies administrators ahead of time.
For more information, see FortiWeb CLI Reference.
Proxy protocol support in Transparent Inspection and Offline Protection modes
You can enable Proxy Protocol from server pool settings. When Proxy Protocol is enabled, the proxy protocol versions (v1 and v2) are automatically detected.
New Content-Type application/octet-stream
Besides multipart/form-data, FortiWeb can now apply file upload limits to files that use application/octet-stream.
For more information, see Limiting file uploads.
WS-I basic verification added to XML protection rule
WS-I verification is supported in the XML protection rule to verify whether SOAP messages comply with the selected WS-I rules.
For more information, see Creating XML protection rules.
Geo database version added for both GUI and CLI
You can now see the Geo Database Version information from System > Config > FortiGuard, or by running diagnose system update info.
Limit concurrent access into a user account
You can now configure FortiWeb to limit the concurrent number of users accessing the same account in Site Publish.
For more information, see Single sign-on (SSO) (site publishing).
Enhancements
Machine Learning: Anomaly detection model enhancement
A new algorithm is introduced in the anomaly detection model to eliminate noise samples and reduce false positive detections.
For more information, see Configuring anomaly detection policy.
Policy-level replacement message support
Instead of creating an ADOM that contains the custom pages for a specific policy, you can now configure and apply a replacement message for a specific policy.
For more information, see Customizing error and authentication pages (replacement messages).
Support using the source address of the proxy protocol in server policy
A CLI command set use-proxy-protocol-addr is added so that you can enable using the source address of the proxy protocol in the server policy.
For more information, see FortiWeb CLI Reference.
Time information added in output of the command diagnose debug dnsproxy list
Last update time and update interval information is shown in the output of diagnose debug dnsproxy list. IPv4 addresses and IPv6 addresses have different update times and intervals. All the domain names resolved by dnsproxy are listed in the output.
For more information, see FortiWeb CLI Reference.
New FDS server debug commands
execute fdnserver show is added to show the current FDS server list, while execute fdnserver delete deletes all FDS servers. FortiWeb will update the FDS server list every time the system is updated.
For more information, see fdnserver show and fdnserver delete.
Time period filter added for custom access rule
You can specify a daily or fixed time period that a request must match in order to be allowed.
For more information, see Combination access control & rate limiting.
Blank password not supported any more for admin user
When an admin user logs into FortiWeb for the first time or imports a configuration file with a blank password, FortiWeb will force the user to change the password.
For more information, see Administrators.
SOAP attachment verification support
FortiWeb supports parsing attachments in SOAP messages, checking the MIME type of the file, and scanning the file for viruses and Trojans.
For more information, see Creating XML protection rules.
Enhanced recognition method for known engines
The new method combines a User-Agent filter with DNS reverse lookup to identify more known engines.
http2-parse-error-output added in attack-log
This command is added to log errors of the HTTP/2 protocol parser.
For more information, see FortiWeb CLI Reference.
RPC protocol added in HTTP Protocol Constraints
Detect and alert on or block traffic that uses the RPC protocol.
For more information, see HTTP/HTTPS protocol constraints.
Proxy protocol versions v1 and v2 support for Reverse Proxy and True Transparent Proxy modes
In Reverse Proxy and True Transparent Proxy modes, the proxy protocol version used by clients is automatically detected, while for the back-end servers you need to set the version in the server pool.
For more information, see Defining your web servers.
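The proxy-protocol items on this page (automatic v1/v2 detection in the inspection and proxy modes, and the option to act on the proxy-protocol source address in a server policy) share one underlying operation: sniff the first bytes of a connection, parse whichever header version is present, and only honour it when the peer is a trusted upstream. The Python below is an added example of that operation and is not FortiWeb's code; the trusted-proxy range and the sample connections are constructed.

```python
import ipaddress
import struct

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte prefix of every v2 header

# Constructed: the only upstream proxies allowed to assert a client address (hypothetical range)
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def detect_version(data: bytes):
    """Sniff the first bytes of a connection: 2, 1, or None for plain traffic."""
    if data.startswith(V2_SIGNATURE):
        return 2
    if data.startswith(b"PROXY "):
        return 1
    return None


def parse_v1(data: bytes):
    """Text form 'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n'; returns (info, remaining bytes)."""
    end = data.find(b"\r\n", 0, 107)            # a v1 header is at most 107 bytes
    if end == -1:
        raise ValueError("v1 header missing CRLF")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":   # proxy has no client information
        return {"version": 1, "local": True}, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("v1 header malformed")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("v1 address family mismatch")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("v1 port out of range")
    return {"version": 1, "local": False, "src": str(src), "src_port": sport,
            "dst": str(dst), "dst_port": dport}, rest


def parse_v2(data: bytes):
    """Binary form: signature, version/command byte, family/protocol byte, 16-bit length, addresses."""
    if len(data) < 16:
        raise ValueError("v2 header truncated")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not a v2 header")
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) < length:
        raise ValueError("v2 header truncated")
    if ver_cmd & 0x0F == 0:                      # LOCAL: the proxy's own traffic, e.g. health checks
        return {"version": 2, "local": True}, rest
    family = fam_proto >> 4
    if family == 1 and length >= 12:             # AF_INET
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
    elif family == 2 and length >= 36:           # AF_INET6
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ValueError("unsupported v2 address family")
    return {"version": 2, "local": False, "src": str(ipaddress.ip_address(src)),
            "src_port": sport, "dst": str(ipaddress.ip_address(dst)), "dst_port": dport}, rest


def client_address(data: bytes, peer_ip: str, trusted=TRUSTED_PROXIES):
    """Pick the source address a server policy should act on and strip the header.
    Only a trusted upstream may assert one; a PROXY header from anyone else is refused."""
    version = detect_version(data)
    if version is None:
        return peer_ip, data
    if not any(ipaddress.ip_address(peer_ip) in net for net in trusted):
        raise ValueError(f"PROXY v{version} header from untrusted peer {peer_ip}")
    info, rest = parse_v1(data) if version == 1 else parse_v2(data)
    return (peer_ip if info["local"] else info["src"]), rest


def header_accepted(data: bytes, peer_ip: str, trusted=TRUSTED_PROXIES) -> bool:
    """True when the connection is accepted (with or without a header), False when refused."""
    try:
        client_address(data, peer_ip, trusted)
        return True
    except ValueError:
        return False


# Constructed sample connections, each followed by the start of an HTTP request
SAMPLE_V1 = b"PROXY TCP4 203.0.113.5 198.51.100.20 51234 443\r\nGET / HTTP/1.1\r\n"
SAMPLE_V2 = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + ipaddress.IPv4Address("203.0.113.7").packed
             + ipaddress.IPv4Address("198.51.100.20").packed
             + struct.pack("!HH", 40000, 443) + b"GET / HTTP/1.1\r\n")
SAMPLE_PLAIN = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2, SAMPLE_PLAIN):
        print(client_address(sample, "10.0.0.2"))
```

The trust check is the security-relevant part: a proxy-protocol header is an unauthenticated claim about the client, so a policy that acts on it (the use-proxy-protocol-addr setting above) is only sound when the device accepting the header can only be reached through the proxies it trusts.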
OCSP Stapling optimized
Independent of other settings, OCSP stapling now works as a global setting, which supports all local certificates, including those used in multi-certificate.
For more information, see Configuring OCSP stapling.
Multiple servers in one KDC realm
You can configure multiple servers in one KDC realm so that the servers complement one another.
For more information, see Configuring a Kerberos Key Distribution Center (KDC) server.