Administration Guide

What’s new

FortiWeb 6.2.0 offers the following new features and enhancements.

New features

Bot mitigation

To quickly filter out automated threats, FortiWeb now provides a dedicated section that includes various protection mechanisms.

  • Biometrics Based Detection: FortiWeb can now verify whether a client is a bot by monitoring events such as mouse movement, keyboard input, screen touches, and scrolling;
  • Threshold Based Detection: You can now define the occurrence count, time period, and other parameters of suspicious behaviors;
  • Bot Deception: FortiWeb now provides a deception technique to identify bots. It inserts a hidden link into response pages. Clients that fetch the URL can accurately be classified as bots;
  • Mobile Application Identification: For mobile clients that cannot execute JavaScript or solve a CAPTCHA, FortiWeb can now verify that the request is legitimate by verifying the JWT token a mobile application carries when it accesses a web server.

For more information, see Bot mitigation.
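The Mobile Application Identification item above hinges on verifying a signed JWT carried by the app. The following is an added example, not FortiWeb code, of how such a verifier is built from the standard library: it pins the algorithm to HS256 (so a token claiming alg "none" fails closed), compares the HMAC in constant time, and enforces exp/nbf. The shared secret, the claim names beyond the standard exp/nbf, and the bearer-header convention in is_legitimate_mobile_request are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret shared between the mobile app and the verifier.
# A real deployment provisions a per-application secret out of band.
APP_SECRET = b"example-shared-secret-not-for-production"


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256-signed token (used here only to build realistic input)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is acceptable, otherwise None.

    Rejects: wrong segment count, undecodable segments, any 'alg' other than the
    pinned HS256 (so 'alg':'none' and key-confusion tricks fail closed), a
    signature that does not match (compared in constant time), a missing or
    past 'exp', and a future 'nbf'.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, (int, float)) or not isinstance(nbf, (int, float)):
        return None
    if now >= exp or now < nbf:
        return None
    return claims


def is_legitimate_mobile_request(headers: dict, secret: bytes, now: Optional[float] = None) -> bool:
    """Apply the check to one HTTP request. The app is assumed to send the token
    as 'Authorization: Bearer <token>' (header name and scheme are this example's choice)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return verify_token(auth[len("Bearer "):], secret, now) is not None


if __name__ == "__main__":
    token = make_token({"sub": "app-42", "exp": int(time.time()) + 300}, APP_SECRET)
    print(is_legitimate_mobile_request({"Authorization": "Bearer " + token}, APP_SECRET))
```

The verifier never reads the algorithm from the token to decide how to check it; the expected algorithm is fixed by the verifier's configuration, which is what closes the classic "alg":"none" and HMAC/RSA confusion bypasses.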

Mobile API protection

You can now protect your Mobile APIs from malicious attacks by verifying the mobile device authenticity.

For more information, see Configuring mobile API protection.

API gateway

With API gateway, you can now control and secure all access to your APIs. You can define API users, verify API keys, perform access control, and more.

For more information, see API gateway.


High volume active-active HA mode

FortiWeb has added high volume active-active HA mode. In this mode, all the members in the HA group can send and receive packets to clients or back-end servers independently. It significantly increases the traffic throughput of the HA group; however, it requires additional manual configuration when setting up new servers.

For more information, see FortiWeb high availability (HA).

Support for multiple virtual IPs per server policy

Multiple virtual IPs can be attached to one virtual server so that you can apply the same server policy to more than one IP address.

For more information, see Configuring the network settings.

PSU monitoring support

You can now check the power supply's health. When the power state changes, a log and an SNMP trap are sent. You can also run execute sensors-list to obtain PSU information.

New Splunk log server support

Syslog now supports the Splunk log server, which can analyze the log data sent from FortiWeb and present the logs as histograms, pie charts, timing diagrams, and so on.

For more information, see FortiWeb and Splunk.

Support for ICAP server for additional scanning

With an ICAP server installed in your environment, you can enable Send Files to ICAP Server in FortiWeb so that files are sent to the ICAP server for threat detection.

For more information, see Creating an FTP file check rule.

Certificate expiration notification

FortiWeb checks certificate expiration dates and notifies administrators ahead of time.

For more information, see FortiWeb CLI Reference.

Proxy protocol support in Transparent Inspection and Offline Protection modes

You can enable Proxy Protocol from server pool settings. When Proxy Protocol is enabled, the proxy protocol versions (v1 and v2) are automatically detected.

New Content-Type application/octet-stream

Besides multipart/form-data, FortiWeb can now apply file upload limits to files that use application/octet-stream.

For more information, see Limiting file uploads.
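Applying one size limit to both encodings means measuring the file differently in each case: for multipart/form-data each file part is measured on its own, while for application/octet-stream the whole request body is the file. The following is an added example, not FortiWeb's implementation, that does exactly that with a small RFC 2046-style multipart splitter; the sample request bodies and the "<raw-body>" placeholder name are constructed for the example.

```python
import re
from email.message import Message
from typing import Dict, List, Tuple

FILENAME_RE = re.compile(r'filename="([^"]*)"')


def content_type_params(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'multipart/form-data; boundary=abc' into the media type and its parameters."""
    msg = Message()
    msg["Content-Type"] = value
    mime = msg.get_content_type()                      # lower-cased media type
    params = {k.lower(): v for k, v in msg.get_params()[1:]}   # [0] is the type itself
    return mime, params


def multipart_file_sizes(boundary: str, body: bytes) -> List[Tuple[str, int]]:
    """Return (filename, size) for every file part of a multipart/form-data body.
    Fields without a filename are ignored. The CRLF before each delimiter belongs
    to the delimiter (RFC 2046), so it is not counted toward the file."""
    delimiter = b"--" + boundary.encode("ascii")
    sizes = []
    for chunk in body.split(delimiter)[1:]:            # [0] is the preamble
        if chunk.startswith(b"--"):                    # closing delimiter '--boundary--'
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        split = chunk.find(b"\r\n\r\n")
        if split == -1:
            raise ValueError("multipart part without header terminator")
        headers, content = chunk[:split].decode("latin-1"), chunk[split + 4:]
        if content.endswith(b"\r\n"):
            content = content[:-2]
        match = FILENAME_RE.search(headers)
        if match:
            sizes.append((match.group(1), len(content)))
    return sizes


def oversized_uploads(headers: Dict[str, str], body: bytes, max_bytes: int) -> List[str]:
    """Return the names of uploaded files larger than max_bytes, for the two
    Content-Types the feature covers: multipart/form-data (one limit per file
    part) and application/octet-stream (the whole body is the file)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    content_type = lowered.get("content-type")
    if not content_type:
        return []
    mime, params = content_type_params(content_type)
    if mime == "multipart/form-data":
        if "boundary" not in params:
            raise ValueError("multipart/form-data without boundary")
        files = multipart_file_sizes(params["boundary"], body)
    elif mime == "application/octet-stream":
        # A raw upload may name itself via Content-Disposition; otherwise use a placeholder.
        match = FILENAME_RE.search(lowered.get("content-disposition", ""))
        files = [(match.group(1) if match else "<raw-body>", len(body))]
    else:
        files = []
    return [name for name, size in files if size > max_bytes]


# Constructed sample multipart body: one plain field, a 5-byte file and a 20-byte file.
SAMPLE_BOUNDARY = "ExampleBoundary1234"
SAMPLE_MULTIPART = b"".join([
    b"--ExampleBoundary1234\r\n",
    b'Content-Disposition: form-data; name="comment"\r\n\r\n',
    b"just a text field\r\n",
    b"--ExampleBoundary1234\r\n",
    b'Content-Disposition: form-data; name="file1"; filename="small.txt"\r\n',
    b"Content-Type: text/plain\r\n\r\n",
    b"hello\r\n",
    b"--ExampleBoundary1234\r\n",
    b'Content-Disposition: form-data; name="file2"; filename="big.bin"\r\n',
    b"Content-Type: application/octet-stream\r\n\r\n",
    b"A" * 20 + b"\r\n",
    b"--ExampleBoundary1234--\r\n",
])

if __name__ == "__main__":
    hdrs = {"Content-Type": "multipart/form-data; boundary=" + SAMPLE_BOUNDARY}
    print(oversized_uploads(hdrs, SAMPLE_MULTIPART, max_bytes=10))
```

In a real proxy the body would be streamed and the check made as bytes arrive rather than after buffering the whole request; the measurement rule, per part for multipart and whole body for octet-stream, is the same.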

WS-I basic verification added to XML protection rule

WS-I verification is supported in XML protection rules to verify whether SOAP messages comply with the selected WS-I rules.

For more information, see Creating XML protection rules.

Geo database version added for both GUI and CLI

You can now see the Geo Database Version information from System > Config > FortiGuard, or by running diagnose system update info.

Limit concurrent access into a user account

You can now configure FortiWeb to limit the concurrent number of users accessing the same account in Site Publish.

For more information, see Single sign-on (SSO) (site publishing).

Enhancements

Machine Learning: Anomaly detection model enhancement

A new algorithm is introduced in the anomaly detection model to eliminate noise samples and reduce false positive detections.

For more information, see Configuring anomaly detection policy.

Policy-level replacement message support

Instead of creating an ADOM that contains the custom pages for a specific policy, you can now configure and apply a replacement message for a specific policy.

For more information, see Customizing error and authentication pages (replacement messages).

Support using the source address of the proxy protocol in server policy

A CLI command, set use-proxy-protocol-addr, is added so that you can enable using the source address of the proxy protocol in server policy.

For more information, see FortiWeb CLI Reference.

Time information added in output of the command diagnose debug dnsproxy list

Last update time and update interval information are shown in the output of diagnose debug dnsproxy list. IPv4 and IPv6 addresses have separate update times and intervals. All domain names resolved by dnsproxy are listed in the output.

For more information, see FortiWeb CLI Reference.

New FDS server debug commands

execute fdnserver show is added to show the current FDS server list, while execute fdnserver delete deletes all FDS servers. FortiWeb updates the FDS server list every time the system is updated.

For more information, see fdnserver show and fdnserver delete.

Time period filter added for custom access rule

You can specify a daily or fixed time period that a request must match in order to be allowed.

For more information, see Combination access control & rate limiting.

Blank password not supported any more for admin user

When an admin user logs into FortiWeb for the first time or imports a configuration file with a blank password, FortiWeb will force the user to change the password.

For more information, see Administrators.

SOAP attachment verification support

FortiWeb supports parsing attachments in SOAP messages, checking the MIME type of the file, and scanning the file for viruses and Trojans.

For more information, see Creating XML protection rules.

Enhanced recognition method for known engines

The new method combines a User-Agent filter with DNS reverse lookup to identify more known engines.

http2-parse-error-output added in attack-log

This command is added to log errors of the HTTP/2 protocol parser.

For more information, see FortiWeb CLI Reference.

RPC protocol added in HTTP Protocol Constraints

Detect and alert on or block traffic that uses the RPC protocol.

For more information, see HTTP/HTTPS protocol constraints.

Proxy protocol versions v1 and v2 support for Reverse Proxy and True Transparent Proxy modes

In Reverse Proxy and True Transparent Proxy modes, the proxy protocol version used by clients is automatically detected; for the back-end servers, however, you need to set the version in the server pool.

For more information, see Defining your web servers.
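Both proxy protocol items on this page (automatic v1/v2 detection in the server pool, and using the header's source address in server policy) come down to one parser plus one trust decision. The following is an added example, not FortiWeb code: it detects a v2 header by its fixed 12-byte binary signature and a v1 header by its "PROXY " text prefix, extracts the original client and destination addresses, reports how many bytes to skip before the real payload, and only honours the header when the connection arrives from a known upstream proxy, since otherwise any client could prepend a PROXY line and spoof its source address. The ProxyInfo structure, the client_address helper and its trusted_proxies parameter, and the two sample connections are constructed for this example.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional, Set

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12 bytes, fixed by the PROXY protocol spec
V1_PREFIX = b"PROXY "


class ProxyInfo(NamedTuple):
    version: int                 # 1 or 2
    src_addr: Optional[str]      # None for LOCAL / UNKNOWN / UNSPEC headers
    src_port: Optional[int]
    dst_addr: Optional[str]
    dst_port: Optional[int]
    header_len: int              # bytes consumed; the real payload starts here


def parse_proxy_header(data: bytes) -> Optional[ProxyInfo]:
    """Auto-detect a v2 (binary) or v1 (text) PROXY header at the start of a
    connection. Returns None when there is no header at all and raises
    ValueError for a header that is present but malformed."""
    if data.startswith(V2_SIGNATURE):
        return parse_v2(data)
    if data.startswith(V1_PREFIX):
        return parse_v1(data)
    return None


def parse_v1(data: bytes) -> ProxyInfo:
    end = data.find(b"\r\n")
    if end == -1 or end + 2 > 107:          # v1 lines never exceed 107 bytes incl. CRLF
        raise ValueError("PROXY v1 line missing CRLF or too long")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":   # sender could not determine addresses
        return ProxyInfo(1, None, None, None, None, end + 2)
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    family = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match declared protocol")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(1, str(src), sport, str(dst), dport, end + 2)


def parse_v2(data: bytes) -> ProxyInfo:
    if len(data) < 16:
        raise ValueError("truncated PROXY v2 header")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("bad PROXY v2 version nibble")
    total = 16 + addr_len
    if len(data) < total:
        raise ValueError("truncated PROXY v2 address block")
    command, family = ver_cmd & 0x0F, fam_proto >> 4
    if command == 0x0:                      # LOCAL: the proxy's own traffic (health checks)
        return ProxyInfo(2, None, None, None, None, total)
    if command != 0x1:
        raise ValueError("unknown PROXY v2 command")
    addrs = data[16:total]
    if family == 0x1 and addr_len >= 12:    # AF_INET: src4, dst4, sport, dport
        s, d, sp, dp = struct.unpack("!4s4sHH", addrs[:12])
        return ProxyInfo(2, str(ipaddress.IPv4Address(s)), sp, str(ipaddress.IPv4Address(d)), dp, total)
    if family == 0x2 and addr_len >= 36:    # AF_INET6: src16, dst16, sport, dport
        s, d, sp, dp = struct.unpack("!16s16sHH", addrs[:36])
        return ProxyInfo(2, str(ipaddress.IPv6Address(s)), sp, str(ipaddress.IPv6Address(d)), dp, total)
    if family == 0x0:                       # AF_UNSPEC: no usable address
        return ProxyInfo(2, None, None, None, None, total)
    raise ValueError("unsupported PROXY v2 address family or short address block")


def client_address(data: bytes, peer_addr: str, trusted_proxies: Set[str],
                   use_proxy_protocol_addr: bool = True) -> str:
    """Decide which address policy treats as the client. Mirrors a switch like
    use-proxy-protocol-addr (this function is the example's, not FortiWeb's):
    the header is honoured only when enabled AND the TCP peer is a known proxy."""
    if not use_proxy_protocol_addr or peer_addr not in trusted_proxies:
        return peer_addr
    info = parse_proxy_header(data)
    if info is None or info.src_addr is None:
        return peer_addr
    return info.src_addr


# Constructed sample connections: a v1 text header and a v2 binary header, each
# followed by the start of an HTTP request.
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 198.51.100.10 51234 443\r\nGET / HTTP/1.1\r\n"
SAMPLE_V2 = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + bytes([203, 0, 113, 7]) + bytes([198, 51, 100, 10])
             + struct.pack("!HH", 51234, 443) + b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        print(parse_proxy_header(sample))
```

The trust check in client_address is the part that matters operationally: source-address based features (rate limits, geo rules, allow lists) are only as reliable as the proxy that wrote the header, so the header should be accepted solely from the load balancer addresses you control.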


OCSP Stapling optimized

Independent of other settings, OCSP stapling now works as a global setting that supports all local certificates, including those used in multi-certificate configurations.

For more information, see Configuring OCSP stapling.

Multiple servers in one KDC realm

You can configure multiple servers in one KDC realm so that the servers complement one another.

For more information, see Configuring a Kerberos Key Distribution Center (KDC) server.
