To upgrade from versions earlier than 6.3.9, you need to upgrade to 6.3.9 first , then to 6.3.16.
If you are currently running 6.3.12, please upgrade immediately.
Version 6.3.12 has a potential issue when FortiWeb is deployed in HA mode and it is now obsoleted.
Alert interval for custom signature violations
To mitigate alert floods you can now configure the alert interval for custom signature violations.
For more information, see the description of "Maximum Alert Interval" in Defining custom data leak & attack signatures.
Ignore X-Forwarded-For header in GEO IP scan
To optimize performance you can configure FortiWeb to execute Geo IP scan at the TCP layer to avoid HTTP packets being processed unnecessarily (only when Server Objects > X-Forwarded-For is not used). It's now also supported to set the trigger action to Deny (no log) or Period Block to avoid alerts flooding.
For more information, see the description of "Ignore X-Forwarded-For" and "Trigger Action" in GEO IP - Blocklisting & whitelisting countries & regions
Serial Console support for FortiWeb-VMs on public cloud platforms
You can now access FortiWeb-VMs through serial console on AWS, Azure, Google Cloud, and OCI.
For more information, see FortiWeb-VM Deployment Guide on public platforms.
SMTP username length increase
The SMTP username in Email policy now supports up to 163 characters.