What's new
New features
Multiple service ports support in server policy
You can specify a maximum number of 128 server ports in custom service so that one IP can listen to multiple ports.
Secure flag added to internal cookies for persistence policy
You can now configure the secure cookie to force browsers to return the cookie only for HTTPS traffic.
JSON file upload enhancement
FortiWeb now supports parsing the file contained in the uploaded JSON file to check whether it violates the file security policy.
For more information, see Configuring a file security rule.
HTTP header removal
It's now supported to remove HTTP headers when HTTP requests are rewritten.
For more information, see Rewriting & redirecting.
Length limit extended in URL rewriting rule
For URL rewriting rules, the length of the following four fields is extended from 256 bytes to 1024 bytes: Replacement URL, Replacement Referer, Request Replacement Location, and Response Replacement Location.
HTTP header value check in Global White list
You can specify the HTTP header value for it to be added Global White list. FortiWeb will skip scans if the traffic hits the match.
For more information, see Configuring the global object white list.
OpenAPI validation enhancement
- OpenAPI files with recursive references can be uploaded.
- JSON format of OpenAPI file is supported.
- OpenAPI files with relative URL path can be uploaded.
- Add CLI
set ignore-undefined-query-param {enable | disable}to bypass undefined query parameters in OpenAPI files.
RESTful API support for deleting blocked IP/users
You can now delete multiple blocked IPs/users under one server policy with RESTful API.
For more information, see FortiWeb RESTful API Reference.
Local configuration backup to FortiWeb disk
You can now back up system configuration and web protection profiles to FortiWeb disk.
Machine learning data backup
You can set ml-flag to back up machine learning data when executing full-config backup.
For more information, see config system backup.
SSL version setting for admin login
When HTTPS access is configured, administrators can set the SSL versions in admin settings.
For more information, see Global web UI & CLI settings.
SameSite flag enhancement
In addition to Client Management, now the SameSite flag also applies to User Tracking, Anomaly Detection, and Site Publish.
For more information, see server-policy policy.
Two-Factor Authentication support for admin access
An extra layer of security 2FA is introduced when logging into FortiWeb GUI. With 2FA, you have to log in with your username and password and provide token authentication that only you know or have access to.
For more information, see config system global.
Offline license support for more VM platforms
Besides Hyper-V platform, offline licenses are now also allowed to import to VMware, KVM, and XEN platforms.
FIPS compliance mode
The fips-ciphers mode is introduced in FortiWeb-VMs on AWS and Azure.
For more information, see config system-fips-cc.
HA enhancements for FortiWeb on public cloud platforms
FortiWeb HA on public cloud platforms are implemented with the following enhancements in this release:
- Active-active-standard mode is no longer supported. After upgrading to 6.3.6, FortiWeb-VMs with this mode will automatically switch to active-active-high-volume mode.
- For FortiWeb-VMs in active-passive mode, the configurations of the active VM's interface IP, static route, policy route, and firewall policy will not be synchronized to the standby VM.
- In earlier versions, enabling HA requires all interfaces to enable DHCP mode. From 6.3.6, only port1 is required to enable DHCP mode.
FortiWeb BYOL image on Alibaba Cloud
You can now deploy FortiWeb with a BYOL license from Alibaba Cloud Marketplace.
FortiWeb hybrid autoscaling on AWS
FortiWeb now supports hybrid autoscaling solution on AWS. You can deploy a fixed number of BYOL instances and a variable number of PAYG instances.
FortiWeb available on AWS China Marketplace
You can now deploy FortiWeb from AWS China Marketplace. Only standalone mode is supported for now.
New model 100E introduced
FortiWeb 100E is introduced to replace 100D. It has better performance than 100D.
New RESTful API
New RESTful API is introduced in FortiWeb in this release.
For more information ,see FortiWeb RESTful API reference.
Enhancements
Optimization on Certificates
- Certificates tab is moved from System to Server Objects.
- Local and Multi-certificate tabs are integrated into Local in Server Objects > Certificates.
- Certificate Verify and Server Certificate Verify tabs are integrated into Certificate Verify in Server Objects > Certificates.
WCCP Client configurable only in WCCP mode
When in non-WCCP modes, WCCP Client tab is invisible and non-configurable from GUI.
Multiple features integrated in feature visibility
You can customize more features shown on GUI by setting them in System > Config > Feature Visibility.
Signature scan enhancement
The response body of content types including binary, media, and picture are no longer scanned against signature rules.
Support HEX decoding for HTTP arguments
FortiWeb's HTTP parser now supports decoding the parameter values containing HEX characters.
Enhancements on the trust items
FortiWeb no longer executes subsequent scans for the items listed in IP List, Global White List, and Known Bots. This reduces false positives and improves performance.
Add exceptions of SQL/XSS Syntax Based Detection from attack log
FortiWeb now supports adding SQL/XSS Syntax Based Detection exceptions from attack logs.
Add exceptions of Known Bots from attack log
FortiWeb now supports adding Known Bots exceptions from attack logs.
XML Entities check enhancement
FortiWeb will not download external entity references when it checks the XML format, and it will not treat the XML as "XML Format error" if it can't find the external definition.
Client Management debug
The client Management debug information can be printed using the command diagnose debug application client-management.
Changes of supported SSL ciphers
The following changes are implemented for the Customized SSL ciphers list.
New added:
- ECDHE-ARIA128-GCM-SHA256
- DHE-RSA-ARIA128-GCM-SHA256
- DHE-RSA-ARIA256-GCM-SHA384
- ECDHE-ARIA256-GCM-SHA384
No longer supported:
- DHE-RSA-CAMELLIA128-SHA
- DHE-DSS-CAMELLIA128-SHA
- CAMELLIA256-SHA
- CAMELLIA128-SHA
For a complete SSL ciphers list supported by FortiWeb, see Supported cipher suites & protocol versions.
Brute Force Login removed from predefined custom policy
To avoid false positives, Brute Force Login is removed from the predefined custom policies.
Bot confirmation disabled in predefined Brute Force Login Alert Only custom rule
Bot confirmation is disabled as the alert only custom rule is not supposed to block requests.
GEO DB package upload moved to FortiGuard
The GEO DB setting is moved from System > Config > Maintenance to System > Config > FortiGuard.
FortiSandbox connectivity status moved
The FortiSandbox connectivity status is displayed on the FortiSandbox page instead of the landing page widget.
Page Access and Start Pages modules completely removed
Page Access and Start Pages modules were removed from GUI in 630. Now the CLI commands of these two modules are also removed.