Security Fabric - Single Sign On with FortiGate
The Security Fabric integration has been enhanced. A new Fabric Connectors tab is added, and you can now use SSO to log in to FortiWeb directly from FortiGate.
For more information, see Fabric Connector: Single Sign On with FortiGate.
Machine Learning Anomaly Detection enhancement
Anomaly Detection in Machine Learning is enhanced to simplify the configuration and refine the process of model refreshing. Sample Collection mode and Parameter Model Update have been removed and are now fully automated.
For more information, see Configuring anomaly detection policy.
Web Shell Detection
The Trojan detection in File Security is upgraded to a separate tab named Web Shell Detection. The feature is now more powerful: it not only detects known web shells but also performs fuzzy-hash-based web shell detection.
For more information, see Web Shell Detection.
Let's Encrypt certificate support
Integration with Let's Encrypt is now supported, allowing FortiWeb to automatically generate server certificates and removing the need to upload your own certificates.
For more information, see Let's Encrypt certificates.
AWS and Azure External Connectors
You can configure External Connectors to authorize FortiWeb to access your public cloud resources on AWS and Azure in order to automatically obtain and dynamically update the IP addresses of the back-end servers.
reCAPTCHA for bot detection is now available. It is integrated into features such as DoS Protect and Bot Mitigation to confirm whether the client is a bot.
For more information, see Creating reCAPTCHA servers.
SQL/XSS Syntax Based Detection enhancement
Additional scan targets have been added to SQL/XSS Syntax Based Detection. "User-Agent", "Referer", and all other HTTP headers are now supported in addition to the existing "Parameter Name", "Parameter Value" and "Request Cookie".
For more information, see Syntax-based SQL/XSS injection detection.
Predefined policies in SQL/XSS Syntax Based Detection
Predefined SQL/XSS Syntax Based Detection policies are added so that you can quickly apply them in a web protection profile.
NTLM Authentication support in Site Publish rule
FortiWeb now supports authenticating clients with NTLM over HTTP. In a Site Publish rule, you can select NTLM Authentication as the Client Authentication Method, then select Kerberos Constrained Delegation for Authentication Delegation.
For more information, see Client Authentication Method in Offloaded authentication and optional SSO configuration.
New RADIUS authorization support for client certificate authentication
New options are added in the Site Publish rule to support extracting the username from the client certificate and sending it to the RADIUS server for an additional authorization step.
For more information, see Authentication Delegation in Offloaded authentication and optional SSO configuration.
HTTP header append
The Referrer-Policy and Feature-Policy headers are now supported in HTTP Header Security.
For more information, see HTTP Security Headers.
HTTP header rewrite
You can now rewrite HTTP headers in response packets by defining HTTP Header Insertion and HTTP Header Removal lists in a URL Rewriting rule.
For more information, see Rewriting & redirecting.
Base64 decoding in payload
FortiWeb now supports decoding base64 payloads in parameters.
For more information, see Advanced Decoding.
UTF-16 JS decoding in payload
FortiWeb now supports decoding UTF-16 JavaScript-encoded payloads.
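As an added illustration of why the two decoding items above matter (example code, not FortiWeb's own implementation): a scanner that inspects only the raw parameter value misses a payload wrapped in base64 or in JavaScript \uXXXX escapes, while peeling those layers before matching catches it. The detection pattern, parameter names and sample values are constructed for the example.

```python
import base64
import binascii
import re

# Constructed stand-in for a syntax/signature check; real scanners are far richer.
XSS_PATTERN = re.compile(r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)
_JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def decode_js_utf16(value: str) -> str:
    """Expand JavaScript \\uXXXX escapes (UTF-16 code units); surrogate pairs are joined,
    lone surrogates become U+FFFD instead of raising."""
    if "\\u" not in value:
        return value
    units = _JS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)
    return units.encode("utf-16", "surrogatepass").decode("utf-16", "replace")


def try_base64(value: str):
    """Return decoded text when value is plausibly base64 (standard or URL-safe), else None."""
    candidate = value.strip()
    if len(candidate) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", candidate):
        return None
    candidate = candidate.replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)  # restore stripped padding
    try:
        return base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def normalize_layers(value: str, max_depth: int = 3) -> list:
    """Return the raw value followed by each successively decoded layer."""
    layers, current = [value], value
    for _ in range(max_depth):
        decoded = decode_js_utf16(current)
        decoded = try_base64(decoded) or decoded
        if decoded == current:
            break
        layers.append(decoded)
        current = decoded
    return layers


def scan_parameter(name: str, value: str):
    """Match the pattern against every decoding layer; report the depth where it first hits."""
    for depth, layer in enumerate(normalize_layers(value)):
        if XSS_PATTERN.search(layer):
            return {"parameter": name, "depth": depth, "matched": layer}
    return None


# Constructed sample request parameters (not captured traffic).
SAMPLE_PARAMS = {
    "q": "fortiweb",
    "comment": base64.b64encode(b"<script>alert(1)</script>").decode(),
    "name": "\\u003cscript\\u003ealert(1)\\u003c/script\\u003e",
    "bio": base64.b64encode(b"\\u003cscript\\u003ealert(1)\\u003c/script\\u003e").decode(),
}
```

A hit at depth 0 is visible to any scanner; hits at depth 1 or 2 are exactly the cases that require the base64 and UTF-16 JavaScript decoding described above.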
The OpenAPI Validation feature is enhanced to support the security mechanism in OpenAPI 3.0.x specifications.
Health check in TTP mode
FortiWeb now supports running health checks against back-end servers in True Transparent Proxy (TTP) mode. The exception is when FortiWeb is deployed in active-active standard HA mode.
For more information, see Defining your web servers.
FortiWeb admin interface web server certificate enhancement
You can now import an intermediate certificate for the FortiWeb admin interface.
For more information, see To upload the intermediate CA for the administrator.
7-day threats data in FortiView
FortiWeb now displays 7-day threats data in FortiView on 3000E and 4000E.
Additional events monitored by SNMP traps and OIDs
FortiWeb now allows you to monitor the following events by SNMP traps and OIDs.
Events monitored by SNMP OIDs: Virtual Server Object status, Server-Pool object status, Server Policy status, and Policy/Virtual Server traffic.
Events monitored by SNMP traps: Policy LDAP auth failure and Policy RADIUS auth failure.
Maximum configuration number increased on FortiWeb-VM
For FortiWeb-VM, the maximums for server policies, server pools, pool members, and virtual servers are all increased to 1024 if the memory is larger than 64 GB; the maximums for all types of certificates are raised to 1024 as well.
Administrator trusted host maximum increased
The maximum number of trusted hosts per administrator (configured in Admin > Administrator) is increased from 3 to 10.
Cookieless cache in Site Publish rule
The cookieless-cache CLI option is added for cookieless authentication in the Site Publish rule, allowing flexible configuration of the cache timeout value. When it is set to 0, FortiWeb sends an authentication request to the authentication server every time the user logs in.
For more information, see waf site-publish-helper rule.