FortiWeb 7.0 offers the following new features and enhancements.
API Discovery and Protection
Machine Learning Based API Discovery and Protection is introduced. Using machine learning, FortiWeb learns the REST API schema and data structure from observed traffic and builds mathematical models of legitimate requests, which are then used to block malicious API requests that deviate from them.
For more information, see Configuring API Protection Policy.
Dashboard and FortiView enhancements
New Widgets are introduced in Dashboard to display System information, security events, user tracking information, and FortiView statistics. The Monitor tab and FortiView tab are removed in this release.
For more information, see Dashboard.
New Action Type – Client ID Block Period
A new action type has been added - Client ID Block Period. It blocks a malicious user based on the FortiWeb-generated client ID rather than on the source IP address, so the block stays attached to the client even when it arrives from a different or shared IP address.
For more information, see the Block Method option in Client management.
Ability to block directly from FortiView
You can now conveniently block source IP addresses from FortiView.
OAuth 2.0 support
FortiWeb now supports OAuth 2.0 in Site Publish for front-end authentication.
For more information, see OAuth Authorization.
Personally Identifiable Information
The Personally Identifiable Information signature dictionary can now be used in custom rules.
Credential stuffing online query
It is now possible to query the extended FortiGuard credential stuffing database online instead of using the local database. The online database is larger and covers additional leaked credentials from data breaches. The online database is enabled from the CLI.
For more information, see "Credential Stuffing Online Check" in Tracking.
Exceptions in SQL/XSS-Syntax-Based-Detection (SBD) and Bot-Mitigation
You can now add exceptions to the SQL/XSS Syntax-Based Detection (SBD) and Bot Mitigation modules to suppress false positives.
For more information, see Exception Policy.
Default route enhancements
To avoid conflicts, the system route, the HA static route, and the DHCP route are now assigned different priorities, and routes are checked for duplicate destinations.
For more information, see "Static route priority" in Configuring the network settings.
Support for multiple wildcard admin users
More than one wildcard administrator account can now be configured.
For more information, see "Group Name" in Grouping remote authentication queries and certificates for administrators.
Shell access support
FortiWeb now supports shell access over SSH. It is disabled by default; enable it with config system global / set shell-access enable. Because a shell gives an administrator full access to the underlying operating system, leave it disabled unless it is needed and restrict SSH to trusted management hosts.
For more information, see config system global.
Support for HSM HA group
FortiWeb now supports HSM HA group containing two HSM servers.
For more information, see To integrate FortiWeb with SafeNet Network HSM 7 - HA mode.
LDAP server health check
You can now enable an LDAP server health check so that user authentication keeps working when some of the IP addresses that the LDAP server's domain name resolves to are unreachable; FortiWeb then sends queries only to the addresses that pass the check. Run config server-policy policy / set ldap-health enable to enable it.
Configuration change event logging enhancement
The event log has been enhanced to include additional information when the configuration changes (Log&Report > Event).
Traffic logging default behavior change
To avoid unnecessary resource consumption, FortiWeb no longer generates traffic logs for server policies by default. For traffic logging to work, it must be enabled both globally under Log&Report ("Other Log Settings") and per server policy via the CLI command config server-policy policy. Policies for which it is not explicitly enabled produce no traffic log after upgrading, so check any policy whose traffic logs feed a SIEM or compliance archive.
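The two-step procedure described above, as an added example written for this page rather than taken from the FortiWeb documentation. The CLI object and option names (config log traffic-log / set status enable for the global switch, set tlog enable for the per-policy switch) are assumptions to be verified against the FortiWeb 7.0 CLI Reference, and web-policy1 is a placeholder policy name:

```text
# Step 1: global traffic-log switch. This is what the GUI exposes under
# Log&Report > Other Log Settings. Assumed CLI path; verify against the
# FortiWeb 7.0 CLI Reference.
config log traffic-log
  set status enable
end

# Step 2: per-policy opt-in (new requirement in 7.0). 'tlog' is an assumed
# option name and 'web-policy1' a placeholder; repeat for every policy whose
# traffic must be logged.
config server-policy policy
  edit "web-policy1"
    set tlog enable
  next
end

# Any policy not edited in step 2 keeps the 7.0 default and writes no
# traffic log, even though step 1 is enabled.
```

After applying both steps, confirm with a test request against the policy's virtual server that a traffic log entry appears under Log&Report before relying on the logs downstream.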
New VM16 license
VM-16 license is introduced to support up to 16 vCPUs.
FortiWeb-VM on OpenStack license file importing method update
FortiWeb-VM on OpenStack has changed the license file import method because of changes in OpenStack.
Openstack Wallaby Support
FortiWeb-VM now supports the OpenStack Wallaby release.
Azure load balancer support enhancements
FortiWeb-VMs can now be deployed in multiple shared back-end pools behind an Azure load balancer.
Optimization of GEO IP, IP List, and IP Reputation
To optimize performance, FortiWeb now evaluates GEO IP, IP List, and IP Reputation policies at the TCP layer, so that HTTP data from a blocked source is never parsed. This applies only when Server Objects > X-Forwarded-For is not used, because with X-Forwarded-For the real client address is only known after the HTTP headers have been parsed. The trigger action can now also be set to Deny (no log) or Period Block to avoid alert flooding from repeated hits by the same source.
For more information, see the description of "Ignore X-Forwarded-For" and "Trigger Action" in GEO IP, IP List, and IP Reputation.