Administration Guide

What's new

FortiWeb 7.2.0 offers the following new features and enhancements.

API Gateway enhancements

  • A User Rate Limit setting is added in API Protection > API Gateway to rate-limit API requests per user. When enabled, once a user sends too many API requests, subsequent requests from the same user are blocked.

  • X-RateLimit-* headers can be added to the response when a user exceeds the rate limit. They convey the request limit, the number of remaining requests, and the minimum time the user must wait before sending the next request.

  • More ways to secure the API key: the standard API key can now be refreshed, and dynamic keys and third-party keys such as JWT are also supported.

For more information, see API gateway.
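The following added example (not FortiWeb code) illustrates the behaviour described above: a per-user sliding-window limiter that blocks a user once the limit is exceeded and reports the limit, the remaining requests and the minimum wait in X-RateLimit-* headers. The limit, window and the header names beyond the X-RateLimit-* prefix are assumptions chosen for the illustration.

```python
import math
from collections import defaultdict, deque


class UserRateLimiter:
    """Per-user sliding-window limiter that also emits X-RateLimit-* headers.

    Illustration of the behaviour described above, not FortiWeb code: once a
    user exceeds the limit, further requests are blocked and the response
    reports the limit, the remaining requests and the minimum wait.
    Header names other than the X-RateLimit-* prefix are assumptions.
    """

    def __init__(self, limit=5, window=60.0):
        self.limit = limit          # constructed: requests allowed per window
        self.window = window        # constructed: window length in seconds
        self._hits = defaultdict(deque)  # user -> timestamps of accepted requests

    def check(self, user, now):
        """Decide one request from `user` at time `now`; return (allowed, headers)."""
        q = self._hits[user]
        # Forget accepted requests that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) < self.limit:
            q.append(now)              # blocked requests are not counted
            remaining, wait = self.limit - len(q), 0
        else:
            remaining = 0
            # Seconds until the oldest counted request leaves the window.
            wait = math.ceil(self.window - (now - q[0]))
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(remaining),
        }
        if wait:
            headers["X-RateLimit-Reset"] = str(wait)  # assumed name for the wait time
        return wait == 0, headers


if __name__ == "__main__":
    rl = UserRateLimiter()
    for t in range(6):  # constructed burst: six requests in six seconds
        allowed, hdrs = rl.check("alice", now=float(t))
        print(t, "allowed" if allowed else "blocked", hdrs)
```

The sixth request in the burst is blocked with X-RateLimit-Remaining 0 and a wait of 55 seconds, while a different user is unaffected.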

Parameter Validation enhancements

You can now configure the following options in Parameter Validation:

  • Whether the parameters to be scanned are in the URL or in the request body;

  • The maximum number of parameters allowed in a request;

  • Whether to check parameters in JSON bodies.

For more information, see Validating parameters (“input rules”).
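As an added example (not FortiWeb code), the snippet below models the three options above: a policy decides whether query-string and body parameters are scanned, whether JSON bodies are descended into, and how many parameters a request may carry. The request dictionaries, the policy keys and the sample values are all constructed for the illustration.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed policy mirroring the three options above; not FortiWeb's config schema.
POLICY = {"scan_url": True, "scan_body": True, "check_json": True, "max_parameters": 10}


def _flatten_json(value, prefix=""):
    """Yield (dotted_name, leaf) pairs so every nested JSON leaf counts as one parameter."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _flatten_json(v, f"{prefix}.{k}" if prefix else str(k))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _flatten_json(v, f"{prefix}[{i}]")
    else:
        yield prefix, value


def extract_parameters(request, policy=POLICY):
    """Collect (name, value) pairs from the query string and/or body as the policy allows."""
    params = []
    if policy["scan_url"]:
        params += parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True)
    if policy["scan_body"] and request.get("body"):
        ctype = request.get("content_type", "")
        if ctype.startswith("application/json"):
            if policy["check_json"]:           # JSON bodies are only parsed when enabled
                params += list(_flatten_json(json.loads(request["body"])))
        elif ctype.startswith("application/x-www-form-urlencoded"):
            params += parse_qsl(request["body"], keep_blank_values=True)
    return params


def validate(request, policy=POLICY):
    """Apply the parameter-count limit; return (allowed, reason)."""
    try:
        params = extract_parameters(request, policy)
    except ValueError:                          # json.JSONDecodeError is a ValueError
        return False, "malformed JSON body"
    if len(params) > policy["max_parameters"]:
        return False, f"{len(params)} parameters exceed limit {policy['max_parameters']}"
    return True, f"{len(params)} parameter(s) scanned"


# Constructed sample requests: a normal JSON login and a query-string flood.
NORMAL = {"url": "/api/login?lang=en", "content_type": "application/json",
          "body": '{"user": "alice", "token": {"type": "jwt", "value": "abc"}}'}
FLOOD = {"url": "/search?" + "&".join(f"p{i}=1" for i in range(12)), "body": ""}
```

With the default policy, NORMAL yields four parameters (one from the URL, three JSON leaves) and passes, while FLOOD carries twelve query parameters and is rejected; disabling check_json drops the JSON leaves from the count.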

Client Management enhancements

  • You can now configure multiple Threat Score profiles in an ADOM.

  • In addition to Block Period by IP or Client ID, you can also set the action to Alert or Alert&Deny for suspicious and malicious clients.

  • You can limit the Threat Score threshold calculation to signature violations only. When enabled, the action is taken based on the calculated threshold rather than on the action configured for the signature category.

  • Multiple historical threats are now recorded in Client Management attack logs.

For more information, see Client management.

Sensitivity level for signatures available in GUI

You can now set the sensitivity level for signatures in the GUI as well as in the CLI.

Added to the CLI only in version 7.0.2, this feature lets you choose from four categories of attack signatures (L1 to L4) based on their sensitivity to false positives and their requirement for a higher security level. Each level adds more signatures, increasing security but also the possibility of blocking legitimate traffic.

FortiToken mobile notification

If you are using a FAC RADIUS server to authenticate clients, FortiWeb can now automatically send a FortiToken Mobile notification to clients for an extra token authentication step.

Run the following commands to enable it:

config user radius-user
  edit "fac-radius"
    set fac-push enable
  next
end

Server policy tags

Administrators can now assign tags to server policies. This helps label server policies for later use, such as sorting, filtering and acknowledging policies.

For more information, see Configuring a server policy.

Certificate verification for LDAP server

LDAP authentication now supports certificate and hostname verification for TLS connections. Both commercial and private certificates are supported.

TLS-ALPN-01 and DNS challenges from Let's Encrypt

To avoid using port 80 on FortiWeb when Let's Encrypt validates your ownership of the domain names, the following two challenge methods are now supported:

  • TLS-ALPN-01: This method lets Let's Encrypt validate by sending HTTPS requests to FortiWeb. It requires the HTTPS service to be enabled on FortiWeb.

  • DNS-01: This method lets Let's Encrypt validate through your DNS provider. FortiWeb generates a TXT record, which you then add to your DNS records.

For more information, see Let's Encrypt certificates.

Tracking users with JSON format login

Users can now be tracked when login credentials are submitted in JSON format, such as in token-based API logins.

Lua script update

A new predefined Lua script, "HTTP_REWRITE_BODY", is added. It can be used to find, remove, and replace data in the body of an HTTP request. For example, during Site Publishing authentication you can use it to parse and modify the Username field in the HTTP request body before it is sent to the back-end server.

For more information, see "Data Collect" and "Body Rewrite" in Script Reference.

Global resource

A Global Resources page is added under System to display the current usage and maximum configuration values of the FortiWeb appliance.

HA debug enhancement

HA debug commands are enhanced to be more user-friendly.

For more information, see debug asan.

Debug file download for the secondary appliances

The debug file for the secondary FortiWeb can now be downloaded in System > High Availability > Topology of the primary node in an HA group.

Real time packet capture

Packet captures and flow debug logs can now be recorded in real time and viewed in Network > Packet Capture.

TCP buffer size increase

The TCP buffer size can now be set to at most 3992 KB. Run:

config system network-option
  set tcp-buffer ultra
end

ASAN executable integrated into debug symbol file

To simplify ASAN (AddressSanitizer) deployment, the ASAN binaries are now bundled in the debug symbol file "image.out.debug.zip", which can be loaded onto FortiWeb through Maintenance > Debug > Upload Debug Symbol File.

For more information, see debug asan.

Event log on JSON Schema file upload failure

The error message shown when a JSON Schema file upload fails now gives more detail on the possible causes, and an event log is also recorded.

Administrator password hash change

The administrator user password hash is changed from SHA-1 to SHA-256 in this release.

If you upgrade FortiWeb from a previous version to 7.2.0, existing hashes are kept as they were, but when an administrator changes their password or a new admin user is added, the password is hashed with SHA-256.

If you downgrade from 7.2.0 to an earlier release, you may need to convert the password hashes or recreate the lost accounts, depending on the version you downgrade to. A notification message is displayed if the system detects that action is needed on the administrator accounts; follow the instructions accordingly.

For more information, see "Downgrading to a previous release > Admin user password hash change" in FortiWeb Release Notes.

Support disabling config-sync port

To improve security, you can now disable port 995 if you do not need config sync. This option is added in System > Admin > Settings.

The port is switched to the disabled state when you upgrade from a version earlier than 7.2.0, so remember to enable it when you need to run config sync.

Global menu not available to ADOM users

The Global menu in GUI and the global commands in CLI will no longer be available to ADOM Users.

New platform support

FortiWeb 1000F is introduced in this release.

Flex-VM license importing through Cloud-init

For FortiWeb deployed on AWS, you can now import the Flex-VM license through Cloud-init.
