What's new
External IP Address Auto-Retrieval
In IP Protection > IP List, you can now not only manually specify IP addresses to trust or block but also configure the system to automatically retrieve the IP list from an external HTTP/HTTPS server.
For more information, see IP Address Connector.
Continuous learning in ML based API Protection
ML-based API protection now incorporates continuous adjustment of its API learning models to adapt to changes in the API schema. This includes scenarios such as the introduction of new APIs, modifications to existing parameters, etc.
For more information, see Configuring ML Based API Protection policy.
Automation
You can configure FortiWeb to automatically take actions (run CLI commands or send an email notification) when a certain event log occurs. Set the trigger and action in Security Fabric > Automation.
For more information, see Automation.
OWASP Top10 Compliance dashboard
We have introduced the OWASP Top10 Compliance monitor in Dashboard.
- It measures your compliance rate against the OWASP Application Security Top10.
- It analyzes the security configuration of every application and breaks down the Top10 categories to provide information on which requirements have been addressed and which haven't.
- It allows you to assess the effectiveness of your security policies and identify gaps.
For more information, see OWASP Top 10 Compliance.
FortiWeb Kubernetes Ingress Controller
FortiWeb Ingress Controller fulfills the Kubernetes Ingress resources and allows you to automatically update FortiWeb objects from Kubernetes.
For more information, see Ingress Controller.
gRPC protocol constraints
FortiWeb now provides enhanced security measures for gRPC API traffic, offering a range of protection controls, including signature scanning, rate limiting, and size limiting.
For more information, see gRPC protocol.
OIDC authentication support
FortiWeb now supports the integration of OAuth authorization with OIDC (OpenID Connect) to facilitate user identity verification. This enhancement allows you to leverage OIDC for a more secure user authorization and authentication process.
For more information, see OAuth authorization & OIDC authentication.
Okta OAuth template
In User > OAuth Server, you can now find a pre-defined OAuth request template specifically designed for user authorization and authentication with Okta.
For more information, see OAuth authorization & OIDC authentication.
Bot Trait Checking
Bot Trait Checking is now introduced in Biometrics Based Detection. It adds a further layer of detection to check whether requests are generated by bots. It analyzes the traits of client events, for instance mouse movement (mouse position and timing information) and keystroke timing information.
For more information, see "Bot Trait Checking" in Configuring biometrics based detection.
FortiView Log Analysis
A new FortiView monitor named Log Analysis is introduced. It assists in deciding which exception rules to add to avoid false positives. The Log Analysis feature summarizes the common characteristics of specific attack log categories. For instance, it displays the HTTP methods, request URLs, and locations of the SQL injection violations.
HTTP Protocol Constraints enhancement
- The following HTTP Protocol Constraints checking points are now supported:
  - Present with Transfer Encoding
  - Inconsistent with Body Length
  - Missing Host
  - Range Overlapping
  - Multipart/form-data Bad Request
- The default value of the HTTP/2 Frame constraints is set to Disable to mitigate false positives.
- The Redundant HTTP Headers attack logs now record the context where the anomaly happened.
For more information, see HTTP/HTTPS protocol constraints.
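The anomalies behind the new checking points are easier to reason about in code. The following is an added illustrative example, not FortiWeb code: each check is written as a plain function over a raw HTTP/1.1 request, with constructed sample requests. The page does not describe the exact conditions FortiWeb applies, so the interpretation of each check name (for instance, "Present with Transfer Encoding" read as Content-Length appearing alongside Transfer-Encoding) is an assumption.

```python
# Added illustrative example (not FortiWeb code): the request anomalies behind the
# HTTP Protocol Constraints checking points, implemented as plain checks over a raw
# HTTP/1.1 request. The sample requests are constructed for the demonstration, and the
# meaning assigned to each check name is an assumption, not FortiWeb's definition.
import re


def parse_request(raw: bytes):
    """Split a raw request into (request line, [(lowercased name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers, body


def header_values(headers, name):
    return [v for n, v in headers if n == name]


def ranges_overlap(range_value: str) -> bool:
    """True if two absolute byte ranges in a Range header cover the same bytes.
    Suffix ranges (bytes=-N) need the entity size to resolve, so they are ignored here."""
    m = re.fullmatch(r"bytes=(.*)", range_value.strip())
    if not m:
        return False
    spans = []
    for part in m.group(1).split(","):
        mm = re.fullmatch(r"(\d+)-(\d*)", part.strip())
        if mm:
            end = int(mm.group(2)) if mm.group(2) else float("inf")
            spans.append((int(mm.group(1)), end))
    spans.sort()
    return any(s2 <= e1 for (s1, e1), (s2, e2) in zip(spans, spans[1:]))


def check_constraints(raw: bytes) -> list:
    """Return the names of the checking points the request trips."""
    request_line, headers, body = parse_request(raw)
    findings = []
    te = header_values(headers, "transfer-encoding")
    cl = header_values(headers, "content-length")

    # Missing Host: HTTP/1.1 requires exactly one Host header.
    if request_line.endswith("HTTP/1.1") and len(header_values(headers, "host")) != 1:
        findings.append("Missing Host")

    # Present with Transfer Encoding: Content-Length alongside Transfer-Encoding is the
    # ambiguity that request-smuggling attacks exploit between front end and back end.
    if te and cl:
        findings.append("Present with Transfer Encoding")

    # Inconsistent with Body Length: the declared length must be a single integer that
    # matches the bytes actually received.
    if cl and not te:
        try:
            declared = {int(v) for v in cl}
        except ValueError:
            declared = set()
        if declared != {len(body)}:
            findings.append("Inconsistent with Body Length")

    # Range Overlapping: overlapping ranges inflate the response for little request cost.
    if any(ranges_overlap(v) for v in header_values(headers, "range")):
        findings.append("Range Overlapping")

    # Multipart/form-data Bad Request: a multipart body must declare a boundary and use it.
    for ctype in header_values(headers, "content-type"):
        if ctype.lower().startswith("multipart/form-data"):
            bm = re.search(r'boundary="?([^";]+)"?', ctype)
            if not bm or b"--" + bm.group(1).encode() not in body:
                findings.append("Multipart/form-data Bad Request")
    return findings


# Constructed sample requests (not captured traffic).
SMUGGLE = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
SHORT_BODY = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 50\r\n\r\nuser=a"
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: probe\r\n\r\n"
OVERLAP = b"GET /big.iso HTTP/1.1\r\nHost: app.example\r\nRange: bytes=0-499,100-600\r\n\r\n"
BAD_MULTIPART = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                 b"Content-Type: multipart/form-data; boundary=XYZ\r\nContent-Length: 10\r\n\r\n"
                 b"notapart\r\n")
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: app.example\r\nRange: bytes=0-99,200-299\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("SMUGGLE", SMUGGLE), ("SHORT_BODY", SHORT_BODY), ("NO_HOST", NO_HOST),
                      ("OVERLAP", OVERLAP), ("BAD_MULTIPART", BAD_MULTIPART), ("CLEAN", CLEAN)]:
        print(f"{name}: {check_constraints(req)}")
```

The Content-Length plus Transfer-Encoding case is the one to take seriously: a front end and a back end that disagree on which header wins will split the byte stream at different points, which is the root of request smuggling. Blocking that combination outright at the WAF is the simplest consistent answer, and the check above mirrors that choice.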
More flexible rules for URL Rewriting
We have implemented the following enhancements in URL Rewriting.
For HTTP request:
- Support rewriting HTTP Method in HTTP header
- Support rewriting HTTP body
For HTTP response:
- Support rewriting Status code
For both HTTP request and response:
- Support removing all the matched headers
- Support replacing existing header's name
For URL Rewriting condition, we now support matching "multipart/form-data" and "application/x-www-form-urlencoded" content types.
For more information, see Rewriting & redirecting.
X-Forwarded-For header enhancement
You can now specify where the client IP address is inserted within the X-Forwarded-For header. Additionally, you can delete or merge the X-Forwarded-For headers already present in the request as needed.
For more information, see Defining your proxies, clients, & X-headers.
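To make the placement and merge options concrete, here is an added illustrative example, not FortiWeb code. It shows both halves of the problem: how a proxy records the address it received the request from (position and treatment of existing headers), and how the receiving side recovers the real client address by trusting only its own proxies. The mode names ("append"/"prepend", "keep"/"merge"/"delete"), the sample headers and the trusted proxy addresses are assumptions for the demonstration, not FortiWeb's option names.

```python
# Added illustrative example (not FortiWeb code): X-Forwarded-For handling on the
# forwarding side and on the receiving side. Mode names, sample headers and trusted
# proxy addresses are assumptions for the demonstration.

XFF = "X-Forwarded-For"


def forward_xff(headers, peer_ip, position="append", existing="keep"):
    """Return a new header list with peer_ip (the address this hop received the
    request from) recorded in X-Forwarded-For.

    position: "append" puts peer_ip after existing hops (the conventional order,
              nearest hop last); "prepend" puts it first.
    existing: "keep" leaves prior XFF headers as separate headers and adds one more,
              "merge" collapses everything into a single comma-separated header,
              "delete" discards whatever the client or upstream proxies sent.
    """
    prior = [v for n, v in headers if n.lower() == XFF.lower()]
    others = [(n, v) for n, v in headers if n.lower() != XFF.lower()]
    if existing == "delete":
        return others + [(XFF, peer_ip)]
    if existing == "merge":
        hops = [h.strip() for v in prior for h in v.split(",") if h.strip()]
        chain = hops + [peer_ip] if position == "append" else [peer_ip] + hops
        return others + [(XFF, ", ".join(chain))]
    if existing != "keep":
        raise ValueError(f"unknown existing-header mode: {existing}")
    kept = [(XFF, v) for v in prior]
    new = [(XFF, peer_ip)]
    return others + (kept + new if position == "append" else new + kept)


def real_client_ip(headers, peer_ip, trusted_proxies):
    """Recover the client address on the receiving side.

    Walk the chain from the right, i.e. from the hop nearest to us, and skip every
    address that is one of our own trusted proxies. The left-most entries are whatever
    the client chose to send, so they are only believable once every hop to their right
    is a proxy we trust.
    """
    hops = []
    for n, v in headers:
        if n.lower() == XFF.lower():
            hops.extend(h.strip() for h in v.split(",") if h.strip())
    for ip in reversed(hops + [peer_ip]):
        if ip not in trusted_proxies:
            return ip
    return hops[0] if hops else peer_ip  # every hop was one of ours


# Constructed sample: the upstream proxy 10.0.0.5 already recorded the client 203.0.113.9;
# this hop received the request from 10.0.0.5 and hands it to a back end as 10.0.0.6.
SAMPLE_HEADERS = [("Host", "app.example"), (XFF, "203.0.113.9")]
TRUSTED = {"10.0.0.5", "10.0.0.6"}

if __name__ == "__main__":
    merged = forward_xff(SAMPLE_HEADERS, "10.0.0.5", "append", "merge")
    print(merged)
    print(real_client_ip(merged, "10.0.0.6", TRUSTED))
    # A client that forges the header itself does not get to pick the answer:
    print(real_client_ip([(XFF, "1.1.1.1")], "198.51.100.7", TRUSTED))
```

The delete option is the safe choice when the hop in front of FortiWeb is not one you control, because it throws away anything the client could have forged; the cost is that a legitimate upstream proxy's record of the original client is lost too. Merging keeps that record, so it only makes sense when every earlier hop is trusted.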
CAPTCHA Challenge enhancement
You can now configure the CAPTCHA challenge at one of three difficulty levels (easy, medium, or hard):
config system global
set captcha-challenge-difficulty {easy | medium | hard}
end
For more information, see config system global.
Host name protection enhancement
When defining protected host names, you now have the option to enable Override Headers. This allows host names to be identified even if they are overridden with certain headers.
For more information, see "Override Headers" in Defining your protected/allowed HTTP “Host:” header names.
Default Domain Prefix support for NTLM delegation method
When using the NTLM delegation method, you can now specify a default domain prefix so that users can log in without entering the domain name.
For more information, see Offloaded authentication and optional SSO configuration.
Multiple IP addresses and ranges in HTTP Content Routing rule
The Source IP field of the HTTP Content Routing rule now supports multiple IP addresses and ranges.
Cache mode in Parameter Validation
You can now enable cache mode so that the Parameter Validation module buffers the entire request before validating and forwarding it. Run the following command:
config waf parameter-validation-rule
edit <input_rule_name>
set cache-mode enable
next
end
For more information, see config waf parameter-validation-rule.
Web cache exception based on HTTP return codes
You now have the option to utilize HTTP return codes as a factor to exclude pages from being cached.
For more information, see Caching.
Allow-listing Let's Encrypt challenge request
A predefined allow list for Let's Encrypt has been added to Global Allow List and Policy Based Allow List. If you are using Let's Encrypt to generate a certificate, it is recommended to enable this allow list; otherwise certificate retrieval may fail because the challenge requests from Let's Encrypt are blocked.
Configuration restore from SFTP and FTP servers
You can now run execute restore config sftp/ftp and execute restore cert-config sftp/ftp to restore the configuration or certificate files from an SFTP or FTP server.
For more information, see restore cert-config and restore config.
Session based persistence
Persistence information is now checked per transaction rather than per connection. Transactions with distinct persistence information are directed to different back-end servers to ensure optimal load balancing. This is useful when FortiWeb is deployed behind a proxy such as Cloudflare, which forwards different customers' traffic within the same connection.
Run the following command to enable it:
config server-policy policy
edit <server-policy_name>
set transaction-based-persistence enable
next
end
CRL validation enhancement
You now have the option to allow the use of previously retrieved Certificate Revocation Lists (CRLs) in situations where the current CRL distribution point retrievals fail, are pending, or if you want to manually upload a CRL file.
config system certificate verify
set crl-allow-expired enable
end
We recommend enabling this only as a temporary measure when the CRL has expired. Use the most up-to-date CRL file at all times whenever possible, so that clients presenting revoked certificates are promptly blocked.
For more information on the CRL file, see Revoking certificates.
SSO login with FortiCloud accounts
You can now use FortiCloud accounts to log in to FortiWeb.
When Allow administrative login using FortiCloud SSO in System > Admin > Settings is enabled, users will see the Sign in with FortiCloud button on FortiWeb's login page.
Remote Access in FortiCloud
You can now remotely access FortiWeb in FortiCloud.
For more information, see "FortiCloud Management" in Status dashboard.