Administration Guide

What's new

External IP Address Auto-Retrieval

In IP Protection > IP List, you can now not only manually specify IP addresses to trust or block but also configure the system to automatically retrieve the IP list from an external HTTP/HTTPS server.

For more information, see IP Address Connector.

Continuous learning in ML based API Protection

ML-based API protection now incorporates continuous adjustment of its API learning models to adapt to changes in the API schema. This includes scenarios such as the introduction of new APIs, modifications to existing parameters, etc.

For more information, see Configuring ML Based API Protection policy.

Automation

You can configure FortiWeb to automatically take actions (run CLI commands or send an email notification) when a specific event log occurs. Set the trigger and action in Security Fabric > Automation.

For more information, see Automation.

OWASP Top10 Compliance dashboard

We have introduced the OWASP Top10 Compliance monitor in Dashboard.

  • It measures your compliance rate against the OWASP Application Security Top10.

  • It analyzes the security configuration of every application and breaks down the Top10 categories to provide information on which requirements have been addressed and which haven’t.

  • It allows you to assess the effectiveness of your security policies and identify gaps.

For more information, see OWASP Top 10 Compliance.

FortiWeb Kubernetes Ingress Controller

FortiWeb Ingress Controller fulfills Kubernetes Ingress resources and allows you to automatically update FortiWeb objects from Kubernetes.

For more information, see Ingress Controller.

gRPC protocol constraints

FortiWeb now provides enhanced security measures for gRPC API traffic, offering a range of protection controls, including signature scanning, rate limiting, and size limiting.

For more information, see gRPC protocol.

OIDC authentication support

FortiWeb now supports the integration of OAuth authorization with OIDC (OpenID Connect) to facilitate user identity verification. This enhancement allows you to leverage OIDC for a more secure user authorization and authentication process.

For more information, see OAuth authorization & OIDC authentication.

Okta OAuth template

In User > OAuth Server, you can now find a pre-defined OAuth request template specifically designed for user authorization and authentication with Okta.

For more information, see OAuth authorization & OIDC authentication.

Bot Trait Checking

Bot Trait Checking is now introduced in Biometrics Based Detection. It implements an additional layer of detection to check whether requests are generated by bots. It analyzes the traits of client events, for instance mouse movement (mouse position and timing information) and keyboard timing information.

For more information, see "Bot Trait Checking" in Configuring biometrics based detection.

FortiView Log Analysis

A new FortiView monitor named Log Analysis is introduced. It assists in deciding which exception rules to add to avoid false positives. The Log Analysis feature summarizes the common characteristics of specific attack log categories. For instance, it displays the HTTP methods, request URLs, and locations of SQL injection violations.

HTTP Protocol Constraints enhancement

  • The following HTTP Protocol Constraints checking points are now supported:

    • Present with Transfer Encoding

    • Inconsistent with Body Length

    • Missing Host

    • Range Overlapping

    • Multipart/form-data Bad Request

  • The default value of the HTTP/2 Frame constraints is set to Disable to mitigate false positives.

  • The Redundant HTTP Headers attack logs now record the context where the anomaly happened.

For more information, see HTTP/HTTPS protocol constraints.
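
As an added illustration (example code, not FortiWeb's implementation) of what the Transfer-Encoding, body-length, Host and Range checking points above look for, this Python checker parses a constructed HTTP/1.1 request and reports which of those named constraints it violates. The multipart/form-data check is not modelled, and the Range check skips suffix ranges (such as "-500"), which need the resource size to resolve.

```python
import re

# Constructed sample requests for the checker (not captured traffic).
SAMPLE_OK = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_BAD = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n"
              b"Range: bytes=0-100, 50-200\r\n\r\nabc")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (start line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def ranges_overlap(range_value: str) -> bool:
    """True if two byte ranges in a Range header value intersect.
    Suffix ranges such as "-500" are skipped: resolving them needs the
    resource size, which a request-side check does not have."""
    spans = []
    for part in range_value.replace("bytes=", "").split(","):
        m = re.fullmatch(r"\s*(\d*)-(\d*)\s*", part)
        if not m or not m.group(1):
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else float("inf")
        spans.append((lo, hi))
    spans.sort()
    return any(spans[i][1] >= spans[i + 1][0] for i in range(len(spans) - 1))

def check_constraints(raw: bytes) -> list:
    """Return the names of the protocol constraints the request violates."""
    _, headers, body = parse_request(raw)
    names = {n for n, _ in headers}
    lengths = [v for n, v in headers if n == "content-length"]
    violations = []
    if "host" not in names:
        violations.append("Missing Host")
    if lengths and "transfer-encoding" in names:
        # Two framing mechanisms at once: the body boundary is ambiguous.
        violations.append("Present with Transfer Encoding")
    if lengths and (not lengths[0].isdigit() or int(lengths[0]) != len(body)):
        violations.append("Inconsistent with Body Length")
    if any(ranges_overlap(v) for n, v in headers if n == "range"):
        violations.append("Range Overlapping")
    return violations
```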

More flexible rules for URL Rewriting

We have implemented the following enhancements in URL Rewriting.

For HTTP request:

  • Support rewriting HTTP Method in HTTP header

  • Support rewriting HTTP body

For HTTP response:

  • Support rewriting Status code

For both HTTP request and response:

  • Support removing all the matched headers

  • Support replacing existing header's name

For URL Rewriting condition, we now support matching "multipart/form-data" and "application/x-www-form-urlencoded" content types.

For more information, see Rewriting & redirecting.

X-Forwarded-For header enhancement

You can now specify the position at which the client IP address is added within the X-Forwarded-For header. Additionally, you can delete or merge the previous X-Forwarded-For headers as needed.

For more information, see Defining your proxies, clients, & X-headers.
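
To make the placement and merge/delete behaviour described above concrete, here is an added Python example (not FortiWeb's code) that records the connecting client's address in X-Forwarded-For. The header list, the client address and the option names "first"/"last" and "keep"/"merge"/"delete" are this example's own constructed inputs and vocabulary, not FortiWeb settings.

```python
# Constructed sample headers: two X-Forwarded-For headers already added by
# upstream proxies (not captured traffic). CLIENT_IP is the peer address
# the WAF itself sees; the name is this example's, not a FortiWeb setting.
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("X-Forwarded-For", "203.0.113.10, 198.51.100.7"),
    ("X-Forwarded-For", "192.0.2.44"),
]
CLIENT_IP = "198.51.100.200"

def _hops(value: str) -> list:
    """Split a comma-separated X-Forwarded-For value into its addresses."""
    return [h.strip() for h in value.split(",") if h.strip()]

def _join(hops: list, client_ip: str, position: str) -> str:
    """Put client_ip at the front or the end of the hop list."""
    ordered = [client_ip] + hops if position == "first" else hops + [client_ip]
    return ", ".join(ordered)

def add_forwarded_for(headers, client_ip, position="last", previous="keep"):
    """Return a new header list recording client_ip in X-Forwarded-For.

    position: "first" | "last"   where client_ip goes inside the value
    previous: "keep"   leave earlier headers alone, extend the last one
              "merge"  fold every existing header into a single one
              "delete" discard existing headers and start a fresh one
    """
    xff = [(i, v) for i, (n, v) in enumerate(headers) if n.lower() == "x-forwarded-for"]
    others = [h for h in headers if h[0].lower() != "x-forwarded-for"]
    if previous == "delete" or not xff:
        return others + [("X-Forwarded-For", client_ip)]
    if previous == "merge":
        hops = [h for _, v in xff for h in _hops(v)]
        return others + [("X-Forwarded-For", _join(hops, client_ip, position))]
    out = list(headers)                      # "keep": only the last header changes
    idx, value = xff[-1]
    out[idx] = ("X-Forwarded-For", _join(_hops(value), client_ip, position))
    return out

def forwarded_for_values(headers) -> list:
    """All X-Forwarded-For values present, in header order."""
    return [v for n, v in headers if n.lower() == "x-forwarded-for"]
```

Because every value in the inbound headers was written by someone else, only the address the WAF itself appends is trustworthy; the merge mode preserves the full chain so that provenance is not lost.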

CAPTCHA Challenge enhancement

You can now configure the CAPTCHA challenge difficulty level (easy, medium, or hard).

config system global

set captcha-challenge-difficulty {easy | medium | hard}

end

For more information, see config system global.

Host name protection enhancement

When defining protected host names, you now have the option to enable Override Headers. This allows host names to be identified even if they are overridden with certain headers.

For more information, see "Override Headers" in Defining your protected/allowed HTTP “Host:” header names.

Default Domain Prefix support for NTLM delegation method

When using the NTLM delegation method, you can now specify a default domain prefix so that users can log in without entering the domain name.

For more information, see Offloaded authentication and optional SSO configuration.

Multiple IP addresses and ranges in HTTP Content Routing rule

The Source IP field of the HTTP Content Routing rule now supports multiple IP addresses and ranges.

Cache mode in Parameter Validation

You now have the option to enable cache mode so that the Parameter Validation module will store the entire request in a cache before performing validation and forwarding. Run the following command:

config waf parameter-validation-rule

edit <input_rule_name>

set cache-mode enable

next

end

For more information, see config waf parameter-validation-rule.

Web cache exception based on HTTP return codes

You can now use HTTP return codes as a criterion for excluding pages from the web cache.

For more information, see Caching.

Allow-listing Let's Encrypt challenge request

A predefined allow list for Let's Encrypt has been added to Global Allow List and Policy Based Allow List. If you are using Let's Encrypt to generate a certificate, it is recommended to enable this allow list; otherwise, requests from Let's Encrypt may be blocked, causing certificate retrieval failures.

Configuration restore from SFTP and FTP servers

You can now run execute restore config sftp/ftp and execute restore cert-config sftp/ftp to restore the configuration or certificate files from an SFTP or FTP server.

For more information, see restore cert-config and restore config.

Session based persistence

Persistence information is now checked per transaction rather than per connection. Transactions with distinct persistence information are directed to different back-end servers to ensure optimal load balancing. This is useful in scenarios such as FortiWeb deployed behind Cloudflare, which forwards different customers' traffic within the same connection.

Run the following command to enable it:

config server-policy policy

edit <server-policy_name>

set transaction-based-persistence enable

next

end

CRL validation enhancement

You now have the option to allow the use of previously retrieved Certificate Revocation Lists (CRLs) when retrieval from the current CRL distribution point fails or is pending, or when you want to manually upload a CRL file.

config system certificate verify

set crl-allow-expired enable

end

We highly recommend enabling this only as a temporary solution when the CRL has expired. Ideally, use the most up-to-date CRL file at all times so that clients presenting revoked certificates can be promptly blocked.

For more information on the CRL file, see Revoking certificates.

SSO login with FortiCloud accounts

You can now use FortiCloud accounts to log in to FortiWeb.

When Allow administrative login using FortiCloud SSO in System > Admin > Settings is enabled, users will see the Sign in with FortiCloud button on FortiWeb's login page.

Remote Access in FortiCloud

You can now remotely access FortiWeb in FortiCloud.

For more information, see "FortiCloud Management" in Status dashboard.
