What’s New
This chapter summarizes the features introduced in recent firmware releases.
FortiADC 4.3.2
Server Load Balancing Persistence—Added a Match Across Servers option to the Source Address affinity method. This option is useful when the client session for an application has connections over multiple ports (and thus multiple virtual servers). This option ensures the client continues to access the same backend server through different virtual servers for the duration of a session. See “Configuring persistence rules”.
Server Load Balancing TCP Multiplexing—Added support for HTTPS connections. See “TCP multiplexing”.
Global Load Balancing DNS Server—The negative caching TTL in the SOA resource record is now configurable. See “Configuring DNS zones”.
FortiADC 4.3.1
Virtual domains—Increased the maximum number of VDOMs on the following platforms:
FortiADC 700D — 30
FortiADC 1500D — 45
FortiADC 2000D — 60
FortiADC 4000D — 90
Health checks—Added an HTTP Connect health check that is useful for testing the availability of web cache proxies, such as FortiCache. See “Configuring health checks”.
ISP address book—Added a province location setting to the ISP address book. The province setting is used in GLB deployments in China to enable location awareness that is province-specific. For example, based on location, the DNS server can direct a user to a datacenter in Beijing or Guangdong rather than the broader location China. Only a predefined set of Chinese provinces is supported. See “Managing the ISP address books”.
Advanced routing—Exception list for reverse path route caching. See “Reverse path route caching”.
FortiADC 4.3.0
Authentication—Framework to offload authentication from backend servers. See “Configuring auth policies”.
Geo IP blocking—Policy that takes the action you specify when the virtual server receives requests from IP addresses in the blocked country’s IP address space. See “Using the Geo IP block list”.
Web application firewall—Protect against application layer attacks with policies such as signatures, HTTP protocol constraints, request URL and file extension patterns, and SQL/XSS injection detection. See “Using web application firewall policies”.
Scripts—Support for Lua scripts to perform actions that are not currently supported by the built-in feature set. See “Using scripts”.
SSL/TLS—Support for PFS ciphers. See “SSL Cipher Suites”.
Health check improvements—The SLB and LLB health check configuration has been combined and moved to System > Shared Resources. You can configure destination IP addresses for health checks. This enables you to test both the destination server and any related services that must be up for the server to be deemed available. Also added support for Layer 2 and SSH health checks. See “Configuring health checks”.
Port range—Support for virtual IP address with a large number of virtual ports. See “Configuring virtual servers”.
NAT46/64—Support for NAT46/64 by the SLB module. See “Using source pools”.
ISP address book—Framework for an ISP address book that simplifies the ISP route and LLB proximity route configuration. See “Managing the ISP address books”.
Proximity routes—Support for using ISP address book entries in the LLB proximity route table. See “Configuring proximity route settings”.
Backup pool member—Support for designating a link group or virtual tunnel group member as a “backup” that joins the pool when all of the main members are unavailable. See “Configuring a link group” and “Configuring a virtual tunnel group”.
Global load balancing—New framework that leverages the FortiGuard Geolocation database or the FortiADC predefined ISP address books to direct clients to the closest available FortiADC virtual servers. See “Global Load Balancing”.
Stateful firewall—If client-to-server traffic is allowed, the session is maintained in a state table, and the response traffic is allowed. See “Configuring a firewall policy”.
Virtual server traffic—Many of the firewall module features can be applied to virtual server traffic. Refer to “Security Features” and to the process flow in “Server load balancing configuration overview”.
ISP Routes—ISP routes are used for outbound traffic and link load balancing traffic. See “ISP Routes”.
HA upgrade—Simpler one-to-many upgrade from the primary node. See “Updating firmware for an HA cluster”.
HA status—HA status tab on the system dashboard.
HA remote login—You can use the execute ha manage command to connect to the command-line interface of a member node. See the CLI reference.
SNMPv3 support—See “Configuring SNMP”.
Statistics and log database to better support dashboard and report queries.
Improved dashboard—New time period options for the virtual server throughput graphs. See “Using the system dashboard”.
Improved reports—New report queries for SLB HTTP virtual server reports, including client IP address, client browser type, client OS, and destination URL. See “Using the Server Load Balance report”.
Backup & restore—Option to back up the entire configuration, including error page files, script files, and ISP address books. See “Backing up and restoring the configuration”.
New CLI commands to facilitate troubleshooting:
diagnose debug config-error-log—Use this command to see debug errors that might be generated after an upgrade or major configuration change.
diagnose debug crashlog—Use this command to manage crashlog files. Typically, you use these commands to gather information for Fortinet Services & Support.
execute statistics-db—Use this command to reset or restore traffic statistics.
config system setting—Use this command to configure log database behavior (overwrite or stop writing) when disk utilization reaches its capacity.
For details, see the CLI reference.
FortiADC 4.2.3
HTTPS and TCPS Profiles—Support for SHA-256 cipher suites. See “SSL Cipher Suites” for a table of supported SSL ciphers.
FortiADC 4.2.2
Content rewriting—Support for PCRE capture and back reference to write the Location URL in redirect rules. See “Using content rewriting rules”.
Web UI—You can clone configuration objects to quickly create similar configuration objects. If a configuration object can be cloned, the copy icon appears in the tools column for its summary configuration page.
Web UI—You can sort many of the configuration summary tables by column values. If a configuration summary table can be sorted, it includes sort arrows in the column headings. For example, the Server Load Balance > Virtual Server configuration summary page can be sorted by Availability, Status, Real Server pool, and so on. You can also sort the Dashboard > Virtual Server > Real Server list by column values, for example, by Availability, Status, Total Sessions, or throughput bytes.
FortiADC 4.2.1
Bug fixes only. See the release notes.
FortiADC 4.2.0
New web UI—An improved web UI.
New log subtypes—See “Logging and Reporting”.
New dashboard and report features—See “Logging and Reporting”.
Additional load balancing methods—Support for new methods based on a hash of a full URI, domain name, hostname, or destination IP address. See “Configuring methods”.
Predefined health checks—Helps you get started with your deployment. See “Configuring pools of real servers”.
Predefined persistence rules—Helps you get started with your deployment. See “Configuring persistence rules”.
HTTP Turbo profile—Improves the performance of HTTP applications that do not require our optional profile features. See “Configuring profiles”.
Layer 2 load balancing—Support for TCP profiles. See “Server load balancing”.
SNI support—Require clients to use the TLS extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client. You can also configure content routes based on SNI hostname values. See “Configuring profiles” and “Configuring content routes”.
Granular SSL configuration—Specify the SSL/TLS versions and encryption algorithms per profile. See “Configuring profiles”.
Connection rate limiting—Set a connection rate limit per real server or per virtual server. See “Configuring pools of real servers” and “Configuring virtual servers”.
HTTP transaction rate limiting—Set a rate limit on HTTP transactions per virtual server. See “Configuring virtual servers”.
Additional link load balancing methods—Support for new methods in link groups, including spillover and hash of the source IP address. See “Configuring a link group”.
Global load balancing—A new implementation of our DNS-based solution that enables you to deploy redundant resources around the globe that you can leverage to keep your business online when a local area deployment experiences unexpected spikes or downtime. See “Global Load Balancing”.
HA active-active clustering—Support for active-active clusters. See “High Availability Deployments”.
Administrator authentication enhancements—Support for authenticating users against LDAP and RADIUS servers. See “Using a RADIUS authentication server” and “Using an LDAP authentication server”.
Multinetting—You can configure a secondary IP address for a network interface when necessary to support deployments with backend servers that belong to different subnets. See “Configuring network interfaces”.
High speed logging—Supports deployments that require a high volume of logging activity. See “Configuring high speed logging”.
Packet Capture—Support for tcpdump. See the FortiADC CLI Reference.
FortiADC 4.1
No design changes. Bug fixes only.
FortiADC 4.0 Patch 2
No design changes. Bug fixes only.
FortiADC 4.0 Patch 1
No design changes. Bug fixes only.
FortiADC 4.0
VDOMs—Virtual domains (VDOMs) allow you to divide a FortiADC into two or more virtual units that are configured and function independently. The administrator for each virtual domain can view and manage the configuration for his or her domain. The admin administrator has access to all virtual domain configurations.
Caching – A RAM cache is a cache of HTTP objects stored in FortiADC's system RAM that are reused by subsequent HTTP transactions to reduce the amount of load on the backend servers.
IP Reputation—You can now block source IP addresses that have a poor reputation using data from the FortiGuard IP Reputation Service.
Layer 2 server load balancing – FortiADC can now load balance Layer 3 routers, gateways or firewalls. This feature is useful when the request’s destination IP is unknown and you need to load balance connections between multiple next-hop gateways. Supports HTTP, HTTPS and TCPS client-side connection profiles only.
Open Shortest Path First (OSPF) support—The new OSPF feature allows FortiADC to learn dynamic routes from or redistribute routes to neighboring routers.
HTTPS profile type for virtual servers—The HTTPS profile type provides a standalone HTTPS client-side connection profile.
Consistent Hash IP – The persistence policy type Hash IP has changed to Consistent Hash IP. Consistent hashing allows FortiADC to achieve session persistence more efficiently than traditional hashing.
Enhanced logs
FortiADC now supports a third type of log – attack log.
You can now download log messages using the FortiADC web UI.
The format of logs has changed. Because of this format change, if you upgrade from FortiADC 3.x, use the execute log-rebuild command to rebuild the log database.
FortiADC now exports log reports in HTML or PDF format only. RTF and plain text reports are no longer supported.
FortiADC 3.2.0
Link routing policies—You can now specify how FortiADC routes traffic for each available ISP link, including by source or destination address and port.
Virtual tunnels—You can now use tunneling between two FortiADC appliances to balance traffic across multiple links to each appliance. A typical scenario is a VPN between a branch office and headquarters for application-specific access.
Persistent routing—You can now configure connections that persist regardless of the FortiADC link load balancing activity. You can configure persistence based on source IP, destination IP, and subnet.
Proximity-based routing—Maximize WAN efficiency by using link proximity to determine latency between FortiADC and remote WAN sites so that FortiADC can choose the best route for traffic.
Scheduled link load balancing—You can now apply a link load balancing policy during a specific time period.
One-to-one (1-to-1) NAT—You can now fully define how each individual source and destination IP address will be translated. This feature is useful when you require a different NAT range for each ISP.
PPPoE interface support—To support DSL connectivity, you can now configure interfaces to use PPPoE (Point-to-Point Protocol over Ethernet) to automatically retrieve their IP address configuration.
FortiADC 3.1.0
Custom error page—You can now upload a custom error page to FortiADC that it can use to respond to clients when HTTP service is unavailable.
Full NAT for Layer 3/4 load balancing—Layer 3/4 load balancing now supports full NAT (translation of both source and destination IP addresses). FortiADC can now round robin among a pool of source IP addresses for its connections to backend servers.
Standby server—You can now configure FortiADC to forward traffic to a hot standby (called a Backup Server) when all other servers in the pool are unavailable.
Log cache memory—To avoid hard disk wear and tear, FortiADC can cache logs in memory and then periodically write them to disk in bulk. Previously, FortiADC always wrote each log message to disk instantaneously.
HA sync for health check status with IPv6—For high availability FortiADC clusters, the Layer 4 health check status of IPv6-enabled virtual servers is now synchronized.
FortiADC 3.0.0
Link load balancing—FortiADC now supports load balancing among its links, in addition to distributing among local and globally distributed servers. Depending on whether the traffic is inbound or outbound, different mechanisms are available: outbound can use weighted round robin; inbound can use DNS-based round robin or weighted round robin.
HTTP response compression—FortiADC can now compress responses from your backend servers, allowing you to offload compression from your backend servers for performance tuning that delivers faster replies to clients.
Quality of service (QoS)—FortiADC now can guarantee bandwidth and queue based upon source/destination address, direction, and network service.
Source NAT (SNAT)—When applying NAT, FortiADC can now apply either static or dynamic source NAT, depending on your preference.
Session persistence by source IP segment—FortiADC now can apply session persistence for entire segments of source IPs such as Previously, session persistence applied to a single source IP.
Health check enhancements—FortiADC now supports additional health check types for servers that respond to these protocols: email (SMTP, POP3, IMAP), TCPS, TCP SYN (half-open connection), SNMP, and UDP.
HA enhancements—FortiADC HA now synchronizes Layer 3/4 and Layer 7 sessions and connections for session persistence and uninterrupted connections when the standby assumes control of traffic.
FortiADC 2.1.0
Support for FortiADC 200D and FortiADC VM—FortiADC software has been released to support these new platforms.