What’s new
The tables below list commands which have changed since FortiWeb 5.2, including new commands, syntax changes, and new setting options.
FortiWeb 5.3 Patch 4
Command
Change

config server-policy error-page
Removed. You now use config system replacemsg to customize the error page for all policies.

set error-page <page_name>
set error-page-code <status-code_int>
set error-msg <message_str>
...
Changed. The error page configuration settings have been removed. You now use config system replacemsg to customize the error page for all policies.

You can now use a URL-based client certificate group to specify whether a client is required to present a personal certificate or not.

config pserver-list
Changed. You can now use a URL-based client certificate group to specify whether a client is required to present a personal certificate or not.

New. You can now specify whether a client is required to present a personal certificate or not based on the requested URL.

config list
New. FortiWeb now allows you to customize the web pages it uses for blocking, authentication, and unavailable servers.
New. Allows you to add images that the FortiWeb HTML web pages can use. These pages include the ones that FortiWeb uses for blocking, authentication, and unavailable servers.

config rule-list
Changed. You can now use a regular expression to specify the name attribute of the parameter’s input tag in an input rule.

Changed. A new setting allows you to assign an IPv4 IP address to one of the network interfaces using Dynamic Host Configuration Protocol (DHCP).
FortiWeb 5.3 Patch 3
Command
Change

config log email-policy
Changed. An email policy can now specify an SMTP server port and encrypt the connection to the mail server.

New. FortiWeb now allows you to direct traffic to a specific network interface/gateway combination based on a packet’s IP source and destination address.

New. Advanced SSL settings are available when you configure a server policy in reverse proxy mode. These include options to disable specific SSL/TLS protocols, set the SSL/TLS encryption level, and enable perfect forward secrecy.
Options that disable client-initiated SSL renegotiation and prioritize the RC4 cipher suite have moved to server policy configuration from config system advanced.

config pserver-list
New. Advanced SSL settings are available when you configure a server pool member in true transparent proxy mode. These include options to enable SNI, disable specific SSL/TLS protocols, set the SSL/TLS encryption level, and enable perfect forward secrecy.
Options that disable client-initiated SSL renegotiation and prioritize the RC4 cipher suite have moved to server pool configuration from config system advanced.

Changed. The following settings have been removed:
disable-client-side-ssl-negociations
no-sslv3
prioritize-rc4-cipher-suite
ssl-md5
weak_enc
These settings are replaced by the new advanced SSL/TLS settings in the server policy and server pool configuration.

Changed. The setting no-sslv3 has been removed.

Changed. A new setting allows you to assign an IPv4 IP address to one of the network interfaces using Dynamic Host Configuration Protocol (DHCP).

New. Allows you to specify a Kerberos Key Distribution Center (KDC) that FortiWeb can use to obtain a Kerberos service ticket for web applications on behalf of clients.

config content-type
end
config custom-signature
set custom-signature-name <custom-signature-name_str>
end
config occurrence
set occurrence-num <occurrence_int>
set within <within_int>
end
Changed. New options allow you to add a content type filter, and to configure the occurrence filter to match based on the rate of matches with other filter types, expressed as a percentage of matches.
In addition, you can now add custom signatures to a signature violation filter by specifying either a custom signature rule group or an individual rule.
FortiWeb 5.3 Patch 2
Command
Change

set no-sslv3 {enable | disable}
New. You can now prevent clients from using SSL 3.0 to connect to server pool members.

set no-sslv3 {enable | disable}
New. You can now prevent connections to the web UI via SSL 3.0.
FortiWeb 5.3 Patch 1
No design changes. Bug fixes only.
FortiWeb 5.3
Command
Change

Changed. The allow-robot option for the packet-log setting is no longer available.

Changed. The threshold setting is no longer available.

config content-routing-match-list
Changed. HTTP content routing policies now forward traffic to one or more server pools that you select in the content routing policies.

New. You can now create a persistence configuration and apply it to a server pool configuration.
After FortiWeb has forwarded the first packet from a client to a pool member, it forwards subsequent packets to the same back-end server using the specified persistence method.

Changed. You now apply policies to back-end servers using server pools only. (Pools can contain one or more physical or domain servers.) You apply HTTP content routing policies by adding them to policies along with the server pools that they route traffic to.
Also, you can now configure a message that FortiWeb sends to clients when none of the server pool members are available.
set error-page <page_name>
set error-page-code <status-code_int>
set error-msg <message_str>
config http-content-routing-list

Changed. You now define physical and domain servers as members of a server pool, which can have a single member or multiple members with a load-balancing configuration.
config pserver-list

set ssl-md5 {enable | disable}
set weak_enc {enable | disable}
Changed. Settings have moved from config system global.

New. Allows you to enable integrity checks of firmware updates and of the configuration, kernel.img, and rootfs.img files.

Changed. The no-ssl-renegotiation setting is no longer available. Instead, use the disable-client-side-ssl-negotiations {enable | disable} setting of the config system advanced command.

config system certificate remote
Removed.

New. For servers that present more than one certificate to clients, you can create a Server Name Indication (SNI) configuration that identifies the certificate to use by domain.
config members

Changed. The ocsp setting is no longer available.

New. You can now specify the names of directories and files that you want to exclude from anti-defacement monitoring. Alternatively, you can specify the folders and files you want FortiWeb to monitor and it will exclude any others.

Changed. You can now specify a filter that either defines which files and folders FortiWeb does not scan when it looks for changes or the specific files and folders you want it to monitor.

Changed. You can now exempt clients that pass a web browser test from a custom access rule.

New. You can now specify a list of IP addresses or ranges of IP addresses that are exceptions to the list of client IP addresses that FortiWeb blocks based on their geographic location.

config waf geo-block-list
Changed. You can now specify a list of IP addresses or IP address ranges that are exempt from the list of client IP addresses that FortiWeb blocks based on their geographic location.

Changed. You can now specify when to start or stop logging.

New. Allows you to display the current status of FortiGuard subscription services files and the MD5 checksum for system and configuration files.

Changed. Displays additional information about the HA configuration of appliances in a cluster.

New. Allows you to view the status of the high availability (HA) synchronization process.

Changed. The options for which part of the configuration and/or FortiGuard service-related packages to synchronize have changed.
FortiWeb 5.2
Command
Change

config system certificate remote
Changed. When ADOMs are enabled, you now perform certificate configuration under config vdom instead of config global. This allows each administrative domain to have its own certificates and certificate-related settings.

Changed. You can now configure administrative access for VLAN subinterfaces.

config match condition
Changed. You can now specify either a single IP address or an IP address range.

config members
Changed. You can now specify either a single IP address or an IP address range.

config http-transaction
config response-code
set response-code-min <response-code_int>
set response-code-max <response-code_int>
config packet-interval
config signature-class
config occurrence
set occurrence-num <occurrence_int>
set within <within_int>
set traced-by {Source-IP | User}
New. Additional filter types include:
Transaction and packet interval timeout
HTTP response code
URL
Attack signature violation