What’s new
The tables below list commands which have changed since FortiWeb 5.2, including new commands, syntax changes, and new setting options.
FortiWeb 5.3 Patch 7
Command
Change
New. You can now upload certificates and certificate revocation lists using the CLI.
New. You can now display a full list of signature IDs that includes names and descriptions.
FortiWeb 5.3 Patch 6
Command
Change
 
Changed. You can now stop FortiWeb from logging SSL errors.
This setting is useful when you use high-level security settings, which generate a high volume of these types of errors.
 
Changed.
You can now configure the TCP SYN flood protection in each server policy, instead of configuring it globally for all connections.
In addition, FortiWeb now supports server-side SNI (Server Name Indication). You use this feature when end-to-end encryption is required and the back-end web server itself requires SNI support.
In reverse proxy mode, you enable server-side SNI in the appropriate server policy.
 
config pserver-list
Changed.
FortiWeb now supports server-side SNI (Server Name Indication). You use this feature when end-to-end encryption is required and the back-end web server itself requires SNI support.
In true transparent proxy mode, you enable server-side SNI for the appropriate pool member.
config system dos-prevention
Removed. You now enable the TCP SYN flood protection feature in each server policy, instead of configuring it globally for all connections.
 
New. You can now increase the size of the TCP buffer. This is useful when the amount of traffic between a server pool member and FortiWeb is significantly larger than the traffic between FortiWeb and the client.
 
New. You can now configure FortiWeb to clear its cache memory every 45 minutes and generate an event log message for the action.
Changed.
V-zones no longer require IP addresses.
In addition, you can now configure a V-zone that switches traffic between VLANs with different VLAN ID values.
FortiWeb 5.3 Patch 5
Command
Change
Changed. You can now transmit log information for storage on a FortiAnalyzer appliance using a secure connection.
 
New. You can now store log messages remotely on an ArcSight SIEM (security information and event management) server. FortiWeb sends log entries to ArcSight in CEF (Common Event Format).
 
New. You can now add connection settings for an ArcSight SIEM (security information and event management) server.
set type cef
 
Changed. You can now add connection settings for an ArcSight SIEM server to a trigger policy.
 
 
config health-list
edit <entry_index>
set time-out <seconds_int>
set retry-times <retries_int>
set interval <seconds_int>
set url-path <request_str>
Changed.
You can now configure health checks to test server responsiveness using more than one of the available protocols, and require the server to pass all the tests or just one of the tests.
For server health checks that use the HTTP or HTTPS protocol, you can now specify the HTTP method that the health check uses (HEAD, GET or POST).
 
Changed.
You can now automatically redirect all HTTP requests to equivalent URLs on a secure site.
If you have configured session persistence using a session cookie, a new CLI command allows you to track or insert a session cookie for each transaction, rather than for each session.
 
config pserver-list
Changed.
You can now configure a server pool member to use a server health check configuration that is different from the health check assigned to the pool.
When FortiWeb is operating in true transparent proxy mode and performing SSL/TLS processing for a server pool member, you can now configure FortiWeb to include any X.509 personal certificates presented by clients during the SSL/TLS handshake with the traffic it forwards to the pool member.
 
New. You can now connect to the CLI using an SSH connection by providing a private key, instead of a username and password.
 
config secondaryip
New. When ip-src-balance or ip6-src-balance is enabled, you can specify additional IP addresses for a network interface.
For more information, see config system network-option.
 
New. You can allow FortiWeb to connect to the back-end servers using more than one IPv4 or IPv6 address. FortiWeb uses a round-robin load-balancing algorithm to distribute the connections among the available IP addresses.
 
config match-condition
Changed. You can now specify the client source IP addresses to match by providing a domain. You can specify this domain using either a string or a regular expression.
New. You can now upload your FortiWeb-VM license using the command line interface. This option is useful if you want to automate FortiWeb-VM deployments.
 
FortiWeb 5.3 Patch 4
Command
Change
config server-policy error-page
Removed. You now use config system replacemsg to customize the error page for all policies.
 
set error-page <page_name>
set error-page-code <status-code_int>
set error-msg <message_str>
...
Changed.
The error page configuration settings have been removed. You now use config system replacemsg to customize the error page for all policies.
You can now use a URL-based client certificate group to specify whether a client is required to present a personal certificate or not.
 
config pserver-list
Changed.
You can now use a URL-based client certificate group to specify whether a client is required to present a personal certificate or not.
New. You can now specify whether a client is required to present a personal certificate or not based on the requested URL.
config list
 
New. FortiWeb now allows you to customize the web pages it uses for blocking, authentication, and unavailable servers.
 
New. Allows you to add images that the FortiWeb HTML web pages can use. These pages include the ones that FortiWeb uses for blocking, authentication, and unavailable servers.
 
 
config rule-list
Changed. You can now use a regular expression to specify the name attribute of the parameter’s input tag in an input rule.
Changed. A new setting allows you to assign an IPv4 address to one of the network interfaces using Dynamic Host Configuration Protocol (DHCP).
FortiWeb 5.3 Patch 3
Command
Change
 
config log email-policy
Changed. An email policy can now specify an SMTP server port and encrypt the connection to the mail server.
New. FortiWeb now allows you to direct traffic to a specific network interface/gateway combination based on a packet’s IP source and destination address.
 
 
New. Advanced SSL settings are available when you configure a server policy in reverse proxy mode. Includes options to disable specific SSL/TLS protocols, set the SSL/TLS encryption level, and enable perfect forward secrecy.
Options that disable client-initiated SSL renegotiation and prioritize the RC4 cipher suite have moved to server policy configuration from config system advanced.
 
config pserver-list
New. Advanced SSL settings are available when you configure a server pool member in true transparent proxy mode. Includes options to enable SNI, disable specific SSL/TLS protocols, set the SSL/TLS encryption level, and enable perfect forward secrecy.
Options that disable client-initiated SSL renegotiation and prioritize the RC4 cipher suite have moved to server pool configuration from config system advanced.
Changed. The following settings have been removed:
disable-client-side-ssl-negotiations
no-sslv3
prioritize-rc4-cipher-suite
ssl-md5
weak_enc
These settings are replaced by the new advanced SSL/TLS settings in the server policy and server pool configuration.
Changed. The setting no-sslv3 has been removed.
 
Changed. A new setting allows you to assign an IPv4 address to one of the network interfaces using Dynamic Host Configuration Protocol (DHCP).
New. Allows you to specify a Kerberos Key Distribution Center (KDC) that FortiWeb can use to obtain a Kerberos service ticket for web applications on behalf of clients.
 
 
config content-type
end
config custom-signature
set custom-signature-name <custom-signature-name_str>
end
config occurrence
set occurrence-num <occurrence_int>
set within <within_int>
end
Changed. New options allow you to add a content type filter, and to configure the occurrence filter to match based on the rate of matches with other filter types expressed as a percentage of matches.
In addition, you can now add custom signatures to a signature violation filter by specifying either a custom signature rule group or individual rule.
FortiWeb 5.3 Patch 2
Command
Change
 
set no-sslv3 {enable | disable}
New. You can now prevent clients from using SSL 3.0 to connect to server pool members.
 
set no-sslv3 {enable | disable}
New. You can now prevent connections to the web UI via SSL 3.0.
FortiWeb 5.3 Patch 1
No design changes. Bug fixes only.
FortiWeb 5.3
Command
Change
Changed. The allow-robot option for the packet-log setting is no longer available.
Changed. The threshold setting is no longer available.
 
config content-routing-match-list
Changed. HTTP content routing policies now forward traffic to one or more server pools that you select in the content routing policies.
New. You can now create a persistence configuration and apply it to a server pool configuration.
After FortiWeb has forwarded the first packet from a client to a pool member, it forwards subsequent packets to the same back-end server using the specified persistence method.
 
 
set server-inaccessible-error-msg <message_str>
set error-page <page_name>
set error-page-code <status-code_int>
set error-msg <message_str>
Changed. You now apply policies to back-end servers using server pools only. (Pools can contain one or more physical or domain servers.) You apply HTTP content routing policies by adding them to policies along with the server pools that they route traffic to.
Also, you can now configure a message that FortiWeb sends to clients when none of the server pool members are available.
config http-content-routing-list
 
Changed. You now define physical and domain servers as members of a server pool, which can have a single member or multiple members with a load-balancing configuration.
config pserver-list
 
 
set ssl-md5 {enable | disable}
set weak_enc {enable | disable}
Changed. Settings have moved from config system global.
New. Enables and configures Federal Information Processing Standards (FIPS) and Common Criteria (CC) compliant mode.
When the FIPS-CC certification process is complete, a separate document will provide detailed information about this command.
Changed. The no-ssl-renegotiation setting is no longer available. Instead, use the disable-client-side-ssl-negotiations {enable | disable} setting of the config system advanced command.
config system certificate remote
Removed.
New. For servers that present more than one certificate to clients, you can create a Server Name Indication (SNI) configuration that identifies the certificate to use by domain.
config members
 
Changed. The ocsp setting is no longer available.
New. You can now specify the names of directories and files that you want to exclude from anti-defacement monitoring. Alternatively, you can specify the folders and files you want FortiWeb to monitor and it will exclude any others.
 
 
Changed. You can now specify a filter that either defines which files and folders FortiWeb does not scan when it looks for changes or the specific files and folders you want it to monitor.
 
Changed. You can now exempt clients that pass a web browser test from a custom access rule.
New. You can now specify a list of IP addresses or ranges of IP addresses that are exceptions to the list of client IP addresses that FortiWeb blocks based on their geographic location.
 
 
config waf geo-block-list
Changed. You can now specify a list of IP addresses or IP address ranges that are exempt from the list of client IP addresses that FortiWeb blocks based on their geographic location.
 
Changed. You can now specify when to start or stop logging.
New. Allows you to display the current status of FortiGuard subscription services files and the MD5 checksum for system and configuration files.
Changed. Displays additional information about the HA configuration of appliances in a cluster.
New. Allows you to view the status of the high availability (HA) synchronization process.
 
Changed. The options for which part of the configuration and/or FortiGuard service-related packages to synchronize have changed.
FortiWeb 5.2
Command
Change
config system certificate remote
Changed. When ADOMs are enabled, you now perform certificate configuration under config vdom instead of config global. This allows each administrative domain to have its own certificates and certificate-related settings.
 
Changed. You can now configure administrative access for VLAN subinterfaces.
 
config match-condition
Changed. You can now specify either a single IP address or an IP address range.
 
config members
Changed. You can now specify either a single IP address or an IP address range.
 
config http-transaction
config response-code
set response-code-min <response-code_int>
set response-code-max <response-code_int>
config packet-interval
config signature-class
config occurrence
set occurrence-num <occurrence_int>
set within <within_int>
set traced-by {Source-IP | User}
New. Additional filter types include:
Transaction and packet interval timeout
HTTP response code
URL
Attack signature violation