What’s new
The list below contains features new or changed since FortiWeb 5.2. For upgrade information, see the Release Notes available with the firmware and “Updating the firmware”.
FortiWeb 5.3 Patch 5
Server health checks
Domain-based server health checks — You can now configure a server pool member to use a server health check configuration that is different from the health check assigned to the pool.
Test using multiple protocols — You can now configure health checks to test using more than one of the available protocols, and require the server to pass all the tests or just one of the tests.
HTTP method configuration in server health check — For server health checks that use the HTTP or HTTPS protocol, you can now specify the HTTP method that the health check uses (HEAD, GET, or POST).
Domain name in HOST header — When you specify a pool member by domain name, the health check HOST header now includes the member's domain name and not its IP address.
See “Configuring server up/down checks”.
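The following Python model, added here as an illustration and not FortiWeb's own code, shows how the four health-check options above fit together: a member-level check overrides the pool-level check, a check can combine several protocols and require all or any of them to pass, the HTTP/HTTPS probe uses a configurable method, and the Host header carries the member's domain name rather than an IP address when the member is defined by domain. The class and function names (HealthCheck, PoolMember, ServerPool, run_check) and the injectable probe are this example's own; the probe is passed in so the combination logic can be exercised without a network.

```python
"""Health-check evaluation model (added example; names are this example's own)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
import ipaddress

VALID_PROTOCOLS = ("tcp", "http", "https")
VALID_METHODS = ("HEAD", "GET", "POST")


@dataclass
class HealthCheck:
    name: str
    protocols: Tuple[str, ...] = ("tcp",)   # one or more of VALID_PROTOCOLS
    require_all: bool = True                # True: every test must pass; False: any one
    http_method: str = "HEAD"               # used by the http/https tests only
    url_path: str = "/"

    def __post_init__(self):
        bad = [p for p in self.protocols if p not in VALID_PROTOCOLS]
        if bad or not self.protocols:
            raise ValueError(f"unsupported health-check protocols: {bad}")
        if self.http_method not in VALID_METHODS:
            raise ValueError(f"unsupported health-check method: {self.http_method}")


@dataclass
class PoolMember:
    address: str                            # IPv4/IPv6 literal or a domain name
    port: int = 80
    health_check: Optional[HealthCheck] = None   # member-level override, if any


@dataclass
class ServerPool:
    name: str
    health_check: HealthCheck               # pool-level default
    members: List[PoolMember] = field(default_factory=list)


def is_ip_literal(address: str) -> bool:
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False


def effective_check(pool: ServerPool, member: PoolMember) -> HealthCheck:
    """The member's own check wins over the check assigned to the pool."""
    return member.health_check or pool.health_check


def build_http_request(member: PoolMember, check: HealthCheck, protocol: str) -> str:
    """Request line and Host header as the HTTP/HTTPS probe would send them.

    A member defined by domain name yields a domain-name Host header; an IP
    literal is used only when the member has no name.  IPv6 literals are
    bracketed and a non-default port is appended, as HTTP/1.1 requires.
    """
    default_port = 443 if protocol == "https" else 80
    host = member.address
    if is_ip_literal(host) and ":" in host:
        host = f"[{host}]"
    if member.port != default_port:
        host = f"{host}:{member.port}"
    return (f"{check.http_method} {check.url_path} HTTP/1.1\r\n"
            f"Host: {host}\r\nConnection: close\r\n\r\n")


# probe(protocol, member, request_text_or_None) -> True when that single test passed
Probe = Callable[[str, PoolMember, Optional[str]], bool]


def run_check(pool: ServerPool, member: PoolMember, probe: Probe) -> bool:
    """Run every configured protocol test and combine the results (all-of or any-of)."""
    check = effective_check(pool, member)
    results = []
    for proto in check.protocols:
        request = build_http_request(member, check, proto) if proto != "tcp" else None
        results.append(bool(probe(proto, member, request)))
    return all(results) if check.require_all else any(results)


if __name__ == "__main__":
    # Constructed scenario: TCP connects but the HTTPS probe fails.
    def demo_probe(proto, member, request):
        return proto == "tcp"

    pool_check = HealthCheck("tcp-only")
    member_check = HealthCheck("tcp-or-https", ("tcp", "https"), require_all=False,
                               http_method="GET", url_path="/healthz")
    pool = ServerPool("web", pool_check, [PoolMember("app.example.internal", 443, member_check)])
    print("member up:", run_check(pool, pool.members[0], demo_probe))
```

Because the probe is injected, the same evaluator can be driven by real socket or HTTP client calls in production and by a constructed probe in tests; the part worth getting right is the combination rule, which is what the example checks.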
Client Certificate Forwarding in true transparent proxy mode — When FortiWeb is operating in true transparent proxy mode and performing SSL/TLS processing for a server pool member, you can now configure FortiWeb to include any X.509 personal certificate that the client presented during the SSL/TLS handshake in the traffic it forwards to the pool member.
See “Creating a server pool”.
CLI command to enforce session cookie per transaction — If you have configured session persistence using a session cookie (Persistent Cookie, Insert Cookie), a new CLI command allows you to track or insert a session cookie for each transaction, rather than for each session.
See “Configuring session persistence per transaction”.
URL Access List source filtering using a domain — In a URL access rule, you can now specify the client source IP addresses to match by providing a domain. You can specify this domain using either a string or a regular expression.
See “Restricting access to specific URLs”.
Redirect HTTP-to-HTTPS — A new server policy option allows you to automatically redirect all HTTP requests to equivalent URLs on a secure site. To use this option, the HTTPS server for the policy must use port 443 (the default). This option can replace redirection functionality that you create using URL rewriting rules.
See “Configuring a server policy”.
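As an added illustration (not FortiWeb's own code), the function below builds the redirect that a front end would send for a plain-HTTP request so the client retries the same URL over HTTPS. It assumes, as the option above requires, that the HTTPS listener is on port 443: the Location URL carries no explicit port, so a client following it connects to 443. It also shows two details a practitioner would want: an explicit :80 in the Host header is dropped, and a Host header containing whitespace or line breaks is rejected rather than copied into a response header. The function name and its return shape are this example's own.

```python
"""HTTP-to-HTTPS redirect construction (added example; names are this example's own)."""
from typing import Dict, Optional, Tuple


def host_without_port(host_header: str) -> str:
    """Strip an explicit :port from a Host header, keeping IPv6 brackets intact."""
    if host_header.startswith("["):             # e.g. [2001:db8::1]:8080
        end = host_header.find("]")
        return host_header[: end + 1]
    return host_header.split(":", 1)[0]


def https_redirect(method: str, host_header: str, request_target: str,
                   already_tls: bool = False) -> Optional[Tuple[int, Dict[str, str]]]:
    """Return (status, headers) for the redirect, or None if no redirect is needed.

    - Requests that already arrived over TLS are left alone.
    - A missing or malformed Host header yields 400: without a trustworthy host
      name there is no safe Location value to build.
    - GET/HEAD get a cacheable 301; other methods get 308 so that a client
      keeps its method and body when it retries over HTTPS.
    - No port is written into the URL, which is why the HTTPS server must
      listen on 443.
    """
    if already_tls:
        return None
    if not host_header or any(c in host_header for c in "\r\n \t"):
        return (400, {})
    if not request_target.startswith("/"):      # only origin-form targets are redirected
        return (400, {})
    location = f"https://{host_without_port(host_header)}{request_target}"
    status = 301 if method.upper() in ("GET", "HEAD") else 308
    return (status, {"Location": location, "Connection": "close"})


if __name__ == "__main__":
    # Constructed requests, as a reverse proxy would see them.
    print(https_redirect("GET", "www.example.test:80", "/login?next=%2Fhome"))
    print(https_redirect("POST", "www.example.test", "/api/submit"))
    print(https_redirect("GET", "www.example.test\r\nX-Injected: 1", "/"))
```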
Additional comment fields — New Comment fields in the web UI allow you to add notes to protection profiles, server pools, and signature policies.
Predefined, optimized protection profile for WordPress — Use this new profile as-is or clone it to create a custom profile.
See “Configuring a protection profile for inline topologies” and “Configuring a protection profile for an out-of-band topology or asynchronous mode of operation”.
Upload a FortiWeb-VM license using the CLI — New CLI commands allow you to upload your FortiWeb-VM license using the command line interface. This option is useful if you want to automate FortiWeb-VM deployments.
For details, see the FortiWeb-VM Install Guide.
Log in to FortiWeb using SSH and private key — You can now connect to the CLI using an SSH connection by providing a private key, instead of a username and password.
See “To connect to the CLI using an SSH connection and public-private key pair”.
Integration with ArcSight SIEM (security information and event management) — You can now store log messages remotely on an ArcSight SIEM server. FortiWeb sends log entries to ArcSight in CEF (Common Event Format).
See “Configuring SIEM policies”.
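To show what the CEF transport above implies on the receiving side, here is an added example, not FortiWeb code, of a CEF encoder and decoder that round-trips an event. It follows the published CEF rules: seven pipe-separated header fields after the CEF:0 prefix, with backslash and pipe escaped in the header, and key=value pairs in the extension with backslash, equals sign and line breaks escaped. The sample event, its signature id and its field names are constructed for this example and are not FortiWeb's real CEF field mapping; a SIEM parser that does not honour the escaping would split the msg value below into bogus key=value pairs.

```python
"""CEF encode/decode round-trip (added example; event content is constructed)."""
import re

_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")   # an unescaped key= after a space starts a pair


def _esc_header(value: str) -> str:
    if "\n" in value or "\r" in value:
        raise ValueError("CEF header fields must not contain line breaks")
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def _unesc_ext(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def to_cef(vendor, product, version, signature_id, name, severity, extension: dict) -> str:
    """Serialise one event as a CEF line."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be 0..10")
    for key in extension:
        if not re.fullmatch(r"[A-Za-z0-9_.]+", key):
            raise ValueError(f"invalid CEF extension key: {key!r}")
    header = "|".join(_esc_header(str(f)) for f in
                      ("0", vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in extension.items())
    return f"CEF:{header}|{ext}"


def parse_cef(line: str) -> dict:
    """Parse a CEF line back into its header fields and extension dictionary."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, buf, i = [], [], 4
    while i < len(line) and len(fields) < 7:          # header: split on unescaped '|'
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    extension = line[i:]
    matches = list(_KEY_RE.finditer(extension))
    ext = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(extension)
        ext[m.group(1)] = _unesc_ext(extension[m.end():end])
    keys = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    record = dict(zip(keys, fields))
    record["extension"] = ext
    return record


# Constructed sample event (not a real FortiWeb log record).
SAMPLE_EXT = {
    "src": "203.0.113.7",
    "dst": "198.51.100.10",
    "act": "Alert & Deny",
    "msg": "id=1 OR 1=1|\\x\nsecond line",
}

if __name__ == "__main__":
    line = to_cef("Fortinet", "FortiWeb", "5.3", "EXAMPLE-0001", "SQL Injection | param id", 8, SAMPLE_EXT)
    print(line)
    print(parse_cef(line))
```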
Send logs to FortiAnalyzer via SSL — You can now transmit log information for storage on a FortiAnalyzer appliance using a secure connection.
See “Configuring FortiAnalyzer policies”.
FortiWeb 100D appliance — A new compact, cost-effective model that is ideal for small businesses.
For more information, see the FortiWeb 100D QuickStart Guide.
Federal Information Processing Standards (FIPS) and Common Criteria (CC) compliance — FIPS-CC compliant mode has been added and Fortinet has started the product certification process.
FortiWeb 5.3 Patch 4
Regular expression support in Parameter Validation Rules parameter names — You can now specify the name attribute of the parameter’s input tag in a Parameter Validation Rule using a regular expression. This is useful for web pages that dynamically generate the parameters.
See “Validating parameters (“input rules”)”.
Predefined, optimized protection profiles for Microsoft Exchange and SharePoint — Use these new profiles as-is or clone them to create a custom profile.
See “Configuring a protection profile for inline topologies” and “Configuring a protection profile for an out-of-band topology or asynchronous mode of operation”.
Two-factor authentication for SMS and email — FortiWeb’s two-factor RADIUS authentication feature can now authenticate users who log in using SMS or email. (The steps for configuring two-factor RADIUS authentication have not changed.)
See “Two-factor authentication”.
Customize error and authentication pages — Go to System > Config > Replacement Message to customize the following FortiWeb HTML pages using interactive tools:
Pages that FortiWeb presents when the client authentication method in a site publishing configuration is HTML Form Authentication.
The error page FortiWeb uses to respond to an HTTP request that violates a policy when the configured action is Alert & Deny or Period Block.
The "Server Unavailable!" page that FortiWeb returns to the client when none of the server pool members are available, either because their status is Disable or Maintenance or because they have failed the configured health check.
See “Customizing error and authentication pages (replacement messages)”.
IPv6 support for more features — The following features now work with IPv6 addresses:
X-Forwarded-For
HTTP Access Limit
TCP Flood Prevention
HTTP Authentication
Brute Force
Start Pages
URL Rewriting
Geo IP
Data Analytics
See “IPv6 support”.
URL-based client certificate verification — You can now determine whether clients are required to present a client certificate based on the URL of the HTTP request.
See “Use URLs to determine whether a client is required to present a certificate”.
Additional network adapter ports for FortiWeb-VM installations — When you run FortiWeb-VM on VMware vSphere ESXi, the number of available network interfaces can be 4 or 10. There are specific limitations on how you can create the 10-port configuration. New installations use 10 network interfaces by default. For details, see the FortiWeb-VM Install Guide.
FortiWeb 5.3 Patch 3
Advanced SSL settings for server policies and server pool members — New options are available when you configure a server policy in reverse proxy mode or configure a server pool member in true transparent proxy mode.
Enable SNI for true transparent proxy mode — The SNI feature that allows FortiWeb to present multiple server certificates is now also available as part of server pool member configuration when the operating mode is true transparent proxy.
Select SSL protocols — To increase security, you can now select which versions of SSL and TLS the policy or pool member allows.
SSL/TLS encryption level — Specifies whether FortiWeb uses a medium-security or a high-security set of cipher suites.
Prioritize RC4 Cipher Suite — Adds protection against a BEAST attack for configurations that support TLS 1.0. (Moved from System > Config > Advanced.)
Enable Perfect Forward Secrecy — Perfect forward secrecy improves security by ensuring that the key pair for a current session is unrelated to the key for any future sessions.
Disable Client-Initiated SSL Renegotiation — Specifies whether FortiWeb ignores requests from clients to renegotiate TLS or SSL. (Moved from System > Config > Advanced.)
For more information, see “Configuring a server policy” and “Creating a server pool”.
Site publishing enhancements
Two-factor authentication — By default, FortiWeb supports RADIUS authentication that requires users to provide a secondary password, PIN, or token code in addition to a username and password (two-factor authentication).
See “Two-factor authentication”.
RSA SecurID authentication — FortiWeb’s default two-factor authentication feature supports RADIUS authentication that uses RSA SecurID, or you can allow users to authenticate using their username and RSA SecurID token code only.
See “RSA SecurID authentication”.
Kerberos authentication delegation — FortiWeb can now give clients it has authenticated access to web applications via the Kerberos protocol. To support this feature, you can now add a Kerberos Key Distribution Centre configuration and, if needed, a keytab file that allows FortiWeb to log in to Kerberos.
Two versions are available: regular Kerberos delegation and Kerberos constrained delegation.
See “Using Kerberos authentication delegation”.
Web scraping protection — Web scraping is an automated process for collecting information from web servers, often with the intention of re-using the content without authorization.
Auto-learning custom web scraping rule — The auto-learning feature now collects source IP address and content type information for HTTP file requests. It uses this information to automatically generate a custom rule that can detect web scraping activity. To support this feature, custom rules now can include a content type filter and the occurrence filter allows you to specify the number of hits to match as a percentage.
See “Most hit IP table and web scraping detection”.
Predefined web scraping rule — The predefined advanced protection rules that defend against popular attacks now include a rule that detects web scraping activity.
See “Combination access control & rate limiting”.
Custom signatures in advanced protection custom rule — Add any custom signatures that you create to a signature violation filter in a custom rule by specifying either a custom signature rule group or individual rule.
See “Combination access control & rate limiting”.
Policy Route — FortiWeb now allows you to direct traffic to a specific network interface/gateway combination based on a packet’s source and destination IP addresses.
See “Creating a policy route”.
Assign a network interface IP address using DHCP — You can now assign an IPv4 IP address to one of the network interfaces using Dynamic Host Configuration Protocol (DHCP).
See “Configuring the network interfaces”.
Set alert email SMTP port and connection security — Your email policy can now specify an SMTP server port and encrypt the connection to the mail server.
See “Configuring email settings”.
Filter report information by HTTP host — When you configure a report profile, you can use HTTP host(s) as one of the criteria for log messages to include.
See “Restricting the report’s scope”.
FortiWeb 5.3 Patch 2
Disable SSL 3.0 for server policies, server pools, and web UI — To protect against a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, you can now prevent access to FortiWeb and the servers it protects via SSL 3.0.
For more information, see “Advanced settings” and “Global web UI & CLI settings”.
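The Patch 3 advanced SSL settings (protocol selection, cipher strength, perfect forward secrecy, client-initiated renegotiation) and the Patch 2 SSL 3.0 switch above are the same knobs any TLS endpoint exposes. The following added example, written against Python's standard ssl module rather than FortiWeb, builds a server context with those settings and audits it, so that a practitioner can see which option addresses which weakness: refusing SSL 3.0 and older TLS removes the POODLE downgrade target, restricting the cipher list to ECDHE/DHE suites gives forward secrecy, and OP_NO_RENEGOTIATION (where the local OpenSSL offers it) refuses client-initiated renegotiation. This example sets TLS 1.2 as the minimum and excludes RC4 outright, which is current practice and stricter than the page's TLS 1.0-era options; with only AEAD suites offered, the BEAST consideration that motivated RC4 prioritisation does not arise. The function names hardened_server_context and audit are this example's own.

```python
"""TLS server context hardening and audit (added example using the stdlib ssl module)."""
import ssl

# Forward-secret key exchanges only; TLS 1.3 suites report Kx=any and are always forward secret.
_PFS_KX = ("Kx=ECDH", "Kx=DH", "Kx=any")
_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context: TLS 1.2+, PFS-only suites, no compression, no client renegotiation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # "Select SSL protocols": SSL 3.0 (POODLE) and TLS 1.0/1.1 are refused.  Python's
    # default context already sets OP_NO_SSLv2/OP_NO_SSLv3; minimum_version raises the floor.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # "SSL/TLS encryption level" + "Perfect Forward Secrecy": high-strength AEAD suites with
    # ephemeral key exchange only, and the server's order wins over the client's.
    ctx.set_ciphers(_CIPHERS)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE | ssl.OP_NO_COMPRESSION
    # "Disable Client-Initiated SSL Renegotiation": available when OpenSSL >= 1.1.0h.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    # Certificate and key would be loaded here with ctx.load_cert_chain(certfile, keyfile).
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Report the security-relevant properties of a context as plain booleans."""
    ciphers = ctx.get_ciphers()
    reneg_flag = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    return {
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "minimum_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "server_cipher_order": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "renegotiation_disabled": bool(ctx.options & reneg_flag) if reneg_flag else None,
        "pfs_only": bool(ciphers) and all(any(k in c["description"] for k in _PFS_KX) for c in ciphers),
        "rc4_absent": not any("RC4" in c["name"] for c in ciphers),
    }


if __name__ == "__main__":
    for key, value in audit(hardened_server_context()).items():
        print(f"{key:24} {value}")
```

A renegotiation_disabled value of None in the report means the local OpenSSL predates the flag, which is itself worth knowing on a hardened host.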
FortiWeb 5.3 Patch 1
No design changes. Bug fixes only.
FortiWeb 5.3
 
Due to server policy architecture changes, you must first migrate your existing configuration before you upgrade. A script is available to perform this task. For details, see the FortiWeb 5.3 release notes.
New architecture for server policies — Server policy configuration now allows you to implement HTTP content routing and load balancing in a single server policy when FortiWeb is deployed in reverse proxy mode. Because this new architecture allows you to add multiple web protection profiles to a single server policy, you can now apply different protection profiles to different domains and/or URLs. This capability is especially important for customers who have multiple applications that require different security protection but reside on the same server.
New load balancing configuration — You now define your back-end web servers within a server pool, which you configure as either single server or server balance. A server balance pool includes a load balancing configuration: server health checks, load balancing algorithm, and persistence.
You can assign the server pool to an HTTP content routing policy, and then, in turn, select one or more HTTP content routing policies in a server policy. For policies that do not include HTTP header-based routing, you can select the server pool in the server policy directly.
See “Defining your web servers”.
Combine HTTP header-based routing and load balancing in a single server policy — Server pool configuration now includes a load balancing configuration. You can assign pools to a server policy that applies one or more HTTP content routing policies. See “Configuring a server policy”.
Error message when all pool members are down — In addition to the configurable or custom attack blocking message, a server policy now specifies the message that FortiWeb sends to clients when none of the server pool members are available. See “Configuring a protection profile for inline topologies”.
Server pool persistence configuration — A server pool configuration can now include a persistence configuration. After FortiWeb has forwarded the first packet from a client to a pool member, it forwards subsequent packets to the same back-end server using the selected persistence method. See “Configuring session persistence”.
Health check options in server pools — You now create server health check configurations using the Server Objects > Server menu. And you now add server up/down checks to a server pool configuration, instead of adding them to server policies. See “Configuring server up/down checks”.
Multiple certificates per IP address — The new SNI (Server Name Indication) configuration allows FortiWeb to present a different certificate depending on the domain that the client requests. See “Allowing FortiWeb to support multiple server certificates”.
Real browser enforcement in custom rule — You can now add real browser enforcement to Advanced Protection custom rules as well as DoS protection features. See “Combination access control & rate limiting”.
IP Reputation exceptions by geolocation — You can now specify exceptions to IP addresses that FortiWeb blocks based on country or region of origin. See “Blacklisting & whitelisting countries & regions”.
Exclude directories and files from anti-defacement monitoring — The Anti Defacement File Filter option allows you to specify the names of directories and files that you want to exclude from monitoring. Alternatively, you can specify the folders and files you want FortiWeb to monitor and it will exclude any others. See “Specifying files that anti-defacement does not monitor”.
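The example below, added here and not FortiWeb's own implementation, shows the two filter modes described above applied to a content-integrity baseline: in exclude mode everything under the web root is hashed except what matches the filter, and in include mode only matching files are hashed. A later snapshot is compared against the baseline to report modified, added and removed files, which is the core of defacement detection. The directory layout, file contents and pattern semantics (a pattern matches a file's relative path, its name, or any parent directory's path or name) are this example's own.

```python
"""Anti-defacement file filter and baseline comparison (added example; layout is constructed)."""
import fnmatch
import hashlib
import os
import tempfile
from typing import Dict, Iterable


def _matches(relpath: str, patterns: Iterable[str]) -> bool:
    """True if any pattern matches the file's path, its name, or one of its parent directories."""
    parts = relpath.split("/")
    candidates = {relpath, parts[-1]}
    for i in range(1, len(parts)):
        candidates.add("/".join(parts[:i]))    # parent directory as a path
        candidates.add(parts[i - 1])           # parent directory by name alone
    return any(fnmatch.fnmatch(c, p) for c in candidates for p in patterns)


def snapshot(root: str, patterns: Iterable[str], mode: str = "exclude") -> Dict[str, str]:
    """Return {relative path: sha256} for the monitored files under root.

    mode="exclude": monitor everything except files matching patterns.
    mode="include": monitor only files matching patterns; everything else is ignored.
    """
    if mode not in ("exclude", "include"):
        raise ValueError("mode must be 'exclude' or 'include'")
    patterns = list(patterns)
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hit = _matches(rel, patterns)
            if (mode == "exclude") == hit:     # excluded match, or non-matching file in include mode
                continue
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Classify every change between two snapshots."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def make_fixture() -> str:
    """Create a constructed web root in a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="defacement-demo-")
    files = {"index.html": b"<h1>Welcome</h1>", "assets/site.css": b"body{}",
             "logs/app.log": b"started", "cache/page.tmp": b"cached"}
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def demo() -> Dict[str, list]:
    """Baseline, then change one monitored and one excluded file, then compare."""
    root = make_fixture()
    excludes = ["logs", "*.tmp"]               # log directory and temp files are noise
    baseline = snapshot(root, excludes, "exclude")
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<h1>defaced</h1>")
    with open(os.path.join(root, "logs", "app.log"), "ab") as fh:
        fh.write(b"\nmore log lines")          # changes, but is excluded from monitoring
    return diff(baseline, snapshot(root, excludes, "exclude"))


if __name__ == "__main__":
    print(demo())
```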
Attack and traffic logs and reports
The attack log message that FortiWeb generates when it detects cookie poisoning now shows the expected cookie value and actual value. In addition, it provides the cookie path and domain information.
The attack log message that FortiWeb generates when traffic violates an HTTP protocol constraint now provides more information about the violation, including the name of the protection profile that applies the constraint, the specific constraint, and details such as the allowed and detected values.
Traffic and attack log messages now identify both any HTTP content routing policy FortiWeb applied to the traffic and the server pool FortiWeb routed the traffic to.
For more information, see the FortiWeb Log Reference.
Integrity checks — Use the new config system fips CLI command to perform integrity checks of firmware updates, the system configuration, and the kernel.img and rootfs.img files. For details, see the FortiWeb CLI Reference.
High Availability (HA) enhancements — FortiWeb now includes the FortiGuard Antivirus signatures when it synchronizes between active and standby appliances. In addition, the synchronization process is now faster. See “HA heartbeat & synchronization”.
Signature updates status — When a scheduled or manual update of FortiGuard services is underway, FortiWeb now displays the following items:
The status of the update.
A Refresh button.
If FortiWeb is downloading an anti-virus package, a Stop Download button.
In addition, FortiWeb now tests the download speed from different FortiGuard Distribution Servers to determine which one to use for signature updates.
See “Scheduling automatic signature updates” and “Manually initiating update requests”.
FortiWeb 5.2 Patch 2
FortiWeb-VM on demand on Amazon Web Services (AWS) — In addition to running FortiWeb-VM on AWS using a license you own, you can use Amazon’s EC2 console to deploy FortiWeb-VM on an hourly basis.
On-demand/hourly FortiWeb-VM from AWS includes a fully-licensed instance of FortiWeb-VM, all FortiGuard services, and technical support.
Default password for FortiWeb-VM on AWS — When you deploy FortiWeb on AWS, the admin administrator has a default password, which is the AWS instance ID.
For more information on deploying FortiWeb-VM on AWS, see the FortiWeb-VM Installation Guide.
FortiWeb 5.2 Patch 1
FortiWeb-VM01 — This new FortiWeb-VM version supports 1 virtual CPU.
FortiWeb-VM support for Microsoft Hyper-V — You can now deploy FortiWeb-VM as a Hyper-V virtual machine.
For more information on FortiWeb-VM features, see the FortiWeb-VM Installation Guide.
FortiWeb 5.2
New Advanced Protection custom rule filter types — The new filter types provide more sophisticated detection of complicated attacks. In addition, new predefined rules such as crawler, scanning, and slow attacks based on these new capabilities have been added. See “Combination access control & rate limiting”.
Administrative access for VLANs — You can now allow administrative access to virtual local area network (VLAN) subinterfaces. See “Adding VLAN subinterfaces”.
ADOM certificate management — When you create administrative domains (ADOMs), certificate configuration options are now located in the menu for each administrative domain, instead of the Global menu. This allows each administrative domain to have its own certificates and certificate-related settings. See “Administrative domains (ADOMs)”.
Specify IP ranges for URL Access Rule and IP List — When you configure access control by URL or a blacklist or whitelist, in addition to specifying a single IP address, you can now also specify a range of IP addresses. See “Restricting access to specific URLs” and “Blacklisting & whitelisting clients using a source IP or source IP range”.
Attack and traffic logs and reports
Attack logs now contain Source Country, Signature ID, and Signature Subclass Type fields. Traffic logs now contain a Source Country field. See “Viewing log messages”.
When you view the attack and traffic log messages in the web UI, in the Source column, a flag icon beside the IP address indicates the country associated with the address. See “Viewing log messages”.
FortiWeb now has new report types that capture traffic and attack activity by source country and attack signature. See “Choosing the type & format of a report profile”.
Documentation enhancements
A FAQ (Frequently Asked Questions) section in the troubleshooting section provides solutions to many common issues and the location of more detailed information in this handbook. See “Frequently asked questions”.
The maximum values appendix now provides additional values. See “Appendix B: Maximum configuration values”.