Chapter 1: What’s New
This chapter lists features and enhancements introduced in each of the FortiADC releases.
FortiADC 6.2.0
Load Balance
OAuth 2.0 support
Open Authorization (OAuth) 2.0 is an authorization framework that enables applications to obtain limited access to HTTP services on behalf of a user. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2.0 provides authorization flows for web and desktop applications, and mobile devices. FortiADC supports only OAuth 2.0, which is the most widely used form of OAuth. There is no backward compatibility between OAuth 1.0 and OAuth 2.0, as their specifications are so different that they cannot be used together.
CAMELLIA Encryption Algorithm
New SSL ciphers have been added in the Client SSL profile and Server SSL profile:
A new set of Lua scripts has been added to manage WAF-related events and actions. These scripts support functionalities that include enabling/disabling the WAF function, watching an event when the WAF scan starts or an attack is detected, and other custom actions.
Health check monitoring with continuous mode
The health check monitoring functionality has been enhanced to allow more settings for monitoring the check and to display more information about the check results.
Security
WAF enhancement
The following enhancements have been made for the WAF:
FortiADC now supports integrations with third-party vendor scanner reports, including FortiWeb, Acunetix, IBM AppScan, WhiteHat, HP WebInspect, QualysGuard, Telefonica FAAST, and ImmuniWeb reports.
Web Vulnerability Scanner auto policy
You can now generate WAF policies based on FortiADC scan reports or third-party integrated reports. Users can modify the policy as needed and submit it to the virtual server to apply directly.
System
New platform 220F support
FortiADC 6.2.0 now supports the FortiADC 220F platform. For more information, please refer to the latest FortiADC datasheet.
Trust IP list to limit the access to management service for the interface
Currently, FortiADC supports allowaccess to allow/deny access to the interface management service. With the new Trust IP list feature, you have more granular control over which IP addresses may be granted access to the interface management service.
HA pair on Azure using ARM templates
FortiADC is introducing a solution for HA on Azure that eliminates the issue caused by time-consuming IP transfers in the event of HA failovers. Please refer to the new Azure deployment guide for the new HA setup on Azure.
Transfer files between HA devices
Use the new CLI command execute ha force transfer-file <file-name> <node-id> to sync files between HA devices. This can be used to get debug files on the backup device from the master when the backup device is not accessible in some situations.
Pre-login banner support for WebUI, Console and SSH login
You can now customize banner messages to show prior to login through WebUI, console and SSH.
New VM subscription license
Two new SKUs for the VM subscription license have been added: the Standard Bundle and Advanced Bundle licenses.
VDOM link for inter-VDOM traffic
FortiADC now supports inter-VDOM routing setups that allow traffic to be sent between VDOMs without the additional physical interfaces that were previously required for multiple VDOM setups.
At this time, inter-VDOM routing is only available for these classic scenarios: static route, PBR, L4 SLB, L7 SLB and NAT. It is currently not supported in IPv6-related configurations.
Factory reset command enhancement to keep VDOM, interface, and static route settings
Currently, performing a factory reset clears all settings on the device entirely, which may not be ideal for users who need to keep basic networking settings. For this, FortiADC has added a new alternative factory reset command that clears all configurations but keeps the settings for VDOM, interface, and static route.
Support -f option for grepping CLI output
You can now filter for a string in CLI configurations. For example:
# show full-configuration | grep -f 10.0.0.1
This will show all entries with the IP 10.0.0.1.
GUI
Redesign of the select checkbox for all tables
The select checkbox column has been removed for all tables. Now you can make your selection by clicking the row, or press Ctrl+Shift to select multiple rows.
FortiADC 6.1.1
SAP HTTP/HTTPS filter
FortiADC now supports HTTP/HTTPS filters for SAP systems. The new filters can be used with or without an AS virtual host. In the SAP Connector configuration, you can enter an IP address and FQDN or hostname for the server. If a hostname is used, the DNS suffix (DNS name of the SAP system) is required.
Azure cloud-init custom data
Cloud-init is supported by FortiADC on the Azure platform. The license for the BYOL type and FortiADC CLI commands can be specified in the custom data so that FortiADC-VM can be deployed with preset configurations.
FortiADC 6.1.0
System
Automation
Automation Stitches can be used to automate certain actions in response to certain triggers. This includes sending alert emails in response to specific events, and allows for far more granular log-based alerting than the Alert Emails configured under Log & Report.
Each Automation pairs an event trigger and one or more actions, which allows you to monitor your network and take appropriate action when the Security Fabric detects a threat. You can use Automation stitches to detect events from any source in the Security Fabric and apply actions to any destination. For example, you can create the following Automation stitches:
There are CLI changes relating to Automation. See "What's New" in the FortiADC CLI Reference.
Matched part displayed in WAF logs
A matched part is added to WAF logs to indicate which part of the HTTP request/response triggered the WAF event. This helps identify the details of the attack.
FortiADC 1200F, 2200F, and 4200F are introduced in 6.1.1. For more information, see the FortiADC datasheets.
Server Load Balance
Next-hop routing for health check on L4 VS Direct Route mode
In an L4 VS Direct Route deployment, you can set the VS IP on the loopback interface of the real servers and publish the service on this IP. In this mode, the service state on the real server (loopback interface IP) cannot be detected directly. The health check request can now be forwarded to the real server as the next hop, with the VS IP as the destination IP. The real server replies to the request via routing, just as it responds to a client's request.
Persisting new sessions to real servers in maintain mode
Normally, when a real server is set to maintain mode, all new sessions are routed to other active real servers, which may cause re-authentication in some deployments. To solve this issue, an option has been added to source address persistence. It allows new sessions to be persisted to the real server even when it is set to maintain mode.
L7 TCP/UDP VS Lua script
Lua scripts are now supported for L7 virtual servers other than HTTP VS, so that actions not currently supported by built-in features can be performed. For example, you can use a script to manipulate requests/responses for RADIUS, ISO 8583, etc.
For more information, see the FortiADC Script Reference Guide.
GUI enhancement
The following enhancements are made in the GUI:
FortiADC 6.0.1
Server Load Balance
Interface GUI enhancement
Sensitive language modifications
FortiADC 6.0.0
Server Load Balance
Security
System
GUI
FortiADC 5.4.0
Server Load Balance
Security
SSL
System
GUI enhancement
FortiADC 5.3.0
Security
Intrusion Prevention System (IPS) protection (Powered by FortiGuard)
The IPS service allows you to protect your virtual servers from the latest network intrusions by actively detecting and blocking external threats before they can reach potentially vulnerable devices. The combination of real-time threat intelligence updates and thousands of existing intrusion prevention rules delivers the industry’s best IPS protection.
Application and Networking DDoS Protection
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. FortiADC supports two layers of DDoS protection:
1. Networking DoS protection
2. Application DoS protection
FortiADC web application firewalls provide advanced features that defend web applications from known and zero-day threats. FortiADC offers complete security coverage for your web-based applications against the OWASP Top 10 and many other threats.
1. Signature DB enhancement
Enhances the WAF engine to scan packets more efficiently, also significantly increasing the detection rate.
2. New WAF signature wizard on GUI
Helps customers configure the WAF signature profile.
3. WAF Action enhancement
Besides deny and pass, supports two more actions for all WAF modules: Redirect and Block period.
4. CSRF protection
A cross-site request forgery (CSRF) is an attack that exploits the trust that a site has in a user's browser to transmit unauthorized commands. To protect back-end servers from CSRF attacks, FortiADC has two lists:
5. Input validation
FortiADC provides advanced validation of input fields, including parameter validation, hidden field validation and file security. This function verifies user input from scan points such as URL parameters, HTML forms, hidden fields, and uploaded files. If the format is not correct or other attacks are present, the request is blocked.
6. Brute force detection
FortiADC can prevent brute force login attacks. Brute force attackers attempt to penetrate systems by the sheer number of clients, attempts, or computational power, rather than by intelligent insight or advance knowledge of application logic or data.
7. Data loss protection
The data loss prevention (DLP) feature allows FortiADC to prevent information leaks, damage and loss. It provides desensitization and warning measures for sensitive information leaks on websites (SSN numbers and credit card information) and the leakage of sensitive keywords.
8. Cookie Security
An HTTP cookie is a small piece of data sent from a website and stored on the client’s computer. In some cases, it stores sensitive data, e.g. a password. If the client sends a request that FortiADC does not recognize, it takes the corresponding action (alert/deny/period-block/remove-cookie).
9. Page anti-defacement
The anti-defacement feature monitors your websites for defacement attacks. If it detects a change, it can automatically reverse the damage. This feature monitors modification of the customer's specified page; once a modification is considered abnormal, the specified action is triggered, such as "restore changed page," "send email," "acknowledge changed page," or "just record log."
10. Web scraping detection
FortiADC provides advanced access control for customers who want to have agility within the web application (specific IP, files, connections).
FortiADC checks the HTTP header Content-Type and the response code; if the occurrence limit is matched and the match percentage is exceeded, it detects the activity as web scraping.
11. Web vulnerability scanner enhancement
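As an added illustration of the web scraping rule described in item 10 (a constructed model, not FortiADC's own code): the check below counts, per client address, the responses whose Content-Type and status code match a configured pattern, and flags the client only when the matched count reaches the occurrence limit and the matched share of all its responses exceeds the match percentage. The log format, thresholds and addresses are all constructed.

```python
"""Constructed model of the web scraping rule from item 10 above (added example,
not FortiADC's code): a client is flagged when the responses it received that
match the configured Content-Type and status code both reach the occurrence
limit and exceed the match percentage of all its responses."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ScrapingRule:
    content_type: str      # prefix match, so "text/html; charset=utf-8" matches "text/html"
    status_code: int       # response code the rule looks for
    occurrence_limit: int  # minimum number of matched responses before the rule may fire
    match_percent: float   # matched responses as a percentage of all the client's responses


# Constructed access-log lines: "<client_ip> <method> <path> <status> <content-type>"
SAMPLE_LOG: List[str] = (
    # 10.0.0.5 walks every product page and only ever fetches HTML: scraper-like
    [f"10.0.0.5 GET /products?page={n} 200 text/html; charset=utf-8" for n in range(1, 13)]
    # 10.0.0.7 fetches as many pages, but half of its responses are images
    + [f"10.0.0.7 GET /products?page={n} 200 text/html; charset=utf-8" for n in range(1, 7)]
    + [f"10.0.0.7 GET /img/{n}.png 200 image/png" for n in range(1, 7)]
    # 10.0.0.9 looks like a browser: a few HTML pages plus assets and one 404
    + ["10.0.0.9 GET / 200 text/html; charset=utf-8",
       "10.0.0.9 GET /style.css 200 text/css",
       "10.0.0.9 GET /app.js 200 application/javascript",
       "10.0.0.9 GET /about 200 text/html; charset=utf-8",
       "10.0.0.9 GET /missing 404 text/html; charset=utf-8"]
)


def parse_log_line(line: str) -> Tuple[str, int, str]:
    """Split one constructed log line into (client_ip, status, content_type)."""
    fields = line.split(" ", 4)
    if len(fields) != 5:
        raise ValueError(f"unparseable log line: {line!r}")
    client_ip, _method, _path, status, content_type = fields
    return client_ip, int(status), content_type.strip()


def response_matches(rule: ScrapingRule, status: int, content_type: str) -> bool:
    """True when both the status code and the Content-Type prefix match the rule."""
    return status == rule.status_code and content_type.lower().startswith(rule.content_type.lower())


def detect_scrapers(lines: Iterable[str], rule: ScrapingRule) -> Dict[str, Tuple[int, int, bool]]:
    """Return {client_ip: (matched, total, flagged)} for every client in the log."""
    totals: Dict[str, int] = defaultdict(int)
    matched: Dict[str, int] = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        client_ip, status, content_type = parse_log_line(line)
        totals[client_ip] += 1
        if response_matches(rule, status, content_type):
            matched[client_ip] += 1
    verdicts: Dict[str, Tuple[int, int, bool]] = {}
    for client_ip, total in totals.items():
        hits = matched[client_ip]
        share = 100.0 * hits / total
        # Both conditions must hold: enough hits in absolute terms AND a dominant share,
        # so a busy but ordinary browser (many hits, low share) is not flagged.
        flagged = hits >= rule.occurrence_limit and share > rule.match_percent
        verdicts[client_ip] = (hits, total, flagged)
    return verdicts


def flagged_clients(lines: Iterable[str], rule: ScrapingRule) -> List[str]:
    """Just the client addresses the rule would report as web scraping."""
    return sorted(ip for ip, (_hits, _total, flagged) in detect_scrapers(lines, rule).items() if flagged)


if __name__ == "__main__":
    rule = ScrapingRule(content_type="text/html", status_code=200, occurrence_limit=10, match_percent=80.0)
    for ip, (hits, total, flagged) in sorted(detect_scrapers(SAMPLE_LOG, rule).items()):
        print(f"{ip:<9} matched {hits:>2}/{total:<2} -> {'WEB SCRAPING' if flagged else 'ok'}")
```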
Firewall policy support address book
FortiADC firewall now supports address book in the policy.
Server Load Balancing
Two Factor Authentication (with FortiToken and Google Authenticator)
Two-factor authentication is a type of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors. FortiADC can use a script to do 2-step verification with FortiToken and Google Authenticator.
Health Check Enhancement
Adds a more detailed report for each health check failure log, so the customer can quickly grasp why the health check failed and what happened on the real server. Supports the CLI command “diagnose debug slb_hc_status” to show the health check status for all SLB pools.
Cloud and Automation
Cloud platform (AWS/Azure/OCI)
The BYOL FortiADC images are now listed on the AWS/Azure/OCI cloud marketplaces, and customers can deploy them through these marketplaces.
Ansible support
Ansible is an automation platform that makes your applications and systems easy to deploy. FortiADC modules allow the customer to automatically initiate or manage the configuration on any kind of FortiADC device, including physical devices and VMs in a hypervisor or cloud.
System
Export locally generated unencrypted certificate
Both encrypted and unencrypted private keys are allowed to be exported; this is necessary when the customer needs to move FortiADC-hosted HTTPS services.
Supports TLS 1.3 in SSL profiles
Supports TCP/TCP-SSL syslog server
Besides UDP-based syslog servers, FortiADC supports TCP/TCP-SSL based remote syslog servers in case the customer needs more confidentiality for the logs.
Allows global syslog server to be shared by all VDOMs
In some multiple-VDOM deployments, some non-root VDOM administrators may need to send logs to the global syslog server in case of networking issues in their VDOM. This feature allows the global syslog server to be shared among all non-root VDOMs.
Support logical topology for LLB and GSLB
Shows all the LLB group/member status and GSLB host status in a topology graph on FortiView.
SSL
Updated to OpenSSL version 1.1.1
Hardware
FortiADC supports 2 new hardware models:
• FortiADC 300F
• FortiADC 400F
For more info on the new hardware, please review the FortiADC Datasheet.
FortiADC 5.2.3
Add a “response-half-closed-request” option to HTTP/HTTPS/TCPS/RDP load-balance profile
This option allows FortiADC to serve the request and send back the response even if the client closes the output channel. In some cases, the client may close the output channel after sending the request, while still waiting for a response. If this option is disabled, FortiADC aborts and no longer serves the request once it receives notice that the client has closed the channel. This may cause clients to complain of failures.
Forward SNI to RS under ssl-forward-proxy mode
In an SSL forward deployment, the second ADC (HTTP->HTTPS) may not forward any SNI to the backend real server, causing failures for some servers. With this feature, if the “SNI forward flag” in the server SSL profile is enabled, it forwards the Host in the HTTP header as SNI to the real server by default. If there is no Host in the HTTP header, it forwards the ssl-sni setting as SNI to the real server.
FortiADC 5.2.2
Remove Memory Restriction on Cloud platform
The memory restriction has been removed for all BYOL VMs on AWS/GCP/Azure/OCI/Aliyun cloud platforms.
PROXY protocol
Supports the PROXY protocol for HTTP/HTTPS virtual servers, to pass original client information, such as the client IP address, to the backend proxies or servers. See the PROXY protocol reference.
FortiADC 5.2.1
Security
Fortinet Security Fabric support
The Fortinet Security Fabric delivers broad protection and visibility to every network segment, device, and appliance, whether virtual, in the cloud, or on-premises.
After adding FortiADC to the Security Fabric, it shows real-time visibility of FortiADC, including virtual server status and various statistics.
Web Cache Communication Protocol (WCCP) support
The Web Cache Communication Protocol (WCCP) allows a server enabled for transparent redirection to discover, verify, and advertise connectivity to one or more web caches. You can configure FortiADC as a WCCP server to redirect HTTP/HTTPS VS traffic to a third-party device for caching or further security inspection.
Global Load Balance
DNS notification and zone transfer
Allows the FortiADC DNS service to send zone notifications to secondary servers, and also to receive and process incoming zone transfer messages from secondary servers.
Public/private IP support for SLB server behind NAT
Customers can provide a public IP address for the GLB-discovered virtual server address, which is necessary for deployments whose server is behind NAT.
Allow multiple PTR DNS Resource Records with the same IP address
Service Load Balance
Radius Change of Authorization (CoA) message support
The RADIUS Change of Authorization (CoA), defined in RFC 5176, provides a mechanism to dynamically change the attributes of an AAA session after the user or device is authenticated. With this feature, FortiADC can process CoA messages from an external RADIUS server and send the traffic to the right dynamic authorization server through persistence.
System
CRLDP authentication protocol (RFC 5280) support
Certificate Revocation List Distribution Point (CRLDP) defines how to get a CRL file from a distribution point, which is an LDAP URI or HTTP/HTTPS URL, to verify the client certificate.
Download CRL file from LDAP server
Support multiple CRL files for a single certificate verification object
Log reporting enhancement for more virtual server statistics
Collects statistics such as RPS, CPS, transaction latency, session duration, and throughput per virtual server/real server, and generates reports including these metrics.
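For the PROXY protocol support listed under FortiADC 5.2.2 above, here is an added example (not FortiADC's code) of what the receiving real server has to do with the header: parse the v1 text form and, as the security-relevant point, honour it only when the connection comes from the load balancer's own address, since anyone else who can reach the backend port could otherwise forge the "original client IP". The addresses (10.0.0.1 as the FortiADC side, 192.0.2.10 as the client) are constructed.

```python
"""Backend-side handling of the PROXY protocol v1 header that a load balancer
such as FortiADC (5.2.2 and later) can prepend when forwarding to a real server.
Added example, not FortiADC's code. The header is plain text, so a backend
must accept it only from trusted proxy addresses; otherwise the client IP it
logs or enforces access control on becomes attacker-controlled."""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# The PROXY protocol spec bounds a v1 header, including the trailing CRLF, at 107 bytes.
MAX_V1_HEADER = 107


class ProxyHeaderError(ValueError):
    """Malformed or missing PROXY v1 header."""


def parse_proxy_v1(data: bytes) -> Tuple[Optional[Dict[str, object]], bytes]:
    """Split a v1 header off the start of `data`.

    Returns (info, payload). info is None for "PROXY UNKNOWN", which the spec
    uses when the proxy has no usable client address; the payload still follows."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    line, payload = data[:end], data[end + 2:]
    parts = line.split(b" ")
    if parts[0] != b"PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    if len(parts) >= 2 and parts[1] == b"UNKNOWN":
        return None, payload  # anything after UNKNOWN up to CRLF is ignored per spec
    if len(parts) != 6:
        raise ProxyHeaderError("expected: PROXY <proto> <src> <dst> <sport> <dport>")
    proto = parts[1].decode("ascii", "replace")
    if proto not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"unsupported protocol {proto!r}")
    want_version = 4 if proto == "TCP4" else 6
    try:
        src = ipaddress.ip_address(parts[2].decode("ascii"))
        dst = ipaddress.ip_address(parts[3].decode("ascii"))
        sport, dport = int(parts[4]), int(parts[5])
    except (UnicodeDecodeError, ValueError) as exc:
        raise ProxyHeaderError(f"bad address or port: {exc}") from exc
    if src.version != want_version or dst.version != want_version:
        raise ProxyHeaderError("address family does not match the declared protocol")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    info: Dict[str, object] = {"proto": proto, "src": str(src), "src_port": sport,
                               "dst": str(dst), "dst_port": dport}
    return info, payload


def is_valid_v1(data: bytes) -> bool:
    """Accept/reject convenience wrapper around parse_proxy_v1."""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyHeaderError:
        return False


def resolve_client(peer_ip: str, data: bytes, trusted_proxies: Iterable[str]) -> Tuple[str, bytes]:
    """Decide which address to treat as the client for this connection.

    Only a TCP peer in `trusted_proxies` (e.g. the FortiADC address that fronts
    this server) may rewrite the client identity; from anyone else the bytes are
    returned untouched as ordinary payload and the peer itself is the client."""
    trusted = {ipaddress.ip_address(ip) for ip in trusted_proxies}
    if ipaddress.ip_address(peer_ip) not in trusted:
        return peer_ip, data
    info, payload = parse_proxy_v1(data)
    if info is None:
        return peer_ip, payload
    return str(info["src"]), payload


if __name__ == "__main__":
    # Constructed connection: FortiADC at 10.0.0.1 relays a client at 192.0.2.10.
    wire = b"PROXY TCP4 192.0.2.10 10.0.0.20 51234 443\r\nGET / HTTP/1.1\r\n"
    print(resolve_client("10.0.0.1", wire, ["10.0.0.1"]))       # ('192.0.2.10', b'GET / HTTP/1.1\r\n')
    print(resolve_client("198.51.100.7", wire, ["10.0.0.1"]))   # untrusted peer: header not honoured
```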
Traffic log browser GUI redesign
Usually, if you enable traffic logging, there is a huge volume of traffic logs. In this situation, browsing or filtering the traffic log is much too slow; with this feature, the traffic log browser page has been redesigned to show and locate logs quickly.
FortiADC 5.2.0
Server Load Balance
L2 TCP/UDP/IP VS support content routing
Supports specific routing (schedule pool, persistence, method) by source address
L7 FTP VS with FULLNAT/DNAT/Transparent mode support
Oracle DB health check support on VM platforms
Dynamic Load method enhancement
Prior to 5.2.0, all connections were cleared if an RS was detected to be exceeding the threshold; now, when an RS exceeds the threshold, the old connections are kept while no new connections are dispatched to it.
Fully ADFS proxy replacement
The ADFS Proxy is a service that brokers a connection between external users and internal ADFS servers, also called a Web Application Proxy (WAP). More and more ADFS deployments require the proxy to support MS-ADFSPIP (ADFS Proxy Integration Protocol), which involves client certificate authentication between proxy and ADFS, trust establishment, header injection, and more. FortiADC from 5.2.0 supports MS-ADFSPIP.
SIP VS enhancement:
Global Load Balance
New dispatch method by server CPU/Memory usage
The "Server-Performance" method dynamically dispatches the DNS request to the server with the lowest CPU/Memory usage.
Security
Web Vulnerability Scanner report enhancement
JSON schema validation support
JSON Schema provides a contract for what JSON data is required for a given application and how to interact with it. This feature supports uploading a JSON schema to validate JSON data, just like the XML validation that was already available.
IP Reputation block list support
It is now possible to upload a list of IPs or CIDRs to the IP reputation block list, then block them by enabling "IP reputation" in the Application Profile for the VS.
Antivirus quarantine monitor page on GUI
New function to show/delete quarantined files on FortiADC through the GUI (Network Security -> Quarantine Monitor)
All certificate private key files on the ADC are now encrypted for more security
Dynamic TLS record sizing support to improve SSL latency and throughput
GEO support for more accurate province
System
AWS/GCP/Azure/Aliyun BYOL VM support
Now supports uploading and deploying VM images on these public cloud platforms; you can easily extend existing FortiADC services to the cloud.
HA failover enhancement to avoid unnecessary switchover after the secondary (former primary) returns
In HA AP scenarios, the secondary device becomes primary if the primary device goes down, but after the former primary comes back there is a new switchover (the former primary takes the primary role, and the current primary, the former secondary, switches back to secondary). This switchover is unnecessary and may impact traffic, so the enhancement avoids the switchover after the former primary comes back.
Debug enhancement: collect all debug information and download it through the GUI
Previously, in order to submit information to Help Support, the customer needed to gather files from different places; now, this debug enhancement automatically collects all necessary debug information into one file, so it is easier to submit to Help Support.
Support to upload/download a file to/from FortiADC by GUI
Support FortiADC Manager
FortiADC Manager is a central management tool to manage all the FortiADC devices in your network, providing visibility and the ability to create/edit server load balance configurations for all FortiADC devices.
Upgrade kernel to latest version
Support “| grep <filter-string>” to filter the output on CLI
FortiADC 5.1.0
Integration with Oracle Cloud Infrastructure (OCI)
Oracle Cloud Infrastructure Compute provides bare metal compute capacity that delivers performance, flexibility, and control without compromise. It is powered by Oracle’s next generation, internet-scale infrastructure designed to help you develop and run your most demanding applications and workloads in the cloud. This release comes with the FortiADC image (BYOL) on Oracle OCI, which provides FortiADC's complete feature set, including but not limited to the following:
See the deployment guide for more information.
FortiADC Connector for Cisco ACI
FortiADC Connector for Cisco ACI (Application Centric Infrastructure) is the Fortinet solution that provides seamless integration between Fortinet Application Delivery Controller (FortiADC) deployments and the Cisco APIC (Application Policy Infrastructure Controller). This integration allows customers to perform FortiADC configuration and management operations from a single point through Cisco APIC. See the release notes for more information.
Amazon Elastic Compute Cloud
Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. See the deployment guide for more information.
Application Load Balancing
Health check script
FortiADC now provides a UDP stateless mode, allowing you to perform load balancing without attempting to match the packet to a pre-existing connection in the connection table. This feature is especially useful when load balancing syslog servers (FortiAnalyzer).
LDAP/RADIUS connectivity check
Provides an authentication validation option, to verify that the configured credentials are correct and authentication is successful.
LLB traffic log support
Global Load Balancing
Auto Sync GLB
Support for auto sync when new virtual servers are added.
New predefined objects for GLB Configuration
FortiADC now provides a wizard (three-step procedure) to create GLB configurations.
GLB Data Analytics
Networking
No-NAT configuration
Support for the no-NAT option (usually when using the LLB/FWLB feature).
GUI enhancements
FortiView enhancement
FortiADC introduces a new WebUI theme and enhancements to FortiView, including new logs.
New Web UI Theme
New Dashboard template
New design and improvements
Security
Web Vulnerability Scanner
The Web Application Vulnerability Scanner is an automated tool which performs black box tests on web applications to look for security vulnerabilities, such as cross-site scripting, SQL injection, command injection, source code disclosure, and insecure server configuration. FortiADC now supports a variety of web frameworks and mixed-technology sites, such as
FortiADC AV now supports HTTP/HTTPS and SMTP scanning protection.
WAF HTTP/HTML Decoder
FortiADC now supports several basic decoders to parse the HTTP body for the Web Application Firewall. They include, but are not limited to, the following:
System
SSL Update to OpenSSL version 1.1.0
OCSP stapling tunneling to an HTTP proxy server
Support HA for BGP/OSPF route injection
Support add/delete interface inside VDOM directly
FortiADC 5.0.2
FortiADC 5.0.2 offers the following new features and enhancements:
FortiADC 5.0.1
FortiADC 5.0.1 offers the following new features and enhancements:
FortiADC 5.0.0
FortiADC 5.0.0 offers the following new features and enhancements:
Security Fabric
Management, GUI, and Logs
Predefined scripts
Scripts
Web Application Firewall (WAF)
SSL
System
Note: Below is the maximum number of files per minute that can be uploaded to (Undefined variable: FortinetVariables.ProductName20) Cloud, by FortiADC platform:
FortiADC 4.8.4
FortiADC 4.8.4 is mainly a patch release, with the following feature enhancements:
FortiADC 4.8.3
FortiADC 4.8.3 is a patch release only; no new feature or enhancement has been implemented in this release.
FortiADC 4.8.2
FortiADC 4.8.2 is a patch release only; no new feature or enhancement has been implemented in this release.
FortiADC 4.8.1
Management
FortiView—provides real-time and historical traffic data from log devices by source, domain, destination, threat map, RTT, and application health check. You can filter the data by a variety of attributes, as well as by device and time period.
Server load-balancing (SLB)
Global load-balancing (GLB)
System
New hardware platform
FortiADC 4.8.0
Management
Server Load Balance (SLB)
Web Application Firewall (WAF)
Global Load Balance (GLB)
System
New Hardware Platform
FortiADC 4.7.3
FortiADC 4.7.3 is a patch release only; no new feature or enhancement has been implemented in this release.
FortiADC 4.7.2
FortiADC 4.7.2 offers the following new features or enhancements:
HSM support
Support for new hardware models
FortiADC 4.7.1
FortiADC 4.7.1 is a patch release which has fixed some known issues discovered in previous releases. No new features or enhancements have been implemented in this release. For more information, refer to the FortiADC 4.7.1 Release Notes.
FortiADC 4.7.0
Management
Server load balance (SLB)
User authentication
High availability (HA)
System
FortiADC 4.6.2
This is a patch release; no new features or enhancements are implemented. Refer to the Release Notes for details.
FortiADC 4.6.1
OpenSSL Library Upgrade
The software OpenSSL library has been upgraded to OpenSSL-1.0.2 on FortiADC appliances shipped with the Cavium SSL card, which include the following hardware models:
StartTLS
Script
FortiADC 4.6.0
Monitoring and Logs
DNS load-balancing, security, and caching
Dynamic Load-balancing algorithm
Client certificate forwarding
Script validation
Kerberos Authentication Relay
SSL/HTTP visibility (mirroring)
Virtual server port enhancement
Security Assertion Markup Language (SAML) 2.0
Enhanced Global Load Balancing (GLB) proximity methodology
HTTP/S health check
Password policy
VDOM enhancement
SNMP MIBs
FortiADC 4.5.3
OpenSSL Library Upgrade
The software OpenSSL library has been upgraded to OpenSSL-1.0.2 on FortiADC appliances shipped with the Cavium SSL card, which include the following hardware models:
FortiADC 4.5.2
Software OpenSSL library upgrade
Enhanced certificate validation
"Description" field for child records in Geo IP Allowlist
US-Government (USG) mode
FortiADC 4.5.1
Acceleration
Server Load Balancing
High Availability (HA)
Global Load Balancing
Miscellaneous
FortiADC 4.5.0
SSL offloading
Server Load Balancing
Global Load Balancing
Security
Monitoring and Logs
System
Platform
FortiADC 4.4.0
Server Load Balancing
Link Load Balancing
Global Load Balancing
Security
Monitoring and Logs
System
API
FortiADC 4.3.1
FortiADC 4.3.0
New CLI commands to facilitate troubleshooting:
For details, see the CLI reference.
FortiADC 4.2.3
FortiADC 4.2.1
Bug fixes only.
FortiADC 4.2.0
FortiADC 4.1
No design changes. Bug fixes only.
FortiADC 4.0 Patch 2
No design changes. Bug fixes only.
FortiADC 4.0 Patch 1
No design changes. Bug fixes only.
FortiADC 4.0
FortiADC 3.2.0
FortiADC 3.1.0
FortiADC 3.0.0
FortiADC 2.1.0
Support for FortiADC 200D and FortiADC VM—FortiADC software has been released to support these new platforms.