Producent oprogramowania Fortinet udostępnił najnowszą aktualizację dla produktu FortiWeb o numerze wersji 7.4.0. Zgodnie z najnowszymi wytycznymi OWASP (The Open Web Application Security Project), FortiWeb 7.4.0 dostarcza jeszcze bardziej zaawansowaną ochronę przed dziesięcioma najczęstszymi zagrożeniami dla aplikacji internetowych. Wśród nich znajdują się m.in. ataki SQL Injection, Cross-Site Scripting (XSS) czy Cross-Site Request Forgery (CSRF). Ponadto, producent dodaje nową funkcjonalność dotycząca przywracania konfiguracji bądź certyfikatów z serwera SFTP lub FTP. Więcej informacji można znaleźć w poniższym artykule.
Aktualnie wspierane modele:
- FortiWeb 100D
- FortiWeb 400C
- FortiWeb 400D
- FortiWeb 400E
- FortiWeb 600D
- FortiWeb 600E
- FortiWeb 1000D
- FortiWeb 1000E
- FortiWeb 2000E
- FortiWeb 3000D/3000DFsx
- FortiWeb 3000E
- FortiWeb 3010E
- FortiWeb 4000D
- FortiWeb 4000E
- FortiWeb 1000F
- FortiWeb 2000F
- FortiWeb 3000F
- FortiWeb 4000F
- VMware vSphere Hypervisor ESX/ESXi 4.0/4.1/5.0/5.1/5.5/6.0/6.5/6.7/7.0
- Citrix XenServer 6.2/6.5/7.1
- Open source Xen Project (Hypervisor) 4.9 and higher versions
- Microsoft Hyper-V (version 6.2 or higher, running on Windows 8 or higher, or Windows Server
2012/2016/2019/2022) - KVM (Linux kernel 2.6, 3.0, or 3.1)
- OpenStack Wallaby
- Docker Engine CE 18.09.1 or higher versions, and the equivalent Docker Engine EE versions; Ubuntu18.04.1 LTS
or higher versions - Nutanix AHV
Co nowego w 7.4.0?
- Continuous learning in ML based API Protection
ML-based API protection now incorporates continuous adjustment of its API learning models to adapt to changes in the
API schema. This includes scenarios such as the introduction of new APIs, modifications to existing parameters, etc. - Automation
You can configure FortiWeb to automatically take actions (run CLI commands or send email notification) when certain
event log occurs. Set the trigger and action in Security Fabric > Automation.
- OWASP Top10 Compliance dashboard
We have introduced the OWASP Top10 Compliance monitor in Dashboard.
l It measures your compliance rate against the OWASP Application Security Top10.
l It analyzes the security configuration of every application and breaks down the Top10 categories to provide
information on which requirements have been addressed and which haven’t.
l It allows you to assess the effectiveness of your security policies and identify gaps
- FortiWeb Kubernetes Ingress Controller
FortiWeb Ingress Controller fulfills the Kubernetes Ingress resources and allows you to automatically update FortiWeb
objects from Kubernetes.
- gRPC protocol constraints
FortiWeb now provides enhanced security measures for gRPC API traffic, offering a range of protection controls,
including signature scanning, rate limiting, and size limiting.
- OICD authentication support
FortiWeb now supports the integration of OAuth authorization with OIDC (OpenID Connect) to facilitate user identity
verification. This enhancement allows you to leverage OIDC for a more secure user authorization and authentication
process.
- FortiView Log Analysis
A new FortiView monitor named Log Analysis is introduced. It assists in making decisions to add exception rules to
avoid false positives. The Log Analysis feature summarizes the common characteristics of specific attack log categories.
For instance, it displays the HTTP methods, request URLs, and locations of the SQL injections violations.
- X-Forwarded-For header enhancement
Now you have the ability to specify the location where the IP address will be added within the X-Forwarded-For
header. Additionally, you can delete or merge the previous X-Forwarded-For headers as needed.
- Default Domain Prefix support for NTLM delegation method
When using NTLM delegation method, it’s now allowed to specify the default domain prefix so that users can log in
without entering domain name.
- CRL validation enhancement
You now have the option to allow the use of previously retrieved Certificate Revocation Lists (CRLs) in situations where
the current CRL distribution point retrievals fail, are pending, or if you want to manually upload a CRL file.
config system certificate verify
set crl-allow-expired enable
end
We highly recommend enabling it as a temporary solution only when the CRL has expired. Ideally, we strongly suggest
using the most up-to-date CRL file at all times to ensure that the client with revoked certificates can be promptly blocked.
- SSO login with FortiCloud accounts
It’s now supported to use FortiCloud accounts to access FortiWeb.
When Allow administrative login using FortiCloud SSO in System > Admin > Settings is enabled, users will see
the Sign in with FortiCloud button on FortiWeb’s login page.
Rozwiązane problemy:
| Bug ID | Description |
|---|---|
| 0929539 | Lua Scripting for HTTP response code doesn’t work as expected. Runtime error occurs for response codes that are not defined in the Lua scripts. |
| 0927751 | The configuration file is quite large in size. |
| 0926793 | Trouble communicating with VIP on firmware version 7.2.3. |
| 0925110 | Unable to view HA Statistics. |
| 0924264 | MiTB username and password fields are not being obfuscated or encrypted. |
| 0923395 | Configuration discrepencies observed during upgrade testing after upgrading the firmware from 6.3.18 to version 7.0.6. |
| 0921257 | FortiWeb cannot block command injection attacks in multiform/multipart requests |
| 0920806 | Only 3 logs/second are sent to syslog server |
| 0919486 | Attack log’s raw body related to web socket displays the body data masked. |
| 0919051 | FortiWeb cannot block some chunk-encoded attacks. |
| 0916421 | The mlapi_daemon keeps crashing. |
| 0914297 | The LACP interface selected in 'monitor’ HA option is not precessing traffic after failover |
| 0913936 | Changes in custom policy Simple String option detection from version 6.3.9 to version 7.0.6. |
| 0912149 | The reCaptcha fails for Bot Mitigation Policy. |
| 0910676 | Radius Admin cannot access config global via CLI v7.2.2 |
| 0910629 | Read-Write permissions for machine learning configuration doesn’t apply. |
| 0909901 | No return code in traffic logs. |
| 0907843 | Proxyd crashes unexpected. |
| 0905844 | Proxyd crashes due to unknown memory overwrite – File upload issue. |
| 0904830 | Unexpectedly Eicar file is not detected. |
| 0891711 | Customer requires add ’.tsv’ file to an exempt. |
| 0889598 | The Captcha enforcement challenge code behavior is not right. |
| 0886380 | Unable to import configuration and Redis error on VM’s console |
| 0883423 | Should be able to deploy FortiWeb KVM with 2 disks 'boot.qcow’ and 'log.qcow’. |
| 0880067 | The proxyd crashes on /fwdev2//lib/libc.so.6. |
| 0873426 | The monitor interval of the root directory should be equal to or less than the monitor interval of the others. If the monitor interval of the root directory is larger than the monitor interval of the others, these two configurations will be reset to default values after FortiWeb is upgraded to 7.4.0. |
| 0867733 | Abuse JSON-Based SQL to bypass FortiWeb. |
| 0839559 | Persistence works only for 30 seconds when traffic is routed through the Cloudflare DDOS solution. |
| 0834045 | FortiWeb allows configuration of overlapping IP addresses on more than one interface when different subnet mask is used. |
| 0826542 | Observing „Cookie Signed Verification Failed” error when client presents the valid cookie. |
| 0812881 | The SQL/XSS Syntax Based attack Pattern is not encountered in attack log. |
| 0758541 | Static initialization vectors occurs in file encryption. |
| 0739647 | Parameter Validation does not block the Request as expected |
Notatki producenta: FortiWeb 7.4.0
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie
