Fortinet opublikował aktualizację oprogramowania dla FortiWeb. Nowa wersja 7.2.1 dostarcza kilkanaście nowych funkcjonalności bądź ulepszeń obecnych, między innymi: udoskonalenie reguł niestandardowych, ulepszenie ochrony JSON, ulepszenie autoryzacji OAuth, ulepszono algorytm równoważenia obciążenia o możliwość działania w oparciu o najmniejszy czas odpowiedzi, ulepszono synchronizację informacji o wynikach health check, oraz wiele innych. Ponadto FortiWeb 7.2.1 nie jest już podatny na CWE-Reference: CWE-79. oraz CWE-Reference: CWE-329. Więcej informacji w artykule!
Aktualnie wspierane modele:
- FortiWeb 100D
- FortiWeb 400C
- FortiWeb 400D
- FortiWeb 400
- FortiWeb 600D
- FortiWeb 600E
- FortiWeb 1000D
- FortiWeb 1000E
- FortiWeb 2000E
- FortiWeb 3000D/3000DFsx
- FortiWeb 3000E
- FortiWeb 3010E
- FortiWeb 4000D
- FortiWeb 4000E
- FortiWeb 100E
- FortiWeb 1000F
- FortiWeb 2000F
- FortiWeb 3000F
- FortiWeb 4000F
Nowości w 7.2.1:
- Custom rule enhancements
HTTP Methods scan is moved out of the HTTP headers filter to stand out as a separate filter. More HTTP method
types are supported including WEBDAV,RPC, and OTHERS.
l To target the inspection point more accurately in parameter filter, it’s now supported to scan the parameters located
only in URL or the HTTP body.
- Reverse DNS lookup timeout setting in URL Access rules
To avoid the process hanging for a long time, you can now set a timeout value to limit the reverse DNS lookup time in
URL Access rule.
- IP groups
You can now create IP groups in Server Objects > IP Groups then reference them in modules where it requires to
specify IP addresses or IP ranges. IP Groups is supported in IP Protection > IP List and will be introduced in other
modules in future releases.
- LUA script update
A new predefined Lua script „SSL_COMMANDS” is added. The newly supported SSL commands can be used to
retrieve information about the SSL handshake such as SNI status, the SSL ciphers, certificate verification status, etc.
- JSON Protection enhancements
l You can now choose the JSON schema version for the system to check if the uploaded JSON schema file is valid
against the specified version.
l Multiple JSON schemas can now be added in one group and be referenced in JSON Protection rules.
- Support defining „format” for „string” type in OpenAPI file
In OpenAPI file, for the optional modifier property „format” of the „string” type, you can define it as „email” (rfc5322) or
„uuid” (rfc4122).
For example:
id:
type: string
format: uuid
work-email:
type: string
format: email
We accept „email”, „Email”, and „EMAIL”; „uuid” and „UUID”. They are case sensitive, so do not use strings other than
them. For example, UuID is not accepted.
- HTTP header insertion in URL rewrite rule
It’s now supported to insert more than one HTTP headers when rewriting an URL. Configure it in Application Delivery >
URL Rewriting.
- Host and peer verification in Fetch URL & Quarantine IP
Fetch URL & Quarantine IP can now establish HTTPS connection with FortiGuard or back-end servers and verify the
TLS certificates. Configure in System > Config > FortiGate Integration and Web Protection > Input Validation >
Hidden Fields.
- Validating server certificate when connecting with FortiClient EMS
You can now configure FortiWeb to validate the server certificate when connecting with FortiClient EMS. Enable Server
Certificate for the FortiClient EMS fabric connector (System > Fabric Connector).
- OAuth Authorization enhancement
It’s now supported to do strict TLS verification even with a custom CA certificate to check the TLS traffic between
FortiWeb and the third party OAuth authorization servers.
- Least response time load balancing algorithm
The back-end server load balancing algorithm now supports Least Response Time and Probabilistic Weighted Least
Response Time. It can distribute the incoming traffic to the server with the shortest average response time and the
lowest number of connections, thus making the client connect to the most efficient back-end server.
- Request redirection
-
- Requests with a naked domain can now be redirected to “www” domain.
- The status code for redirecting HTTP to HTTPS is changed from 301 to 302.
- Health check result synchronization
In certain case when different server pools sharing the same IP address it’s unnecessary to perform health check to all the server pools.
Use the following command to share the health check result across multiple server pools.
config server-policy health
edit „”
set group-id <int>
set role {master | slave}
next
end
With this command, you can create several health checks with the same group-id, assigning master role to one of them while the slave role to the rest. Health check result is automatically pushed from the master to the slave.
- Shell access enhancements
-
- It’s now supported to view the history of commands executed in Shell. Run diagnose debug shell-access
history show. - To ensure the security of Shell access, you can now restrict the access only from trusted hosts.
Run the following commands to set the history size and specify trusted hosts.config system global
set shell-access enable
set shell-history-size <int>
set shell-trusthostv4 <IPv4_address_range>
set shell-trusthostv6 <IPv6_address_range>
end
- It’s now supported to view the history of commands executed in Shell. Run diagnose debug shell-access
- Replacement Message enhancement
%%USERNAME%% and %%RAWNAME%% are introduced in the Replacement Message so that you can configure FortiWeb
to display different format of usernames such as „username@abc.com” or „username”.
- RFC-9719 Comply
RFC-9719 TLS security can now be applied to both inbound or outbound HTTPS connections with FortiWeb. Configure
in Server Pool and Server Policy.
For more information, see Defining your web servers and Configuring an HTTP server policy.
- Up to 4096 bits key size supported for Let’s Encrypt certificates
RSA algorithm with different key length can be implemented and accepted by the Let’s Encrypt Server. Those key sizes
are 2048, 3072, and 4096 bits. Please note that larger keys consume more computing resources, however, achieve
better security.
- Support forwarding logs to ELK
Attack and traffic packet logs can now be sent to syslog servers in JSON format through TCP or TLS protocol. Configure
it in Log&Report > Log Policy > Syslog Policy.
- RBE attack log enhancement
The HTTP host and URL are now revealed in the RBE (including RBE, CAPTCHA, and reCAPTCHA) attack logs to
better help with troubleshooting.
- Support updating the URL of Google reCAPTCHA service
It’s now supported to edit the URL of Google reCAPTCHA service so that you can update it in time when Google
changes it.
- Restrict ADOM admin permissions to VIPs
Global administrators can create, edit, and delete VIPs, while ADOM administrators can now only view the VIPs
assigned to their ADOM.
Rozwiązane problemy:
| Bug ID | Description |
|---|---|
| 0889174 | Non-standard location in XML WSDL file causes High CPU issue. |
| 0885080 | FortiWeb cannot connect with FortiWeb Cloud on Hardware platforms for Threat Analytics. |
| 0880314 | The interface name contains illegal characters, which causes the interface name modification to fail, and the previously created VLAN interface is not deleted successfully. |
| 0872030 | Should implement debug enhancement to avoid traffic outage. |
| 0868363 | The SCEP type in CRL cannot work properly. |
| 0867454 | If there are multiple wildcard admins and the first one can’t match ldap, accessing the RESTful API will get 401 unauthorized error |
| 0834665 | When there is a delay between sending the request header and body, the raw body cannot be displayed in the package log. |
| 0886420/0883069/ 0883889/0880771/ 0883446 |
Proxyd crashes when there are multiple GEO IP Exception Rules |
| 0886039 | proxyd crashes when processing early data traffic. |
| 0883939 | Wrong memory calculation method results in a problem with the number of VDOMs. |
| 0883734/0871074 | License are not valid when upgrading to 7.2.0 due to anycast FDN server connection is not stable. |
| 0881709 | In Transparent Inspection mode, attacks are detected but not blocked (no RST sent). |
| 0876993 | When the length of the request and response is greater than 1024 and the response is chunked and gzipped, the page cannot be loaded correctly. |
| 0875424 | The process confd_sync leads to high memory usage. |
| 0871054 | There is a semaphore leak in httpsd. FortiWeb’s GUI can’t be accessed when httpsd daemon has restarted several times. |
| 0870313 | FortiWeb does not show new logs on GUI until the process logd is killed. |
| 0865939 | FortiView Server Policies page does not show destination sessions. |
| 0853027 | If there are spaces before the Content-Disposition field, the attack detection about Apache Struts2 S2-046 can be bypassed. |
| 0846605 | ADOM-Admin can see/edit other ADOMS VIPs. |
| 0830926 | OpenAPI schema cannot detect format UUID and email type. |
| 0880088 | When a wildcard user log in to FortiWeb then access the page “HA Topology”, it causes the user’s session to be logged out. |
| 0871156 | Microsoft Software Installer(.msi) can’t be recognized in File Security. |
| 0869393 | In Signature Management page, the signature description is cut off in Firefox. |
| 0868779 | Under certain conditions, FortiWeb treats the internal JS request as an ordinary traffic, resulting in CSRF not working properly. |
| 0843810 | Client „End to End Timing” displays incorrect RTT value under Dashboard > Policy Status. |
| 0858695 | FortiWeb 7.2.1 is no longer vulnerable to the following CWE-Reference: CWE-79. |
| 0745694 | FortiWeb 7.2.1 is no longer vulnerable to the following CWE-Reference: CWE329. |
Znane problemy:
| Bug ID | Description |
|---|---|
| 0839559 | Persistence works only for 30 seconds when traffic is routed through the CloudFlare DDOS solution. |
| 0858695 | FortiWeb is vulnerable to Cross-site Scripting (XSS) attack due to an improper neutralization of input during the HTML report generation. |
Notatki producenta: FortiWeb 7.2.1
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie