B&B Bezpieczeństwo w biznesie

Fortinet has released a software update for FortiWeb. The new version 7.2.1 delivers more than a dozen new features or improvements to existing ones, among them: custom rule enhancements, improved JSON protection, improved OAuth authorization, a load balancing algorithm that can now select servers by least response time, improved synchronization of health check results, and many more. In addition, FortiWeb 7.2.1 is no longer vulnerable to CWE-79 and CWE-329. More information in the article!

Currently supported models:

  • FortiWeb 100D
  • FortiWeb 400C
  • FortiWeb 400D
  • FortiWeb 400
  • FortiWeb 600D
  • FortiWeb 600E
  • FortiWeb 1000D
  • FortiWeb 1000E
  • FortiWeb 2000E
  • FortiWeb 3000D/3000DFsx
  • FortiWeb 3000E
  • FortiWeb 3010E
  • FortiWeb 4000D
  • FortiWeb 4000E
  • FortiWeb 100E
  • FortiWeb 1000F
  • FortiWeb 2000F
  • FortiWeb 3000F
  • FortiWeb 4000F

What's new in 7.2.1:

  • Custom rule enhancements

    • HTTP Methods scan is moved out of the HTTP headers filter to stand out as a separate filter. More HTTP method types are supported, including WEBDAV, RPC, and OTHERS.
    • To target the inspection point more accurately in the parameter filter, it's now supported to scan only the parameters located in the URL or only those in the HTTP body.

  • Reverse DNS lookup timeout setting in URL Access rules

To avoid the process hanging for a long time, you can now set a timeout value to limit the reverse DNS lookup time in
URL Access rule.

  • IP groups

You can now create IP groups in Server Objects > IP Groups and then reference them in modules that require you to specify IP addresses or IP ranges. IP Groups are supported in IP Protection > IP List and will be introduced in other modules in future releases.

  • LUA script update

A new predefined Lua script "SSL_COMMANDS" is added. The newly supported SSL commands can be used to retrieve information about the SSL handshake such as SNI status, the SSL ciphers, certificate verification status, etc.

  • JSON Protection enhancements

    • You can now choose the JSON schema version, so that the system checks whether the uploaded JSON schema file is valid against the specified version.
    • Multiple JSON schemas can now be added to one group and referenced in JSON Protection rules.

  • Support defining "format" for "string" type in OpenAPI file

In an OpenAPI file, for the optional modifier property "format" of the "string" type, you can define it as "email" (RFC 5322) or "uuid" (RFC 4122).

For example:

  id:
    type: string
    format: uuid
  work-email:
    type: string
    format: email

We accept "email", "Email", and "EMAIL"; "uuid" and "UUID". They are case sensitive, so do not use strings other than these. For example, UuID is not accepted.
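To make the accepted spellings and the two value formats concrete, here is an added Python example (not FortiWeb code) that validates a JSON body against a constructed schema built from the two properties above; the exact-match format table follows the release notes, while the UUID and e-mail patterns are assumed simplifications of RFC 4122 and RFC 5322.

```python
import re

# Constructed example schema mirroring the two properties shown in the release notes.
SCHEMA = {
    "id": {"type": "string", "format": "uuid"},
    "work-email": {"type": "string", "format": "email"},
}

# Spellings of "format" accepted by FortiWeb 7.2.1 per the release notes; matching is
# exact, so a token such as "UuID" is rejected rather than silently ignored.
ACCEPTED_FORMATS = {
    "email": {"email", "Email", "EMAIL"},
    "uuid": {"uuid", "UUID"},
}

# Assumed checks: hyphenated 8-4-4-4-12 hex form for RFC 4122 UUIDs and a simple
# local-part@domain shape for RFC 5322 addresses (the full RFC 5322 grammar is larger).
_UUID_RE = re.compile(r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def canonical_format(token):
    """Map a schema 'format' token to 'email' or 'uuid'; None if the spelling is not accepted."""
    for canon, spellings in ACCEPTED_FORMATS.items():
        if token in spellings:
            return canon
    return None


def value_matches(canon, value):
    """Check one string value against the canonical format."""
    pattern = _UUID_RE if canon == "uuid" else _EMAIL_RE
    return isinstance(value, str) and pattern.match(value) is not None


def validate_body(schema, body):
    """Return a list of violations for a JSON body against the schema; empty means it passes."""
    violations = []
    for name, prop in schema.items():
        if prop.get("type") != "string" or "format" not in prop:
            continue  # only 'string' properties carry the optional 'format' modifier
        canon = canonical_format(prop["format"])
        if canon is None:
            violations.append(f"{name}: unsupported format token {prop['format']!r}")
        elif name not in body:
            violations.append(f"{name}: missing")
        elif not value_matches(canon, body[name]):
            violations.append(f"{name}: {body[name]!r} is not a valid {canon}")
    return violations
```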

  • HTTP header insertion in URL rewrite rule

It's now supported to insert more than one HTTP header when rewriting a URL. Configure it in Application Delivery > URL Rewriting.

  • Host and peer verification in Fetch URL & Quarantine IP

Fetch URL & Quarantine IP can now establish HTTPS connection with FortiGuard or back-end servers and verify the
TLS certificates. Configure in System > Config > FortiGate Integration and Web Protection > Input Validation >
Hidden Fields.

  • Validating server certificate when connecting with FortiClient EMS

You can now configure FortiWeb to validate the server certificate when connecting with FortiClient EMS. Enable Server
Certificate for the FortiClient EMS fabric connector (System > Fabric Connector).

  • OAuth Authorization enhancement

It’s now supported to do strict TLS verification even with a custom CA certificate to check the TLS traffic between
FortiWeb and the third party OAuth authorization servers.

  • Least response time load balancing algorithm

The back-end server load balancing algorithm now supports Least Response Time and Probabilistic Weighted Least Response Time. It distributes incoming traffic to the server with the shortest average response time and the lowest number of connections, so that the client is connected to the most efficient back-end server.
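As an added illustration of the two selection strategies named above (example code, not FortiWeb's implementation), the following Python models a pool of constructed back-end servers: the deterministic pick uses shortest average response time with fewest open connections as the tie-breaker, and the probabilistic variant draws a server in proportion to an assumed inverse weighting of those same two measurements.

```python
import random
from dataclasses import dataclass, field


@dataclass
class BackendServer:
    """Constructed view of one pool member: open connections and recent response times (ms)."""
    name: str
    connections: int = 0
    response_ms: list = field(default_factory=list)

    def avg_response_ms(self):
        return sum(self.response_ms) / len(self.response_ms) if self.response_ms else 0.0


def least_response_time(servers):
    """Deterministic pick: shortest average response time, then fewest open connections."""
    return min(servers, key=lambda s: (s.avg_response_ms(), s.connections))


def weights(servers):
    """Assumed weighting for the probabilistic variant: a server is favoured in inverse
    proportion to its average response time and its open connections (each +1 so an idle
    or not-yet-measured server never causes a division by zero)."""
    return [1.0 / ((s.avg_response_ms() + 1.0) * (s.connections + 1)) for s in servers]


def probabilistic_weighted_least_response_time(servers, rng=random.random):
    """Randomised pick in proportion to the weights above, so the fastest server gets the
    largest share of new connections without starving the others."""
    w = weights(servers)
    r = rng() * sum(w)
    for server, share in zip(servers, w):
        r -= share
        if r <= 0:
            return server
    return servers[-1]  # guards against floating-point rounding leaving r slightly > 0


if __name__ == "__main__":
    pool = [
        BackendServer("web1", connections=12, response_ms=[40, 45, 50]),
        BackendServer("web2", connections=3, response_ms=[20, 25, 30]),
        BackendServer("web3", connections=0, response_ms=[20, 25, 30]),
    ]
    print(least_response_time(pool).name)  # web3: same average as web2, fewer connections
    picks = [probabilistic_weighted_least_response_time(pool).name for _ in range(10000)]
    print({n: picks.count(n) for n in ("web1", "web2", "web3")})
```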

  • Request redirection
    1. Requests with a naked domain can now be redirected to “www” domain.
    2. The status code for redirecting HTTP to HTTPS is changed from 301 to 302.
  • Health check result synchronization

In certain cases, when different server pools share the same IP address, it's unnecessary to perform the health check on every one of the server pools.

Use the following command to share the health check result across multiple server pools.

  config server-policy health
    edit "<name>"
      set group-id <int>
      set role {master | slave}
    next
  end

With this command, you can create several health checks with the same group-id, assigning the master role to one of them and the slave role to the rest. The health check result is automatically pushed from the master to the slaves.

  • Shell access enhancements
    1. It's now supported to view the history of commands executed in Shell. Run:

         diagnose debug shell-access history show

    2. To ensure the security of Shell access, you can now restrict the access to trusted hosts only. Run the following commands to set the history size and specify trusted hosts:

         config system global
           set shell-access enable
           set shell-history-size <int>
           set shell-trusthostv4 <IPv4_address_range>
           set shell-trusthostv6 <IPv6_address_range>
         end

  • Replacement Message enhancement

%%USERNAME%% and %%RAWNAME%% are introduced in the Replacement Message so that you can configure FortiWeb to display different formats of usernames, such as "username@abc.com" or "username".

  • RFC-9719 Comply

RFC-9719 TLS security can now be applied to both inbound or outbound HTTPS connections with FortiWeb. Configure
in Server Pool and Server Policy.
For more information, see Defining your web servers and Configuring an HTTP server policy.

  • Up to 4096 bits key size supported for Let’s Encrypt certificates

RSA keys of different lengths can be generated and are accepted by the Let's Encrypt server: 2048, 3072, and 4096 bits. Note that larger keys consume more computing resources but provide better security.

  • Support forwarding logs to ELK

Attack and traffic packet logs can now be sent to syslog servers in JSON format through TCP or TLS protocol. Configure
it in Log&Report > Log Policy > Syslog Policy.

  • RBE attack log enhancement

The HTTP host and URL are now revealed in the RBE (including RBE, CAPTCHA, and reCAPTCHA) attack logs to
better help with troubleshooting.

  • Support updating the URL of Google reCAPTCHA service

It’s now supported to edit the URL of Google reCAPTCHA service so that you can update it in time when Google
changes it.

  • Restrict ADOM admin permissions to VIPs

Global administrators can create, edit, and delete VIPs, while ADOM administrators can now only view the VIPs
assigned to their ADOM.

Resolved issues:

Bug ID   Description
0889174  Non-standard location in XML WSDL file causes high CPU issue.
0885080  FortiWeb cannot connect with FortiWeb Cloud on hardware platforms for Threat Analytics.
0880314  The interface name contains illegal characters, which causes the interface name modification to fail, and the previously created VLAN interface is not deleted successfully.
0872030  Should implement debug enhancement to avoid traffic outage.
0868363  The SCEP type in CRL cannot work properly.
0867454  If there are multiple wildcard admins and the first one can't match LDAP, accessing the RESTful API gets a 401 Unauthorized error.
0834665  When there is a delay between sending the request header and body, the raw body cannot be displayed in the packet log.
0886420/0883069/0883889/0880771/0883446  Proxyd crashes when there are multiple GEO IP Exception Rules.
0886039  Proxyd crashes when processing early data traffic.
0883939  Wrong memory calculation method results in a problem with the number of VDOMs.
0883734/0871074  Licenses are not valid when upgrading to 7.2.0 because the anycast FDN server connection is not stable.
0881709  In Transparent Inspection mode, attacks are detected but not blocked (no RST sent).
0876993  When the length of the request and response is greater than 1024 and the response is chunked and gzipped, the page cannot be loaded correctly.
0875424  The process confd_sync leads to high memory usage.
0871054  There is a semaphore leak in httpsd. FortiWeb's GUI can't be accessed after the httpsd daemon has restarted several times.
0870313  FortiWeb does not show new logs in the GUI until the process logd is killed.
0865939  FortiView Server Policies page does not show destination sessions.
0853027  If there are spaces before the Content-Disposition field, the attack detection for Apache Struts2 S2-046 can be bypassed.
0846605  ADOM admins can see/edit other ADOMs' VIPs.
0830926  OpenAPI schema cannot detect format UUID and email type.
0880088  When a wildcard user logs in to FortiWeb and then accesses the page "HA Topology", the user's session is logged out.
0871156  Microsoft Software Installer (.msi) can't be recognized in File Security.
0869393  In the Signature Management page, the signature description is cut off in Firefox.
0868779  Under certain conditions, FortiWeb treats the internal JS request as ordinary traffic, resulting in CSRF protection not working properly.
0843810  Client "End to End Timing" displays an incorrect RTT value under Dashboard > Policy Status.
0858695  FortiWeb 7.2.1 is no longer vulnerable to the following CWE-Reference: CWE-79.
0745694  FortiWeb 7.2.1 is no longer vulnerable to the following CWE-Reference: CWE-329.

Known issues:

Bug ID   Description
0839559  Persistence works only for 30 seconds when traffic is routed through the CloudFlare DDoS solution.
0858695  FortiWeb is vulnerable to Cross-site Scripting (XSS) attack due to improper neutralization of input during HTML report generation.

Vendor release notes: FortiWeb 7.2.1

Best regards,

The B&B Team
Bezpieczeństwo w biznesie
