FortiProxy 7.4.3 Release Notes

Change log

Introduction

FortiProxy 7.4.3 supports upgrade from the following versions only:

• 7.2.5 or later
• 7.4.0 to 7.4.2

Refer to Deployment information on page 19 for detailed upgrade instructions.

All FortiProxy models include the following features out of the box:

Security modules

The unique FortiProxy architecture offers granular control over security, understanding user needs and enforcing Internet policy compliance with the following security modules:

• Web filtering: The web-filtering solution is designed to restrict or control the content a reader is authorized to access, delivered over the Internet using the web browser. The web rating override allows users to change the rating for a web site and control access to the site without affecting the rest of the sites in the original category.
• DNS filtering: Similar to the FortiGuard web filtering, DNS filtering allows, blocks, or monitors access to web content according to FortiGuard categories.
• Email filtering: The FortiGuard Antispam Service uses both a sender IP reputation database and a spam signature database, along with sophisticated spam filtering tools on Fortinet appliances and agents, to detect and block a wide range of spam messages. Updates to the IP reputation and spam signature databases are provided continuously by the FDN.
• CIFS filtering: CIFS UTM scanning, which includes antivirus file scanning and DLP file filtering.
• Application control: Application control technologies detect and take action against network traffic based on the application that generated the traffic.
• Inline CASB: The inline CASB security profile enables the FortiProxy to perform granular control over SaaS applications directly on policies.
• Data Leak Prevention (DLP): The FortiProxy DLP system allows you to prevent sensitive data from leaving your network.
• Antivirus: Antivirus uses a suite of integrated security technologies to protect against a variety of threats, including both known and unknown malicious codes (malware), plus Advanced Targeted Attacks (ATAs), also known as Advanced Persistent Threats (APTs).
• SSL/SSH inspection (MITM): SSL/SSH inspection helps to unlock encrypted sessions, see into encrypted packets, find threats, and block them.
• Intrusion Prevention System (IPS): IPS technology protects your network from cybercriminal attacks by actively seeking and blocking external threats before they can reach potentially vulnerable network devices.
• Zero Trust Network Access (ZTNA): ZTNA is an access control method that uses client device identification, authentication, and Zero Trust tags to provide role-based application access. It gives administrators the flexibility to manage network access for users. Access to applications is granted only after device verification, authenticating the user's identity, authorizing the user, and then performing context based posture checks using Zero Trust tags.
• Content Analysis: Content Analysis allows you to detect adult content images in real time. This service is a real-time analysis of the content passing through the FortiProxy unit.
• Client-based native browser isolation (NBI): Client-based native browser isolation (NBI) uses a Windows Subsystem for Linux (WSL) distribution (distro) to isolate the browser from the rest of the computer in a container, which helps decrease the attack surface.

Caching and WAN optimization

All traffic between a client network and one or more web servers is intercepted by a web cache policy. This policy causes the FortiProxy unit to cache pages from the web servers on the FortiProxy unit and makes the cached pages available to users on the client network. Web caching can be configured for standard and reverse web caching.

FortiProxy supports WAN optimization to improve traffic performance and efficiency as it crosses the WAN. FortiProxy WAN optimization consists of a number of techniques that you can apply to improve the efficiency of communication across your WAN. These techniques include protocol optimization, byte caching, SSL offloading, and secure tunneling.

Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP, HTTP, or MAPI protocol, as well as general TCP traffic. Byte caching caches files and other data on FortiProxy units to reduce the amount of data transmitted across the WAN.

FortiProxy is intelligent enough to understand the differing caching formats of the major video services in order to maximize cache rates for one of the biggest contributors to bandwidth usage. FortiProxy will:

• Detect the same video ID when content comes from different CDN hosts.
• Support seek forward/backward in video.
• Detect and cache separately; advertisements automatically played before the actual videos.

What's new

The following sections describe new features, enhancements, and changes in FortiProxy 7.4.3:

• IPv6 support for explicit FTP and web proxy forwarding server on page 7
• Protocol detection of tunneled traffic over SOCKS server on page 7
• Reorder server URL by dragging and dropping on page 7
• Require password to access encrypted archive files on page 8
• FortiAnalyzer or Cloud logging is now optional for license sharing on page 8
• GUI support for URL category parameter for policy matching on page 8
• Global external resource size limit on page 9
• AWS ARM64 support on page 9
• CLI changes on page 9
• FortiNBI new features and changes on page 14

IPv6 support for explicit FTP and web proxy forwarding server

FortiProxy 7.4.3 adds IPv6 support for explicit FTP and web proxy forwarding server.

• To allow incoming explicit FTP traffic from an IPv6 address, use the new ipv6-status option under config ftp-proxy explicit. You can then set the incoming IPv6 address using the new set incoming-ip6 option.
• To configure the IPv6 address of a web proxy forwarding server, use the new set addr-type option under config web-proxy forward-server. You can then set the IPv6 address using the new set ipv6 option.
• The set srcaddr6 and set dstaddr6 options under config firewall policy can now be used to configure source and destination IPv6 addresses for explicit FTP policies.

Protocol detection of tunneled traffic over SOCKS server

FortiProxy 7.4.3 automatically determines the protocol of tunneled traffic over SOCKS server when the destination port does not match any protocol ports.

Reorder server URL by dragging and dropping

Under Proxy Settings > Server URL, you can now drag and drop the items to quickly reorder them as needed.

Require password to access encrypted archive files

You can now configure FortiProxy to require a password for access to encrypted archive files using the new encrypted-file-log option under config firewall profile-protocol-options. The default is disable. When enabled, an HTTP(S) replacement message is displayed to request a password to decrypt and scan the encrypted file. Files failed to decrypt will be blocked.

config firewall profile-protocol-options
 edit "decrypt"
 config http
 end
 next
 set encrypted-file inspect {This option must be set to inspect.}
 set encrypted-file-log enable
end

FortiAnalyzer or Cloud logging is now optional for license sharing

FortiProxy 7.4.3 no longer requires FortiAnalyzer or Cloud Logging to be enabled for security fabric groups for license sharing purposes only. However, you still need to enable FortiAnalyzer or Cloud Logging in order to use any security fabric functionality.

GUI support for URL category parameter for policy matching

FortiProxy now supports policy matching using the URL category parameter when you create or edit a policy in GUI.

Global external resource size limit

FortiProxy 7.4.3 changes the external resource size limit from a per feed limit to a global limit. The limits (listed below) now apply to the total size or total number of lines of all external resources of a given type.

AWS ARM64 support

You can now deploy the FortiProxy on the AWS ARM64 platform.

CLI changes

FortiProxy 7.4.3 includes the following CLI changes:

• config dlp exact-data-match—Use this new command to configure exact-data-match template used by DLP scan.
• config ips sensor—Use the new last-modified option to filter by signatures' last modified date (default = before 00/00/00).

The date format is yyyy/mm/dd. The year range is 2001 - 2050.

• config web-proxy forward-server—You can now set an IPv6 address type using the set addr-type option. You can then set the IPv6 address using the new set ipv6 option.
• config ftp-proxy explicit—You can now configure FortiProxy to allow incoming explicit FTP traffic from an IPv6 address using the new ipv6-status option. You can then set the incoming IPv6 address using the new set incoming-ip6 option.
• config firewall policy—The set srcaddr6 and set dstaddr6 options can now be used to configure source and destination IPv6 addresses for explicit FTP policies.
• diag wad stats—Use the new clear option to reset all WAD data. This option clears all history data but not the current run-time data.
• diagnose wad memory track—New map information in the mmap_stats section.
• diagnose wad tcp-connection list <worker-index>/all—Use this new command to show the information of the top 10 dynamic TCP connections, which is helpful for troubleshooting.

Example output:

diagnose wad tcp-connection list all
===type=worker index=0 pid=1387===
Group by src_ip(only show top 10):
10.5.2.39 count=3160
Group by dst_ip:port(only show top 10):
74.6.160.107:443 count=904
142.251.33.67:80 count=834
Group by dst port(only show top 10):
443 count=1738
===type=worker index=1 pid=1389===
Group by src_ip(only show top 10):
10.5.2.39 count=3160
Group by dst_ip:port(only show top 10):
74.6.160.107:443 count=904
142.251.33.67:80 count=834
Group by dst port(only show top 10):
443 count=1738

WAD authentication and HTTP engine data is consolidated into shared memory. As a result, the following commands are changed:

• dia wad stats worker.http_engine—You can now use this command to dump HTTP engine data.
• dia wad stats worker.auth—This command now includes WAD authentication data.

Example output:

# dia wad stats worker.http_engine
http_lway_svr.total_req 0
http_1way_svr.served_req 0
http_1way_svr.total_server 0
http_1way_svr.active_server 0
http.total_req 0
http.total_sessions 0
webcache.total_req 0
webcache.concurrent_req 0
web_proxy.total_req 0
web_proxy.total_sessions 0
web_proxy.concurrent_req 0

web_proxy.concurrent_sessions 0

n_http_reqs 0

n_long_http_reqs 0

n_vary_reqs 0

n_connect_reqs 0

n_ftp_reqs 0

n_req_invalid_url 0

n_req_invalid_header 0

n_req_unexpect_body 0

n_req_child_uci_complex 0

n_req_child_uci_fail 0

n_req_fwd 0

n_req_rspd 0

n_req_errors 0

n_req_error_sp 0

n_req_error_hs 0

n_req_error_act 0

n_req_error_es 0

n_req_add_hdr_error 0

n_req_bad_request 0

n_req_dns_failed 0

n_req_bad_http_ver 0

n_nontp_reqs 0

n_nontp_connect_ok 0

n_connect_req_error 0

n_req_cancel 0

n_http_rsps 0

n_rsp_errors 0

n_rsp_error_info 0

n_rsp_error_1_0 0

n_rsp_error_proc 0

n_rsp_1xx 0

n_connect rsp 0

n_rsp_from_cache 0

n_rsp miss 504 0

n_rsp_neg 0

n_rsp_invalidate 0

n_rsp_add_hdr_error 0

n rsp invalid header 0

n_rsp_407_from_fwd_svr 0

n_rsp_malformed_cors_preflight 0

n_warn wait dns 0

n warn wait auth 0

n_warn_wait_videofilter 0

n warn wait urlfilter 0

n_warn_wait_msg_proc 0

n warn wait scan 0

n_warn_proc_resp 0

n_warn_wait_antiphish 0

n_icap_req_start 0

n_icap_req_end 0

n_icap_resp_start 0

n_icap_resp_end 0

n_icap_unchanged 0

n_icap_error client 0

n_icap_error_server 0

n_icap_block 0

n_icap_unblock 0

n_suspend_svr_read 0

n_resume_svr_read 0

n_cvrt_tun_by_non_http_resp_ok 0

n_cvrt_tun_by_non_http_resp_fail0

n_off_ssl_ctx 0

n_unexpected resp 0

n_rsp_cache_errors 0

n_ce_evading 0

n_ce_utm_skip 0

n_ce_utm block 0

n_ce_utm_bypass 0

n_ce_utm_inspect 0

n_conserve_drop 0

_conserve_bypass 0

n_scan_errors 0

n_comfort_unique_req 0

n_total comfort fires 0

n_ignoed_reqs_cannot conn 0

n_unexpected_h2_conn 0

n_ia_bypass 0

n_ia_scan 0

dns_protect.n_total 0

dns_protect.n_valid 0

dns_protect.n_ip 0

dns_protect.n_failure 0

dns_protect.n_now 0

dns_protect.n_max 0

# dia wad stats worker.?

worker.http_engine Show http_engine statistics.

worker.auth Show auth statistics.

worker.auth.saml Show auth saml statistics.

worker.auth.basic Show auth basic statistics.

worker.auth.cert Show auth cert statistics.

worker.auth.cookie Show auth cookie statistics.

worker.auth.digest Show auth_digest statistics.

worker.auth.fsae Show auth fsae statistics.

worker.auth.krb Show auth krb statistics.

worker.auth.mix Show auth mix statistics.

worker.auth.ntlm Show auth ntlm statistics.

worker.auth.pkey Show auth_pkey statistics.

worker.auth.rsso Show auth rsso statistics.

worker.auth.user_query Show auth_user_query statistics.

# dia wad stats worker.auth

saml.n_saml_req 0

saml.n saml resp 0

saml.n saml auth success 0

saml.n saml auth fail 0

saml.n saml num assertion attr 0

saml.n saml num max attr 0

saml.n_saml_relay_max_len 0

saml.n_saml_relay_encode fail 0

saml.n_saml_relay_decode_fail 0

saml.n_saml relay over limit 0

saml.n_grpsid_query_sent 0

saml.n_grpsid_query_fail 0

saml.n_grp_fnbamd_fail 0

saml.n_grp_fail 0

saml.n_dc_query_sent 0

saml.n_dc_cached_hit 0

saml.n_err_queue_ses 0

saml.n_err_clk_skew 0

saml.n_err_assertion_coin 0

saml.n_err_assertion_invl 0

saml.n_err_assertion_audience 0

saml.n_err_assertion_attr 0

saml.n_err_provider 0

saml.n_err_signature 0

saml.n_err_signing_algo 0

saml.n_err_internal 0

saml.n_err_invalid_req 0

saml.n_err_lasso 0

basic.n_basic_req now 0 max 0 total 0

basic.n_basic_auth_success 0

basic.n_basic_auth_fail 0

cert.n_cert_req now 0 max 0 total 0

cert.n_cert_auth_success 0

cert.n_cert_auth_fail 0

cookie.n_cookie_req now 0 max 0 total 0

cookie.n_cookie_auth_succes 0

cookie.n_cookie_auth_fail 0

digest.n_digest_req now 0 max 0 total 0

digest.n_digest_auth_success 0

digest.n_digest_auth_fail 0

digest.n_auth_staled 0

digest.n_active_digest_nounce 0

digest.n_digest_nounce 0

fsae.n_fsae_req now 0 max 0 total 0

fsae.n fsae auth success 0

fsae.n_fsae_auth_fail 0

krb.n_krb_req now 0 max 0 total 0

krb.n_krb_auth_success 0

krb.n krb auth fail 0

mix.n_mix_req now 0 max 0 total 0

mix.n mix auth success 0

mix.n_mix_auth_fail 0

ntlm.n_ntlm req now 0 max 0 total 0

ntlm.n_ntlm auth success 0

ntlm.n_ntlm_auth_fail 0

pkey.n_pkey_req now 0 max 0 total 0

pkey.n_pkey_auth_success 0

pkey.n_pkey_auth_fail 0

rsso.n_rsso req now 0 max 0 total 0

rsso.n_rsso_auth_success 0

rsso.n rsso auth fail 0

user_query.n_user_query_req now 0 max 0 total 0

user_query.n_user_query_auth_success 0

user_query.n_user_query_auth_fail 0

FortiNBI new features and changes

The following sections describe new features, enhancements, and changes in FortiNBI.

Refer to the FortiNBI Deployment Guide for general information about deploying and using FortiNBI.

Upgrade FortiNBI independently without upgrading FortiProxy

You can now upgrade your FortiNBI version independently without upgrading your FortiProxy version by uploading a FortiNBI installer to FortiProxy using the following command: execute upload fortinbi-installer tftp <filename> <tftp-ip>. See example output below:

FPXVULTM23000034 # exe upload fortinbi-installer tftp fortinbi-installer.exe.21.tar.gz 10.100.1.205
Preparing file import 'fortinbi-installer.exe.21.tar.gz' from tftp server '10.100.1.205'
Importing file 'fortinbi-installer.exe.21.tar.gz' from tftp server '10.100.1.205'
#####
########
FortiNBI installer (version: 1.0.6.21) upload and verification succeeds.
A restart of WAD is required for the installer to be ready.
Do you want to continue? (y/n)y
Restart WAD... done
A restart of WAD daemon is required for the new FortiNBI installer to take effect. You can check the current FortiNBI version in the About tab of the FortiNBI application.

Support for Windows built-in Linux graphics

(Windows 10 21H2, 22H2) The isolator module adds support for Windows built-in Linux graphics with sound support and performance improvement. To configure the FortiNBI isolator module to use the Windows built-in Linux graphics, run the wsl --update command and install the software. Alternatively, configure Windows Update in one of the following ways:

• Enable Receive updates for other Microsoft products when you update Windows under Windows Update > Advanced options
• Use Group Policy
• Use Windows registry

Use the following toggle in the Settings tab to switch the graphics mode. When off, the old graphic engine is used.

FortiNBI

New Start and Stop buttons

FortiNBI 1.0.6 adds the Start and Stop buttons for you to manually start or stop a specific service.

FortiNBI

Improvements to collecting debug logs

FortiNBI 1.0.6 collects debug logs into a single archive file accessible via the new Collect user logs and Collect all logs buttons in the About tab. The Collect user logs button collects logs for the user while the Collect all logs button collects the user's logs AND service logs. Privilege is required to access service logs to protect other users' data on the machine.

FortiNBI

More informative error messages

The error messages now include more context information to help with troubleshooting.

Error

The isolator failed to start:

• Could not determine the address of the captive portal.
• Because of rating server connection error.
• Because of ssl certificate error

Close

Isolator restarts on unexpected error

The isolator now automatically restarts on unexpected error. If the error persists, the isolator attempts to restart again after 10 minutes.

Product integration and support

The following table lists product integration and support information for FortiProxy 7.4.3 build 587:

Deployment information

You can deploy the FortiProxy on a FortiProxy unit or VM. You can also upgrade or downgrade an existing FortiProxy deployment. Refer to Product integration and support on page 17 for a list of supported FortiProxy units and VM platforms.

Downloading the firmware file

1. Go to https://support.fortinet.com.
2. Click Login and log in to the Fortinet Support website.
3. From the Support > Downloads menu, select Firmware Download.
4. In the Select Product dropdown menu, select FortiProxy.
5. On the Download tab, navigate to the FortiProxy firmware file for your FortiProxy model or VM platform in the Image Folders/Files section. .out files are for upgrade or downgrade. .zip and .gz files are for new deployments.
6. Click HTTPS to download the firmware that meets your needs.

Deploying a new FortiProxy appliance

Refer to the FortiProxy QuickStart Guide for detailed instructions of deploying a FortiProxy appliance. Refer to Product integration and support on page 17 for a list of supported FortiProxy units.

Deploying a new FortiProxy VM

Refer to the FortiProxy Public Cloud or FortiProxy Private Cloud deployment guides for more information about how to deploy the FortiProxy VM on different public and private cloud platforms. Refer to Product integration and support on page 17 for a list of supported VM platforms.

Upgrading the FortiProxy

FortiProxy 7.4.3 supports upgrade from the following versions only:

• 7.2.5 or later
• 7.4.0 to 7.4.2

To upgrade FortiProxy units or VMs from 7.2.5 or later to 7.4.3:

1. In the GUI, go to System > Fabric Management.
2. Select the device you want to upgrade in the table and click Upgrade.
3. Click Browse in the File Upload tab.
4. Select the file on your PC and click Open.
5. Click Confirm and Backup Config.
6. Click Continue.

The configuration file is automatically saved and the system will reboot.

7. Click Reset All Dashboards in the GUI to avoid any issues with FortiView.

If you are currently using FortiProxy 2.0.x or 7.0.x, Fortinet recommends that you perform the upgrade procedure for each major version in between from low to high before attempting to upgrade to 7.4.3. For example, to upgrade from 2.0.12 to 7.4.3, upgrade to 7.0.11 or later first, and then 7.2.5 or later (reboot before upgrading to 7.2.x), and then 7.4.3.

Upgrading a FortiProxy 2.0.5 VM to 7.0.x requires a different upgrade process with additional backup and configuration as FortiProxy 2.0.6 introduced a new FortiProxy VM license file that cannot be used by earlier versions of the FortiProxy VM.

To upgrade a FortiProxy 2.0.5 VM to 7.0.x:

1. Back up the configuration from the GUI or CLI. Make sure the VM license file is stored on the PC or FTP or TFTP server.
2. Shut down the original VM.
3. Deploy the new VM. Make sure that there is at least 4 GB of memory to allocate to the VM.
4. From the VM console, configure the interface, routing, and DNS for GUI or CLI access to the new VM and its access to FortiGuard.
5. Upload the VM license file using the GUI or CLI.
6. Restore the configuration using the CLI or GUI.
7. Click Reset All Dashboards in the GUI to avoid any issues with FortiView.

Downgrading the FortiProxy

Downgrading FortiProxy 7.4.3 to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

• operation mode
• interface IP/management IP
• static route table
• DNS settings
• admin user account
• session helpers
• system access profiles

You can downgrade FortiProxy units or VMs from 7.4.3 to 7.2.x by following the steps below:

1. In the GUI, go to System > Fabric Management.
2. Select the device you want to upgrade in the table and click Upgrade.
3. Click Browse in the File Upload tab.
4. Select the file on your PC and click Open.
5. Click Confirm and Backup Config.
6. Click Continue.

The configuration file is automatically saved and the system will reboot.

7. Click Reset All Dashboards in the GUI to avoid any issues with FortiView.

To downgrade from FortiProxy 7.4.3 to 7.0.x or 2.0.x, Fortinet recommends that you perform the downgrade procedure for each major version in between from high to low before attempting to downgrade to the target version. For example, to downgrade from 7.4.3 to 2.0.12, downgrade to 7.2.5 or later first, and then 7.0.11 or later, and then 2.0.12.

Downgrading a FortiProxy 7.0.x VM to 2.0.5 or earlier requires a different downgrade process with additional backup and configuration as FortiProxy 2.0.6 introduced a new FortiProxy VM license file that cannot be used by earlier versions of the FortiProxy VM.

To downgrade a FortiProxy 7.0.x VM to FortiProxy 2.0.5 or earlier:

1. Back up the configuration from the GUI or CLI. Make sure the VM license file is stored on the PC or FTP or TFTP server.
2. Shut down the original VM.
3. Deploy the new VM. Make sure that there is at least 2 GB of memory to allocate to the VM.
4. From the VM console, configure the interface, routing, and DNS for GUI or CLI access to the new VM and its access to FortiGuard.
5. Upload the VM license file using the GUI or CLI.
6. Restore the configuration using the CLI or GUI.
7. Click Reset All Dashboards in the GUI to avoid any issues with FortiView.

Resolved issues

The following issues have been fixed in FortiProxy 7.4.3. For inquiries about a particular bug, please contact Customer Service & Support.

FortiNBI

The following issues have been fixed in FortiNBI. For inquiries about a particular bug, please contact Customer Service & Support.

Common vulnerabilities and exposures

FortiProxy 7.4.3 is no longer vulnerable to the following CVE references. Visit https://fortiguard.com/psirt for more information.

Known issues

FortiProxy 7.4.3 includes the known issues listed in this section. For inquiries about a particular bug, please contact Customer Service & Support.

FortiNBI

The following issues have been identified in FortiNBI. For inquiries about a particular bug, please contact Customer Service & Support.