Fortinet 20 FortiWeb 5.0 Patch 6 Administration Guide
FortiWeb returns to clients when blocking violation traffic. See Error Page Return Code in
“Configuring a server policy” on page 483.
Seamless FortiWeb-VM vCPU license upgrades — Now you can increase the capacity of
FortiWeb-VM to 2, 4, or 8 vCPUs without first invalidating the license. Previously, a new
license could be uploaded only while the current license was invalid, thereby temporarily
interrupting service. See the FortiWeb-VM Install Guide.
Maximum physical servers increased — FortiWeb now supports up to 255 physical
servers. Previously only 128 were possible. See “Defining your web server by its IP address”
on page 251.
Maximum input validation rules increased — FortiWeb now supports up to 1,024
parameters in the URL validation rule. See “Validating parameters (“input rules”)” on
page 421.
Erasure without alerts — A very high volume of attack logs and alert email can be
generated while blocking information disclosure when many protected web servers are
misconfigured. To prevent this and allow you to focus on severe attacks, you can now
choose to erase server information such as X-Powered-By: without generating any log
messages. See Action in “Blocking known attacks & data leaks” on page 387.
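To illustrate what the erase action does to a response, here is an added example (not code from the guide or from FortiWeb) that strips platform-identifying headers from a constructed HTTP response header list and, depending on a flag, either records an alert per erasure or erases silently. The header names and the sample values are assumptions for the example.

```python
# Response headers that reveal the back-end platform. This list is an
# assumption for the example, not FortiWeb's internal signature set.
DISCLOSURE_HEADERS = {
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
}


def scrub_headers(headers, *, log_alerts):
    """Remove information-disclosure headers from a response.

    headers:    list of (name, value) pairs as sent by the back-end server
    log_alerts: True  -> one alert string per erased header (noisy when many
                         servers are misconfigured)
                False -> erase silently, mirroring "erasure without alerts"
    Returns (cleaned_headers, alerts).
    """
    cleaned = []
    alerts = []
    for name, value in headers:
        if name.lower() in DISCLOSURE_HEADERS:
            if log_alerts:
                alerts.append(f"info-disclosure header erased: {name}: {value}")
            continue  # drop the header regardless of logging choice
        cleaned.append((name, value))
    return cleaned, alerts


# Constructed sample response from a misconfigured back-end (not real data).
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Server", "Apache/2.4.x (Unix)"),
    ("X-Powered-By", "PHP/5.x"),
    ("Set-Cookie", "session=abc; HttpOnly"),
]


def alert_volume(responses, *, log_alerts):
    """Count alerts produced while scrubbing a batch of responses.

    Shows why silent erasure matters: with N misconfigured responses and two
    leaking headers each, logging mode yields 2*N alerts, silent mode yields 0.
    """
    total = 0
    for hdrs in responses:
        _, alerts = scrub_headers(hdrs, log_alerts=log_alerts)
        total += len(alerts)
    return total


if __name__ == "__main__":
    cleaned, alerts = scrub_headers(SAMPLE_RESPONSE_HEADERS, log_alerts=True)
    for name, value in cleaned:
        print(f"{name}: {value}")
    print(f"{len(alerts)} alert(s):", *alerts, sep="\n  ")
    batch = [SAMPLE_RESPONSE_HEADERS] * 1000
    print("alerts with logging:", alert_volume(batch, log_alerts=True))
    print("alerts silent:      ", alert_volume(batch, log_alerts=False))
```

Either way the leaking headers never reach the client; the flag only decides whether each erasure also produces a log entry, which is the trade-off the new Action setting exposes.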
Support for subnets in URL access rules & manual blacklists/whitelists — When
specifying which source IP addresses are allowed to access your web apps, you can now
specify multiple IP addresses by entering a subnet, rather than creating many individual
rules. See “Restricting access to specific URLs” on page 321 and “Blacklisting & whitelisting
clients individually by source IP” on page 335.
RADIUS realm support — RADIUS accounts on servers that require the realm (e.g.
admin@example.com or user@example.com) are now supported. No change to the
FortiWeb configuration is required for end-user accounts. For administrators, modify the
Administrator setting to include the realm name (e.g. @example.com).
Fail-to-wire during reboot/shutdown — Fail-to-wire now also engages during a reboot or
shutdown. Previously, it engaged only during unexpected power loss, not during a graceful
shutdown. See “Fail-to-wire for power loss/reboots” on page 520.
Threshold for shared IPs configurable — Previously, shared IP analysis was not
configurable. See “Shared IP” on page 522.
Reports like FortiGate 5.0 — Reports have been updated, and now reflect the same styles
also found in FortiGate 5.0 firewalls. See “Reports” on page 586.
Debugging commands on HA standby — You can now use the active FortiWeb HA
appliance’s CLI to send diagnose debug commands through the HA link to the standby.
Previously, you could only connect to standby appliances through the local console, or by
triggering a failover so that the standby became active — network connectivity was only
possible with the active appliance. See the FortiWeb CLI Reference.
XML protection profiles removed — For protection against XML-related attacks,
customers should now use the Illegal XML Format setting (see “Configuring a protection
profile for inline topologies” on page 468 or “Configuring a protection profile for an
out-of-band topology or asynchronous mode of operation” on page 477). Legacy
configuration data related to XML protection profiles from FortiWeb 4.0 MR4 Patch 6 or
previous versions of the firmware will be deleted during upgrade.
If your back-end web servers require extensive protection for a vulnerable XML parser, you
should add 3rd-party XML protection to your security architecture. Unlike XML protection
profiles in previous versions of FortiWeb, Illegal XML Format does not scan for conformity
with the document object model (DOM)/DTD/W3C Schema, recursive payloads, Schema
poisoning, or other advanced XML attacks. Failure to provide adequate XML protection
could allow attackers to penetrate your network.
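The paragraph above lists what the Illegal XML Format check does not cover (DTD conformity, recursive payloads, schema poisoning). As an added example that is not part of the guide or of FortiWeb, the following Python gate shows the kind of pre-parse checks a back-end or 3rd-party layer can apply: reject any DOCTYPE (which is where entity declarations and external references live), cap the document size, and cap element nesting depth while streaming through the standard-library parser. The sample documents and limits are constructed for the example.

```python
import io
import re
import xml.etree.ElementTree as ET


class XmlRejected(ValueError):
    """Raised when a document fails a pre-parse or structural check."""


# Any DOCTYPE is refused: internal DTD subsets carry <!ENTITY> declarations
# (recursive "billion laughs" payloads) and external DTD/entity references.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def check_xml(data, *, max_bytes=1_000_000, max_depth=32):
    """Validate an XML document and return its root element.

    Checks, in order:
      1. size limit before any parsing
      2. no DOCTYPE/DTD (so no entity expansion can occur)
      3. nesting depth limit enforced while streaming through the parser
      4. well-formedness (parser errors become XmlRejected)
    """
    if len(data) > max_bytes:
        raise XmlRejected(f"document exceeds {max_bytes} bytes")
    if DOCTYPE_RE.search(data):
        raise XmlRejected("DOCTYPE/DTD declarations are not allowed")

    depth = 0
    root = None
    try:
        for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > max_depth:
                    raise XmlRejected(f"nesting deeper than {max_depth}")
                if root is None:
                    root = elem
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from None
    return root


def verdict(data):
    """Human-readable outcome for a document: 'accept' or 'reject: <reason>'."""
    try:
        root = check_xml(data)
    except XmlRejected as exc:
        return f"reject: {exc}"
    return f"accept: root <{root.tag}>"


# Constructed sample inputs (not captured traffic).
BENIGN_XML = b"<order><item sku='a1'>2</item></order>"
DTD_XML = (b"<?xml version='1.0'?>"
           b"<!DOCTYPE a [<!ENTITY x 'y'>]><a>&x;</a>")
DEEP_XML = b"<r>" + b"<n>" * 60 + b"</n>" * 60 + b"</r>"
BROKEN_XML = b"<a><b></a>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_XML), ("dtd", DTD_XML),
                       ("deep", DEEP_XML), ("broken", BROKEN_XML)]:
        print(f"{label:7s} {verdict(doc)}")
```

Refusing every DOCTYPE is deliberately coarse: documents that legitimately rely on a DTD must be handled by a dedicated XML security product, which is the point the guide makes about adding 3rd-party protection.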