
Release Notes

FortiWeb 7.6.0

FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET COOKBOOK
https://cookbook.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

April 05, 2024

FortiWeb 7.6.0 Release Notes
1st Edition

TABLE OF CONTENTS

Introduction 4
What's new 5
Product Integration and Support 9
Upgrade instructions 11
Image checksums 11
Upgrading from previous releases 11
Repartitioning the hard disk 17
To use the special firmware image to repartition the operating system's disk 18
To repartition the operating system's disk without the special firmware image 18
Upgrading an HA cluster 20
Downgrading to a previous release 20
FortiWeb-VM license validation after upgrade from pre-5.4 version 21
Resolved issues 22
Known issues 25

FortiWeb Release Notes Fortinet Technologies, Inc.



Introduction

This document provides information about new and enhanced features, installation instructions, resolved issues, and
known issues for FortiWeb 7.6.0, build 0962.
FortiWeb is a web application firewall (WAF) that protects hosted web applications from attacks that target known and
unknown exploits. Using multi-layered and correlated detection methods, FortiWeb defends applications from known
vulnerabilities and zero-day threats. The Web Application Security Service from FortiGuard Labs uses information based
on the latest application vulnerabilities, bots, suspicious URL and data patterns, and specialized heuristic detection
engines to keep your applications safe.
FortiWeb also offers a machine-learning function that enables it to automatically detect malicious web traffic. In addition
to detecting known attacks, the feature can detect potential unknown zero-day attacks to provide real-time protection for
web servers.
FortiWeb allows you to configure these features:
- Vulnerability scanning and patching
- IP reputation, web application attack signatures, credential stuffing defense, anti-virus, and Fortinet Sandbox powered by FortiGuard
- Real-time attack insights and reporting with advanced visual analytics tools
- Integration with FortiGate and FortiSandbox for ATP detection
- Behavioral attack detection
- Advanced false positive and negative detection avoidance
FortiWeb hardware and virtual machine platforms are available for medium and large enterprises, as well as for service providers.
For additional documentation, please visit the FortiWeb documentation:
http://docs.fortinet.com/fortiweb/


What's new

FortiWeb 7.6.0 offers the following new features and enhancements.


Starting from 7.6.0, we use a "New Features Guide" to provide more information on the new features. You can find all related information about a feature within that guide itself, without constantly having to jump to the FortiWeb Administration Guide for more information.

HTTP3 Support
FortiWeb now supports the HTTP/3 protocol for the traffic between FortiWeb and the client in Reverse Proxy mode.
Threat Protection model update
We have introduced a major update to the Threat Protection model. The update follows extensive research and testing, using large amounts of data for model training. The new update increases model accuracy and reduces false positives and false negatives. We will continue to collect more data to further refine the model. Future updates will be published along with the FDS updates.
Built-in allowed domains in MiTB protection
To simplify the configuration process, we have included a built-in list of well-known third-party external resources that are typically used through AJAX requests. The suggested list is available in the Allowed External Domains for AJAX Request table of the Man in the Browser Protection module.
AJAX check for cross-site request forgery (CSRF) requests
Previously, we supported checking for CSRF attacks that exploit static links in the page, such as <a> and <form> tags. Starting from version 7.6.0, we can also scan CSRF requests made using JavaScript XMLHttpRequests embedded in the page, also known as AJAX requests.
DoS Protection Exception Policy
You can create an exception policy to omit DDoS attack scans when you know that some source IPs may trigger false positives during normal use. The exception policy can be applied in the DoS Protection Policy, HTTP Access Limit, Malicious IPs, HTTP Flood, and TCP Flood policies.
Obscuring sensitive data in the gRPC API responses
For gRPC API traffic, FortiWeb now supports obscuring sensitive data in the server's response if it matches the Information Disclosure and Personally Identifiable Information signatures.
Known Good Bots subcategories
Previously, Known Good Bots had only one category - "Known Search Engines". Starting from version 7.6.0, we have
added more good bots to the list and divided them into smaller groups for better management. You can now set different
actions for different Known Good Bots sub-categories.
URL Rewrite enhancements
We have implemented the following enhancements to the URL Rewrite module.
- Cookie removal from the HTTP header based on cookie name.
- Cookie value insertion or replacement based on cookie name.
- HTTP body replacement.


The "deflate" compression type supported
FortiWeb now supports the "deflate" compression type. "Deflate" files can be uncompressed and scanned against the
security modules to ensure their legitimacy.
XFF trust IPs
For the Trusted X-Header Sources table in Server Objects > X-Forwarded-For, we have removed the previous
limitation of 256 IP address entries. Now, you can define IP ranges and IP groups within this table.
Customizing waiting room display page
Now you have the option to customize the message displayed to users when they are placed in the waiting room. This
feature allows you to tailor the text to better align with your brand or provide specific instructions to users during their
wait.
Quarantine IP settings moved to Security Fabric > Fabric Connectors
In previous versions, Quarantine IP was configured through System > Config > FortiGate Integration. To ease
configuration, this feature can now be configured through Security Fabric > Fabric Connectors.
500 error page enhancement
We have enhanced the 500 error page to provide detailed information explaining why requests are blocked when they
violate the HTTP Protocol Constraints (HPC) security rules.
Unified place to enable signature scan for API traffic
Previously, to apply signature scanning to API traffic, you needed to enable the Signature Detection option in the
corresponding API Protection policies, such as JSON or XML. Now, we have provided a Signature option in the Web
Protection Profile, allowing you to enable signature scanning for different traffic types in one place.
Lua script for content routing
We have introduced Lua scripting so that you can customize the content routing feature to your needs.
HTTP Content Routing table search function enhancements
The HTTP Content Routing table in Server Objects > Server > HTTP Content Routing has been enhanced to make
filtering search results easier.
Server inheriting health check from server pool in TTP mode
In TTP mode, the server's health check policy can only be inherited from its server pool. This ensures consistent server
health monitoring and simplifies configuration management.
Synchronizing health check status in HA mode
For FortiWeb appliances in Active-Passive and Active-Active-Standard modes, it is now supported to synchronize the
back-end servers' health check status from the primary to the secondary nodes. When an HA fail-over occurs, the new
primary appliance can immediately know the health status of the back-end servers, ensuring seamless traffic continuity
during fail-over.
Warning message upon port exhaustion
FortiWeb now supports generating port exhaustion logs. It's important to stay informed about port exhaustion so that you can take timely action to avoid high CPU usage.
Password changing when using PAP authentication scheme through RADIUS server
If FortiWeb is delegated to perform user authentication through a RADIUS server and you have implemented two-factor authentication with the PAP authentication scheme, previously, users could not change their passwords through your application.
Starting from version 7.6.0, this scenario is now supported. FortiWeb will display the corresponding messages to guide users through the password changing process.
Admin user Single Sign-On with SAML
In this version, we have enhanced the support for remote SSO with SAML for Admin users using FortiGate and Azure
AD as the Identity Provider (IdP). We've streamlined the configuration process, added the Service Provider (SP)
metadata settings, and introduced a dedicated tab for managing IdP certificates. This update simplifies the setup and
maintenance of the SSO integration, making it more user-friendly and efficient.
Retrieving LDAP user attributes
FortiWeb now supports retrieving user attributes from the LDAP server and forwarding them to the back-end server. This feature is useful for scenarios where the back-end server needs detailed user information to achieve granular user management, such as rendering resources based on the user's role.
Automating the generation of SAML and OAuth login pages
FortiWeb can now extract information from the SAML and OAuth server configurations and automatically generate
SAML and OAuth login pages accordingly.
Viewing FortiWeb performance data in FortiGate
FortiWeb now generates system performance logs every 5 minutes. This data can be sent to the connected FortiGate.
Replacement message enhancements
Prior to version 7.6.0, only HTML format was supported for replacement message pages. Now, additional formats are
available, ensuring that the page displayed to your customers is consistent with the content type of their requests.
Release tags
To distinguish between bug fix releases and new feature releases, we have introduced the M and F tags in the image file
name to indicate the two types of releases.
Traffic log enhancements
- Traffic log priority: It's now possible to set the priority of traffic logs higher than that of attack logs.
- Traffic packet payload size configurable: The maximum size of the traffic packet payload sent to log servers was a fixed value. Now you can set this maximum size yourself.
SSL error logs
In addition to disabling or enabling SSL error logs at the global level through config log attack-log, you now have
the flexibility to set it for specific server policies.
FortiView Original Source
We have added a new FortiView monitor in this release, FortiView Original Sources. This monitor tracks the original IP addresses of the clients.
FortiView Log Analysis enhancement
We now support using up to four conditions to filter log items in FortiView Log Analysis. The URL filter is mandatory.
The other three filters can be selected based on your needs.
Debug commands enhancements
We have introduced two debug commands in this release: diagnose debug nowaf and diagnose debug flow filter module-bypass-info.
Displaying configuration in its context
It's now possible to append grep -f <keyword> to the show or show full-configuration command to display
configurations related to the search keywords. This command will not only show the lines containing the keywords but
also the entire upper-level command structure associated with them. This enhancement provides a more
comprehensive view of the configurations, making it easier to understand the context in which the keywords appear.
Security Fabric: Automation
The Automation feature has been enhanced to provide more comprehensive monitoring and response capabilities.
- Notifications can now be sent to Teams, Slack, and Jira based on additional triggers, such as high CPU usage, expired certificates or licenses, FDS DB updates, and detected attacks.
- Malicious source IP addresses can be automatically added to the FortiGate IP Ban list.
- CLI scripts can be executed automatically to address the trigger issues, further automating the process and reducing manual intervention.
FortiWeb Hyper-V HA Cluster with Unicast Heartbeat
It's now supported to deploy FortiWeb AP and AAH HA clusters with unicast heartbeat in Hyper-V environment.
In virtual machine (VM) and cloud environments that do not support heartbeat communication with Layer-2 Ethernet
frames (see HA heartbeat interface), you can set up a Layer-3 unicast HA heartbeat when configuring HA.
The heartbeat interfaces must be connected to the same network, and the IP addresses must be added to these
interfaces. The operation mode must be Reverse Proxy.
Ingress Controller enhancement
FortiWeb Ingress Controller 2.0 now supports ingress to expose services with the ClusterIP type by using Flannel with
VXLAN backend as the Kubernetes network model CNI plugin.
Since a ClusterIP type Service can only be accessed within the cluster, an overlay tunnel is required to connect FortiWeb to the Kubernetes cluster network.
By using the VXLAN tunnel, FortiWeb can forward HTTP/HTTPS requests to the Kubernetes ClusterIP type services.
Toleration is added in the FortiWeb Ingress Controller Helm deployment template. You can now customize the toleration
time to specify how long a pod can remain bound to a node before being evicted. The default toleration time is 30
seconds.


Product Integration and Support

Supported Hardware:
- FortiWeb 100E
- FortiWeb 100F
- FortiWeb 400C
- FortiWeb 400D
- FortiWeb 400E
- FortiWeb 400F
- FortiWeb 600D
- FortiWeb 600E
- FortiWeb 600F
- FortiWeb 1000D
- FortiWeb 1000E
- FortiWeb 2000E
- FortiWeb 3000D/3000DFsx
- FortiWeb 3000E
- FortiWeb 3010E
- FortiWeb 4000D
- FortiWeb 4000E
- FortiWeb 1000F
- FortiWeb 2000F
- FortiWeb 3000F
- FortiWeb 4000F
Supported hypervisor versions:
- VMware vSphere Hypervisor ESX/ESXi 4.0/4.1/5.0/5.1/5.5/6.0/6.5/6.7/7.0/8.0.2
- Citrix XenServer 6.2/6.5/7.1
- Open source Xen Project (Hypervisor) 4.9 and higher versions
- Microsoft Hyper-V (version 6.2 or higher, running on Windows 8 or higher, or Windows Server 2012/2016/2019/2022)
- KVM (Linux kernel 2.6, 3.0, or 3.1)
- OpenStack Wallaby
- Docker Engine CE 18.09.1 or higher versions, and the equivalent Docker Engine EE versions; Ubuntu 18.04.1 LTS or higher versions
- Nutanix AHV
FortiWeb is tested and proven to function well on the hypervisor versions listed above. Later hypervisor releases may work but have not been tested yet.
To ensure high performance, it's recommended to deploy FortiWeb-VM on machine types with a minimum of 2 vCPUs and a memory size larger than 8 GB.
Supported cloud platforms:
- AWS (Amazon Web Services)
- Microsoft Azure
- Google Cloud
- OCI (Oracle Cloud Infrastructure)
- Alibaba Cloud
Supported web browsers:
- Microsoft Edge 41
- Mozilla Firefox version 59
- Google Chrome version 65
Other web browsers may function correctly, but are not supported by Fortinet.
Built-in AV engine version: 6.00290


Upgrade instructions

Image checksums

To verify the integrity of the firmware file, use a checksum tool to compute the firmware file’s MD5 checksum. Compare it
with the checksum indicated by Fortinet. If the checksums match, the file is intact.
MD5 checksums for software releases are available from Fortinet Customer Service & Support:
https://support.fortinet.com
VM image integrity is also verified when FortiWeb boots up: the running OS generates signatures and compares them with the signatures attached to the image. If the signatures do not match, the running OS will shut down.

To download the Customer Service & Support image checksum tool

After logging in to the website, in the menus at the top of the page, click Download, and then click Firmware Image
Checksums.
Alternatively, near the bottom of the page, click the Firmware Image Checksums button. This button appears only if
one or more of your devices has a current support contract. In the File Name field, enter the firmware image file name
including its extension, then click Get Checksum Code.

Upgrading from previous releases

If you are using the FortiWeb 100D model, it's important to bypass versions 7.4.0, 7.4.1, and
7.4.2, and directly upgrade to version 7.4.3.

VLAN interfaces, or interfaces with overlapping IP addresses, and the VIP/Server Policy bound to them cannot be imported (while loading the config file) after upgrading to 7.2.3 and later, because an IP overlap check has been implemented in this release.
Workaround: Downgrade to an earlier version by booting from the alternate partition (see "Booting from the alternate partition"; the old configuration can be restored this way), edit the IP addresses to eliminate the overlap, then upgrade to version 7.4.3.

If you have configured 16 or more ADOMs, it is not advisable to upgrade to versions 7.4.0 and 7.2.1-7.2.5, as there is a risk of losing your Virtual IPs after the upgrade.
Workaround: If you do intend to proceed with the upgrade, first consider reducing the number of ADOMs to fewer than 16 (including the root ADOM) before initiating the upgrade.


- For FortiWeb-VM with a license purchased earlier than February 2019, you must upgrade to 6.3.4 or higher. Do not use a lower patch.
- The VLAN, 802.3ad Aggregate, and Redundant interfaces are not supported anymore on FortiWeb-VMs deployed on public cloud platforms since 6.3.6. If you upgrade from versions earlier than that, these configurations will be removed.

We don't provide maintenance for 6.4.x releases except for major errors, so we recommend upgrading from 6.4.x to later versions.

For several hours or days (depending on the number of existing logs) after upgrading from earlier versions, there might be a delay (30-60 minutes) before new logs are displayed on the GUI. This is caused by the log version upgrade in 6.4.x and 7.0; it takes time to scan and process all existing logs.

The admin user password hash has been changed from sha1 to sha256 since 7.2.0.
If you upgrade FortiWeb from a version earlier than 7.2.0, existing hashes stay as they were, but when an admin user changes their password or a new admin user is added, the password hash will be sha256.

Port 995 will be switched to disabled state if you upgrade from versions earlier than 7.2.0.
Remember to enable it (in System > Admin > Settings) if you need to use it for config sync.

When upgrading from releases prior to version 6.0, the "Retain Packet Payload" settings in Log&Report > Log Config > Other Log Settings will be reset to new defaults. This means that the following features will be changed to a disabled state: JSON Protection, Syntax-Based Detection, Malicious Bots, Known Good Bots, Mobile API Protection, and API Management. If you had these options enabled prior to the upgrade, please remember to re-enable them if they are still required.

To upgrade from FortiWeb 7.4.x

Upgrade directly.

To upgrade from FortiWeb 7.2.x

Upgrade directly.

If you had enabled Threat Analytics in previous releases but did not have a valid license, the 14-day eval license will be automatically applied after upgrading to version 7.2.2 and later.
In this case, if you don't want the 14-day eval to start immediately after the upgrade, it's recommended to disable Threat Analytics first, then execute the upgrade.


To upgrade from FortiWeb 7.0.x

Upgrade directly.

To upgrade from FortiWeb 6.4.x

Upgrade directly.

To upgrade from FortiWeb 6.3.x

Upgrade directly.

The "Bad Robot" and "SQL Injection (Syntax Based Detection)" signatures have been integrated into the WAF modules "Bot Mitigation > Known Bots" and "SQL/XSS Syntax Based Detection" since 6.3.3. If you upgrade from a version earlier than 6.3.3, all settings of these two signatures will be merged into the corresponding modules except the exception list.
Make sure to add the exception list manually after the upgrade; otherwise certain traffic will be blocked unexpectedly because the exception list is missing.

To upgrade from FortiWeb 6.1.x and 6.2.x

Upgrade directly.
The machine learning data will be lost after the upgrade as the database format is enhanced in 6.3.0. Machine Learning
will automatically start collecting data again after the upgrade.

For FortiWeb-VM on docker platform, it's not supported to upgrade to 7.6.0 from versions
earlier than 6.3.0. You need to install FortiWeb-VM 7.6.0 instead of upgrading to 7.6.0. For
how to install, see FortiWeb-VM on docker.

The "Bad Robot" and "SQL Injection (Syntax Based Detection)" signatures have been integrated into the WAF modules "Bot Mitigation > Known Bots" and "SQL/XSS Syntax Based Detection" since 6.3.3. If you upgrade from a version earlier than 6.3.3, all settings of these two signatures will be merged into the corresponding modules except the exception list.
Make sure to add the exception list manually after the upgrade; otherwise certain traffic will be blocked unexpectedly because the exception list is missing.

To upgrade from FortiWeb 6.0 or 6.0.x

Upgrade directly.
After the upgrade:
- If you upgrade from 6.0, there might be a database compatibility issue after the upgrade, because the MariaDB database version is upgraded to 10.3.8 since FortiWeb 6.0.2.
- Run get system status to check the Database Status.
- If it shows Available, the database works well. If it shows Not Available, you need to run execute db rebuild to solve the database compatibility issue. Please note that in HA mode, running execute db rebuild on the primary appliance will take effect on all secondary appliances simultaneously.
- If you upgrade from 6.0.1, it's not necessary to run execute db rebuild because the database format was already enhanced in 6.0.1, so it is compatible with the new database.

The machine learning data will be lost after the upgrade as the database format is
enhanced in 6.3.0. Machine Learning will automatically start collecting data again
after the upgrade.

For FortiWeb-VM on docker platform, it's not supported to upgrade to 7.6.0 from versions
earlier than 6.3.0. You need to install FortiWeb-VM 7.6.0 instead of upgrading to 7.6.0. For
how to install, see FortiWeb-VM on docker.

The "Bad Robot" and "SQL Injection (Syntax Based Detection)" signatures have been integrated into the WAF modules "Bot Mitigation > Known Bots" and "SQL/XSS Syntax Based Detection" since 6.3.3. If you upgrade from a version earlier than 6.3.3, all settings of these two signatures will be merged into the corresponding modules except the exception list.
Make sure to add the exception list manually after the upgrade; otherwise certain traffic will be blocked unexpectedly because the exception list is missing.

To upgrade from FortiWeb 5.5.x, 5.6.x, 5.7.x, 5.8.x, or 5.9.x

Before the upgrade:
- If you upgrade from a version of FortiWeb previous to 5.9.0 on the Azure platform, first change the addressing mode to DHCP in Network > Interface, then upgrade to FortiWeb 6.1.1, because FortiWeb on the Azure platform has enforced the DHCP addressing mode since release 5.9.0.
After the upgrade:
- There might be a database compatibility issue after the upgrade, because the MariaDB database version is upgraded to 10.3.8 since FortiWeb 6.0.2.
- Run get system status to check the Database Status.
- If it shows Available, the database works well. If it shows Not Available, you need to run execute db rebuild to solve the database compatibility issue. Please note that in HA mode, running execute db rebuild on the primary appliance will take effect on all secondary appliances simultaneously.

If you upgrade from a version of FortiWeb previous to 5.5.4, the upgrade process
deletes any HTTP content routing policies that match X509 certificate content. You
can re-create these policies using the new, enhanced X509 certificate settings.


The "Bad Robot" and "SQL Injection (Syntax Based Detection)" signatures have been integrated into the WAF modules "Bot Mitigation > Known Bots" and "SQL/XSS Syntax Based Detection" since 6.3.3. If you upgrade from a version earlier than 6.3.3, all settings of these two signatures will be merged into the corresponding modules except the exception list.
Make sure to add the exception list manually after the upgrade; otherwise certain traffic will be blocked unexpectedly because the exception list is missing.

To upgrade from FortiWeb 5.4.x

Before the upgrade:
- Resize your FortiWeb hard disk partitions. See Repartitioning the hard disk.
After the upgrade:
- There might be a database compatibility issue after the upgrade, because the MariaDB database version is upgraded to 10.3.8 since FortiWeb 6.0.2.
- Run get system status to check the Database Status.
- If it shows Available, the database works well. If it shows Not Available, you need to run execute db rebuild to solve the database compatibility issue. Please note that in HA mode, running execute db rebuild on the primary appliance will take effect on all secondary appliances simultaneously.

The upgrade process deletes any HTTP content routing policies that match X509 certificate
content. You can re-create these policies using the new, enhanced X509 certificate settings.

The "Bad Robot" and "SQL Injection (Syntax Based Detection)" signatures have been integrated into the WAF modules "Bot Mitigation > Known Bots" and "SQL/XSS Syntax Based Detection" since 6.3.3. If you upgrade from a version earlier than 6.3.3, all settings of these two signatures will be merged into the corresponding modules except the exception list.
Make sure to add the exception list manually after the upgrade; otherwise certain traffic will be blocked unexpectedly because the exception list is missing.

To upgrade from FortiWeb 5.3.x

Before the upgrade:
- Resize your FortiWeb hard disk partitions. See Repartitioning the hard disk.
After the upgrade:
- There might be a database compatibility issue after the upgrade, because the MariaDB database version is upgraded to 10.3.8 since FortiWeb 6.0.2.
- Run get system status to check the Database Status.
- If it shows Available, the database works well. If it shows Not Available, you need to run execute db rebuild to solve the database compatibility issue. Please note that in HA mode, running execute db rebuild on the primary appliance will take effect on all secondary appliances simultaneously.
- If you are upgrading FortiWeb-VM on a hypervisor other than VMware vSphere, see FortiWeb-VM license validation after upgrade from pre-5.4 version.
- The upgrade process deletes any HTTP content routing policies that match X509 certificate content. You can re-create these policies using the new, enhanced X509 certificate settings.
- If you upgrade from a version of FortiWeb previous to 5.3.4 and your server policy configuration includes settings that customize an attack blocking or server unavailable error page, the upgrade deletes these server-based settings. The functionality is replaced by the global, default FortiWeb pages.
- If you upgrade from a version of FortiWeb previous to 5.3.6, the upgrade process deletes any V-zone IP addresses, which are no longer required. This operation has no impact on routing or connectivity after the upgrade.

The "Bad Robot" and "SQL Injection (Syntax Based Detection)" signatures have been integrated into the WAF modules "Bot Mitigation > Known Bots" and "SQL/XSS Syntax Based Detection" since 6.3.3. If you upgrade from a version earlier than 6.3.3, all settings of these two signatures will be merged into the corresponding modules except the exception list.
Make sure to add the exception list manually after the upgrade; otherwise certain traffic will be blocked unexpectedly because the exception list is missing.

To upgrade from a version previous to FortiWeb 5.3

FortiWeb5.3.exe is a Microsoft Windows executable script that automatically migrates your FortiWeb 5.2.x configuration
settings to a 5.3.x configuration.
1. If your version is 5.0.x or 5.1.x, upgrade to FortiWeb 5.2.x.
2. Use System > Maintenance > Backup & Restore to back up your FortiWeb configuration. Fortinet recommends
that you use the Backup entire configuration option.
Note: If you forget to back up the configuration before you upgrade to FortiWeb 5.3, you can use the Boot into
alternate firmware option to downgrade to the previous version, and then backup its configuration. For details, see
the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
3. To obtain the upgrade script, log in to the Fortinet Customer Service & Support website:
https://support.fortinet.com
In the menus at the top of the page, click Download, and then click Firmware Images.
4. For product, select FortiWeb. Then, on the Download tab, navigate to the following folder:
/FortiWeb/v5.00/5.3/Upgrade_script/
5. Download the .zip compressed archive (for example, FortiWeb5.3Upgrade_v1.9.zip) to a location you can
access from your Windows PC.
6. In Windows, extract the .zip archive's contents, and then use a command line interface to execute the upgrade
script.
For example, in the directory where the file FortiWeb5.3Upgrade.exe and your backup configuration file are
located, execute the following command:
FortiWeb5.3Upgrade.exe -i YOUR_CONFIG_NAME.conf -o 5.3_new.conf

The script removes the Domain Server, Physical Server, Server Farm, and Content Routing policy configurations and
generates a new configuration file named 5.3_new.conf.
7. Resize your FortiWeb hard disk partitions. See Repartitioning the hard disk.
8. Upgrade to 6.3.9 first, then upgrade to 7.6.0.
9. Use System > Maintenance > Backup & Restore to restore the configuration file you created using the script (for
example, 5.3_new.conf).
10. There might be a database compatibility issue after the upgrade, because the MariaDB database version has been
upgraded to 10.3.8 since FortiWeb 6.0.2:
- Run get system status to check the Database Status.
- If it shows Available, the database is working. If it shows Not Available, run execute db rebuild to resolve the
compatibility issue. Note that in HA mode, running execute db rebuild on the primary appliance takes effect on all
secondary appliances simultaneously.

- If you are upgrading FortiWeb-VM on a hypervisor other than VMware vSphere, see
FortiWeb-VM license validation after upgrade from pre-5.4 version.
- The upgrade process deletes any HTTP content routing policies that match X509 certificate content. You can
re-create these policies using the new, enhanced X509 certificate settings.
- If your server policy configuration includes settings that customize an attack blocking or server unavailable
error page, the upgrade deletes these server-based settings. The functionality is replaced by the global, default
FortiWeb pages.
- The upgrade process deletes any V-zone IP addresses, which are no longer required. This operation has no impact
on routing or connectivity after the upgrade.
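A post-upgrade check for step 10, written here as an added example (it is not Fortinet code and not part of the release notes): it parses the output of get system status, confirms the appliance actually landed on the expected build before touching the database, and decides whether execute db rebuild is still needed, carrying the HA caveat from the step above. The sample output is constructed; the exact line layout of get system status is assumed, and the code relies only on "Key: Value" lines that include a Database Status line and a version line.

```python
"""Decide what still has to be done after a FortiWeb upgrade from `get system status`.

Added example, not Fortinet code. SAMPLE_STATUS is a CONSTRUCTED sample whose
layout is assumed; only the 'Key: Value' shape, a 'Database Status' line and a
version line are relied upon.
"""
import re
from typing import Dict, List

# Constructed sample (assumed format): a freshly upgraded HA primary whose
# MariaDB schema did not migrate cleanly.
SAMPLE_STATUS = """\
Version: FortiWeb-VM 7.6.0,build1234,240812
Serial-Number: FVVM00UNLICENSED
Operation Mode: Reverse Proxy
HA Mode: active-passive
HA Role: primary
Database Status: Not Available
"""

EXPECTED_VERSION = "7.6.0"


def parse_status(text: str) -> Dict[str, str]:
    """Split 'Key: Value' lines into a dict; keys and values are trimmed."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def firmware_version(fields: Dict[str, str]) -> str:
    """Pull 'x.y.z' out of whichever line names the firmware version."""
    for key, value in fields.items():
        if "version" in key.lower():
            m = re.search(r"\b(\d+\.\d+\.\d+)\b", value)
            if m:
                return m.group(1)
    raise ValueError("no firmware version line found")


def post_upgrade_actions(text: str, expected_version: str = EXPECTED_VERSION) -> List[str]:
    """Return the ordered list of things the operator still has to do (empty = healthy)."""
    fields = parse_status(text)
    actions: List[str] = []

    version = firmware_version(fields)
    if version != expected_version:
        # Wrong version usually means the image was rejected or the box booted the
        # alternate partition; rebuilding the DB on the wrong build helps nothing.
        actions.append(f"firmware is {version}, expected {expected_version}: "
                       "re-check the upgrade before anything else")
        return actions

    if fields.get("Database Status", "").lower() != "available":
        cmd = "execute db rebuild"
        if fields.get("HA Mode", "standalone").lower() not in ("standalone", ""):
            # Release notes: a rebuild on the primary propagates to every secondary.
            cmd += "  (HA cluster: run on the primary only; all secondaries rebuild at the same time)"
        actions.append(cmd)
    return actions
```

Run post_upgrade_actions(SAMPLE_STATUS) against the constructed sample and it returns the single rebuild action with the HA warning; feed it the real output captured over SSH and an empty list means nothing is left to do.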

The "Bad Robot" and "SQL Injection (Syntax Based Detection)" signatures have been integrated into the WAF modules
"Bot Mitigation > Known Bots" and "SQL/XSS Syntax Based Detection" since 6.3.3. If you upgrade from a version
earlier than 6.3.3, all settings of these two signatures are merged into the corresponding modules except the
exception list. Make sure to add the exception list to the new modules manually after the upgrade; otherwise, traffic
that the exceptions used to allow will be blocked unexpectedly because the exception list is missing.

Note: To upgrade from 4.0 MR4, Patch x or earlier, please contact Fortinet Technical Support.
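Because the exception list is the one part of those two signatures that the upgrade does not carry over, it helps to extract it from the pre-upgrade backup and diff it against the post-upgrade configuration before re-adding entries by hand. The following is an added example, not Fortinet tooling and not taken from the release notes: a small parser for the config/edit/set/next/end syntax that FortiWeb backups use, a walker that collects every entry under any exception block, a comparison keyed on the entry's settings (IDs may be renumbered), and a renderer that emits CLI text for whatever block path you choose. The block and field names in the two constructed samples (waf signature, exception, host, request-file) and the target path passed to render_cli are assumptions for illustration; check the real names in your own backup.

```python
"""Find signature exceptions a pre-6.3.3 backup carried but the upgraded config lost.

Added example, not Fortinet tooling. Block and field names in the constructed
samples are ASSUMED; the parser relies only on the generic config/edit/set/next/end
syntax of FortiWeb backups.
"""
import shlex
from typing import Any, Dict, List, Tuple

# Constructed pre-upgrade backup (assumed block and field names).
PRE_UPGRADE_CONF = """\
config waf signature
    edit "default-signatures"
        config exception
            edit 1
                set host "api.example.com"
                set request-file "/health"
            next
            edit 2
                set host "shop.example.com"
                set request-file "/search"
            next
        end
    next
end
"""

# Constructed post-upgrade config: exception 2 was dropped by the merge and
# exception 1 was renumbered, so IDs alone cannot be compared.
POST_UPGRADE_CONF = """\
config waf signature
    edit "default-signatures"
        config exception
            edit 7
                set host "api.example.com"
                set request-file "/health"
            next
        end
    next
end
"""

Node = Dict[str, Any]  # {"set": {name: value}, "children": {(kw, name): Node}}


def parse_config(text: str) -> Node:
    """'config X'/'edit X' open a block, 'set k v' stores a value, 'next'/'end' close it."""
    root: Node = {"set": {}, "children": {}}
    stack: List[Node] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        kw = parts[0]
        if kw in ("config", "edit"):
            node: Node = {"set": {}, "children": {}}
            stack[-1]["children"][(kw, " ".join(parts[1:]))] = node
            stack.append(node)
        elif kw == "set":
            stack[-1]["set"][parts[1]] = " ".join(parts[2:])
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{kw}'")
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unterminated block")
    return root


def exception_entries(tree: Node) -> List[Dict[str, str]]:
    """Every 'edit' inside any 'config exception' block, wherever it sits in the tree."""
    found: List[Dict[str, str]] = []

    def walk(node: Node, path: Tuple[str, ...]) -> None:
        for (kw, name), child in node["children"].items():
            if kw == "config" and name == "exception":
                for (ckw, cname), entry in child["children"].items():
                    if ckw == "edit":
                        found.append({"_path": "/".join(path), "_id": cname, **entry["set"]})
            walk(child, path + (name,))

    walk(tree, ())
    return found


def _fingerprint(entry: Dict[str, str]) -> Tuple[Tuple[str, str], ...]:
    # Compare on settings only; the upgrade may renumber entries.
    return tuple(sorted((k, v) for k, v in entry.items() if not k.startswith("_")))


def missing_after_upgrade(pre_text: str, post_text: str) -> List[Dict[str, str]]:
    """Exceptions present in the pre-upgrade backup but absent after the upgrade."""
    post = {_fingerprint(e) for e in exception_entries(parse_config(post_text))}
    return [e for e in exception_entries(parse_config(pre_text)) if _fingerprint(e) not in post]


def render_cli(entries: List[Dict[str, str]], block_path: str, start_id: int = 1) -> str:
    """CLI text to re-add the missing entries under block_path, i.e. whatever the target
    module's exception block is called on your appliance (hypothetical; not from the notes)."""
    lines = [f"config {block_path}"]
    for n, entry in enumerate(entries, start=start_id):
        lines.append(f"    edit {n}")
        lines.extend(f'        set {k} "{v}"' for k, v in sorted(entry.items()) if not k.startswith("_"))
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)
```

Calling missing_after_upgrade(PRE_UPGRADE_CONF, POST_UPGRADE_CONF) returns the one dropped entry (shop.example.com, /search); render_cli(lost, "...") then prints a config block you can paste into the CLI once you have substituted the real block path of the Known Bots or SQL/XSS Syntax Based Detection exception list. On a real appliance, point the two arguments at the backup taken before the upgrade and a fresh backup taken after it.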

Repartitioning the hard disk

To upgrade from a version of FortiWeb previous to 5.5, you must first resize your FortiWeb operating system's disk.
In most cases, you'll have to install a special firmware image to repartition the disk. For details, see To use the special
firmware image to repartition the operating system's disk on page 18.
For the following FortiWeb-VM platforms, you cannot install the special firmware image to repartition the hard disk:
- Citrix XenServer
- Open-source Xen Project
- Microsoft Hyper-V
- KVM
For these platforms, to repartition the disk you must deploy a new virtual machine and restore the configuration and log
data you backed up earlier. See To repartition the operating system's disk without the special firmware image on page
18.

Repartitioning affects the operating system’s disk (USB/flash disk), not the hard disk.
Existing data such as reports and event, traffic, and attack logs, which are on the
hard disk, are not affected.

You can use this image to upgrade an HA cluster by following the same procedure
you use for a regular firmware upgrade. For details, see "Updating firmware on an
HA pair" in the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides

To use the special firmware image to repartition the operating system's disk

1. Perform a complete backup of your FortiWeb configuration.
Although the repartitioning firmware image automatically saves your FortiWeb configuration, Fortinet recommends
that you also manually back it up. For details, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
2. Contact Fortinet Technical Support to obtain the special repartitioning firmware image: special build 5.4.1, build
6066.
3. Follow one of the same procedures that you use to install or upgrade firmware using a standard image:
- In the Web UI, go to System > Status > Status. Locate the System Information widget. Beside Firmware
Version, click [Update].
- In the Web UI, go to System > Maintenance > Backup & Restore. Select the Restore option in System
Configuration.
- In the CLI, enter the execute restore config command.
FortiWeb backs up the current configuration, resizes the operating system disk's partitions, and boots the system.
Continue with the instructions in Upgrading from previous releases on page 11.

To repartition the operating system's disk without the special firmware image

1. Perform a complete backup of your FortiWeb configuration. For details, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
2. Use the instructions for your hypervisor platform to detach the log disk from the VM:
- To detach the log disk from a Citrix XenServer VM on page 19
- To detach the log disk from a Microsoft Hyper-V VM on page 19
- To detach the log disk from a KVM VM on page 19
3. Deploy a new FortiWeb 5.5 or later virtual machine on the same platform.
4. Use the instructions for your hypervisor platform to attach the log disk you detached earlier to the new VM:
- To attach the log disk to a Citrix XenServer VM on page 19
- To attach the log disk to a Microsoft Hyper-V VM on page 19
- To attach the log disk to a KVM VM on page 19
5. Restore the configuration you backed up earlier to the new VM.
6. When you are sure that the new VM is working properly with the required configuration and log data, delete the old
VM.

To detach the log disk from a Citrix XenServer VM

1. In Citrix XenCenter, connect to the VM.
2. In the settings for the VM, on the Storage tab, select Hard disk 2, and then click Properties.
3. For Description, enter a new description, and then click OK.
4. Select Hard disk 2 again, and then click Detach.
5. Click Yes to confirm the detach task.

To detach the log disk from a Microsoft Hyper-V VM

1. In the Hyper-V Manager, select the FortiWeb-VM in the list of machines, and then, under Actions, click Settings.
2. Select Hard Drive (data.vhd), and then click Remove.
3. Click Apply.

To detach the log disk from a KVM VM

1. In Virtual Machine Manager, double-click the FortiWeb-VM in the list of machines.
2. Click Show virtual hardware details (the "i" button).
3. Click VirtIO Disk 2, and then click Remove.

To attach the log disk to a Citrix XenServer VM

1. In Citrix XenCenter, connect to the VM.
2. In the settings for the new, FortiWeb 5.5 or later VM, on the Storage tab, select Hard disk 2, and then click Delete.
3. Click Yes to confirm the deletion.
4. On the Storage tab, click Attach Disk.
5. Navigate to the hard disk you detached from the old VM to attach it.
6. Start your new virtual machine.

To attach the log disk to a Microsoft Hyper-V VM

1. In the Hyper-V Manager, select the new, FortiWeb 5.5 or later virtual machine in the list of machines, and then,
under Actions, click Settings.
2. Select Hard Drive (log.vhd), and then click Browse.
3. Browse to the hard drive you detached from the old virtual machine to select it.
4. Click Apply.
5. Start the new virtual machine.

To attach the log disk to a KVM VM

For KVM deployments, you remove an existing virtual disk from the new VM before you attach the disk detached from
the original VM.

1. In Virtual Machine Manager, double-click the new, FortiWeb 5.5 or later VM in the list of machines.
2. Click Show virtual hardware details (the "i" button).
3. Click VirtIO Disk 2, and then click Remove.
4. Click Add Hardware.
5. Click Storage, select Select managed or other existing storage, and then click Browse.
6. Click Browse Local.
7. Navigate to the log disk file for the original machine to select it, and then click Open.
8. For Device type, select Virtio disk, for Storage format, select qcow2, and then click Finish.
9. Start the new virtual machine.
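The same KVM detach and attach sequence can be driven from libvirt's virsh instead of Virtual Machine Manager, which is easier to review and repeat across several appliances. The following is an added example, not Fortinet's procedure: it builds the ordered list of virsh commands that mirror the GUI steps above (detach the log disk from the old VM, remove the new VM's own second disk, attach the old disk file, verify, start) and prints them as a dry run unless told to execute. It assumes virsh is installed, both VMs are shut off before any disk is detached, the FortiWeb log disk is the second virtio disk (target vdb, matching "VirtIO Disk 2"), and the disk is a qcow2 file; the domain names and path used in the usage note are placeholders.

```python
"""virsh equivalent of the KVM log-disk migration, as a reviewable dry-run plan.

Added example, not Fortinet's procedure. Assumes: virsh is available, both
domains are shut off, the log disk is the second virtio disk (vdb) and is
qcow2. Domain names and paths are placeholders.
"""
import subprocess
from typing import List, Sequence

Command = List[str]


def detach_log_disk(domain: str, target: str = "vdb") -> Command:
    """Remove the log disk from the domain's persistent definition (file is kept)."""
    return ["virsh", "detach-disk", domain, target, "--persistent"]


def attach_log_disk(domain: str, disk_path: str, target: str = "vdb") -> Command:
    """Attach an existing qcow2 file as a virtio disk in the persistent definition."""
    return ["virsh", "attach-disk", domain, disk_path, target,
            "--driver", "qemu", "--subdriver", "qcow2",
            "--targetbus", "virtio", "--persistent"]


def domain_is_shut_off(domstate_output: str) -> bool:
    """True when 'virsh domstate' reports the domain as shut off."""
    return domstate_output.strip() == "shut off"


def plan_log_disk_migration(old_domain: str, new_domain: str, log_disk: str,
                            target: str = "vdb") -> List[Command]:
    """Mirror the GUI steps: detach from the old VM, drop the new VM's empty
    second disk, attach the old log disk, verify, then start the new VM."""
    if old_domain == new_domain:
        raise ValueError("old and new domains must differ")
    return [
        detach_log_disk(old_domain, target),
        detach_log_disk(new_domain, target),          # the fresh VM's own "VirtIO Disk 2"
        attach_log_disk(new_domain, log_disk, target),
        ["virsh", "domblklist", new_domain],          # vdb must now point at log_disk
        ["virsh", "start", new_domain],
    ]


def run_plan(plan: Sequence[Command], domains: Sequence[str], dry_run: bool = True) -> List[str]:
    """Print every command; execute only when dry_run is False, and only after
    confirming each named domain is shut off. Returns the rendered command lines."""
    rendered = [" ".join(cmd) for cmd in plan]
    if not dry_run:
        for dom in domains:
            state = subprocess.run(["virsh", "domstate", dom], check=True,
                                   capture_output=True, text=True).stdout
            if not domain_is_shut_off(state):
                raise RuntimeError(f"{dom} is not shut off; refusing to touch its disks")
    for line, cmd in zip(rendered, plan):
        print(("[dry-run] " if dry_run else "[run] ") + line)
        if not dry_run:
            subprocess.run(cmd, check=True)
    return rendered
```

A typical call is run_plan(plan_log_disk_migration("fortiweb-old", "fortiweb-new", "/var/lib/libvirt/images/fortiweb-old-log.qcow2"), ["fortiweb-old", "fortiweb-new"]); read the printed commands, then rerun with dry_run=False. Note that virsh detach-disk, like the Remove button in the GUI, only drops the disk from the VM definition and leaves the file on disk, so the new VM's original second disk file can be deleted separately once the old logs are confirmed to be visible.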

Upgrading an HA cluster

If the HA cluster is running FortiWeb 4.0 MR4 or later, the HA cluster upgrade is streamlined. When you upgrade the
active appliance, it automatically upgrades any standby appliance(s), too; no manual intervention is required to upgrade
the other appliance(s). This includes upgrading using the special hard disk repartitioning firmware image for upgrading to
5.5 or later from earlier releases.
If the HA cluster is running FortiWeb 4.0 MR3 Patch x or earlier, contact Fortinet Technical Support for assistance.

Downgrading to a previous release

We don't recommend performing a downgrade because unexpected results may occur. If you
insist on a downgrade, please first contact FortiWeb Technical Support team.

ML based modules data loss

The machine learning data will be lost if you downgrade to versions lower than 6.2.0. It cannot be recovered because the
database architecture changed in 6.2.0.

Log compatibility issue

There might be a log compatibility issue between different FortiWeb versions. If logs are not available in the GUI after
downgrading to an earlier version, run execute db rebuild.

Basic configuration preserved if downgrading to 5.1 or 5.0

When you downgrade to version 5.1 or 5.0, the basic configuration for your appliance's connections to the network (e.g.,
IP address and route configuration) is preserved.

Admin user password hash change

The admin user password hash changed from SHA-1 to SHA-256 in 7.2.0 (see System > Admin > Administrators).
If you downgrade to 7.0.x or 7.1.x, you may need to convert the password hash; otherwise the admin users can't log in
with their credentials. FortiWeb prompts you with a message to this effect after the downgrade.
If you downgrade to versions earlier than 7.0, you need to recreate the lost accounts in System > Admin >
Administrators. FortiWeb prompts you with a message to this effect after the downgrade.

FortiWeb-VM license validation after upgrade from pre-5.4 version

On some virtual machine deployments, upgrading FortiWeb-VM from a version previous to 5.4 changes the virtual
machine's universally unique identifier (UUID). Because of this change, the first time you upload your existing
FortiWeb-VM license, the FortiGuard Distribution Network (FDN) server reports that it is invalid.
To solve this problem, after you have uploaded the license, wait 90 minutes, and then upload the license again.
This issue does not affect FortiWeb-VM deployed on a VMware vSphere hypervisor.


Resolved issues

This section lists issues that have been fixed in version 7.6.0. For inquiries about a particular bug, please contact Fortinet
Customer Service & Support: https://support.fortinet.com

Bug ID    Description

1040690   Traffic logs in JSON format are missing the original_src field.
1037874   FortiWeb does not recognize the new-format serial numbers beginning with "FEMSPR" and "FEMSPO".
1035549   Cookie Security module does not process encrypted cookies as expected.
1028875   New scripts are not synchronized to the secondary node after a reboot or power cycle.
1027903   Known Bot DB causes high CPU usage because it is applied at the server policy level instead of the global level.
1026959   Traffic logs sent in JSON format to a SIEM contain the same TCP port for the source and destination port.
1026591   Config backup fails and logs are not forwarded to QRadar.
1025602   HA synchronization issue occurs and the system displays an error message stating that the required config for
          server pool and content routing is missing.
1025527   The output of the get waf signature-rule command does not include the description of the sub-category
          'HTTP Illegal Header'.
1023676   Proxyd crashes because the SERVERSSL_CLIENTHELLO_SEND event is triggered at the wrong step/location.
1022178   Uploading a file via curl is blocked due to an HPC/Multiform Data Violation.
1020769   Traffic is interrupted and re-established randomly.
1019495   The XFF header is not inserted for some traffic as expected.
1017896   OpenAPI file upload fails with error 'undefined'.
1017813   Custom Rule does not apply the configured Action correctly.
1016981   HTTP Status reason can't be modified in the replacement message.
1011300   'ImagesiftBot' is not recognized by Known Bots.
1010113   RADIUS administrator accounts can't log in.
1009227   Saved log filter is not visible.
1008387   The event log doesn't record the logout time correctly if users close the browser instead of logging out.
1006233   Attack log filter does not recognize Feb. 29.
1004537   Input validation is triggered by empty fields.
1004201   Secondary device in HA resets the configuration.
1003878   The log message 'FortiWeb HCDB is unauthorized' is shown even though HCDB is not included in the license.
1003226   FortiWeb bypasses the cross-site scripting payload if the content type is modified to application/json.
1001209   Log message fields indicate time in seconds instead of milliseconds.
0999807   Misspelled log entry.
0999644   Let's Encrypt TLS-ALPN renewal issue.
0994811   The maximum length allowed for API keys should be increased.
0992074   HTTP Header Security can't configure multiple rules with the same URL and Security Header Type.
0991889   FortiWeb-VM on Google Cloud randomly stops generating logs.
0991247   FortiWeb does not forward the full packet detail log to FortiAnalyzer.
0989441   "ERR_HTTP2_SERVER_REFUSED_STREAM" error is displayed when accessing an application from a Mac device.
0988560   New device fails to join the HA cluster.
0985543   FortiWeb 100D v7.2.5 unexpectedly reboots.
0984485   FortiWeb does not forward headers as expected during NTLM authentication.
0982517   The monitor and auto-restore keep taking actions even though they are disabled.
0972280   Date out of sync, which leads to FortiWeb not being accessible.
0955694   When applying a saved filter in the Attack Log, the table does not immediately show all the matched rows.
0947327   HTTP/2 issue occurs on the client side due to a flow control window error.
0924691   When adding a date/time filter in the attack log, the focus goes to the wrong field.
0752956   MITB Protection password encryption causes a password auto-fill issue.

Common Vulnerabilities and Exposures

For more information, visit https://www.fortiguard.com/psirt.

Bug ID    CVE reference

0988524   FortiWeb 7.6.0 is no longer vulnerable to CVE-2024-23665.
0985987   FortiWeb 7.6.0 is no longer vulnerable to CVE-2023-48795 (the SSH "Terrapin" prefix truncation attack on the
          SSH transport; check the FortiGuard PSIRT advisory for the affected versions).


Known issues

The following issues have been identified in version 7.6.0. To inquire about a particular bug or report a bug, please
contact Fortinet Customer Service & Support: https://support.fortinet.com.

Bug ID    Description

1025388   Certificate Verification doesn't work with HTTP/3 traffic from the Firefox, Chrome, and Edge browsers.
1026187   HTTP/3 and "noparse" in config server-policy policy are not compatible.



www.fortinet.com

Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
