FortiProxy Release 

Notes
Version 1.2.9
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE
http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com 

http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES
http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

FORTICAST
http://forticast.fortinet.com

END USER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

FORTINET PRIVACY POLICY

https://www.fortinet.com/corporate/about-us/privacy.html

FEEDBACK
Email: [email protected]

December 14, 2020

FortiProxy 1.2.9 Release Notes

Revision 1
TABLE OF CONTENTS

Change log 4
Introduction 5
Security modules 5
Caching and WAN optimization 6
Whatʼs new 7
Supported models 7
Product integration and support 9
Web browser support 9
Fortinet product support 9
Software upgrade path 9
Virtualization environment support 9
New deployment of the FortiProxy VM 9
Upgrading the FortiProxy VM 10
Downgrading the FortiProxy VM 10
Resolved issues 11
Common vulnerabilities and exposures 13
Known issues 14
Change log

Date Change Description

December 14, 2020 Initial release for FortiProxy 1.2.9

Introduction

FortiProxy delivers a class-leading Secure Web Gateway, security features, unmatched performance,
and the best user experience for web sites and cloud-based applications. All FortiProxy models include
the following features out of the box:

Security modules

The unique FortiProxy architecture offers granular control over security, understanding user needs and
enforcing Internet policy compliance with the following security modules:

l Web filtering
o The web-filtering solution is designed to restrict or control the content a reader is authorized to

access, delivered over the Internet using the web browser.

o The web rating override allows users to change the rating for a web site and control access to the
site without affecting the rest of the sites in the original category.
l DNS filtering
o Similar to the FortiGuard web filtering. DNS filtering allows, blocks, or monitors access to web

content according to FortiGuard categories.

l Email filtering
o The FortiGuard Antispam Service uses both a sender IP reputation database and a spam

signature database, along with sophisticated spam filtering tools on Fortinet appliances and
agents, to detect and block a wide range of spam messages. Updates to the IP reputation and
spam signature databases are provided continuously by the FDN.
l CIFS filtering
o CIFS UTM scanning, which includes antivirus file scanning and data leak prevention (DLP) file

filtering.
l Application control
o Application control technologies detect and take action against network traffic based on the

application that generated the traffic.

l Data Leak Prevention (DLP)
o The FortiProxy data leak prevention system allows you to prevent sensitive data from leaving your

network.
l Antivirus
o Antivirus uses a suite of integrated security technologies to protect against a variety of threats,

including both known and unknown malicious codes (malware), plus Advanced Targeted Attacks
(ATAs), also known as Advanced Persistent Threats (APTs).
l SSL/SSH inspection (MITM)
o SSL/SSH inspection helps to unlock encrypted sessions, see into encrypted packets, find threats,

and block them.

l Intrusion Prevention System (IPS)
o Intrusion Prevention System technology protects your network from cybercriminal attacks by

actively seeking and blocking external threats before they can reach potentially vulnerable
network devices.
l Content Analysis
o Content Analysis allow you to detect adult content images in real time. This service is a real-time

analysis of the content passing through the FortiProxy unit.

Caching and WAN optimization

All traffic between a client network and one or more web servers is intercepted by a web cache policy.
This policy causes the FortiProxy unit to cache pages from the web servers on the FortiProxy unit and
makes the cached pages available to users on the client network. Web caching can be configured for
standard and reverse web caching.

FortiProxy supports WAN optimization to improve traffic performance and efficiency as it crosses the
WAN. FortiProxy WAN optimization consists of a number of techniques that you can apply to improve
the efficiency of communication across your WAN. These techniques include protocol optimization,
byte caching, SSL offloading, and secure tunneling.

Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP, HTTP, or MAPI
protocol, as well as general TCP traffic. Byte caching caches files and other data on FortiProxy units to
reduce the amount of data transmitted across the WAN.

FortiProxy is intelligent enough to understand the differing caching formats of the major video services
in order to maximize cache rates for one of the biggest contributors to bandwidth usage. FortiProxy will:

l Detect the same video ID when content comes from different CDN hosts
l Support seek forward/backward in video
l Detect and cache separately; advertisements automatically played before the actual videos
Whatʼs new

This release contains the following new features and enhancements:

l You can now back up the FortiProxy configuration to a SSH File Transfer Protocol (SFTP) server. Use the
following CLI command:

execute backup config <destination_IP_address> <SFTP_server_user_name>

<SFTP_server_password> <destination_file_path> [<optional_password_for_
backup_file>]

l You can now create a data loss prevention (DLP) sensor with a filter to block files of a specific file type
that also exceed a specified file size. Use the following CLI commands:

config dlp sensor

edit <name>
set comment <comment>
set replacemsg-group <string>
set dlp-log {enable | disable}
set nac-quar-log {enable | disable}
set summary-proto {smtp | pop3 | imap | http-get | http-post | ftp |
nntp | mapi | cifs | ssh}
config filter
edit <id>
set name <filter_name>
set severity {info | low | medium | high | critical}
set type {file | message}
set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp
| mapi | cifs | ssh}
set filter-by {credit-card | ssn | regexp | file-type | file-size
| watermark | encrypted | file-type-and-size}
set file-size <0-4294967295 kbytes>
set file-type {builtin-patterns | all_executables}
set action {allow | log-only | block | quarantine-ip}
next
end
next
end

l The new set wccp-local-route {enable | disable} command (under config system
settings) controls whether WCCP uses the local route when the WCCP cache engine is enabled.

Supported models

The following models are supported on FortiProxy 1.2.9, build 0311:

FortiProxy l FPX-2000E
l FPX-4000E
l FPX-400E
 l FPX-AZURE
l FPX-HY
l FPX-KVM
FortiProxy VM l FPX-KVM-AWS
l FPX-KVM-GCP
l FPX-KVM-OPC
l FPX-VMWARE
Product integration and support

Web browser support

The following web browsers are supported by FortiProxy 1.2.9:

l Microsoft Internet Explorer version 11

l Mozilla Firefox version 61
l Google Chrome version 67
Other web browsers might function correctly but are not supported by Fortinet.

Fortinet product support

l FortiOS 5.x and 6.0 to support the WCCP content server

l FortiOS 5.6.3 and 6.0 to support the web cache collaboration storage cluster
l FortiAnalyzer 5.6.5
l FortiSandbox and FortiCloud FortiSandbox, 2.5.1

Software upgrade path

FortiProxy supports upgrading directly from 1.0.x or 1.1.x to 1.2.x.

Virtualization environment support

NOTE: Fortinet recommends running the FortiProxy VM with 2G+ memory because the AI-based
Image Analyzer uses more memory comparing to the previous version.

Linux KVM l RHEL 7.1/Ubuntu 12.04 and later

l CentOS 6.4 (qemu 0.12.1) and later

l ESX versions 4.0 and 4.1

VMware
l ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

Microsoft l Hyper-V Server 2008 R2, 2012, 2012R2, and 2016

New deployment of the FortiProxy VM

The minimum memory size for the FortiProxy VM for 1.2.9 or later is 2G. You must have at least 2G of
memory to allocate to the FortiProxy VM from the VM host.
Upgrading the FortiProxy VM
If you are upgrading from FortiProxy 1.1.2 or earlier, including FortiProxy 1.0 to FortiProxy 1.2.9 or
later, use the following procedure:
1. Back up the configuration from the GUI or CLI. Make sure the VM license file is stored on the PC or FTP
or TFTP server.
2. Shut down the original VM.
3. Deploy the new VM. Make sure that there is at least 2G of memory to allocate to the VM.
4. From the VM console, configure the interface, routing, and DNS for GUI or CLI access to the new VM
and its access to FortiGuard.
5. Upload the VM license file using the GUI or CLI
6. Restore the configuration using the CLI or GUI.

Downgrading the FortiProxy VM

If you are downgrading from FortiProxy 1.2.9 or later to FortiProxy 1.1.2 or earlier, use the following
procedure:
1. Back up the configuration from the GUI or CLI. Make sure the VM license file is stored on the PC or FTP
or TFTP server.
2. Shut down the original VM.
3. Deploy the new VM. Make sure that there is at least 2G of memory to allocate to the VM.
4. From the VM console, configure the interface, routing, and DNS for GUI or CLI access to the new VM
and its access to FortiGuard.
5. Upload the VM license file using the GUI or CLI
6. Restore the configuration using the CLI or GUI.
Resolved issues

The following issue has been fixed in FortiProxy 1.2.9. For inquiries about a particular bug, please
contact Customer Service & Support.

Bug ID Description

557721 When action=redirect or action=isolatein the config firewall policy

configuration, the attributes that are not applicable should be hidden.

573998 When the policy action=redirect, some fields should be hidden.

604699 Adding an extra space to the HOST header causes a memory leak.

When using MAPI over HTTP (Active-Passive) mode, the WAN-optimization tunnels are
609568
sometimes not established.

627754 Various features of the FortiProxy GUI need to be fixed or improved.

634890 FortiProxy does not support IPsec PFS and Diffie-Hellman group 20.

644299 The WAN-optimization daemon (WAD) process crashes when the local ICAP server handles
an oversized file when the oversize option is enabled.

645851 FTPS using the explicit-FTP proxy does not work for some clients.

651314 There are multiple fnbamd crashes when a Config-Sync cluster was configured with LDAP
authentication and load balancing.

When the FortiProxy unit is configured as a WCCP client, redirected traffic is being dropped
657563
when web caching is enabled in the policy.

661981 The update time is incorrect in the output for the get sys ha status command, and the
host name is empty in the output for the dia sys ha status command.

After FortiProxy is upgraded, the policy type of explicit-ftp changes to transparent if explicit-
662558
ftp is disabled.

665159 Uploading a virus file over 48k is not blocked in stream-scan mode.

666012 Two crashes happened when restarting WAD.

666590 FortiProxy VM models should have irqbalance.

667290 A WAD crash happened during a test.

667581 After config icap local-server is configured on a FortiProxy unit with a specified
incoming-ip, the explicit FTP configured with a different incoming-ip does not respond to the
sync packet.
Bug ID Description

669251 Removed the OPTIONS method from the HTTP 405 “Method Not Allowed” response.

669878 Running the exec report run CLI command causes the report daemon to crash.

Changing the setting for a Content Analysis category still allows images that should be
670528
blocked.

670862 After configuring two LDAP servers in krb-keytab, the PAC cache does not behave as
expected.

675326 The wa_cs process crashes during a test.

675625 The button keeps spinning if an invalid Google domain is added and then Apply is clicked on
the Edit Web Filter Profile page

676516 The active method in the authentication rule should not select the header type scheme.

677158 The DLP file name pattern cannot be added in the GUI.

677606 When the policy type is explicit FTP, the web cache and web proxy profile should be hidden.

677683 WAD crashes when no ICAP service is mapped.

677743 The local ICAP server has memory corruptions.

677843 The WAD process is causing high memory usage, and the wa_cs process is crashing.

678746 When applying log settings, the confirmation page is displayed twice.

680892 The DLP system is not blocking files according to the configured file type.

680945 The WAD process keeps crashing.

681017 The Security Fabric widget in the FortiProxy dashboard should display the correct IP address.

681250 Configuring HA in the GUI causes the HTTPS daemon to crash.

681461 When incoming-ip is set for explicit FTP proxy, iptables ignore it.

681677 A programming tool discovered an invalid read/write.

682254 When deploying a new FortiProxy VM on Azure, you can set the user name and password;
however, you cannot log in to the VM with the user name and password that was configured.

682618 Deleting one or more policy from the GUI results in multiple confirmation pages.

682827 Various issues with the ICAP server need to be fixed.

683833 The WAD process is causing high memory usage and is crashing.
Common vulnerabilities and exposures

FortiProxy 1.2.9 is no longer vulnerable to the following CVEs:

l CVE-2018-13379
l CVE-2018-13380
l CVE-2018-13381
l CVE-2018-13382
l CVE-2018-13383
Visit https://fortiguard.com/psirt for more information.
Known issues

FortiProxy 1.2.9 includes the known issues listed in this section. For inquires about a particular issue,
please contact Fortinet Customer Service & Support.

Bug ID Description

491027 Filtering the YouTube channel does not work.

Workaround: The fix is scheduled for a future release.

490951 The append explicit-outgoing-ip command is not validated.

499787 The FortiGuard firmware versions are not listed on the System > Firmware page.
Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.