Technical Tip: How to block TLS 1.3 PQC when deep inspection is not enabled and Web Filter is bypassed (using a flow-based policy / SSL certificate inspection)
Description
This article describes how to block TLS 1.3 PQC in environments where Deep Inspection and Proxy Mode cannot be enabled.
Scope
FortiOS.
Solution
When Web Filter is used in a flow-based policy with SSL certificate inspection, and the environment does not allow deep inspection or proxy mode because installing a certificate on the client devices is not an option, the observed behavior is that pages already blocked by Web Filter are bypassed when the site negotiates TLS 1.3 PQC. In this case, follow the steps below:
1. Analyze the 'false positive' block in the Web Filter log (Log & Report -> Security Events -> Web Filter). The action is 'Block', but the page can still be accessed even though the action was executed correctly.

2. On the policy that limits the content, where Web Filter is enabled, enable a custom 'Application Control' profile.
Note: The profile is mandatory in order to see logs about the protocol used by the page. To see the logs, go to Log & Report -> Security Events -> Application Control.

3. When the user tries to access the 'blocked' page, look at the corresponding log in the Application Control section: the protocol TLS 1.3 PQC shows a 'Pass' state. This means the connection is being forwarded and allowed, and the Web Filter is bypassed by the protocol the web page is using, even though the Web Filter log shows the correct filter being hit with a 'Block' action.

4. In this scenario, it is necessary to add, inside the Application Control custom profile configured in step 2, an entry under 'Application and Filter Overrides' that contains the application 'SSL_TLSv1.3.PQC' with the 'Block' action.

5. With this change, the page is blocked and inaccessible to the user. After the change, the Application Control log shows that the protocol is blocked, although the SSL communication itself continues to be granted.
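The same override expressed in the FortiOS CLI, as an added example that is not part of the original article. The profile, policy and policy ID are assumed, and because the CLI references applications by numeric signature ID rather than by name, the placeholder <PQC_APP_ID> must be replaced with the ID that the unit's application signature list shows for SSL_TLSv1.3.PQC:

```fortios
# Added example: custom Application Control profile that blocks the
# SSL_TLSv1.3.PQC application while passing everything else.
# Profile and policy names are assumed; <PQC_APP_ID> is a placeholder
# for the numeric signature ID of SSL_TLSv1.3.PQC on this FortiGate.
config application list
    edit "AppCtrl-Block-PQC"
        set comment "Block TLS 1.3 PQC so Web Filter is not bypassed"
        config entries
            edit 1
                set application <PQC_APP_ID>
                set action block
                set log enable
            next
            edit 2
                # catch-all entry: all other applications pass
                set action pass
            next
        end
    next
end

# Attach the profile to the flow-based policy that already carries the
# Web Filter profile and SSL certificate inspection (policy ID assumed).
config firewall policy
    edit 10
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "WebFilter-Block-Sites"
        set application-list "AppCtrl-Block-PQC"
        set logtraffic all
    next
end
```

After applying it, confirm in Log & Report -> Security Events -> Application Control that SSL_TLSv1.3.PQC now shows 'Block' for the affected site.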


Note: If blocking TLS 1.3 with Application Control is not possible, the issue can be addressed using DNS Filter. This solution applies to FortiOS 7.4.x and later. For detailed instructions, refer to Option 1 in this FortiGate knowledge base article.
