| Solution | On September 2nd, 2025, the FortiGuard team removed the HTTPS.BROWSER signature from the Application Control database as of version 34.00076. A pre-release notification was given on August 28th, 2025 via Application Control version 34.00075. This signature was removed due to its nature as a legacy signature, as FortiGuard has already released better, more accurate signatures as replacements in the past.

The current Application Definitions database version on the FortiGate can be validated in one of two ways:

- GUI method: Navigate to System -> FortiGuard (in the Global VDOM, if applicable), then expand the Firmware & General Updates -> Application Control Signatures section.
- CLI method: Run the command diagnose autoupdate versions | grep Application -A 7:

```
FortiGate (global) # diagnose autoupdate versions | grep Application -A 7
Application Definitions
---------
Version: 34.00076 signed
Contract Expiry Date: Fri Mar 27 2026
Last Updated using scheduled update on Wed Sep 3 08:04:20 2025
Last Update Attempt: Wed Sep 3 08:04:20 2025
Result: Updates Installed
```

Note: Most users will not be impacted by this change, as the vast majority of HTTPS traffic will be categorized by Application Control as one of the following families of signatures:

- The SSL family in the Network Service group (such as SSL_TLSv1.2, SSL_TLSv1.3, or SSL_TLSv1.3.PQC), typically observed when pairing Application Control with SSL certificate-inspection.
  - This may also include the QUIC/DTLS signature for UDP/443 web traffic.
- The HTTP.BROWSER family in the Web Client group (such as HTTP.BROWSER_Chrome or HTTP.BROWSER_Firefox), typically observed when pairing Application Control with SSL deep-inspection.
- More specific HTTPS traffic may be matched to specific known applications, such as Google.Services or Microsoft.Portal

However, users who will be impacted by this change include those that:

- Used NGFW Policy-based mode with Application-based filtering and who also used the HTTPS.BROWSER application to match traffic, or
- Used Application Control profiles in NGFW profile-based mode with very specific/narrow sets of signatures that were allowed (e.g. specifically allowing HTTPS.BROWSER but not allowing other HTTPS-related application signatures).

Workaround: To work around this change in behavior, there are a few recommended methods:

- The primary method is to replace the HTTPS.BROWSER signature with the SSL and HTTP.BROWSER signature families. This will allow HTTP traffic to match successfully for the certificate-inspection and deep-inspection cases respectively (though using both together is a good idea to ensure that traffic is consistently matched).
  - Note that the superset signature (e.g. SSL and HTTP.BROWSER) can be used on its own, but adding the members of the signature family (such as SSL_TLSv1.3 or HTTP.BROWSER_Chrome) can allow for much greater logging granularity in matched applications.
- Alternatively, users may also create Firewall or Security Policies (for NGFW profile-based and policy-based respectively) that utilize the HTTPS Service object instead (i.e. allowing traffic that matches TCP/443, rather than relying on Application Control to match traffic to signatures).
|
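
The CLI check above can be automated across collected `diagnose autoupdate versions` output. The following is an added example, not Fortinet code: it parses the Application Definitions block and reports whether the device has reached the version in which HTTPS.BROWSER was removed. The function names and status labels are assumptions, and the sample input is the output quoted in this article.

```python
import re

# Version thresholds stated in the article, as (major, build) tuples.
NOTICE_VERSION = (34, 75)   # 34.00075: pre-release notification
REMOVAL_VERSION = (34, 76)  # 34.00076: HTTPS.BROWSER removed

# Sample input: the CLI output quoted in the article.
SAMPLE_OUTPUT = """\
FortiGate (global) # diagnose autoupdate versions | grep Application -A 7
Application Definitions
---------
Version: 34.00076 signed
Contract Expiry Date: Fri Mar 27 2026
Last Updated using scheduled update on Wed Sep 3 08:04:20 2025
Last Update Attempt: Wed Sep 3 08:04:20 2025
Result: Updates Installed
"""

def app_db_version(output):
    """Return (major, build) for the Application Definitions block, or None."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != "Application Definitions":
            continue
        # Only look inside this block, so that the Version line of another
        # database in unfiltered output is never picked up by mistake.
        for follow in lines[i + 1:i + 8]:
            m = re.match(r"\s*Version:\s*(\d+)\.(\d+)", follow)
            if m:
                return int(m.group(1)), int(m.group(2))
        return None
    return None

def removal_status(output):
    """Classify a device by its Application Control database version."""
    version = app_db_version(output)
    if version is None:
        return "unknown"             # block missing or unparsable
    if version >= REMOVAL_VERSION:
        return "removed"             # HTTPS.BROWSER no longer in the database
    if version >= NOTICE_VERSION:
        return "pre-release-notice"  # signature still present, removal announced
    return "present"

if __name__ == "__main__":
    print(app_db_version(SAMPLE_OUTPUT), removal_status(SAMPLE_OUTPUT))
```

Devices reported as "removed" are the ones whose policies and Application Control profiles should be reviewed for the impacted cases listed above.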