Created on
11-25-2024
11:02 PM
Edited on
11-28-2024
12:06 AM
By
Jean-Philippe_P
Description
This article describes how to block TLS 1.3 PQC traffic with Application Control in environments that cannot use Deep Inspection or proxy-mode inspection, so that Web Filter blocks are no longer bypassed by pages negotiated over TLS 1.3 PQC.
Scope
FortiOS.
Solution
When Web Filter is used in a flow-based policy with SSL certificate inspection, and deep inspection or proxy mode cannot be used because there is no way to install the FortiGate CA certificate on the devices that use the network resources, the following behavior can be observed: pages that are already blocked by Web Filter are still reachable because the page is negotiated over TLS 1.3 PQC, which certificate inspection cannot evaluate in the same way. To confirm the cause and block the traffic, follow these steps:
- Analyze the 'false positive' block in the Web Filter log (Log & Report -> Security Events -> Web Filter). The action shows 'Block', yet the user can still open the web page even though the action was applied correctly.
- On the policy that limits content with Web Filter enabled, also enable a custom 'Application Control' profile.
Note: It is mandatory to enable the profile to see logs about the protocol used by the page. To see the logs, go to 'Log & Report -> Security Events -> Application Control'.
- When the user tries to access the 'blocked' page, check the Application Control log for the same session: the protocol 'SSL_TLSv1.3.PQC' appears with action 'Pass'. This means the connection is being forwarded and allowed, and Web Filter is bypassed by the protocol the web page uses, even though the Web Filter log shows the correct filter being hit with a 'Block' action.
- In this scenario, add an entry under 'Application and Filter Overrides' in the custom Application Control profile created in the second step that matches the application signature 'SSL_TLSv1.3.PQC' with the action 'Block'.
- With this change the page is blocked and inaccessible to the user. After the change, the Application Control log shows the 'SSL_TLSv1.3.PQC' signature as blocked, while regular SSL/TLS traffic that does not use PQC continues to be allowed. Keep in mind that the override applies to every TLS 1.3 PQC connection matched by that policy, not only to the web pages Web Filter blocks, so verify the effect on legitimate destinations before rolling it out widely.
Note: If blocking TLS 1.3 PQC with Application Control is not possible, the issue can be addressed with DNS filtering instead. That solution applies to FortiOS 7.4.x and later. For detailed instructions, refer to Option 1 in this FortiGate knowledge base article.
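The first three steps above amount to correlating a Web Filter 'Block' event with an Application Control 'Pass' event for 'SSL_TLSv1.3.PQC' in the same session. The script below is an added example, not code from the original article or from Fortinet, that performs that correlation over exported FortiOS key=value log lines so the bypass can be found in bulk rather than by eye. It assumes the standard FortiOS log fields (sessionid, subtype, action, app, hostname, dstip) are present; the sample log lines are constructed for this example and their logid and address values are not taken from a real device.

```python
"""Correlate FortiOS Web Filter and Application Control logs per session.

Added example, not code from the original article or from Fortinet. It
automates the check in the steps above: find sessions where Web Filter
logged 'blocked' but the Application Control event for SSL_TLSv1.3.PQC
was 'pass', i.e. the bypass the article describes.

Assumptions: the input is FortiOS key=value log text (syslog export or
log download) and the field names used here (sessionid, subtype, action,
app, hostname, dstip) are present. The sample lines below are constructed
for this example; their logid and address values are not from a real box.
"""
import re
from collections import defaultdict

# Constructed sample: session 123456 shows the bypass (Web Filter blocked,
# PQC handshake passed); session 123457 shows the state after the
# Application Control override is in place (PQC handshake blocked).
SAMPLE_LOGS = """\
date=2024-11-25 time=23:02:11 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" sessionid=123456 srcip=10.0.0.15 dstip=203.0.113.10 dstport=443 service="HTTPS" hostname="blocked.example" action="blocked" msg="URL belongs to a denied category in policy"
date=2024-11-25 time=23:02:11 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" sessionid=123456 srcip=10.0.0.15 dstip=203.0.113.10 dstport=443 service="HTTPS" appcat="Network.Service" app="SSL_TLSv1.3.PQC" action="pass" msg="Network.Service: SSL_TLSv1.3.PQC,"
date=2024-11-25 time=23:03:40 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" sessionid=123457 srcip=10.0.0.15 dstip=203.0.113.11 dstport=443 service="HTTPS" hostname="other.example" action="blocked" msg="URL belongs to a denied category in policy"
date=2024-11-25 time=23:03:40 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" sessionid=123457 srcip=10.0.0.15 dstip=203.0.113.11 dstport=443 service="HTTPS" appcat="Network.Service" app="SSL_TLSv1.3.PQC" action="block" msg="Network.Service: SSL_TLSv1.3.PQC,"
"""

# key=value pairs; the value is either "quoted, may contain spaces or =" or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict with quotes stripped."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _KV.finditer(line)
    }


def find_pqc_bypasses(log_text, pqc_app="SSL_TLSv1.3.PQC"):
    """Return the sessions where Web Filter blocked the page but the
    Application Control event for the PQC handshake was passed.

    Records are keyed on sessionid, which both UTM log types carry. A
    session is reported only when both records exist, so a Web Filter
    block with no app-ctrl record (profile not yet enabled) is not counted.
    """
    by_session = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_fortios_log(line)
        sid = rec.get("sessionid")
        if sid is None:
            continue
        if rec.get("subtype") == "webfilter":
            by_session[sid]["webfilter"] = rec
        elif rec.get("subtype") == "app-ctrl" and rec.get("app") == pqc_app:
            by_session[sid]["appctrl"] = rec

    bypasses = []
    for sid in sorted(by_session):
        wf = by_session[sid].get("webfilter")
        ac = by_session[sid].get("appctrl")
        if wf and ac and wf.get("action") == "blocked" and ac.get("action") == "pass":
            bypasses.append({
                "sessionid": sid,
                "hostname": wf.get("hostname"),
                "dstip": wf.get("dstip"),
                "app": ac.get("app"),
            })
    return bypasses


if __name__ == "__main__":
    for hit in find_pqc_bypasses(SAMPLE_LOGS):
        print("Web Filter bypass: session %(sessionid)s host %(hostname)s "
              "(%(dstip)s) via %(app)s" % hit)
```

Run against the sample, only session 123456 is reported: its Web Filter record says 'blocked' while its 'SSL_TLSv1.3.PQC' record says 'pass'. Session 123457, where the override has already turned the app-ctrl action into 'block', is silent, which is the state the last step above expects to see.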
Amazing! Keep up the great job @rain !!
Awesome job, @rain !!! Keep it up!!!
Great job @rain THANK YOU!