FortiGate
rain
Staff
Article Id 359555
Description

This article describes how to block TLS 1.3 PQC traffic when the users' environment cannot enable Deep Inspection or Proxy Mode.

Scope

FortiOS.

Solution

When Web Filter is used in a flow-based policy with SSL Certificate inspection, and the environment does not allow deep inspection or proxy mode (because there is no option to modify the certificates on the devices that use the network resources), the observed behavior is that pages already blocked by Web Filter are bypassed because the web page uses TLS 1.3 PQC. In this case, follow the steps below:

  1. Analyze the 'false positive' block in the Web Filter log (Log & Report -> Security Events -> Web Filter).

    KB_01.png

    The action shows 'Block', yet the user can still reach the web page even though the action was executed correctly.

 

  2. On the policy that limits content with Web Filter, enable a custom 'Application Control' profile:

    Note: It is mandatory to enable the profile to see logs about the protocol used by the page. To see the logs, go to 'Log & Report -> Security Events -> Application Control'.

    KB_02.png

  3. When the user tries to access the 'blocked' page, check the Application Control log: the protocol TLS 1.3 PQC appears in the 'Pass' state. This means the connection is being forwarded and granted, and Web Filter is bypassed by the protocol the web page uses, even though the Web Filter log hits the correct filter with a 'Blocked' state.

    KB_03.png

  4. In this scenario, open the custom Application Control profile created in step 2 and add an entry under 'Application and Filter Overrides' for the application signature 'SSL_TLSv1.3.PQC' with the 'Block' action.

    KB_04.png

  5. With this change, the page is blocked and inaccessible to the user. The Application Control log now shows the TLS 1.3 PQC protocol as blocked, while SSL communication in general continues to be allowed.

    KB_07.png

    KB_06.png
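The same configuration expressed in the FortiOS CLI, as an added example that is not part of the original article. The profile name 'block-tls13-pqc', the policy ID and the Web Filter profile name are assumptions; the numeric application ID of the SSL_TLSv1.3.PQC signature is not given in the article, so it appears as a placeholder that must be looked up on the unit (the lookup under 'config application name' is also an assumption about where the ID is shown).

```fortios
# Added example, not the article's own configuration.
# Look up the numeric ID of the signature first (assumed location of the id field):
#   config application name
#       edit "SSL_TLSv1.3.PQC"
#           get
#       next
#   end

# Custom Application Control profile (assumed name) with one override entry
# that blocks the TLS 1.3 PQC signature. Every other application falls through
# to other-application-action / unknown-application-action, which stay "pass",
# so ordinary SSL traffic is not affected.
config application list
    edit "block-tls13-pqc"
        set comment "Block TLS 1.3 PQC so flow-mode Web Filter is not bypassed"
        set unknown-application-action pass
        set other-application-action pass
        set unknown-application-log enable
        set other-application-log enable
        config entries
            edit 1
                set application <APP_ID_OF_SSL_TLSv1.3.PQC>
                set action block
                set log enable
            next
        end
    next
end

# Attach the profile to the existing flow-based policy that already carries
# Web Filter and SSL certificate inspection (policy ID and profile name assumed).
config firewall policy
    edit <POLICY_ID>
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "<EXISTING_WEBFILTER_PROFILE>"
        set application-list "block-tls13-pqc"
        set logtraffic all
    next
end
```

After applying it, repeat step 3: the Application Control log should now show the SSL_TLSv1.3.PQC entry with the block action, which is the confirmation described in step 5. Keeping the default actions at "pass" is deliberate; the aim is only to stop the signature that lets the page slip past Web Filter, not to block TLS 1.3 as a whole.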


Note: If blocking TLS 1.3 with application control is not possible, the issue can be addressed using DNS filtering. This solution applies to FortiOS 7.4.X and later. For detailed instructions, refer to Option 1 in this FortiGate knowledge base article.

Comments
MaryBolano
Staff

Amazing! Keep up the great job @rain !!

JorgeMonroyPad

Awesome job, @rain !!! Keep it up!!!

GILMENDO
Staff

Great job @rain THANK YOU!