ezhupa
Staff
Article Id 297956
Description: This article describes a case where the web filter is not working in Google Chrome but works as expected in other browsers.
Scope: FortiGate.
Solution

In some cases, users might experience the following issue:
A web filter with a static URL filter is applied on a flow-based firewall policy on the FortiGate to block certain websites.

The websites are blocked when using the Firefox browser, but it is still possible to navigate to them when using the Chrome or Edge browser.

If experiencing this issue, there are 4 possible solutions:

  1. Manually update the IPS engine of the FortiGate in question following the below procedure: Technical Tip: How to manually upgrade the IPS Engine.
    Open a ticket with Fortinet Support to get the latest IPS Engine and then update it manually.

  2. Disable TLS 1.3 hybridized Kyber support in Google Chrome and/or Microsoft Edge:
    For Google Chrome: Navigate to chrome://flags/.
    Search for TLS 1.3 hybridized Kyber support.
    Set the option to Disabled.

    For Microsoft Edge: Navigate to edge://flags/.
    Search for TLS 1.3 hybridized Kyber support.
    Set the option to Disabled.

  3. Set the firewall policy to proxy-based inspection mode.

  4. Adjust the tcp-mss value on the firewall policy; the right value may vary depending on the path MTU and connection type. Optionally, create a separate policy for the HTTP and HTTPS services so that other services are not affected. For instructions on how to set and compute the MSS on the firewall policy, see Technical Tip: Setting TCP MSS value.
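Items 2 and 4 above both relate to what the browser puts into its TLS 1.3 ClientHello: the hybridized Kyber option advertises a post-quantum hybrid group with a key share of around 1.2 KB, which makes the ClientHello considerably larger than a classic one. The following Python script is an added example (not code from the Fortinet article): it builds a constructed sample ClientHello, parses its supported_groups and key_share extensions, reports whether a hybrid group is offered, and computes how many TCP segments the record needs at a given MSS. The hybrid group codepoints 0x6399 (X25519Kyber768Draft00) and 0x11EC (X25519MLKEM768) are the IETF draft values; the sample ClientHello contents, the 400-byte padding filler and the MSS values are constructed for the example. Running the same parser over a ClientHello captured from a real client is a quick way to confirm which variant a browser is sending before applying items 2 or 4.

```python
"""Inspect a TLS 1.3 ClientHello for hybrid Kyber / ML-KEM key shares.

Added example, not part of the Fortinet article. The record and handshake
layout follows RFC 8446; the hybrid group codepoints are the IETF draft
values 0x6399 (X25519Kyber768Draft00) and 0x11EC (X25519MLKEM768). The
sample ClientHello below is constructed here, not captured from a browser.
"""
import math
import struct

# Named-group codepoints (RFC 8446 plus the IETF hybrid post-quantum drafts).
GROUP_NAMES = {
    0x001D: "x25519",
    0x0017: "secp256r1",
    0x6399: "X25519Kyber768Draft00",  # what the "hybridized Kyber" flag enables
    0x11EC: "X25519MLKEM768",         # successor codepoint in newer Chrome builds
}
HYBRID_PQ_GROUPS = {0x6399, 0x11EC}


def build_client_hello(groups, key_share_lengths, filler=400):
    """Construct a minimal TLS 1.3 ClientHello record (constructed sample).

    `filler` is a padding extension (type 21) standing in for the other
    extensions (SNI, ALPN, ...) a real browser would send.
    """
    body = b"\x03\x03" + b"\x11" * 32          # legacy_version + random
    body += b"\x00"                            # empty legacy_session_id
    body += b"\x00\x02\x13\x01"                # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                        # compression: null only
    # supported_groups extension (type 10)
    sg = b"".join(struct.pack("!H", g) for g in groups)
    sg = struct.pack("!H", len(sg)) + sg
    ext = struct.pack("!HH", 10, len(sg)) + sg
    # key_share extension (type 51): group, length, opaque key_exchange
    ks = b""
    for g, n in key_share_lengths.items():
        ks += struct.pack("!HH", g, n) + b"\x00" * n
    ks = struct.pack("!H", len(ks)) + ks
    ext += struct.pack("!HH", 51, len(ks)) + ks
    # padding extension (type 21) as constructed filler
    ext += struct.pack("!HH", 21, filler) + b"\x00" * filler
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLS record header


def parse_client_hello(record):
    """Return (named groups offered, {group: key_share length}) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                        # handshake header, version, random
    p += 1 + hs[p]                                        # legacy_session_id
    n = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + n                                            # cipher_suites
    p += 1 + hs[p]                                        # compression_methods
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    groups, shares = [], {}
    while p < end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        if etype == 10:                                   # supported_groups
            cnt = struct.unpack("!H", data[:2])[0]
            groups = list(struct.unpack("!%dH" % (cnt // 2), data[2:2 + cnt]))
        elif etype == 51:                                 # key_share
            q, qend = 2, 2 + struct.unpack("!H", data[:2])[0]
            while q < qend:
                g, n = struct.unpack("!HH", data[q:q + 4])
                shares[g] = n
                q += 4 + n
    return groups, shares


def assess(record, tcp_mss):
    """Summarise the ClientHello: size, hybrid PQ groups, segments needed at tcp_mss."""
    groups, shares = parse_client_hello(record)
    pq = [GROUP_NAMES.get(g, hex(g)) for g in groups if g in HYBRID_PQ_GROUPS]
    return {
        "client_hello_bytes": len(record),
        "hybrid_pq_groups": pq,
        "key_share_bytes": sum(shares.values()),
        "segments_at_mss": math.ceil(len(record) / tcp_mss),
    }


if __name__ == "__main__":
    # Constructed "Kyber enabled" hello: X25519Kyber768 share is 32 + 1184 bytes.
    kyber = build_client_hello([0x6399, 0x001D, 0x0017], {0x6399: 1216, 0x001D: 32})
    # Constructed "Kyber disabled" hello: classic x25519 share only.
    classic = build_client_hello([0x001D, 0x0017], {0x001D: 32})
    for name, rec in (("kyber", kyber), ("classic", classic)):
        print(name, assess(rec, 1460))
```

The segment count is the quantity that the tcp-mss setting in item 4 changes; comparing the two constructed hellos shows that only the hybrid one spans more than one segment at the default Ethernet MSS of 1460, which is why disabling the flag (item 2) and tuning the MSS (item 4) address the same symptom from two sides.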

Additionally, when using flow-based inspection, review and make sure the 'unsupported-ssl-cipher' is set to 'block'. 

config firewall ssl-ssh-profile
    edit "profile-name"
        config https
            set unsupported-ssl-cipher block
        end
    next
end

The default behavior of this option is to 'bypass' the session when an unsupported cipher is detected.

set unsupported-ssl-cipher ?
allow    Bypass the session when the cipher is not supported.
block    Block the session when the cipher is not supported.


The websites should be blocked and the web filter will work as expected.

Note:

It will be necessary to close and reopen the browser for the change to take effect.

For issues with the new Chrome browser while already running the new IPS Engine, refer to the related article below:
Technical Tip: ERR_SSL_PROTOCOL_ERROR when using Flow-based Deep Inspection due to ML-KEM post-quant...


Related article:

Troubleshooting Tip: Webpages taking too long to load when a webfilter is applied