FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 297956
Description This article describes that Web filter is not working on Google Chrome browsers, but is working well for others.
Scope FortiGate.

In some cases, users might experience the following issues: 
Webfilter is in place on a flow mode firewall policy on the FortiGate to block certain websites through a static URL filter. 

The websites are blocked when using Firefox or Edge browser, but it is possible to navigate to these websites when using Chrome. 


If experiencing this issue, there are 4 possible solutions:

  1. Manually update the IPS engine of the FortiGate in question following the below procedure: Technical Tip: How to manually upgrade the IPS Engine.
    Open a ticket with Fortinet Support to get the latest IPS Engine and then update it manually.

  2. Disable TLS 1.3 hybridized Kyber support on the Google Browser:
    Navigate to  chrome://flags/.
    Search for TLS 1.3 hybridized Kyber support.
    Set the action to Disable.

  3. Set the firewall policy in the proxy-based inspection.

  4. Adjust the tcp-mss value on the firewall policy; this may vary depending on the MTU path and connection type. Optionally, create another policy for HTTP and HTTPS services that does not affect other services. For instructions on how to set and compute MTU on the firewall policy, see Technical Tip: Setting TCP MSS value.

Additionally, when using flow-based inspection, review and make sure the 'unsupported-ssl-cipher' is set to 'block'. 


config firewall ssl-ssh-profile

    edit "profile-name"
        config https

         set unsupported-ssl-cipher block




The default behavior of this option is to 'bypass' the session when an unsupported cipher is detected. 


set unsupported-ssl-cipher ?
allow Bypass the session when the cipher is not supported.
block Block the session when the cipher is not supported.

The websites should be blocked and the web filter will work as expected.



It will be necessary to close and reopen the browser for the change to occur. 


Related article:

Troubleshooting Tip: Webpages taking too long to load when a webfilter is applied