FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
DPadula (Staff)
Article Id 313958
Description

This article describes how to fix webpages that do not load, or take too long to load, when a web filter is in place.

Scope

All FortiGates running an IPS engine (IPSE) version lower than:

  • IPSE 6.0.15:0171.
  • IPSE 7.1.8:0178.
  • IPSE 7.2.6:0331.
  • IPSE 7.4.2:0519.
  • IPSE 7.4.4:0540.
  • IPSE 7.6.0:1010.
Solution

Note:

If the device is running v7.4 but a version lower than v7.4.5, open a support case to request a new IPS engine with the fix. This fix will be included in release v7.4.5 onwards (note date: June 21, 2024).

 

The update to Google Chrome version 124.0.6367.61 and Edge version 124.0.2478.51 (Edge is a derivative of Chrome) changed the flag 'TLS 1.3 Hybridized Kyber Support' from disabled to enabled. This feature adds support for the new quantum-resistant X25519Kyber768 key encapsulation mechanism. As a result, the 'Client Hello' packet of the TLSv1.3 negotiation becomes very large, bigger than the normal MTU of a packet, and therefore has to be fragmented.
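To see concretely why the hybrid key share pushes the Client Hello past a single TCP segment, and what a flow-mode inspector then has to do, here is an added Python example (not from this article or from Fortinet). It builds a simplified TLS 1.3 ClientHello carrying only a key_share and a padding extension (the 500-byte padding is an assumed stand-in for the many other extensions a real browser sends), using the X25519Kyber768Draft00 group code 0x6399 and the 1184-byte Kyber768 public key, splits the record at a given MSS, and shows that the first segment alone cannot be parsed:

```python
import struct

# Constructed, simplified TLS 1.3 ClientHello: key_share plus a padding extension that stands in for the rest.
GROUP_X25519 = 0x001D
GROUP_X25519KYBER768 = 0x6399   # X25519Kyber768Draft00, enabled by default in Chrome 124
SHARE_LEN = {GROUP_X25519: 32, GROUP_X25519KYBER768: 32 + 1184}   # Kyber768 public key is 1184 B

def build_client_hello(groups, other_ext_bytes=500):
    """TLS record (5-byte header + Handshake) carrying a ClientHello whose
    key_share holds one zeroed share per named group in `groups`."""
    shares = b"".join(struct.pack("!HH", g, SHARE_LEN[g]) + bytes(SHARE_LEN[g]) for g in groups)
    exts = (struct.pack("!HHH", 0x0033, len(shares) + 2, len(shares)) + shares        # key_share
            + struct.pack("!HH", 0x0015, other_ext_bytes) + bytes(other_ext_bytes))  # padding (assumed)
    body = (b"\x03\x03" + bytes(32)           # legacy_version, random
            + b"\x00"                         # empty legacy_session_id
            + b"\x00\x02\x13\x01"             # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                     # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def record_complete(buf):
    """True once `buf` (bytes reassembled so far) holds the whole TLS record; a flow-mode inspector must buffer until then."""
    return len(buf) >= 5 and len(buf) >= 5 + struct.unpack("!H", buf[3:5])[0]

def tcp_segments(record, mss):
    """The TCP payloads the record occupies on the wire at a given MSS."""
    return [record[i:i + mss] for i in range(0, len(record), mss)]

def key_share_groups(record):
    """Walk a complete ClientHello and return the named groups offered in key_share."""
    assert record_complete(record) and record[5] == 0x01, "need a complete ClientHello record"
    pos = 5 + 4 + 2 + 32                                    # headers, legacy_version, random
    pos += 1 + record[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + record[pos]                                  # compression_methods
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos, groups = pos + 2, []
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0x0033:                                 # key_share: skip its 2-byte list length
            p = pos + 2
            while p < pos + elen:
                group, share_len = struct.unpack("!HH", record[p:p + 4])
                groups.append(group)
                p += 4 + share_len
        pos += elen
    return groups
```

With an MSS of 1460 the X25519-only hello fits in one segment, while the hybrid hello (1220 bytes larger) spans two, and key_share_groups() fails on the first segment alone.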

 

This change increases the time webpages take to load when the firewall policy is in flow mode. In some cases the pages do not load completely and the browser tab shows a spinning icon for a long period.

 

Removing the web filter from the firewall policy makes the page load faster, but this might not be an option in some environments.

There are a few solutions that can be applied.

 

Option 1: Disable TLS 1.3 hybridized Kyber support in the Google Chrome or Edge browser.

 

Chrome:

  • Type chrome://flags/ in the Chrome address bar.
  • Search for TLS 1.3 hybridized Kyber support.
  • Select Disabled.
  • Select Relaunch.


Edge:

  • Type edge://flags/ in the Edge address bar.
  • Search for TLS 1.3 hybridized Kyber support.
  • Select Disabled.
  • Select Restart.


Option 2: Change the firewall policy inspection mode from flow-based to proxy-based.


Option 3: Change the tcp-mss for sender and receiver to a value less than or equal to 1450 on the firewall policies that match HTTP and HTTPS traffic. Depending on the environment and the path MTU, the TCP MSS value might need to be adjusted further.

Calculate the correct TCP MSS by following the steps outlined in Technical Tip: Setting TCP MSS value.

 

[Screenshot: firewall policy in flow mode with default values for tcp-mss (1500)]

 

[Screenshot: firewall policy after the changes]

Related article:

Technical Tip: Web filter is not blocking websites on Google Chrome