Description
This article describes how to fix webpages not loading or taking too long with a web filter in place.
Scope
All FortiGates running any IPSE versions lower than:
Solution
Note: If the device is running v7.4 but lower than v7.4.5, open a support case to request a new IPS engine with the fix. This fix will be included from release v7.4.5 onwards (note dated June 21, 2024).
An update in Google Chrome version 124.0.6367.61 and in Edge version 124.0.2478.51 (Edge is a derivative of Chrome) changed the variable 'TLS 1.3 Hybridized Kyber Support' from disabled to enabled. This feature adds support for the new quantum-resistant X25519Kyber768 encapsulation mechanism. As a result, the 'Client Hello' packet of the TLSv1.3 negotiation becomes very large, bigger than the normal MTU of a packet, and therefore the packet needs to be fragmented.
This change increases the time webpages take to load when the firewall policy is in flow mode. In some cases, the pages do not load completely and the page tab shows a spinning icon for a long period.
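The size effect described above, as an added example (not Fortinet's code): it builds a constructed ClientHello with and without the X25519Kyber768 key share, then reports which key-share groups the first TCP segment shows and how many bytes of the TLS record are still outstanding. The 400-byte padding extension standing in for the browser's other extensions, the MSS of 1460 and all function names are assumptions.

```python
import struct

X25519 = 0x001D            # classical group, 32-byte key share
X25519_KYBER768 = 0x6399   # X25519Kyber768Draft00, 32 + 1184 = 1216-byte key share
SHARE_LEN = {X25519: 32, X25519_KYBER768: 1216}

def build_client_hello(groups, other_ext_len=400):
    """Constructed TLS 1.3 ClientHello record; key shares are zero-filled, not real keys."""
    shares = b"".join(struct.pack("!HH", g, SHARE_LEN[g]) + bytes(SHARE_LEN[g]) for g in groups)
    key_share = struct.pack("!HHH", 0x0033, len(shares) + 2, len(shares)) + shares
    # Padding extension as a stand-in for SNI, ALPN, etc. (assumed total size).
    filler = struct.pack("!HH", 0x0015, other_ext_len) + bytes(other_ext_len)
    exts = key_share + filler
    body = (b"\x03\x03" + bytes(32)      # legacy_version, random
            + b"\x20" + bytes(32)        # legacy_session_id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def inspect_first_segment(payload):
    """Return (key_share groups visible, bytes of the record not yet received)."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        raise ValueError("not the start of a TLS ClientHello record")
    missing = max(0, 5 + int.from_bytes(payload[3:5], "big") - len(payload))
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + payload[pos]              # session id
    pos += 2 + int.from_bytes(payload[pos:pos + 2], "big")  # cipher suites
    pos += 1 + payload[pos]              # compression methods
    pos += 2                             # extensions length field
    groups = []
    while pos + 4 <= len(payload):
        ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
        if ext_type == 0x0033:           # key_share: walk the client_shares list
            p, end = pos + 6, min(pos + 4 + ext_len, len(payload))
            while p + 4 <= end:
                group, klen = struct.unpack("!HH", payload[p:p + 4])
                groups.append(group)
                p += 4 + klen
        pos += 4 + ext_len
    return groups, missing

if __name__ == "__main__":
    for groups in ([X25519], [X25519_KYBER768, X25519]):
        record = build_client_hello(groups)
        seen, missing = inspect_first_segment(record[:1460])  # assumed MSS of 1460
        print([hex(g) for g in seen], len(record), "bytes,", missing, "bytes in later segments")
```

A non-zero second value means the ClientHello continues in a later TCP segment, so anything reading the SNI or key shares has to reassemble the stream first.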
Removing the web filter from the firewall policy helps to load the page faster, but this might not be an option in some environments. There are a few solutions that can be applied.
Option 1: Disable TLS 1.3 hybridized Kyber support on the Google Chrome/Edge Browser.
Chrome:
Edge:
Option 2: Change the firewall policy inspection mode from flow-based to proxy-based.
Option 3: Change the tcp-mss for sender and receiver to a value less than or equal to 1450 for firewall policies that match HTTP and HTTPS traffic. Depending on each environment and MTU path, the TCP MSS value might need to be adjusted. Calculate the correct TCP MSS by following the steps outlined in Technical Tip: Setting TCP MSS value.
Firewall policy in flow mode with default values for tcp-mss (1500):
Firewall policy after the changes:
Related article: Technical Tip: Web filter is not blocking websites on Google Chrome