Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Faresnani
New Contributor III

Application Control and Web filter is not blocking websites on browsers

Hi Community,


we notice some weird behavior in our FortiGate-3300E configuration Firmware v7.2.7 build1577 (Mature)
We applied security profiles Web Filtering and Application Control to our Firewall rule, and we expected to block social media, gaming, movies, and other websites and applications from our network.

Expected Result: blocking the connection to these mentioned categories above.
Actual Result: blocking is done for some browsers and others not, Browsers were tested ( GoogleChrome, Mozilla Firefox, Microsoft Edge), and websites were tested (facebook.com)

you can see the screenshots of the weird logs and the settings

Has anyone had this issue before? How did you manage to resolve it?

 

Regards

Omran Mohamed

Network Security EngineerSecurity LogsSecurity LogsFirewall PolicyFirewall PolicyWeb FilteringWeb Filtering

Omran Mohamed
Network Security Engineer
Omran MohamedNetwork Security Engineer
10 REPLIES 10
dupleg0
New Contributor

This is a common, and massive, issue I've found with Chrome. Haven't found a fix yet. In my testing it also only applies to HTTPS. It works perfectly fine for HTTP.

Faresnani
New Contributor III

I found some solutions regarding the Chrome browser but it's not practical because you don't have any access to thousands of client PCs to change this specific setting in their browser

 

Disable TLS 1.3 hybridized Kyber support on the Google Browser:

Navigate to chrome://flags/
Search for TLS 1.3 hybridized Kyber support
Set the action to > Disable

Omran Mohamed
Network Security Engineer
Omran MohamedNetwork Security Engineer
smaruvala

Hi,

 

- Have you tested if this is the issue? You can try to test if web filter works as per the expectation by disabling the Kyber support in the browser.

- Work around for this issue is to use the proxy based firewall policy instead of the flow based policy.

 

Regards,

Shiva

Faresnani
New Contributor III

As per your suggestion to change the inspection mode to Proxy-based, I can see the blocking is for all browsers being blocked 

 

we will keep monitoring and keep you updated,

I appreciate your support

 

Regards

Omran 

Omran Mohamed
Network Security Engineer
Omran MohamedNetwork Security Engineer
smaruvala
Staff
Staff

Hi,

- Is the issue seen with one specific browser only?

- Is protocol QUIC disabled? You can try to block the same.

- Is there any improvement if you use SSL deep inspection?

 

Regards,

Shiva

Faresnani
New Contributor III

- Is the issue seen with one specific browser only?

no, it is seen in Chrome and Edge

 

- Is protocol QUIC disabled? You can try to block the same.

what do you mean by disabling the protocol?  we block HTTPS browsing to specific websites

 

- Is there any improvement if you use SSL deep inspection?

for web filtering does not require deep inspection, but Application Control requires deep inspection only for Legend 

Screenshot (219).png

 

 

 

 

 

Omran Mohamed
Network Security Engineer
Omran MohamedNetwork Security Engineer
smaruvala

Hi,

 

- If the issue is seen with Chrome/Edge then most likely the issue is with the Kyber Support. You can try to disable the setting in one device and verify if the issue is same or not.

- Information Regarding the quick protocol. If the quic is blocked then it will fallback to TLS.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-QUIC-Protocol/ta-p/197661

- If SNI value is transmitting as encrypted using the ESNI feature of the TLS1.3 then we may need deep inspection as well. 

 

Regards,

Shiva

fricci_FTNT
Staff
Staff

Hi @Faresnani ,

My understanding is that you are having some traffic passing through even if you are blocking the facebook domain access in the applied UTM profiles. It happens with some browser only (.i.e. Chrome), while other browsers are being blocked 100% of times.
I can see there is some traffic in response on the screenshot logs you attached. Is the end user client actually able to load the webpage or visualise part of it?

In addition to my colleague @smaruvala questions/suggestions, is the issue present if you use both flow and proxy inspection modes?

It might not be related but please be aware that it might depend on the "ECH" topic discussed here:
https://community.fortinet.com/t5/Support-Forum/Facebook-blocked-and-not-blocked-with-same-policy/td...

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Faresnani

we changed the inspection mode to Proxy-based, and I can see the blocking is for all browsers being blocked 

 

we will keep monitoring and keep you updated,

I appreciate your support

 

Regards

Omran 

Omran Mohamed
Network Security Engineer
Omran MohamedNetwork Security Engineer
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors