Hi Community,
We notice some weird behavior in our FortiGate-3300E configuration, Firmware v7.2.7 build1577 (Mature).
We applied the security profiles Web Filtering and Application Control to our firewall rule, and we expected them to block social media, gaming, movies, and other websites and applications on our network.
Expected Result: blocking the connection to the categories mentioned above.
Actual Result: blocking is done for some browsers and not for others. Browsers tested: Google Chrome, Mozilla Firefox, Microsoft Edge; website tested: facebook.com.
You can see the screenshots of the weird logs and the settings.
Has anyone had this issue before? How did you manage to resolve it?
Regards
Omran Mohamed
Network Security Engineer
This is a common, and massive, issue I've found with Chrome. I haven't found a fix yet. In my testing it also only applies to HTTPS. It works perfectly fine for HTTP.
I found some solutions regarding the Chrome browser, but they're not practical because you don't have access to thousands of client PCs to change this specific setting in their browser:
Disable TLS 1.3 hybridized Kyber support on the Google Browser:
Navigate to chrome://flags/
Search for TLS 1.3 hybridized Kyber support
Set the action to > Disable
Hi,
- Have you tested whether this is the issue? You can test if the web filter works as expected by disabling the Kyber support in the browser.
- A workaround for this issue is to use a proxy-based firewall policy instead of a flow-based policy.
Regards,
Shiva
As per your suggestion to change the inspection mode to Proxy-based, I can see that blocking now works for all browsers.
We will keep monitoring and keep you updated.
I appreciate your support
Regards
Omran
Hi,
- Is the issue seen with one specific browser only?
- Is the QUIC protocol disabled? You can try blocking it.
- Is there any improvement if you use SSL deep inspection?
Regards,
Shiva
- Is the issue seen with one specific browser only?
No, it is seen in Chrome and Edge.
- Is protocol QUIC disabled? You can try to block the same.
What do you mean by disabling the protocol? We block HTTPS browsing to specific websites.
- Is there any improvement if you use SSL deep inspection?
Web filtering does not require deep inspection, but Application Control requires deep inspection only for Legend
Hi,
- If the issue is seen with Chrome/Edge, then most likely the issue is with the Kyber support. You can try disabling the setting on one device and verify whether the issue is the same or not.
- Information regarding the QUIC protocol: if QUIC is blocked, it will fall back to TLS.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-QUIC-Protocol/ta-p/197661
- If the SNI value is transmitted encrypted using the ESNI feature of TLS 1.3, then we may need deep inspection as well.
Regards,
Shiva
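The three items in the reply above (Kyber support, QUIC, encrypted SNI) share one precondition of flow-based web filtering: the engine needs to read the plaintext Server Name Indication from the ClientHello as it passes. The commonly cited mechanism behind the Chrome/Edge symptom, which the thread itself does not spell out and is stated here as the editor's explanation rather than something confirmed by Fortinet, is that the X25519Kyber768 hybrid key share adds about 1.2 KB to the ClientHello, pushing it past a single TCP segment, so an inspector that only examines the first packet never sees a complete record. The Python below is an added example, not code from the thread or from Fortinet: it builds a constructed (not browser-captured) TLS 1.3 ClientHello with either a classic or a hybrid key share and shows what a first-segment-only SNI extractor sees. The share sizes, the padding standing in for Chrome's other extensions, the 1460-byte MSS and the parser's behaviour are all assumptions; nothing here describes FortiGate's actual inspection engine.

```python
import struct

# Assumed sizes: X25519 share = 32 bytes; X25519Kyber768Draft00 hybrid
# share = 32 + 1184 = 1216 bytes. Group code points as used by Chrome.
GROUP_X25519 = 0x001D
GROUP_X25519_KYBER768 = 0x6399
SHARE_LEN = {GROUP_X25519: 32, GROUP_X25519_KYBER768: 1216}
OTHER_EXT_BYTES = 450  # stand-in for ALPN, signature_algorithms, GREASE etc. (assumed)


def _u16(n: int) -> bytes:
    return struct.pack(">H", n)


def build_client_hello(sni: str, group: int) -> bytes:
    """Constructed minimal TLS 1.3 ClientHello record (not a real browser capture)."""
    host = sni.encode()
    name_list = b"\x00" + _u16(len(host)) + host          # name_type host_name(0)
    sni_ext = _u16(0) + _u16(len(name_list) + 2) + _u16(len(name_list)) + name_list
    sv_ext = _u16(43) + _u16(3) + b"\x02\x03\x04"         # supported_versions: TLS 1.3
    share = b"\x42" * SHARE_LEN[group]
    entry = _u16(group) + _u16(len(share)) + share
    ks_ext = _u16(51) + _u16(len(entry) + 2) + _u16(len(entry)) + entry
    pad_ext = _u16(21) + _u16(OTHER_EXT_BYTES) + b"\x00" * OTHER_EXT_BYTES
    # Chrome shuffles extension order; put server_name last so it can fall
    # into the second TCP segment when the key_share is large.
    extensions = ks_ext + sv_ext + pad_ext + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32      # legacy_version, random
            + b"\x00"                       # empty legacy_session_id
            + _u16(2) + b"\x13\x01"         # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                   # compression_methods: null
            + _u16(len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake   # handshake record


def extract_sni(data: bytes):
    """Return the SNI host from a ClientHello record, or None if the record
    is incomplete or carries no server_name extension."""
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack(">H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                       # record truncated: refuse to guess
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                        # handshake header, version, random
    p += 1 + hs[p]                        # legacy_session_id
    cs_len = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2 + cs_len                       # cipher_suites
    p += 1 + hs[p]                        # compression_methods
    ext_len = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack(">HH", hs[p:p + 4])
        p += 4
        if etype == 0:                    # server_name
            hlen = struct.unpack(">H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + hlen].decode()
        p += elen
    return None


def first_segment_sni(record: bytes, mss: int = 1460):
    """What an inspector that only reads the first TCP segment can recover."""
    return extract_sni(record[:mss])


if __name__ == "__main__":
    for name, group in (("X25519", GROUP_X25519), ("X25519Kyber768", GROUP_X25519_KYBER768)):
        ch = build_client_hello("www.facebook.com", group)
        print(f"{name}: hello={len(ch)} bytes, full parse={extract_sni(ch)}, "
              f"first-segment parse={first_segment_sni(ch)}")
```

With the classic share the whole record fits in one segment and the SNI is recovered either way; with the hybrid share the record is larger than one segment, so the first-segment view is incomplete and the extractor returns nothing, which is the same outcome a filter would have when the SNI moves to UDP (QUIC) or is encrypted (ECH/ESNI). A proxy-based policy reassembles the TCP stream before parsing, which is why switching inspection mode restores blocking; blocking QUIC keeps the handshake on TCP where reassembly is possible.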
Hi @Faresnani ,
My understanding is that you are having some traffic passing through even if you are blocking the facebook domain access in the applied UTM profiles. It happens with some browsers only (i.e. Chrome), while other browsers are blocked 100% of the time.
I can see there is some traffic in response on the screenshot logs you attached. Is the end-user client actually able to load the webpage or visualize part of it?
In addition to my colleague @smaruvala questions/suggestions, is the issue present if you use both flow and proxy inspection modes?
It might not be related, but please be aware that it might depend on the "ECH" topic discussed here:
https://community.fortinet.com/t5/Support-Forum/Facebook-blocked-and-not-blocked-with-same-policy/td...
Best regards,
We changed the inspection mode to Proxy-based, and I can see that blocking now works for all browsers.
We will keep monitoring and keep you updated.
I appreciate your support
Regards
Omran
Copyright 2024 Fortinet, Inc. All Rights Reserved.