I'm having an odd issue with the forticlient web filtering. For some reason it suddenly has broken all https on Chrome. Seems to be ok on Edge and Firefox. I've uninstalled and reinstalled it a few times but it doesnt seem to help. With the vpn client uninstalled Chrome works fine so it appears to be to do with the web filter extension?
Current version in use is 7.0.9.0493 Extension shows as version 7.2.3.929 (web filter)
Error is just:
login.microsoftonline.com took too long to respond.
Try:
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi, I have exactly the same issue on three locations but for the users on local network. They can't access some https websites (Facebook, Instagram...) with Chrome. On FF and Edge it works with no problem.
We are using webfilter and deep SSL inspection.
As far as I can see Chrome had an update yesterday.
yep and Chrome updated again today. I am starting to think its the webfilter plugin thats the problem.
Problem is with the inspection and webfiltering in combination to latest chrome browser version Versie 122.0.6261.70 (Officiële build) (64-bits). We see it together with forti os 6 as 7. All other browsers don't have the issue. We use different browser like edge atm at workaround. Other fix is to temporary overrule /whitelist the website like facebook or whatsapp / instagram in the webfilter.
i have made ticket about it to have a proper fix for this issue. Still waiting on reply from Fortinet support
We tried disabling webfilter on the policy but the problem persisted. Then, we disabled a deep SSL inspection with webfilter enabled, and we got Chrome working...but, that is not the solution...
It seems the SSL inspection is indeed the problem but disable it is indeed not a good solution as it effects to much. For now i suggest if people need to acces the META websites to use temporay a different browser till its fixed. That way there is no need to adjust the config of the fortigate.
We tried with that, still doesn't work :(
We're seeing the same behaviour, our internet browsing policy is blocking some sites (e.g. Instagram, Facebook) when users are in Chrome, but not while using Edge. The sites should be allowed as they are not blocked. This is on a FortiGate 600E with 7.4.3, we are not using the FortiClient. Chrome appears to be the browser affected. Edge works regardless. If we change "Full SSL Inspection" to SSL Certificate Inspection" within the SSL Inspection security profile it works fine. Also, with Full Inspection enabled, if we change the policy from Proxy-based to Flow-based it works. Reviewing the security logs, Edge seems to use the urlmonitor and passes, whereas Chrome hits the webfilter and fails due to a "warning" level (unknown-ce). We have engaged support.
Solved by adding an exempt to deep inspection profile:
*facebook.com
*fbcdn.net
*instagram.com
Adding exemptions is a workaround. The issue appears to be related to Meta and specifically Zstandard (ZSTD - https://facebook.github.io/zstd/). I'm not sure if FortiOS supports ZSTD yet and I am waiting to hear back from TAC on what they think the issue might be; however, I did find by adding a registry key in Windows to disable ZSTD in Chrome (https://chromeenterprise.google/intl/en_ca/policies/#ZstdContentEncodingEnabled), it allows us to get to the sites now, but again, this is a workaround. In the end I am looking for a root cause and proper fix, not workarounds, I will keep all posted with what TAC comes back with.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.