Hi everyone,
I have a FortiGate 120G with deep inspection profile applied.
Since the update to v7.2.10 I have had random issues, and I think they are related to QUIC.
This morning several clients called me to tell me that www.google.at no longer works in the Edge browser:
ERR_SSL_PROTOCOL_ERROR
First I tried to block QUIC via application control; that didn't help, so I created a policy blocking UDP 443. That didn't help either.
Since blocking did not work, I tried allowing it, as this says blocking is not necessary:
But this does not help either. What is really strange: the error messages do not appear to be consistent at all. Websites work on some clients and on others they do not (using the same firewall policy and the same inspection profile).
An hour later these websites work on clients that were affected before, but then they do not work on other clients.
As a workaround I have disabled deep inspection for now... Any ideas on how to fix this? Should I create a ticket?
Hello,
I would recommend disabling TLS 1.3 hybridized Kyber support on the Google Chrome side and checking whether the issue persists. Please find the details by following the link below:
As @abarushka mentioned, disabling TLS 1.3 hybridized Kyber support helps with the issue.
For all Windows admins here: there is an option in the Microsoft Edge group policy template called "Enable post-quantum key agreement for TLS".
Created on 11-19-2024 02:29 AM Edited on 11-19-2024 02:30 AM
I guess the flag looks different now in Edge than what is described in your link:
There are potentially two options:
1. disable "use-ml-kem": This will disable the new ML-KEM key exchange and fall back to Kyber (handled correctly by IPS if you have an up-to-date IPS engine).
2. disable "enable-tls13-kyber": This will completely disable post-quantum key exchange.
You can pick one based on whether they're available in your flavor of Chromium-based browser.
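Added diagnostic example, not code from the thread or from Fortinet: a small Python parser that reports which post-quantum hybrid groups a captured TLS ClientHello offers and how large its key_share entries are, so an admin can confirm from a packet capture whether clients are sending Kyber or ML-KEM shares through the deep-inspection path. The codepoints 0x6399 (X25519Kyber768Draft00) and 0x11EC (X25519MLKEM768) are the registered TLS named-group values; the ClientHello builder only produces a constructed test input so the script runs offline, not a real capture.

```python
import struct

# IANA TLS named-group codepoints for the hybrids named in this thread (real values)
PQ_GROUPS = {0x6399: "X25519Kyber768Draft00", 0x11EC: "X25519MLKEM768"}
SUPPORTED_GROUPS, KEY_SHARE = 10, 51          # extension type numbers (RFC 8446)

def build_client_hello(groups, share_sizes):
    """Constructed minimal TLS 1.3 ClientHello record (test input, not a real capture).
    groups: named groups to offer; share_sizes: key_share length per group, in order."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    sg = b"".join(struct.pack(">H", g) for g in groups)
    ext = struct.pack(">HHH", SUPPORTED_GROUPS, len(sg) + 2, len(sg)) + sg
    ks = b"".join(struct.pack(">HH", g, n) + b"\x00" * n for g, n in zip(groups, share_sizes))
    ext += struct.pack(">HHH", KEY_SHARE, len(ks) + 2, len(ks)) + ks
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body   # handshake type 1 + 24-bit length
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # one TLS record

def parse_client_hello(rec):
    """Return (pq_groups_offered, key_share_size_by_group, record_length) for a ClientHello record."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS record carrying a ClientHello")
    p = 9 + 2 + 32                                    # record hdr, handshake hdr, version, random
    p += 1 + rec[p]                                   # legacy_session_id
    p += 2 + struct.unpack(">H", rec[p:p + 2])[0]     # cipher_suites
    p += 1 + rec[p]                                   # legacy_compression_methods
    end = p + 2 + struct.unpack(">H", rec[p:p + 2])[0]
    p += 2
    offered, shares = [], {}
    while p < end:
        etype, elen = struct.unpack(">HH", rec[p:p + 4])
        data = rec[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == SUPPORTED_GROUPS:
            n = struct.unpack(">H", data[:2])[0]
            offered = [struct.unpack(">H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif etype == KEY_SHARE:
            q, n = 2, struct.unpack(">H", data[:2])[0]
            while q < 2 + n:
                g, sz = struct.unpack(">HH", data[q:q + 4])
                shares[PQ_GROUPS.get(g, hex(g))] = sz
                q += 4 + sz
    return [PQ_GROUPS[g] for g in offered if g in PQ_GROUPS], shares, len(rec)

if __name__ == "__main__":
    # Constructed input: a browser offering X25519MLKEM768 (1216-byte share) plus plain x25519 (0x001D)
    pq, shares, size = parse_client_hello(build_client_hello([0x11EC, 0x001D], [1216, 32]))
    print(pq, shares, size)
```

On a real capture, feed `parse_client_hello` the bytes of the first TLS record of the client's connection; a key_share above a kilobyte is the hybrid share that an out-of-date IPS engine may not recognise.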
Created on 11-21-2024 01:14 AM Edited on 11-21-2024 01:33 AM
Hello @pminarik
I found another website that does not work: https://immich.app
This site also does not work in Firefox (SSL_ERROR_ECH_RETRY_WITH_ECH) or Edge (ERR_ECH_NOT_NEGOTIATED).
The use-ml-kem flag can't be found in Edge... there is only #enable-tls13-kyber. Any ideas on how to proceed further?
The IPS engine on my FG120G is Version 7.00349
Edit: The website does work a few minutes later in Firefox, but still not in Edge... (I did not change anything in the meantime)
This is unrelated.
ECH is Encrypted ClientHello, a feature not related to ML-KEM key exchange.
Have a look here for tips on dealing with ECH:
----------
For ML-KEM in Edge, it will suffice to disable the "enable-tls13-kyber" flag.
Copyright 2024 Fortinet, Inc. All Rights Reserved.