Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
miciti
Contributor

Fortigate DeepInspection - quic not working

Hi everyone,

I have a FortiGate 120G with deep inspection profile applied.

Since the update to v7.2.10 I have random issues and I think it does belong to quic.

 

This morning several clients called me to tell that www.google.at does not work any more in edge browser:

ERR_SSL_PROTOCOL_ERROR

 

First I did try to block quic via application control, that didn't help so I did create a policy blocking udp 443. Didn't help either.

So if blocking does not work I tried to allow it - as this telling me blocking is not neccesarry:

https://docs.fortinet.com/document/fortigate/7.2.10/administration-guide/984075/blocking-quic-manual...

 

But this does not help either. What is really strange: the error messages does not appear to be consistent at all. Websites do work on some clients and on others they do not (using same firewall policy and same inspection profile).

The next hour these websites do work on clients that were affected before but then it does not work on other clients.

 

As a workaround I disable deep inspection for now... Any ideas how to fix this? Should I create a ticket?

2 Solutions
abarushka
Staff
Staff

Hello,

 

I would recommend to disable TLS 1.3 hybridized Kyber support on Google Chrome side and check whether the issue persists. Please find the details by following the link below:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Web-pages-not-loading-or-taking-too-...

FortiGate

View solution in original post

miciti
Contributor

As @abarushka mentioned disabling TLS 1.3 hybridizied kyber support disabling helps with the issue. 

 

For all windows admins here: There is an option in the microsoft edge group policy template called "Enable post-quantum key agreement for TLS"

View solution in original post

6 REPLIES 6
abarushka
Staff
Staff

Hello,

 

I would recommend to disable TLS 1.3 hybridized Kyber support on Google Chrome side and check whether the issue persists. Please find the details by following the link below:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Web-pages-not-loading-or-taking-too-...

FortiGate
miciti

I guess the flag does look different now in edge than what is described in your link:

 
edge flagedge flag

 

pminarik

There's potentially two options:

1: disable "use-ml-kem": This will disable the new ML-KEM key exchange and fall back to Kyber (handled correctly by IPS if you have up-to-date IPS engine).

2. disable "enable-tls13-kyber": This will completely disable post-quantum key exchange.

 

You can pick one based on if they're available in your flavor of Chromium-based browser.

[ corrections always welcome ]
miciti

Hello @pminarik 

I found another website that does not work: https://immich.app

 

This site also does not work in firefox (SSL_ERROR_ECH_RETRY_WITH_ECH) or edge (ERR_ECH_NOT_NEGOTIATED)

 

the use-ml-kem flag can't be found in edge... there is only #enable-tls13-kyber. Any ideas how to proceed further?

The IPS engine on my FG120G is Version 7.00349

 

msedge_9UbP4gdfIA.png

 

Edit: The website does work a few minutes later on firefox, but still not on Edge... (I did not change anything in the meantime)

 

 

 

pminarik

This is unrelated.

ECH is Encrypted ClientHello, a feature not related to ML-KEM key exchange.

 

Have a look here for tips on dealing with ECH:

https://docs.fortinet.com/document/fortigate/7.4.0/new-features/447220/control-tls-connections-that-...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-TLS-1-3-Encrypted-Client-Hell...

 

----------

 

For ML-KEM in Edge, it will suffice to disable the "enable-tls13-kyber" flag.

[ corrections always welcome ]
miciti
Contributor

As @abarushka mentioned disabling TLS 1.3 hybridizied kyber support disabling helps with the issue. 

 

For all windows admins here: There is an option in the microsoft edge group policy template called "Enable post-quantum key agreement for TLS"

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors