Hi
So we are testing deep SSL inspection and have a policy set up with our own cert (tried it with the default as well).
If I go to a site that is outside of the allowed categories on the web filter I get the usual FortiGuard Intrusion Prevention blocked page, with the options to have the page re-evaluated or to override.
The page shows it's connected by HTTPS and has a valid certificate.
If I click on override I'm taken to the same URL but on port 8015,
e.g. https://www.cdn-national-lottery.co.uk:8015/ovrd?fblob=UE-1
but this site returns a "This site can't provide a secure connection" and ERR_SSL_PROTOCOL_ERROR; on closer "inspection" (cough) it doesn't seem to have a certificate against the site.
I can't see how the initial page has a valid certificate but the port 8015 override page doesn't have a cert, any ideas?
If I change the 8015 URL to HTTP it then loads the page,
Login to override gets to HTTP on port 8015 with ERR_EMPTY_RESPONSE and "This page isn't working at the moment"
Thanks. Can you please retry with the Kyber cipher support disabled in your browser? It might be an issue with that.
chrome://flags/#enable-tls13-kyber
-> disable the option -> restart the browser (close all windows) -> try again
(I'm assuming this is something Chromium-based)
So if I start Fiddler, it adds its own certs, which then means the override site on port 8015 has a cert, the browser actually loads the page, and everything from then on works as expected and I can log in and override the content filter ...
I don't understand how the override page on port 8015 doesn't have a certificate applied, is there a way to manually force a certificate?
other SSL websites show the fortinet applied certificate correctly for Deep SSL inspection
Can you clarify a few points?
What is the FortiOS firmware version?
Are you using proxy-mode or flow-mode inspection?
If flow-mode, please specify the IPS engine version (GUI: System > FortiGuard > License Information -> Intrusion Prevention -> IPS engine)
Created on 06-03-2024 05:38 AM Edited on 06-03-2024 05:39 AM
v7.0.14 build 601
Flow Based Content Filter
IPS Engine version : Version 7.00180
Hi
That has worked, although I'm not sure what / why that is the case.
Problem with the certificate we're using or something else?
And yes using Chrome / Edge
Many thanks
IPS engine currently seems to have issues when a client tries using the Kyber cipher and the FortiGate needs to handle webfilter override. Known issue, an updated version of IPS engine is yet to be published.
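As an added diagnostic (example code, not from this thread or from Fortinet), the parser below reads a single-record TLS ClientHello and reports whether the client sent the hybrid X25519Kyber768 key share that the chrome://flags/#enable-tls13-kyber flag controls, so a capture of the failing port 8015 handshake can be compared with one taken after the workaround. The group code point 0x6399 and the 1216-byte share size are the standard draft values, not values from the thread, and the sample ClientHello is constructed in code rather than captured.

```python
import struct

# 0x6399 is the draft hybrid X25519+Kyber768 named group Chromium offers when the
# enable-tls13-kyber flag is on (standard code point, not a value from the thread).
X25519 = 0x001D
X25519KYBER768_DRAFT00 = 0x6399
KYBER_GROUPS = {X25519KYBER768_DRAFT00}

def parse_client_hello(record: bytes) -> dict:
    """Return supported_groups and the (group, length) pairs in key_share of a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                          # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                        # legacy_session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                        # legacy_compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    groups, shares = [], []
    while pos < end:
        ext_type, body_len = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4:pos + 4 + body_len]
        pos += 4 + body_len
        if ext_type == 0x000A:                    # supported_groups
            n = struct.unpack_from("!H", body, 0)[0]
            groups = [struct.unpack_from("!H", body, 2 + i)[0] for i in range(0, n, 2)]
        elif ext_type == 0x0033:                  # key_share
            n, i = struct.unpack_from("!H", body, 0)[0], 2
            while i < 2 + n:
                group, length = struct.unpack_from("!HH", body, i)
                shares.append((group, length))
                i += 4 + length
    return {"groups": groups, "key_shares": shares}

def kyber_share_offered(info: dict) -> bool:
    # True only when a hybrid Kyber key share was actually sent, the case the flag disables.
    return any(group in KYBER_GROUPS for group, _ in info["key_shares"])

def build_client_hello(groups, share_groups) -> bytes:
    """Constructed minimal TLS 1.3 ClientHello for testing; not a real capture."""
    sg = b"".join(struct.pack("!H", g) for g in groups)
    sg_ext = struct.pack("!HHH", 0x000A, len(sg) + 2, len(sg)) + sg
    ks = b""
    for g in share_groups:                        # Kyber768 pk (1184) + X25519 (32) vs X25519 alone
        klen = 1216 if g in KYBER_GROUPS else 32
        ks += struct.pack("!HH", g, klen) + b"\x00" * klen
    ks_ext = struct.pack("!HHH", 0x0033, len(ks) + 2, len(ks)) + ks
    exts = sg_ext + ks_ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feed the first TLS record of a real capture to parse_client_hello to see whether the browser offered the hybrid share; the ~1.2 KB difference between the two constructed hellos shows how much larger the Kyber ClientHello is.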
Many thanks for your help
Is there a bug ID assigned to this yet? Folks can't seem to find this documented as a bug or known issue.
I can confirm the workaround of disabling tls13-kyber does work.
We are running 7.2.8 and I understand the IPS engine is the same version as 7.2.9