AssistCall
New Contributor II

Fortinet Override Content Filter

Hi

So we are testing deep SSL inspection and have a policy set up with our own cert (tried it with the default as well).

If I go to a site that is outside of the allowed categories on the web filter I get the usual FortiGuard Intrusion prevention blocked, have the page re-evaluated or override.

The page shows it's connected by HTTPS and has a valid certificate.

If I click on override I'm taken to the same URL but on port 8015,

eg: https://www.cdn-national-lottery.co.uk:8015/ovrd?fblob=UE-1


but this site returns a "This site can't provide a secure connection" and ERR_SSL_PROTOCOL_ERROR; on closer "inspection" (cough) it doesn't seem to have a certificate against the site.

[attachment: fortinet.png]


I can't see how the initial page has a valid Certificate but the 8015 port override page doesn't have a cert, any ideas?


If I change the 8015 URL to HTTP it then loads the page,


Login to override goes to http on port 8015 with ERR_EMPTY_RESPONSE and "This page isn't working at the moment"

[attachment: fortinet2.png]

AssistCall
New Contributor II

So if I start Fiddler, it adds its own certs, which then means the override site on port 8015 has a cert, which means the browser actually loads the page, and everything from then on works as expected and I can log in and override the content filter ...

[attachment: fidd.png]

I don't understand how the override page on port 8015 doesn't have a certificate applied; is there a way to manually force a certificate?

Other SSL websites show the Fortinet-applied certificate correctly for deep SSL inspection.

pminarik
Staff

Can you clarify a few points?
What is the FortiOS firmware version?

Are you using proxy-mode or flow-mode inspection?
If flow-mode, please specify the IPS engine version (GUI: System > FortiGuard > License Information -> Intrusion Prevention -> IPS engine)

[ corrections always welcome ]
AssistCall
New Contributor II

v7.0.14 build 601

Flow Based Content Filter

IPS Engine version: Version 7.00180

[attachment: fortinet3.png]

pminarik

Thanks. Can you please retry with the Kyber cipher support disabled in your browser? It might be an issue with that.

chrome://flags/#enable-tls13-kyber

-> disable the option -> restart the browser (close all windows) -> try again

(I'm assuming this is something Chromium-based)

[ corrections always welcome ]
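The fix above turns off the browser's hybrid post-quantum (Kyber) key exchange. For a defender who wants to know which clients on the network will exercise this path before the patched IPS engine arrives, here is an added example (not from the forum, not Fortinet's or Chromium's code) that parses a TLS 1.3 ClientHello and reports whether it offers a hybrid post-quantum key share, and how large the hello is. The ClientHello bytes are constructed inline rather than captured; the named-group code points used are X25519Kyber768Draft00 = 0x6399 (the group behind the `enable-tls13-kyber` flag) and X25519MLKEM768 = 0x11EC (its successor), and the key material is dummy bytes of the real lengths. The same parser can be pointed at a ClientHello pulled out of a packet capture.

```python
import struct

# TLS named-group code points (IANA registry / draft registrations).
X25519 = 0x001D
SECP256R1 = 0x0017
X25519_KYBER768_DRAFT00 = 0x6399   # Chrome's "Kyber" hybrid group (the flag in this thread)
X25519_MLKEM768 = 0x11EC           # successor hybrid group
HYBRID_PQ_GROUPS = {
    X25519_KYBER768_DRAFT00: "X25519Kyber768Draft00",
    X25519_MLKEM768: "X25519MLKEM768",
}

EXT_SUPPORTED_GROUPS = 10
EXT_SUPPORTED_VERSIONS = 43
EXT_KEY_SHARE = 51


def _ext(ext_type, body):
    """Encode one TLS extension: type (2) + length (2) + body."""
    return struct.pack(">HH", ext_type, len(body)) + body


def build_client_hello(groups, key_shares):
    """Build a minimal TLS 1.3 ClientHello record (constructed test data, not a capture).

    groups: named groups for supported_groups; key_shares: list of (group, public_key_bytes).
    """
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"          # legacy_version, random, empty session_id
    body += struct.pack(">H", 2) + struct.pack(">H", 0x1301)  # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                  # compression_methods: null only
    sg = b"".join(struct.pack(">H", g) for g in groups)
    ks = b"".join(struct.pack(">HH", g, len(pk)) + pk for g, pk in key_shares)
    exts = _ext(EXT_SUPPORTED_GROUPS, struct.pack(">H", len(sg)) + sg)
    exts += _ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")  # TLS 1.3 only
    exts += _ext(EXT_KEY_SHARE, struct.pack(">H", len(ks)) + ks)
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + struct.pack(">I", len(body))[1:]  # HandshakeType client_hello, 3-byte length
    handshake += body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def inspect_client_hello(record):
    """Parse a TLS record holding a ClientHello and summarise its key-exchange offer."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    groups, shares = [], {}
    while pos < end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack(">H", data[:2])[0]
            groups = [struct.unpack(">H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif etype == EXT_KEY_SHARE:
            n = struct.unpack(">H", data[:2])[0]
            p = 2
            while p < 2 + n:                       # each entry: group (2) + length (2) + key
                g, klen = struct.unpack(">HH", data[p:p + 4])
                p += 4
                shares[g] = klen
                p += klen
    hybrid = [HYBRID_PQ_GROUPS[g] for g in shares if g in HYBRID_PQ_GROUPS]
    return {
        "record_len": len(record),                 # a Kyber key share alone is 1216 bytes
        "supported_groups": groups,
        "key_share_len": shares,
        "hybrid_pq_key_share": hybrid,
        "offers_hybrid_pq": bool(hybrid),
    }


# Constructed samples: the thread's browser with the Kyber flag on, and with it off.
KYBER_PUB = b"\x00" * (32 + 1184)   # X25519 public key (32) + Kyber768 encapsulation key (1184), dummy bytes
X25519_PUB = b"\x00" * 32
HELLO_WITH_KYBER = build_client_hello(
    [X25519_KYBER768_DRAFT00, X25519, SECP256R1],
    [(X25519_KYBER768_DRAFT00, KYBER_PUB), (X25519, X25519_PUB)],
)
HELLO_WITHOUT_KYBER = build_client_hello([X25519, SECP256R1], [(X25519, X25519_PUB)])

if __name__ == "__main__":
    for label, hello in (("kyber on", HELLO_WITH_KYBER), ("kyber off", HELLO_WITHOUT_KYBER)):
        print(label, inspect_client_hello(hello))
```

The size difference is the practical point: the hybrid key share pushes the ClientHello well past a single 1,460-byte TCP segment's worth of payload once the usual SNI, ALPN and signature extensions are added, and a TLS-inspecting engine that assumed a small single-segment hello is where these failures tend to surface. Running the parser over hellos from the affected clients confirms whether they are offering 0x6399 before and after the flag change.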
AssistCall
New Contributor II

Hi

That has worked, although I'm not sure what / why that is the case.

Problem with the certificate we're using or something else?

And yes, using Chrome / Edge.

Many thanks

pminarik

IPS engine currently seems to have issues when a client tries using the Kyber cipher and the FortiGate needs to handle webfilter override. Known issue, an updated version of IPS engine is yet to be published.

[ corrections always welcome ]
AssistCall
New Contributor II

Many thanks for your help

mfahey
New Contributor III

Is there a bug ID assigned to this yet? Folks can't seem to find this documented as a bug or known issue.

The workaround of disabling tls13-kyber, I can confirm, does work.

We are running 7.2.8 and I understand the IPS engine is the same version as 7.2.9.