I have a FortiGate 70G (tested with FortiOS 7.4.8 & 7.4.9) in use at a customer site. The FortiGate is connected to FortiClient EMS Cloud and FortiAnalyzer Cloud. When I enable the most basic web filter (in the policy’s security profiles: only Web Filter: “Default” and SSL Inspection: “certificate-inspection”), websites take an extremely long time to load for users — and eventually they just pop up all at once.
Below is the packet flow, where you can see that it takes 23 seconds before the next data packets appear.
I can’t explain this behavior and don’t really know how to analyze it further in detail — maybe someone has an idea or suggestions for additional analysis. I’ve already checked the processes (wad), but couldn’t identify any anomalies there.
The accessed page was timebutler.de, but the issue also occurs on other sites. If I remove the web filter, everything runs completely normally. The logs don’t show that anything is being blocked when the web filter is enabled.
It would be great if you have any ideas or suggestions — thanks!
Best regards,
Karsten
Hi @NAS
After checking the logs, it seems that the issue has not been offloaded to the NPU yet; it was sent to the IPS instead. The slowness or blockage is likely caused by the IPS engine. If you already have a ticket number, please share it with me. I will retrieve the logs and configuration from the ticket to reproduce the issue in my lab. Alternatively, if you're okay with it, you can share the logs and configuration directly with me via my official email at bhoang@fortinet.com. I will use them to replicate the issue and investigate further. Thank you.
Good morning from Germany, Bill,
I just came across an article in the knowledge base that describes exactly the behavior I’m seeing.
Web pages not loading or taking too long ... - Fortinet Community
I’ll test it again later and let you know whether the solution suggested in the KB helps. Otherwise, I’ll share the configuration and logs with you by email.
Thanks and best regards,
Karsten
Nice doc.
It mentions 3 options:
If you can test each of them and share the result it would be great.
The flag (TLS 1.3 hybridized Kyber support) apparently has been removed again in the browsers (Chrome, Edge, and Firefox). For Edge, it seems you can still re-enable it through the registry or group policies. I’ve checked everything — the flag isn’t set anywhere on my systems, neither on a Windows 11 device nor on a Windows Server 2022 terminal server. All of these devices had the delay issue when the web filter was enabled.
I’ve now reverted my policy changes from yesterday and disabled auto-asic-offload. The policy doesn’t perform Deep Inspection; it only has the standard Security Profiles enabled (Web Filter: “Default” and SSL Inspection: “certificate-inspection”).
What can I say — everything is currently working flawlessly on all devices, and I can no longer reproduce the lags. Very strange, and honestly, I’m a bit puzzled now. I’ll report back if the problem reappears.
Best regards,
Karsten
Would the symptom come back once you re-enable auto-asic-offload, then clear cache at the browser and clear sessions at the FGT?
You want to enable (default setting) the offloading on all policies to maximize FGT's performance.
Toshi
That’s exactly what I did — my last action yesterday was disabling auto-asic-offload in the policy. The behavior still occurred, although it seemed a bit more sporadic. Maybe I forgot to clear the sessions; it was late yesterday ;)
Today, I re-enabled it, cleared the sessions and browser cache, and the issue no longer appears. I can’t reproduce it anymore — which is quite strange.
So it's now "enable"d then. Are the policies now proxy mode or flow mode? Something in the environment must have changed since yesterday. Keep an eye out. It might come back in the future.
Toshi