Hi, is anyone else having a problem doing deep inspection using Google Chrome?
Google Chrome version: 119.0.6045.160 (Official Build) 64-bit
Fortigate 200F, 7.4.1.
config sys global
set admin-https-ssl-versions tlsv1-2 tlsv1-3
Google, same policy/SSL profile from the screenshots below.
Same policy ID from above - Edge
Same policy ID from above - Firefox
SSL Profile:
Do you guys have any advice?
TY
Hi,
- The command "set admin-https-ssl-versions" is used for GUI access of the Firewall.
- I tried to check using the same Chrome version. I didn't face any issue in which I saw the DigiCert CA certificate instead of the FortiGate certificate.
- Was the issue not seen when the Chrome version was older?
- Is the issue seen for every user or multiple users behind the Firewall?
- I don't see the page you are accessing in Chrome. Is it the Facebook URL as well?
Regards,
Shiva
Hi, the same issue with 400F, 7.0.13. WebFilter doesn't work either. But on some stations with Google Chrome 119.0.6045.160/64, deep inspection and WebFilter work fine. Interesting...
Regards
DarioP
Hi,
- I suspect the issue is seen due to the Kyber support introduced by Chrome for TLS 1.3.
- Check the Chrome flags for the configuration of the same. You can use "chrome://flags/#enable-tls13-kyber" to check the configuration in Chrome.
- Try to disable the option and check if the issue gets fixed. If yes, then we can confirm the issue matches a reported issue for which fixes will be coming soon.
Regards,
Shiva
Thank you, I was able to use deep inspection in Chrome with your tip.
Hi again,
It works for me. After disabling "TLS 1.3 hybridized Kyber support" in Chrome everything looks fine.
Regards,
DarioP
Hi @DarioP,
Great, then it would be matching the same issue. The current IPS Engine does not support this, so the fixes will be coming soon.
Regards,
Shiva
Hi you
I disabled Kyber in Chrome and it worked. But why does it only fail on a few clients?
Hi,
I am assuming these updates in Chrome are coming as a staged update. Basically, if we see 25519KyberDraft in the supported groups in the Client Hello packet, then the Firewall will not support it. This will cause this issue. You may have to compare the working and non-working captures from the clients and look for the supported groups extension in the Client Hello packet.
Regards,
Shiva
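The capture comparison suggested in the reply above can be scripted. This is an added example, not part of the original thread or Fortinet code: it parses a reassembled TLS ClientHello record and reports whether the supported_groups extension offers the Kyber hybrid group. Assumptions: "25519KyberDraft" is taken to be X25519Kyber768Draft00 (codepoint 0x6399), the two sample records are constructed rather than real captures, and all function names are hypothetical.

```python
import struct

# Codepoints from the IANA TLS Supported Groups registry. 0x6399 is
# X25519Kyber768Draft00; mapping the thread's "25519KyberDraft" to it is an assumption.
GROUPS = {0x001D: "x25519", 0x0017: "secp256r1", 0x0018: "secp384r1",
          0x6399: "X25519Kyber768Draft00"}
KYBER_HYBRID = {0x6399}

def supported_groups(record: bytes) -> list:
    """Return the supported_groups codepoints of one reassembled ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    try:
        pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]               # skip session_id
        pos += 2 + int.from_bytes(record[pos:pos + 2], "big")   # skip cipher_suites
        pos += 1 + record[pos]               # skip compression_methods
        end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(end, len(record)):
            etype, elen = struct.unpack_from("!HH", record, pos)
            body = record[pos + 4:pos + 4 + elen]
            if etype == 0x000A:              # supported_groups extension
                n = int.from_bytes(body[:2], "big")
                return [int.from_bytes(body[i:i + 2], "big")
                        for i in range(2, min(2 + n, len(body)), 2)]
            pos += 4 + elen
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    return []

def offers_kyber_hybrid(record: bytes) -> bool:
    return any(g in KYBER_HYBRID for g in supported_groups(record))

def build_hello(groups) -> bytes:
    """Constructed sample ClientHello (not a real capture) offering `groups`."""
    ext = struct.pack("!HHH", 0x000A, 2 + 2 * len(groups), 2 * len(groups))
    ext += b"".join(struct.pack("!H", g) for g in groups)
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed stand-ins for the non-working and working clients (0x2A2A is a GREASE value).
NON_WORKING = build_hello([0x2A2A, 0x6399, 0x001D, 0x0017, 0x0018])
WORKING = build_hello([0x2A2A, 0x001D, 0x0017, 0x0018])

if __name__ == "__main__":
    for name, rec in (("non-working", NON_WORKING), ("working", WORKING)):
        names = [GROUPS.get(g, hex(g)) for g in supported_groups(rec)]
        print(f"{name}: kyber_hybrid={offers_kyber_hybrid(rec)} groups={names}")
```

With a real capture, pass the bytes of the ClientHello TLS record after TCP reassembly, since a ClientHello carrying a Kyber key share is usually larger than one TCP segment.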
Hi you
Does Fortinet have an update for this error? Recently I encountered this error with other browsers like Edge and Firefox, and I had to disable Kyber.