Hi, is anyone else having a problem doing deep inspection using Google Chrome?
Google Chrome version: 119.0.6045.160 (Versão oficial) 64 bits
Fortigate 200F, 7.4.1.
config sys global
set admin-https-ssl-versions tlsv1-2 tlsv1-3
google same policy/ssl profile from prints below.
same policy ID from above - EGDE
same policy ID from abobe - firefox
SSL Profile:
Do you guys have some advices?
TY
Solved! Go to Solution.
Hi,
- I suspect the issue is seen due to Kyber Support introduced by chrome for TLS1.3 version.
- Check the chrome flags the configuration of the same. You can use "chrome://flags/#enable-tls13-kyber" check the configuration in chrome.
- Try to disable the option and check if the issue gets fixed. If yes then we can confirm the issue matches to a reported issue for which fixes will be coming soon.
Regards,
Shiva
Hi,
Good workaround, but this bug has not been fixed for more than 14 months.
It's still a problem.
Regards,
Bertalan
Hardware 401F (Firmware 7.4.3), If web filter is turn on, Chrome cannot access website. Disable TLS 1.3 hybridized Kyber, problem is resolved. When Fortinet fix this issue?
I'm also having a hard time turning off Kyber for each computer. Our company has more than 100 pc
stop using chatgpt
We're having the same issue.
Only solution was to disable TLS1.3 kyber support on chromium based browsers or disable ssl-inspection (Which would be stupid since that's one of the security measures of the product).
After inspecting the issue further we discovered that we were having fragmentation issues with this kind of tls handshake, check this out. https://community.fortinet.com/t5/Support-Forum/Fortigates-with-PPPoE-WAN-suddenly-need-TCP-MSS-1452...
Seems that the only way to keep SSL INSPECTION and TLS 1.3 kyber support in browsers is to set the tcp-mss value to the correct size. Since we're using PPPoE ours is 1452, yours might be different. Once the tcp-mss is set, everything works... or does it?
Which surprises me is that fortigate hasn't said anything about it...
Why doesn't fortinet have an update to fix this problem? I also encountered an error of not being able to load SD-WAN rules with firmware 7.4.3
Hi,
Regarding the Kyber issue there is a KB
- This talks about the workarounds including the MSS settings.
Regards,
Shiva
Thank you smaruvala,
Might add that if you're following the "Disable kyber support" way you can use this registry keys in Edge, Chrome and Brave browsers which can be applied via GPO:
Setting the value to REG_DWORD 0.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.