NapaCab
New Contributor

TLSv1.3 is now an approved standard; how will D & E series 5.6 FortiGates deal with it?

Now that the standard has been ratified, how will the FortiGate D (CP8) and FortiGate E series (CP9) deal with TLSv1.3?

kurtli_FTNT

Hi Philippe,

The engine "3.00518" is now available for download. However, like I said previously, for now the IPS engine is not fully ready for TLS 1.3; we are still working on it.

Regards

NKL
New Contributor III

Now I'm wondering where to download the engine-update file? For FortiOS V5.6, the Fortinet Support Portal only offers "Virus Definition", "Attack Definition", "Application Definition" and (depending on contract) "Mobile Malware" and "Industrial Definition". Is the engine packaged in one of the files mentioned above? Or am I missing something?

BrianSTL
New Contributor

Have there been any updates or movement on FortiGate support for TLS 1.3?

kurtli_FTNT

There is no official support for TLS 1.3 yet; it is still under internal test. So far the deep inspection works well with both Chrome 69 and Firefox 62 and most popular servers with TLS 1.3 enabled. It will support all 5 ciphers defined in RFC 8446 as well as 1-RTT, 0-RTT and 2-RTT (HelloRetryRequest). Unlike TLS 1.2 to TLS 1.1, TLS 1.3 is really a big change. It takes more time to provide full features and stability. However, thanks to the hard work, I think it's coming soon.

Thanks

Suchit_k2

I am facing the same issue and had raised a ticket with Fortinet support. They said it will be resolved in the firmware update. Please find the reply below from Fortinet.

"As per Engineering team, the current IPS engine branches 3.6 and 4.0 can only bypass TLS 1.3. WebFilter TLSv1.3 is supported, but no block page could be delivered. The session would be reset when blocked. Replacement messages are not supported. So you won't see a block page until the native TLS 1.3 support is implemented. Supposedly, session should be reset. But the session could go into BYPASS mode once the webfilter is done. IPS engine doesn't change the client/server negotiation. It doesn't downgrade or upgrade any security factors. Without support of TLS 1.3, it couldn't intercept the process to inject block pages. The project to support TLSv1.3 in IPS engine is scheduled for FOS 6.2 having IPS engine Build: 4.205. SSL_INTERFERENCE_ERROR is fixed in IPS Engine 3.522. You will have to wait for 6.2 firmware to get replacement block for TLSv1.3 connections. 6.2 is expected to release on Mar 22, 2019. Note: Release date may change. Please let me know if you have any questions."

Waiting desperately for the update.

Regards...

boneyard
Valued Contributor

We are two months further; could anyone from Fortinet chime in on the current status?

Especially how TLS 1.3 will be handled in 5.6 and 6.0; having to upgrade to 6.2, when it has only just been released, for TLS 1.3 feels extreme.

Wayne11

We just recognized a similar problem with https://www.techsmith.de and Deep Inspection with 6.0.4, but what's mysterious for me is the fact that the page also supports TLS 1.2, so why is the FG not just falling back to 1.2 instead of 1.3?

https://www.ssllabs.com/ssltest/analyze.html?d=www.techsmith.de

In our case it doesn't depend on the IPS engine; the page also gets blocked without any Security Profile, so it's definitely SSL Inspection itself. Nothing special in the logs, no blocked packets at all.

Any hints?

boneyard
Valued Contributor

Are you in flow mode? Then TLS 1.3 is not supported and will be bypassed without any hint about this happening (not really happy with this choice by Fortinet).

As it is flow mode, it would be odd / against the idea of flow mode to fall back to TLS 1.2 somehow.

If you use proxy mode then you will see the FortiGate change the client SSL handshake and end up speaking TLS 1.2.

6.2 supports TLS 1.3 in flow mode.

Wayne11

Hi Boneyard,

We are in Proxy Mode and the point is, the FG is not even falling back to 1.2. We can't reach the website at all as long as we have Deep Inspection active for the domain. As soon as we create an exempt rule for the site we can reach it, but with active Deep Inspection we just get "ERR_CONNECTION_CLOSED" in each browser. We have no deny or any other special entry in the FortiAnalyzer logs, just normal HTTPS port 443 Action allow and Sent/Received bytes with Subtype forward. No closing or anything else.

boneyard
Valued Contributor

Interesting; are you sure that is caused by TLS 1.3 and not something else?

I checked the website and it works for me on a 5.6.8 FortiGate with deep inspection and webfilter applied. Have you tried with limited UTM profiles?

Do other TLS 1.3 sites work, e.g. www.mozilla.org?

If you do a packet capture you will see whether the website or the FortiGate sends the reset, and whether the proxy strips the client's TLS 1.3 support from the request to the server.
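To check what the packet-capture suggestion above is looking for (whether the ClientHello the proxy forwards still advertises TLS 1.3, and which of the five RFC 8446 cipher suites mentioned earlier in the thread are offered), here is an added Python parser that is not from the thread or from Fortinet. It reads the supported_versions extension and cipher suite list of a raw ClientHello record; the ClientHello bytes are constructed inline by a helper rather than taken from a real capture, and the function and constant names are my own.

```python
import struct

# The five TLS 1.3 cipher suites from RFC 8446 appendix B.4: AES_128_GCM_SHA256,
# AES_256_GCM_SHA384, CHACHA20_POLY1305_SHA256, AES_128_CCM_SHA256, AES_128_CCM_8_SHA256.
TLS13_SUITES = {0x1301, 0x1302, 0x1303, 0x1304, 0x1305}
SUPPORTED_VERSIONS_EXT = 0x002B   # RFC 8446 section 4.2.1
TLS13 = 0x0304

def build_client_hello(versions, suites):
    """Constructed ClientHello record (test input, not a real capture). An empty
    'versions' omits supported_versions, as a TLS 1.2-only client would."""
    suites_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x03" + bytes(32) + b"\x00"          # legacy_version, random, no session_id
    body += struct.pack("!H", len(suites_bytes)) + suites_bytes
    body += b"\x01\x00"                                # one compression method: null
    exts = b""
    if versions:
        vers = b"".join(struct.pack("!H", v) for v in versions)
        exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(vers) + 1) + bytes([len(vers)]) + vers
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(data):
    """Return (versions offered, TLS 1.3 suites offered, offers_tls13)."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                                   # record + handshake hdr, legacy_version, random
    pos += 1 + data[pos]                               # session_id
    n = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", data[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + data[pos]                               # compression methods
    end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    versions = []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if etype == SUPPORTED_VERSIONS_EXT:            # 1-byte length, then 2-byte versions
            vers = data[pos + 1:pos + 1 + data[pos]]
            versions = [struct.unpack("!H", vers[i:i + 2])[0] for i in range(0, len(vers), 2)]
        pos += elen
    if not versions:                                   # no extension: only legacy_version counts
        versions = [struct.unpack("!H", data[9:11])[0]]
    tls13_suites = sorted(s for s in suites if s in TLS13_SUITES)
    return versions, tls13_suites, TLS13 in versions
```

Run it once on the client-side capture and once on the server-side capture of the same connection: if the first returns offers_tls13 True and the second False, the proxy rewrote the handshake down to TLS 1.2.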
