Support Forum
Faresnani
New Contributor II

Application Control and Web filter is not blocking websites on browsers

Hi Community,


We noticed some weird behaviour in our FortiGate-3300E configuration, firmware v7.2.7 build1577 (Mature).
We applied the Web Filtering and Application Control security profiles to our firewall rule, and we expected to block social media, gaming, movies, and other websites and applications from our network.

Expected result: blocking the connection to the categories mentioned above.
Actual result: blocking works for some browsers and not for others. Browsers tested: Google Chrome, Mozilla Firefox, Microsoft Edge; website tested: facebook.com.

You can see the screenshots of the weird logs and the settings.

Has anyone had this issue before? How did you manage to resolve it?

Regards

Omran Mohamed
Network Security Engineer

[Attached screenshots: Security Logs, Firewall Policy, Web Filtering]
10 replies
dupleg0
New Contributor

This is a common, and massive, issue I've found with Chrome. Haven't found a fix yet. In my testing it also only applies to HTTPS. It works perfectly fine for HTTP.

Faresnani
New Contributor II

I found some solutions regarding the Chrome browser, but they are not practical because you don't have access to thousands of client PCs to change this specific setting in their browser.

Disable TLS 1.3 hybridized Kyber support in the Google Chrome browser:

Navigate to chrome://flags/
Search for "TLS 1.3 hybridized Kyber support"
Set the option to Disable

Omran Mohamed
Network Security Engineer
smaruvala

Hi,

- Have you tested whether this is the issue? You can check whether the web filter works as expected by disabling Kyber support in the browser.

- A workaround for this issue is to use a proxy-based firewall policy instead of a flow-based policy.

Regards,

Shiva

Faresnani
New Contributor II

As per your suggestion to change the inspection mode to proxy-based, I can see that blocking now works for all browsers.

We will keep monitoring and keep you updated.

I appreciate your support.

Regards

Omran

Omran Mohamed
Network Security Engineer
smaruvala
Staff

Hi,

- Is the issue seen with one specific browser only?

- Is the QUIC protocol disabled? You can try blocking it.

- Is there any improvement if you use SSL deep inspection?

Regards,

Shiva

Faresnani
New Contributor II

- Is the issue seen with one specific browser only?

No, it is seen in Chrome and Edge.

- Is the QUIC protocol disabled? You can try blocking it.

What do you mean by disabling the protocol? We block HTTPS browsing to specific websites.

- Is there any improvement if you use SSL deep inspection?

Web filtering does not require deep inspection, but Application Control requires deep inspection only for Legend.

[Attached: Screenshot (219).png]

Omran Mohamed
Network Security Engineer
smaruvala

Hi,

- If the issue is seen with Chrome/Edge, then most likely the issue is with the Kyber support. You can try disabling the setting on one device and verify whether the issue is the same or not.

- Information regarding the QUIC protocol: if QUIC is blocked, it will fall back to TLS.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-QUIC-Protocol/ta-p/197661

- If the SNI value is transmitted encrypted using the ESNI feature of TLS 1.3, then we may need deep inspection as well.

Regards,

Shiva
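The Kyber point in the reply above, as an added example that is not part of this thread or of any Fortinet code: a constructed TLS 1.3 ClientHello plus a small parser that reports the SNI and whether a hybrid post-quantum key share is present, run once over the whole record and once over only its first TCP segment. Assumptions (all mine): the draft group code point 0x6399 and a 1184-byte Kyber768 public key, a 1460-byte first segment, 400 bytes of RFC 7685 padding standing in for the other extensions a real browser sends, and an extension order that puts the SNI after the large key share, so a parser that only sees segment one finds no SNI.

```python
import struct
X25519, X25519_KYBER768 = 0x001D, 0x6399   # classic group; draft code point of Chrome's hybrid PQ group
SHARE_LEN = {X25519: 32, X25519_KYBER768: 32 + 1184}   # a Kyber768 public key alone is 1184 bytes
MSS = 1460                                 # assumed TCP payload per segment on an Ethernet path

def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(sni: str, groups: list, other_ext_bytes: int = 400) -> bytes:
    # Constructed ClientHello, extension order key_share, filler (RFC 7685 padding), SNI; shares zeroed.
    shares = b"".join(struct.pack("!HH", g, SHARE_LEN[g]) + bytes(SHARE_LEN[g]) for g in groups)
    exts = (_ext(0x0033, struct.pack("!H", len(shares)) + shares)
            + _ext(0x0015, bytes(other_ext_bytes))
            + _ext(0x0000, struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni.encode("ascii")))
    body = (b"\x03\x03" + bytes(32) + b"\x00"              # legacy version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"             # one suite (TLS_AES_128_GCM_SHA256), null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(data: bytes) -> dict:
    # Parse the bytes held so far: sni stays None until the SNI extension is fully in hand; complete = all parsed.
    out = {"sni": None, "pq_hybrid": False, "complete": False}
    try:
        if data[0] != 0x16 or data[5] != 0x01:                 # not a TLS handshake record / ClientHello
            return out
        pos = 9 + 2 + 32                                       # record+handshake headers, version, random
        pos += 1 + data[pos]                                   # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
        pos += 1 + data[pos]                                   # compression methods
        ext_end, pos = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0], pos + 2
        while pos < ext_end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            body = data[pos + 4:pos + 4 + elen]
            if len(body) < elen:                               # extension cut off by the segment boundary
                return out
            if etype == 0x0033:                                # key_share: walk the client_shares list
                i = 2
                while i + 4 <= len(body):
                    g, n = struct.unpack("!HH", body[i:i + 4])
                    out["pq_hybrid"] |= g == X25519_KYBER768
                    i += 4 + n
            elif etype == 0x0000:                              # server_name: first host_name entry
                name_len = struct.unpack("!H", body[3:5])[0]
                out["sni"] = body[5:5 + name_len].decode("ascii")
            pos += 4 + elen
        out["complete"] = True
    except (IndexError, struct.error):
        pass                                                   # ran off the end of the bytes in hand
    return out
```

With the hybrid share the record grows to 1739 bytes, so `parse_client_hello(record[:MSS])` returns `pq_hybrid` True but no SNI, while the classic 519-byte hello yields the SNI from the first segment alone.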

fricci_FTNT
Staff

Hi @Faresnani ,

My understanding is that you are having some traffic passing through even if you are blocking the facebook domain access in the applied UTM profiles. It happens with some browsers only (i.e. Chrome), while other browsers are being blocked 100% of the time.
I can see there is some traffic in response on the screenshot logs you attached. Is the end user client actually able to load the webpage or visualise part of it?

In addition to my colleague @smaruvala's questions/suggestions, is the issue present if you use both flow and proxy inspection modes?

It might not be related but please be aware that it might depend on the "ECH" topic discussed here:
https://community.fortinet.com/t5/Support-Forum/Facebook-blocked-and-not-blocked-with-same-policy/td...

Best regards,

Faresnani

We changed the inspection mode to proxy-based, and I can see that blocking now works for all browsers.

We will keep monitoring and keep you updated.

I appreciate your support.

Regards

Omran

Omran Mohamed
Network Security Engineer