ezhupa
Staff
Article Id 297956
Description This article describes a case where the web filter does not work in the Google Chrome browser but works as expected in other browsers.
Scope FortiGate.
Solution

In some cases, users might experience the following issue:
A web filter is applied to a flow-mode firewall policy on the FortiGate to block certain websites through a static URL filter.

The websites are blocked when using the Firefox or Edge browser, but it is still possible to navigate to them when using Chrome.

If experiencing this issue, there are 3 possible solutions:

  1. Manually update the IPS engine of the affected FortiGate by following the procedure in Technical Tip: How to manually upgrade the IPS Engine.
    Open a ticket with Fortinet Support to get the latest IPS Engine, then update it manually.
  2. Disable TLS 1.3 hybridized Kyber support in Google Chrome:
    Navigate to chrome://flags/
    Search for TLS 1.3 hybridized Kyber support
    Set the action to Disable
  3. Set the firewall policy to proxy-based inspection.

Additionally, when using flow-based inspection, make sure "unsupported-ssl-cipher" is set to "block" in the SSL/SSH inspection profile:

config firewall ssl-ssh-profile
    edit "profile-name"
        config https
            set unsupported-ssl-cipher block
        end
end

By default, this option bypasses the session when an unsupported cipher is detected (the "allow" value):

set unsupported-ssl-cipher ?
allow Bypass the session when the cipher is not supported.
block Block the session when the cipher is not supported.


The websites should be blocked and the web filter will work as expected.

Note:

It will be necessary to close and reopen the browser for the change to take effect.
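
To check the "unsupported-ssl-cipher" setting described above across every SSL/SSH inspection profile, the following added example (not part of the original article and not Fortinet code) parses a FortiOS configuration backup and lists the profiles whose https section is not set to "block". The sample configuration and profile names are constructed, and the script assumes that a profile with no "set unsupported-ssl-cipher" line is running the default.

```python
import shlex
TABLE = ("config", "firewall ssl-ssh-profile")

# Constructed sample backup excerpt; the profile names are made up for this example.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "chrome-fix"
        config https
            set unsupported-ssl-cipher block
        end
    next
    edit "legacy-flow"
        config https
            set ports 443
        end
    next
    edit "explicit-allow"
        config https
            set unsupported-ssl-cipher allow
        end
    next
end
"""

def audit_unsupported_cipher(config_text):
    """Map each SSL/SSH profile to its https unsupported-ssl-cipher ('unset' = default)."""
    stack, result = [], {}
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw) or [""]
        except ValueError:  # fragment of a multi-line quoted value; skip it
            continue
        if tok[0] == "config":
            stack.append(("config", " ".join(tok[1:])))
        elif tok[0] == "edit" and len(tok) > 1:
            stack.append(("edit", tok[1]))
            if stack[-2:-1] == [TABLE]:  # a profile entry, also when nested under a VDOM
                result.setdefault(tok[1], "unset")
        elif tok[0] in ("next", "end"):
            if stack and stack[-1][0] == "edit":  # "end" typed inside an edit closes it too
                stack.pop()
            if tok[0] == "end" and stack:
                stack.pop()
        elif tok[:2] == ["set", "unsupported-ssl-cipher"] and len(tok) > 2:
            if stack[-3:-2] == [TABLE] and stack[-1] == ("config", "https"):
                result[stack[-2][1]] = tok[2]
    return result

def profiles_not_blocking(config_text):
    return sorted(n for n, v in audit_unsupported_cipher(config_text).items() if v != "block")
```

Pass the text of a configuration backup to profiles_not_blocking() to get the profile names that still need the change; in a multi-VDOM backup, profiles with the same name in different VDOMs share one entry.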