saleha
Staff
Article Id 304195
Description This article explains an issue where users are unable to access Facebook, Meta, Instagram and/or WhatsApp URLs after updating Google Chrome to version 122.0.6261.112.
Scope FortiGate, FortiOS: 7.0.14, 7.2.8, 7.4.3.
Solution
  • This issue occurs because Meta apps have changed the content encoding method to 'zstd', which is not supported by the following current versions of FortiOS: 7.0.14, 7.2.8, 7.4.3.
  • The same issue is present on internet access through the FortiSASE portal.
  • To make sure this issue is due to the encoding change, try the following:
  1. Access the same websites through Firefox or Microsoft Edge.
  2. Check the traffic logs: they should show these sites are 'blocked by UTM' while the application name is detected as 'SSL' (assuming the SSL category is not blocked under the firewall 'application control' profile for other reasons).
  • One way to resolve this issue is to remove the web filtering profile from the matching firewall policy.
  • Use the other browsers as an alternative until the encoding method is added in upcoming FortiOS releases.
  • A configuration change that allows unknown encoding is an option, but this is not recommended for security reasons:

 

config firewall profile-protocol-options
    edit <profile>
        config http
            set unknown-content-encoding { block | inspect | bypass }
        end
    next
end
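
The traffic-log check from step 2, as an added example (not Fortinet's code): a Python script that reads exported traffic log lines and separates sessions matching the symptom above (blocked by UTM while the application is detected only as 'SSL') from blocks with another cause. The sample lines are constructed, and the field names `hostname`, `app`, `utmaction` and `srcip` are assumptions to be matched against your own log export.

```python
import shlex
from collections import Counter

# Constructed sample lines in the FortiOS key=value log style. The field names
# (hostname, app, utmaction, srcip) are assumptions; match them to your export.
SAMPLE_LOGS = """\
date=2024-03-08 time=10:01:02 type="traffic" srcip=10.0.0.5 hostname="www.facebook.com" app="SSL" utmaction="block"
date=2024-03-08 time=10:01:09 type="traffic" srcip=10.0.0.5 hostname="www.instagram.com" app="SSL" utmaction="block"
date=2024-03-08 time=10:02:11 type="traffic" srcip=10.0.0.7 hostname="www.facebook.com" app="SSL" utmaction="block"
date=2024-03-08 time=10:02:30 type="traffic" srcip=10.0.0.7 hostname="games.example" app="Example.Game" utmaction="block"
date=2024-03-08 time=10:03:00 type="traffic" srcip=10.0.0.9 hostname="www.example.org" app="SSL" utmaction="allow"
"""


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values may hold spaces."""
    record = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:  # ignore stray tokens that are not key=value
            record[key] = value
    return record


def triage(log_text):
    """Split UTM-blocked sessions into 'matches the symptom' and 'other'."""
    symptom = Counter()   # hostname -> count, blocked while app is only 'SSL'
    clients = set()       # source IPs that hit the symptom
    other_blocks = []     # blocked, but not with the pattern described above
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("utmaction") != "block":
            continue
        if rec.get("app") == "SSL":
            symptom[rec.get("hostname", "?")] += 1
            clients.add(rec.get("srcip", "?"))
        else:
            other_blocks.append(rec)
    return symptom, clients, other_blocks


if __name__ == "__main__":
    symptom, clients, other = triage(SAMPLE_LOGS)
    for host, count in symptom.most_common():
        print(f"{count:3d}  {host}")
    print("affected clients:", ", ".join(sorted(clients)))
    print("blocked for other reasons:", len(other))
```

Hosts that appear in the first list only for Chrome users, and load normally from Firefox or Microsoft Edge, point to the encoding change rather than a policy block.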