Troubleshooting Google Chrome Kyber Issues on FortiGate Firewalls

Many users of FortiGate firewalls have reported experiencing problems with Google Chrome and its implementation of Kyber, a post-quantum cryptography algorithm. This article delves into these issues, offering potential solutions and workarounds for slow website loading and pages that fail to load entirely.

Understanding the Problem

The core issue revolves around Google Chrome's support for Kyber in TLS 1.3, which appears to be causing compatibility problems with certain FortiGate firewall configurations. Users have reported these problems specifically on the 40F series firewalls across various firmware versions (7.4.3, 7.4.4, and 7.4.5). The symptoms include:

Slowness in opening websites.
Web pages failing to load.

Version-Specific Solutions

The solutions may differ based on the FortiOS version running on your FortiGate firewall:

FortiOS 7.4.3

Impacted Feature: Web Filter
Solutions:
- Disable the Web Filter.
- Disable Google Chrome Kyber.
- Adjust the TCP-MSS sender and receiver settings to 1450 in the firewall policy.

FortiOS 7.4.4

Impacted Feature: Application Control
Solutions:
- Disable Application Control.
- Disable Google Chrome Kyber.
- Note: Adjusting TCP-MSS sender/receiver may not resolve the issue in this version.

FortiOS 7.4.5

Impacted Feature: Application Control
Solutions:
- Disable Application Control.
- Note: Disabling Google Chrome Kyber and adjusting TCP-MSS sender/receiver settings may not be effective in this version.

Proposed Solutions

Disable Kyber Support in Chrome:
- Navigate to chrome://flags/#enable-tls13-kyber in your Chrome browser.
- Disable the "Enable Kyber support for TLS 1.3" option.
- Restart Chrome for the changes to take effect.
Update IPS Version:
- Ensure your FortiGate's Intrusion Prevention System (IPS) is up to date. Outdated IPS signatures can sometimes cause compatibility issues.
Adjust TCP-MSS:
- As mentioned earlier, try adjusting the TCP-MSS sender and receiver settings in your FortiGate firewall policy to 1450.
Firmware Considerations:
- If the issues persist across multiple FortiOS 7.4 versions, downgrading to a more stable 7.2 version might be a viable option, especially if you're migrating multiple customers.

Additional Tips

Review Chrome flags configuration.
Disable web filter.
Disable application control.

Conclusion

While Google Chrome's implementation of Kyber aims to enhance security, it can sometimes lead to compatibility issues with network devices like FortiGate firewalls. By understanding the specific symptoms and applying the appropriate solutions, network administrators can effectively mitigate these problems and ensure a smooth browsing experience for their users.

. . .

Jobscan ATS Resume Checker and Job Search Tools

AI-powered system will show you how to tailor your resume so that you highlight the skills and experience recruiters are searching for. APPLICANT TRACKING ...

Fake Name Generator: Generate a Random Name

These name sets apply to this country: American, Hispanic Female. Logged in users can view full social security numbers and can save their fake names to use ...

chrome://flags/#password-import-export. ==> not found import button ...

Dec 30, 2019 ... Try to disconnect your desktop from sync, reset sync data from your laptop. Sync laptop and then the desktop.

Microsoft Bing Search on the App Store

Microsoft Bing helps you find trusted search results fast, tracks topics ... Monica AI: Chat, Image & Video. Productivity.

IBAN Calculator: Calculate IBAN from Bank Code and Account ...

IBAN Calculator - Convert a bank account number to IBAN. View BIC code, branch address and relevant information for international bank wire transfer.