TLSv1.3 is now an approved standard: how will D & E series 5.6 Fortigates deal with it?

NapaCab
2018/03/27 15:30:01 (permalink)
0


Now that the standard has been ratified, how will the Fortigate D (CP8) and Fortigate E series (CP9) deal with TLSv1.3?
 
 
#1


    x_member
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/03/28 01:26:30 (permalink)
    #2
    Philippe Gagne
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/09 16:01:51 (permalink)
    0
    Hi,
     
    On my side, I received an IPS Engine update file from the TAC, executed two commands in the CLI and rebooted the FortiGate. Deep inspection is now working well with Facebook, Gmail and all other TLS 1.3 enabled sites!
     
    I'm waiting for an answer about the file they gave me: is this file model-related, or can I use it in all my FortiGates?
     
    Philippe
     
    #3
    bommi
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/09 22:04:21 (permalink)
    0
    Hi,
     
    Can you tell us the version of the IPS engine you got from TAC?
     
    Best Regards
    Dominik
    #4
    Philippe Gagne
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/10 04:06:00 (permalink)
    0
    Hi Dominik,
     
    The file name is flen-560-3.516.pkg. So, in the FortiGate, it's named Version 3.00516.
     
    If I take a look at another 5.6.3 FortiGate, the original version looks like Version 3.00442.
     
    I received the confirmation from the TAC: I can install this on any model.
     
    Thanks
     
    Philippe
    #5
    kurtli_FTNT
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/12 15:00:08 (permalink)
    0
    Hi guys,
    Thanks for the concern about TLS 1.3. But engine 3.00516/7 is not fully ready for TLS 1.3 yet; our IPS team is still working on it.
     
     
    Regards
    #6
    Philippe Gagne
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/12 18:53:03 (permalink)
    0
    Hi,
     
    Do you know if there is any new/interim version? Actually, version 3.00516 is now the one deployed by FortiGuard.
     
    Thanks
     
    Philippe
    #7
    kurtli_FTNT
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/13 16:32:28 (permalink)
    0
    Hi Philippe,
    The latest version of the IPS engine is now 3.00518.
     
     
    Thanks
    #8
    Philippe Gagne
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/16 17:06:00 (permalink)
    0
    Hi,
     
    Will this version (or newer) be released soon?
     
    thanks
     
    Philippe
     
    #9
    romanr
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/17 00:56:26 (permalink)
    0
    Hey,
     
    I doubt that the IPS engine alone will bring full TLS 1.3 compatibility... I guess FortiGate is mostly using OpenSSL and the new library will need to go into the firmware...
     
    Br,
    Roman
    #10
    kurtli_FTNT
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/17 15:56:07 (permalink)
    0
    Hi Philippe,
    The engine "3.00518" is now available for download. However, as I said previously, for now the IPS engine is not fully ready for TLS 1.3; we are still working on it.
     
     
     
    Regards
    #11
    NKL
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/17 23:16:10 (permalink)
    0
    Now I'm wondering where to download the engine-update file? For FortiOS V5.6, the Fortinet Support Portal only offers "Virus Definition", "Attack Definition", "Application Definition" and (depending on contract) "Mobile Malware" and "Industrial Definition".

    Is the engine packaged in one of the files mentioned above? Or am I missing something?
    #12
    BrianSTL
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/09/28 08:12:03 (permalink)
    0
    Have there been any updates or movement on FortiGate support for TLS 1.3?
    #13
    kurtli_FTNT
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/09/28 10:18:00 (permalink)
    0
    There is no official support for TLS 1.3 yet; it is still under internal test. So far, deep inspection works well with both Chrome 69 and Firefox 62 and most popular servers with TLS 1.3 enabled. It will support all 5 ciphers defined in RFC 8446, as well as 1-RTT, 0-RTT and 2-RTT (HelloRetryRequest) handshakes. Unlike the step from TLS 1.1 to TLS 1.2, TLS 1.3 is really a big change. It takes more time to provide full features and stability. However, thanks to the hard work, I think it's coming soon.
     
    Thanks
    #14
    Suchit_k2
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2019/01/04 03:23:04 (permalink)
    0
    I am facing the same issue and had raised a ticket with Fortinet support. They said it will be resolved in the firmware update. Please find Fortinet's reply below.
     
    "As per the Engineering team, the current IPS engine branches 3.6 and 4.0 can only bypass TLS 1.3. WebFilter TLSv1.3 is supported, but no block page could be delivered. The session would be reset when blocked. Replacement messages are not supported. So you won't see a block page until the native TLS 1.3 support is implemented. Supposedly, the session should be reset. But the session could go into BYPASS mode once the webfilter is done.

    IPS engine doesn't change the client/server negotiation. It doesn't downgrade or upgrade any security factors. Without support of TLS 1.3, it couldn't intercept the process to inject block pages. The project to support TLSv1.3 in IPS engine is scheduled for FOS 6.2 having IPS engine Build: 4.205 

    SSL_INTERFERENCE_ERROR is fixed in IPS Engine 3.522. 

    You will have to wait for 6.2 firmware to get replacement block for TLSv1.3 connections. 6.2 is expected to release on Mar 22, 2019. Note: Release date may change. Please let me know if you have any questions."
     
    Waiting desperately for the update.
     
    Regards...
    #15
    boneyard
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2019/03/19 12:14:19 (permalink)
    0
    We are two months further on; could anyone from Fortinet chime in on the current status?
     
    Especially how TLS 1.3 will be handled in 5.6 and 6.0; upgrading to 6.2 as soon as it is released just for TLS 1.3 feels extreme.
    #16
    Wayne1
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2019/05/03 08:16:03 (permalink)
    0
    We just noticed a similar problem with https://www.techsmith.de and Deep Inspection with 6.0.4, but what's mysterious to me is the fact that the page also supports TLS 1.2, so why is the FG not just falling back to 1.2 instead of 1.3?
     
    https://www.ssllabs.com/ssltest/analyze.html?d=www.techsmith.de
     
    In our case it doesn't depend on the IPS engine; the page also gets blocked without any security profile, so it's definitely SSL inspection itself. Nothing special in the logs, no blocked packets at all.
     
    Any hints?

     
    FG-200E, FG-200D, FG-100E, FG-60E, FWF-60D, FWF-60E, FAZVM64, Fortimail VM
    #17
    boneyard
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2019/05/04 01:40:17 (permalink)
    0
    Are you in flow mode? Then TLS 1.3 is not supported and will be bypassed without any hint that this is happening (not really happy with this choice by Fortinet).
     
    As it is flow mode, it would be odd / against the idea of flow mode to somehow fall back to TLS 1.2.
     
    If you use proxy mode then you will see the FortiGate change the client SSL handshake and end up speaking TLS 1.2.
     
    6.2 is supporting TLS 1.3 in flow mode.
    #18
    Wayne1
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2019/05/06 01:46:17 (permalink)
    0
    Hi Boneyard
     
    We are in Proxy Mode and the point is, the FG is not even falling back to 1.2. We can't reach the website at all as long as we have Deep Inspection active for the domain. As soon as we create an exempt rule for the site we can reach it, but with Deep Inspection active we just get "ERR_CONNECTION_CLOSED" in each browser. We have no deny or any other special entry in the FortiAnalyzer logs, just normal HTTPS port 443 Action allow and Sent/Received bytes with Subtype forward. No closing or anything else.

     
    FG-200E, FG-200D, FG-100E, FG-60E, FWF-60D, FWF-60E, FAZVM64, Fortimail VM
    #19
    boneyard
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2019/05/06 11:41:18 (permalink)
    0
    Interesting, are you sure that is caused by TLS 1.3 and not something else?
     
    Checked the website and it works for me on a 5.6.8 FortiGate with deep inspection and web filter applied. Have you tried with limited UTM profiles?
     
    Do other TLS 1.3 sites work, e.g. www.mozilla.org?
     
    If you do a packet capture you will see whether the website or the FortiGate sends the reset, and whether the proxy strips the client's TLS 1.3 support in the request to the server.
     
     
    #20
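The packet-capture check suggested in the post above (does the proxy strip the client's TLS 1.3 offer on the way to the server?) comes down to reading the ClientHello's supported_versions extension, and the same parse shows which of the five RFC 8446 suites kurtli_FTNT mentions are offered. The following is an added Python example, not code from the thread or from Fortinet; it assumes a single unfragmented handshake record, and the two sample hellos (a browser-style one and a 1.2-only one of the kind a non-1.3 proxy would send upstream) are constructed, with the builder present only to produce that test input.

```python
import struct

# The five TLS 1.3 cipher suites defined in RFC 8446 (the "5 ciphers" mentioned in the thread)
TLS13_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
                0x1303: "TLS_CHACHA20_POLY1305_SHA256", 0x1304: "TLS_AES_128_CCM_SHA256",
                0x1305: "TLS_AES_128_CCM_8_SHA256"}
SUPPORTED_VERSIONS = 43  # extension type carrying the real version offer; 0x0304 = TLS 1.3

def u16(buf, i):
    return struct.unpack("!H", buf[i:i + 2])[0]

def build_client_hello(cipher_suites, versions):
    """Construct one handshake record holding a ClientHello (constructed test input, not a capture)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"  # legacy_version 1.2, fixed random, empty session id
    body += struct.pack("!H", 2 * len(cipher_suites)) + b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"  # compression_methods: null only
    exts = b""
    if versions:  # a client (or proxy) without TLS 1.3 simply omits supported_versions
        vdata = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        exts = struct.pack("!HH", SUPPORTED_VERSIONS, len(vdata)) + vdata
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def inspect_client_hello(record):
    """Report whether TLS 1.3 is offered and which RFC 8446 suites appear, from one unfragmented record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs, p = record[5:], 4 + 2 + 32   # skip handshake header, legacy_version and random
    p += 1 + hs[p]                   # legacy_session_id
    cs_len, p = u16(hs, p), p + 2
    suites = [u16(hs, i) for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                   # compression_methods
    end, p = p + 2 + u16(hs, p), p + 2
    versions = []
    while p + 4 <= end:              # walk the extensions looking for supported_versions
        etype, elen = u16(hs, p), u16(hs, p + 2)
        p += 4
        if etype == SUPPORTED_VERSIONS:
            versions = [u16(hs, p + 1 + i) for i in range(0, hs[p], 2)]
        p += elen
    return {"tls13_offered": 0x0304 in versions,
            "tls13_suites": [TLS13_SUITES[c] for c in suites if c in TLS13_SUITES]}

# Constructed samples: a browser-style hello offering TLS 1.3 and a 1.2-only hello of the kind a
# non-1.3 proxy would send upstream; run both legs of a capture through inspect_client_hello().
BROWSER_HELLO = build_client_hello([0x1301, 0x1302, 0x1303, 0xC02F], [0x0304, 0x0303])
PROXY_12_HELLO = build_client_hello([0xC02F, 0xC030], None)
```

On a real capture, feed the client-side and server-side ClientHello records to inspect_client_hello() and compare the two results: a True on the inside leg and a False on the outside leg is the stripped handshake described above.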