Websites randomly gets blocked or allowed with no changes made - Kyber on Chromium browsers v124
Description
Update:
The fix for this issue has been integrated in SonicOS 7.1.1-7058 onwards including in SonicOS 7.1.2-7019 for all GEN7 devices (both physical and virtual), and in SonicOS 6.5.4.15-116n for GEN6 devices. You can access it on MySonicWall.com.
As of April 22, 2024, many websites that could have been successfully accessed earlier are now showing up as blocked. Alternatively, in some scenarios website that should have been blocked is now accessible. And all of this without making any changes in the content filter policies on the firewall with or without DPI SSL inspection.
This predominantly is reported only after Chrome and Edge browsers were upgraded to the latest versions : Chrome v124.0.6367.61 and Edge v124.0.2478.
Resolution
Please verify the issue has occurred without any changes made in the CFS configuration on the SonicWall. The below resolution is a workaround. The issue is being investigated and worked toward a resolution. Packet captures would show drops - "Drop code 107 ( Enforced Content Filter Policy )"
Please run a packet capture based on the destination IP of the blocked websit.
Please navigate to
Monitor << Tools and Monitor << Packet Monitor
Enter the following details under the General tab of packet monitor
Ether Type : IP
IP Type : TCP
Destination IP : IP address of the website
The workaround is temporary and is the same for both GEN6 and GEN7 devices regardless of the firmware. This article will be updated as and when there is one.
- For Chrome, in a new tab, enter chrome://flags
Search for Kyber either using CTRL+F or in the search box given
Disable the option "TLS 1.3 hybridized Kyber support"
- For Edge, in a new tab, enter edge://flags
Search for Kyber either using CTRL+F or in the search box given
Disable the option "TLS 1.3 hybridized Kyber support"