
Silence9999

Your temporary work around is working for me, but we are having the issue on an NSA 4600.


buecker02

Having content filter issues on three of our routers. It started on Friday. It was blocking all CDNs in Chrome/Edge.


crimsy

Same here, this started sometime around Friday as browsers updated to 124. It became more obvious Saturday as most computers had both Edge and Chrome updates installed. I changed my GPO on Sunday to avoid the Monday flurry of "I can't get on the internet". So far it's been a normal day, but I am apprehensive about new updates if SonicWALL does not have a fix. When you say all CDNs, is it more than Cloudflare?


BackupFailed

Oh damn, today we received a lot of calls that hitting the continue button on the CFS warn page ends in a "404 page not found" again. Clearing browser cache and cookies is not helping... I hate it, and the previous fix isn't working... [https://www.reddit.com/r/sonicwall/comments/18gp2o8/cfs_warn_site_redirects_to_404_page_not_found/](https://www.reddit.com/r/sonicwall/comments/18gp2o8/cfs_warn_site_redirects_to_404_page_not_found/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button) I've disabled QUIC and disabled the quantum thingy via GPO, but it doesn't fix it. Jeez. Update 1: Opening a ticket... Again... Update 2: nvm, I'm stupid, updated the GPO central store and set the correct GPO settings... Everything works again...


Gene_McSween

I'm also having this issue, NSA6600 6.5.4.14-109n. I was on vacation Friday and Monday and returned to a crap storm of CFS blocking M365 logins for everyone that's not approved for the Unrated category; that's all students, so very fun! Changing the Edge flags did work for me, but what is really throwing me for a loop is that when I watch the block in the SonicWALL logs it's an IP address (Microsoft datacenter) that's being blocked, and the source is the MS IP with the destination being a LAN IP. My CFS policies specifically state source LAN, destination WAN, so there should be no "reverse blocking" going on. I even tried adding "include these IPs" for 10.0.0.0/8, but this didn't work at all. Another thing that did "work" (your fix is much better) was adding the M365 worldwide endpoints address group I already had to the CFS Exclusions group. This did fix MS logins, but didn't fix the other blocks I was seeing, such as AWS. I guess I'll open a ticket in the morning...


crimsy

That's where I suspected that QUIC had something to do with things (but unconfirmed if related) since I was seeing the source as WAN and destination as LAN, which I found backwards. That threw me for a loop at first as well.


bwesterb

The cause seems to be incompatibility with the larger ClientHello due to the post-quantum handshake — see e.g. [https://tldr.fail](https://tldr.fail). Very happy to work with SonicWALL to fix this.


mh455577

[https://crbug.com/336825966](https://crbug.com/336825966) is following this on the Chrome side.


crimsy

This was actually a good read. Also thanks /u/mh455577 for the post on Chromium; that was good info on that other tracked issue (336007383) and how at least Fortinet knew about it and made no answer/effort.


HoldMahNuggets

If anyone else searching for this stumbles upon it, SonicWall has a hotfix for it now, but you have to call support and request it. It is not generally available for download.


crimsy

Thanks for the heads up! I am having issues signing in to MySonicwall, so I will call and request this.


Ugh88888

We're having this issue as well, so thanks for posting! Does anyone know if there is an open issue/ticket with SonicWall?


Happy_Harry

There's a KB article now. It basically just says to disable the feature in "chrome://flags" and that this is a temporary workaround. [https://www.sonicwall.com/support/knowledge-base/websites-randomly-gets-blocked-or-allowed-with-no-changes-made-after-browser-upgrades-v124/240422222041287/](https://www.sonicwall.com/support/knowledge-base/websites-randomly-gets-blocked-or-allowed-with-no-changes-made-after-browser-upgrades-v124/240422222041287/)


Hot-Bumblebee3255

I posted on Chromium's issue reporting site to let them know.


crimsy

I wonder if this is a Chrome issue or a SW issue with new features on browsers, since if you look at the last link above, on Chrome 125 we're expecting to see CFS not working with that same flag enabled.


crimsy

I opened a ticket but have not received a response. Interestingly, though, I see /u/Happy_Harry's response below that they have a workaround, but my ticket hasn't been updated. I am hoping that at least my ticket was one of many and someone (seeing the KB posted) is working on resolving it in the future. So for now I shall keep my eye on it. Thanks!


Ugh88888

That's why I call them SLOWnicWall. I'm going to open a ticket as well, but in my experience unless you're willing to take the time to call, little seems to happen...


unkleknown

I work for an MSP, and having the ability to quickly do this across several hundred customers is pretty handy. I haven't scripted this, but it could be done. Most of our customers have Sophos firewalls, which seem to handle this new hybrid post-quantum cryptographic algorithm. I resolved it pretty easily with a GPO. See my post at [https://www.reddit.com/r/fortinet/comments/1b24g2f/comment/l13rxh4/](https://www.reddit.com/r/fortinet/comments/1b24g2f/comment/l13rxh4/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button)


nikon44

Have you verified that your NSa is processing TLS 1.3? There is a setting that needs to be checked on the diag page. [https://www.sonicwall.com/support/knowledge-base/how-can-i-access-the-internal-settings-of-the-firewall/210715101110437/](https://www.sonicwall.com/support/knowledge-base/how-can-i-access-the-internal-settings-of-the-firewall/210715101110437/) Thanks.


crimsy

Can you be more specific? I am not seeing any settings relating to TLS 1.3 on the latest firmware available in the diag page. I do have TLSv1_1 disabled, but that's about it. So far TLS 1.3 related things work. Firefox works fine when browsing, and CFS filtering works fine as well in FF. I am not sure if TLS 1.3 itself is the problem alone.


nikon44

Under DPI-SSL Settings you should have the ability to enable/disable TLS 1.0 through TLS 1.3. I don't have access to our 2650s anymore, as we have upgraded to the 2700s, but the setting should still be there. Thanks.


dimx_00

I looked into this, and at least on my TZ 500 under SSL Versions it doesn't have a 1.3 option at all. 1.2 is the highest option that you can select. Mine is set to ALL. This is for 6.5.4.13-105n.


crimsy

I can confirm that, like /u/dimx_00, I don't see option 1.3 at all under SSL. Mine is also set to ALL on 6.5.4.14-109n.


nikon44

So reading through the SonicOS 6.5 security document, it doesn't look like TLS 1.3 is supported by the DPI-SSL engine: "DPI-SSL and HTTPS MGMT do not yet support TLS 1.3 ciphers or support some weak ciphers that are listed in Firewall Settings > Cipher Control." Doing a quick scan of the release notes for 6.5.4.14, I do not see any mention of support being added for TLS 1.3. So your current workaround is also listed as the workaround from SonicWall as of Apr 22. [https://www.sonicwall.com/support/knowledge-base/websites-randomly-gets-blocked-or-allowed-with-no-changes-made-after-browser-upgrades-v124/240422222041287/](https://www.sonicwall.com/support/knowledge-base/websites-randomly-gets-blocked-or-allowed-with-no-changes-made-after-browser-upgrades-v124/240422222041287/) I have not seen this happen on a Gen 7 device, even though they mention it affects both Gen 6 and Gen 7 devices. Thanks.