Technical Tip: Change in QUIC handling behavior from v7.4.2+
Description
This article outlines a change in how FortiGate handles QUIC traffic starting from v7.4.2. It describes the enhanced QUIC control options and how they affect browser performance and traffic handling in environments with specific DNS or proxy configurations.
Scope
FortiGate v7.4.2 and above.
Solution
From v7.4.2 and above, FortiGate has three QUIC options within the SSL/SSH inspection profile:
config firewall ssl-ssh-profile
    edit <name>
        config https
            set quic {inspect | bypass | block}
        end
        config dot
            set quic {inspect | bypass | block}
        end
    next
end
- The default behavior for QUIC is now set to inspect.
- This change results in SSL inspection being applied to QUIC traffic unless explicitly configured otherwise.
Available options for the QUIC setting:
- 'inspect': Inspect QUIC (HTTP/3) traffic.
- 'bypass': Allow QUIC traffic without inspection.
- 'block': Deny QUIC traffic entirely.
Observed behavior:
Browsers using experimental QUIC or DNS over QUIC (e.g., Cisco Umbrella Cloud Proxy) may experience:
- Slow webpage loads.
- Pages failing to load on the first attempt, but loading after a refresh.
Cause:
- In previous versions, QUIC traffic may have passed implicitly unless it was blocked via Application Control or a firewall policy. This is equivalent to the 'bypass' setting on 7.4.2 and higher.
- With 7.4.2+, FortiGate applies SSL inspection to QUIC by default ('inspect'), which changes how QUIC traffic is handled. This affects firewall policies that are in flow mode and have an SSL inspection profile assigned: HTTP/3 and QUIC inspection is not supported in flow-mode firewall policies, so the handshake may be left incomplete or the traffic dropped, producing one of the behaviors observed above.
Recommendations:
To properly handle or block QUIC traffic under the new behavior, apply one of the following methods:
- Set the firewall policy to proxy mode. FortiOS supports inspecting HTTP/3 and QUIC traffic in proxy-based inspection mode starting from 7.4.1 (see Enhancement to QUIC and HTTP3 inspection). SSL deep inspection may be required if the payload content has to be decrypted (see Technical Tip: Differences between SSL Certificate Inspection and Full SSL Inspection).
- Block QUIC at the SSL/SSH Profile Level: Technical Tip: QUIC traffic denied when SSL/SSH profile is configured with 'block' option
- Block QUIC using Application Control: Technical Tip: How to block/disable QUIC
- Block QUIC with a Firewall Policy: Technical Tip: How to block/disable QUIC
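The following CLI fragment is an added example and is not part of the original article or Fortinet's own configuration guidance. It puts the two configurations side by side: a profile that keeps the pre-7.4.2 behavior for a flow-mode policy by setting QUIC to 'bypass', and a profile plus policy where 'inspect' is actually supported because the policy runs in proxy mode. The profile names ("quic-flow-bypass", "quic-proxy-inspect"), policy ID 10, the interface names "port1"/"port2" and the use of the "all" address objects are assumptions chosen for illustration; the 'config dot' section controls DNS over QUIC (DoQ), which is the DNS case mentioned in the observed behavior.

```text
# Added example (not from the original article). Names, policy ID and
# interfaces are assumed values for illustration only.

# Option A: the policy stays in flow mode, where QUIC inspection is not
# supported. 'bypass' restores the implicit pass-through of pre-7.4.2
# builds; change it to 'block' if QUIC should be denied so that clients
# fall back to TCP-based HTTPS instead of stalling on a half-open handshake.
config firewall ssl-ssh-profile
    edit "quic-flow-bypass"
        config https
            set quic bypass
        end
        config dot
            set quic bypass
        end
    next
end

# Option B: move the policy to proxy mode and leave QUIC on 'inspect'
# (the 7.4.2+ default) so HTTP/3 is inspected rather than dropped.
config firewall ssl-ssh-profile
    edit "quic-proxy-inspect"
        config https
            set quic inspect
        end
        config dot
            set quic inspect
        end
    next
end
config firewall policy
    edit 10
        set name "lan-to-wan-proxy"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "quic-proxy-inspect"
    next
end
```

Apply only one of the two options to a given policy. After the change, confirm which path QUIC is taking by sniffing for UDP/443 from a client that is reproducing the slow-load symptom (for example, `diagnose sniffer packet any 'udp port 443' 4 10`): with 'bypass' the UDP flow should complete, with 'block' it should be dropped and the browser should retry over TCP, and with 'inspect' on a proxy-mode policy the flow should complete without the repeated first-attempt failures described above.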