Skip to main content
Gurpreet_Kaur
Staff
Gurpreet_Kaur
Staff
October 29, 2025

Technical Tip: FortiGate fails to block HTTPS websites due to encrypted traffic

  • October 29, 2025
  • 0 replies
  • 2002 views
Description This article describes how to troubleshoot and resolve issues where FortiGate fails to block adult or restricted HTTPS websites due to encrypted traffic (HTTPS / TLS 1.3 ECH).
Scope FortiGate.
Solution

Administrators may observe that FortiGate fails to block adult or restricted websites even when Web Filter and URL Filter profiles are properly configured.

Symptoms:

  • Adult or restricted sites are still accessible.
  • FortiGate logs show 'Allow' instead of 'Block'.
  • Destination or application name mismatch in logs.
  • Web filter profiles appear to have no effect.

 

Root Cause:

Most adult sites and large CDN-hosted domains (e.g., Cloudflare, Akamai) use HTTPS with Encrypted Client Hello (ECH). Without Deep SSL Inspection, FortiGate cannot decrypt and read the true URL or hostname inside the TLS 1.3 session, resulting in failed filtering.

When SSL deep inspection is disabled (default certificate-inspection mode), FortiGate only examines the SNI from the TLS handshake. However, with ECH, even the SNI is encrypted. This prevents FortiGate from knowing the actual destination domain.

 

Note: SNI may still appear in the Encrypted Client Hello, but this is the outer SNI, which is sent in clear text. Refer to this article for more info: Technical Tip: How to block TLS 1.3 Encrypted Client Hello (ECH) in FortiGate firewalls.


Recommended Solution:

  1. Enable SSL Deep Inspection:
  • Choose Deep Inspection mode.
  • Apply the SSL inspection profile to the firewall policy that handles user web traffic.

 

  1. Block ECH-Related Domain :
  • To mitigate Cloudflare-based ECH traffic, which hides true destinations, add wildcard entries in the URL filter or the DNS filter:

 

*cloudflare-ech*

*whos.amung*

 

  • Apply this filter to the same policy used for user traffic.

 

  1. Verify URL Filtering Functionality:
  • Confirm the correct Web Filter profile is attached to the outgoing firewall policy.
  • Test using HTTP (unencrypted) sites first to confirm filtering logic.
  • Once confirmed, test HTTPS sites under Deep Inspection mode.
  • Monitor logs in Log & Report → Web Filter or use CLI:


diagnose debug enable
diagnose debug application urlfilter -1

 

  1. Collect diagnostic data:
  •  If filtering still fails after enabling deep inspection:
    • Capture HAR File (Browser-Level): Follow Fortinet’s guide to collect HAR files for web analysis.
    • Capture Traffic using Wireshark: On the client or FortiGate, capture packets:


diagnose sniffer packet any 'host <destination_IP>' 6

 

  • Analyze TLS handshake and SNI fields for ECH presence.
      Terms & ConditionsAccessibility statement