Technical Tip: QUIC traffic denied when SSL/SSH profile is configured with 'block' option
| Description | This article describes the expected behavior when the QUIC option is set to 'block' in an SSL/SSH inspection profile and explains how to adjust the configuration to allow or inspect QUIC (HTTP/3) traffic. |
| Scope | FortiOS with SSL/SSH inspection profiles applied to policies handling HTTPS/QUIC traffic. |
| Solution | When the QUIC option in the SSL/SSH inspection profile is set to 'block', FortiGate will deny QUIC traffic. This behavior is expected and is reflected in traffic logs similar to the example below:
To change this behavior, verify and modify the QUIC setting in the SSL/SSH profile that is applied to the relevant policy. Use the following commands to inspect or bypass QUIC traffic:
Note: Replace '<profile_name>' with the name of the SSL/SSH inspection profile in use.
Available options for the QUIC setting:
If inspection of HTTP/3 traffic over QUIC is required, set the option to 'inspect'. There is no setting labeled 'allow'; to permit the traffic without inspection, use 'bypass'. |
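Added example, not part of the original article and not Fortinet code: a Python audit that reads a FortiOS configuration backup and reports the QUIC setting of every SSL/SSH inspection profile, so profiles set to 'block' can be found before QUIC denies show up in traffic logs. It assumes the option is stored as `set quic <value>` under `config https` inside `config firewall ssl-ssh-profile`; the sample configuration and profile names are constructed.

```python
import shlex

# Constructed backup excerpt; profile names are hypothetical.
# Assumption: the option is stored as "set quic <value>" under "config https".
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "corp-deep"
        config https
            set quic block
        end
    next
    edit "guest-cert"
        config https
            set quic bypass
        end
    next
    edit "legacy"
        config https
            set status deep-inspection
        end
    next
end
"""

def quic_settings(config_text):
    """Map each SSL/SSH profile name to its QUIC value (None if not set explicitly)."""
    stack, result = [], {}          # stack holds the currently open config/edit scopes
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw) or [""]
        except ValueError:          # unbalanced quote, e.g. a multi-line certificate value
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit" and len(tok) > 1:
            if stack == ["firewall ssl-ssh-profile"]:
                result[tok[1]] = None   # profile seen; no explicit QUIC value yet
            stack.append(tok[1])
        elif tok[0] in ("end", "next") and stack:
            stack.pop()
        elif tok[:2] == ["set", "quic"] and len(tok) == 3:
            if len(stack) == 3 and stack[0] == "firewall ssl-ssh-profile" and stack[2] == "https":
                result[stack[1]] = tok[2]
    return result

def blocked_profiles(config_text):  # profiles where QUIC denies are expected
    return sorted(n for n, v in quic_settings(config_text).items() if v == "block")

if __name__ == "__main__":
    print(quic_settings(SAMPLE_CONFIG), blocked_profiles(SAMPLE_CONFIG))
```

A profile reported as `None` has no explicit `set quic` line in the backup, so it runs with whatever default the firmware applies; confirm the effective value on the device.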
