dtogkas
Staff
November 6, 2025

Troubleshooting Tip: Resolving Safari connection issues on the latest iOS/macOS with FortiGate

Description

This article describes the steps to resolve connection issues with Safari on macOS when using FortiGate with proxy-based inspection and UTM activated. The issue is caused by the QUIC protocol and can be resolved by blocking QUIC or using a flow-mode policy.

Scope

FortiGate v7.4.8 and below, iOS/macOS.

Solution

In the latest iOS/macOS releases, such as iOS 18, HTTP/3 is enabled by default in Safari, and Safari's implementation omits the 'max_idle_timeout' transport parameter of the QUIC protocol. This causes connection issues when the traffic matches a Firewall Policy in proxy-based inspection mode with UTM enabled.
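To show what "omits the 'max_idle_timeout' transport parameter" means on the wire, the following Python script is an added example (it is not Fortinet code and not part of this article). It encodes and decodes a QUIC transport-parameters block as defined in RFC 9000 section 18 (a sequence of varint id, varint length, value entries) and reports whether the peer declared max_idle_timeout. The two sample blocks are constructed for the example, not captured from Safari or FortiGate; the "Safari-like" block simply leaves parameter 0x01 out, which RFC 9000 section 18.2 defines as "idle timeout disabled" from that peer's side, so an inspecting proxy has no client-declared timeout to work with.

```python
"""Decode a QUIC transport-parameters block (RFC 9000, section 18) and
report whether the peer declared max_idle_timeout (id 0x01)."""

from typing import Dict, List, Optional

TP_MAX_IDLE_TIMEOUT = 0x01

# Subset of the RFC 9000 transport parameter IDs whose values are varints.
TP_NAMES = {
    0x01: "max_idle_timeout",
    0x03: "max_udp_payload_size",
    0x04: "initial_max_data",
    0x08: "initial_max_streams_bidi",
}


def encode_varint(value: int) -> bytes:
    """RFC 9000 section 16 variable-length integer (1, 2, 4 or 8 bytes)."""
    if value < 1 << 6:
        return bytes([value])
    if value < 1 << 14:
        return (value | 0x4000).to_bytes(2, "big")
    if value < 1 << 30:
        return (value | 0x80000000).to_bytes(4, "big")
    if value < 1 << 62:
        return (value | (0xC0 << 56)).to_bytes(8, "big")
    raise ValueError("value does not fit in a QUIC varint")


def decode_varint(buf: bytes, pos: int):
    """Return (value, next_pos); the top two bits of the first byte give the length."""
    length = 1 << (buf[pos] >> 6)
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    mask = (1 << (8 * length - 2)) - 1
    return int.from_bytes(buf[pos:pos + length], "big") & mask, pos + length


def encode_transport_parameters(params: Dict[int, int]) -> bytes:
    """Serialise {id: integer value} as (id, length, value) entries."""
    out = bytearray()
    for tp_id, value in params.items():
        encoded = encode_varint(value)
        out += encode_varint(tp_id) + encode_varint(len(encoded)) + encoded
    return bytes(out)


def parse_transport_parameters(buf: bytes) -> Dict[int, bytes]:
    """Parse a block into {id: raw value}; a duplicate id is a protocol error (RFC 9000 s7.4)."""
    params: Dict[int, bytes] = {}
    pos = 0
    while pos < len(buf):
        tp_id, pos = decode_varint(buf, pos)
        length, pos = decode_varint(buf, pos)
        if pos + length > len(buf):
            raise ValueError(f"transport parameter {tp_id:#x} is truncated")
        if tp_id in params:
            raise ValueError(f"duplicate transport parameter {tp_id:#x}")
        params[tp_id] = buf[pos:pos + length]
        pos += length
    return params


def idle_timeout_ms(params: Dict[int, bytes]) -> Optional[int]:
    """None when max_idle_timeout was omitted, otherwise the declared value in ms."""
    raw = params.get(TP_MAX_IDLE_TIMEOUT)
    if raw is None:
        return None
    value, end = decode_varint(raw, 0)
    if end != len(raw):
        raise ValueError("max_idle_timeout value is not a single varint")
    return value


def describe(params: Dict[int, bytes]) -> List[str]:
    """Human-readable summary; absent or zero timeout both mean 'disabled' (RFC 9000 s18.2)."""
    lines = []
    for tp_id, raw in params.items():
        name = TP_NAMES.get(tp_id, "unknown_%#x" % tp_id)
        shown = decode_varint(raw, 0)[0] if tp_id in TP_NAMES else raw.hex()
        lines.append(f"{name}: {shown}")
    timeout = idle_timeout_ms(params)
    if timeout:
        lines.append(f"idle timeout declared: {timeout} ms")
    else:
        lines.append("idle timeout NOT declared: this peer imposes no idle limit")
    return lines


# Constructed sample blocks for the example (not captured from a real handshake).
SAFARI_LIKE = encode_transport_parameters({0x04: 1_048_576, 0x08: 100, 0x03: 1200})
WITH_TIMEOUT = encode_transport_parameters(
    {0x01: 30_000, 0x04: 1_048_576, 0x08: 100, 0x03: 1200})

if __name__ == "__main__":
    for label, block in (("Safari-like block (no max_idle_timeout)", SAFARI_LIKE),
                         ("peer declaring a 30 s idle timeout", WITH_TIMEOUT)):
        print(label)
        for line in describe(parse_transport_parameters(block)):
            print("  " + line)
```

Run it as a script to print both summaries side by side. The encoder exists only to build the constructed samples; the parser and idle_timeout_ms are the part that matters, since they show that the parameter is genuinely absent rather than set to some value, and that the decoder must treat that absence as a valid, RFC-conformant case rather than an error.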


By contrast, the issue does not occur with Firefox or Google Chrome.


On the client side the connection simply stalls, and the WAD debug output shows no errors, even at verbose level.


To resolve the connection issues with Safari on macOS, one of the following options can be implemented:


  1. If the Firewall Policy uses the default certificate-inspection profile, clone it and, under the HTTPS settings of the clone, set the QUIC protocol to bypass:


config firewall ssl-ssh-profile
    edit "Clone of certificate-inspection"
        config https
            set quic bypass
        end
    next
end


  2. Alternatively, use a flow-mode policy instead of a proxy-mode policy with UTM enabled:


config firewall policy
    edit X
        set inspection-mode flow
    next
end


  3. Block the QUIC protocol with an Application Control profile and apply that profile to the Firewall Policy.


  4. Create a custom service object named 'QUIC' with UDP port 443. Then clone the ALLOW Firewall Policy that matches this traffic, replace its 'Service' with the new custom service 'QUIC', and set 'Action' to 'Deny'. Blocking the QUIC protocol resolves the issue because the client falls back to HTTP/2 or HTTP/1.1 over TCP:


config firewall service custom
    edit "QUIC"
        set udp-portrange 443
    next
end

config firewall policy
    edit X
        set service "QUIC"
        set action deny
    next
end


Note: The issue is caused by Safari omitting the 'max_idle_timeout' transport parameter when using HTTP/3. FortiOS 7.4.9 and 7.6.1 include a fix that allows a proxy-based inspection Firewall Policy with UTM enabled to keep working with this traffic. If running an earlier version, it may be necessary to upgrade to resolve the issue.


Apple addressed part of the QUIC implementation in iOS 18.1 and macOS 15.1. However, the 'max_idle_timeout' parameter is still omitted under certain conditions (e.g., QUIC connections reused after an Alt-Svc upgrade), so users on 18.1+ may still experience intermittent stalls with proxy-based UTM until FortiOS v7.4.9 or v7.6.1 is deployed.