miciti
Visitor III
November 18, 2024
Solved

Fortigate DeepInspection - quic not working

  • November 18, 2024
  • 4 replies
  • 8376 views

Hi everyone,

I have a FortiGate 120G with deep inspection profile applied.

Since the update to v7.2.10 I have random issues, and I think it is related to QUIC.

 

This morning several clients called me to tell me that www.google.at no longer works in the Edge browser:

ERR_SSL_PROTOCOL_ERROR

 

First I tried to block QUIC via application control; that didn't help, so I created a policy blocking UDP 443. That didn't help either.

Since blocking did not work, I tried allowing it instead, as this tells me blocking is not necessary:

https://docs.fortinet.com/document/fortigate/7.2.10/administration-guide/984075/blocking-quic-manually

 

But this does not help either. What is really strange: the error messages do not appear to be consistent at all. Websites work on some clients and not on others (using the same firewall policy and the same inspection profile).

An hour later these websites work on the clients that were affected before, but then they do not work on other clients.

 

As a workaround I have disabled deep inspection for now... Any ideas on how to fix this? Should I create a ticket?

4 replies

abarushka
Staff
November 18, 2024

Hello,

 

I would recommend disabling TLS 1.3 hybridized Kyber support on the Google Chrome side and checking whether the issue persists. Please find the details by following the link below:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Web-pages-not-loading-or-taking-too-long-to/ta-p/313958

miciti
Author
Visitor III
November 19, 2024

I guess the flag looks different now in Edge than what is described in your link:

 
[screenshot: Edge flag]

 

pminarik
Staff
November 19, 2024

There are potentially two options:

1. Disable "use-ml-kem": this will disable the new ML-KEM key exchange and fall back to Kyber (which is handled correctly by the IPS if you have an up-to-date IPS engine).

2. Disable "enable-tls13-kyber": this will completely disable post-quantum key exchange.

 

You can pick one based on whether they're available in your flavor of Chromium-based browser.
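
Added example (not from this thread, Fortinet or Microsoft): a small Python parser that reads a TLS ClientHello record from a capture and reports whether the client offered one of the hybrid post-quantum key shares the two flags above toggle (X25519Kyber768Draft00 or X25519MLKEM768), together with the ClientHello size, so an admin can confirm which clients are still sending the large post-quantum ClientHello after the policy change. The group codepoints and the 1216-byte share size are taken from the TLS drafts, not from the thread, and the sample ClientHello is constructed inline rather than captured.

```python
import struct

SUPPORTED_GROUPS_EXT, KEY_SHARE_EXT = 10, 51
# Named-group codepoints of the hybrid PQ key exchanges the browser flags toggle
# (assumed from the TLS drafts, not taken from the thread).
PQ_HYBRID_GROUPS = {0x6399: "X25519Kyber768Draft00", 0x11EC: "X25519MLKEM768"}


def parse_key_shares(record: bytes) -> dict:
    """Return {group_id: key_exchange_len} from a TLS ClientHello record."""
    # record: type(1) ver(2) len(2); handshake: type(1) len(3); then legacy_version, random
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 5 + 4 + 2 + 32
    p += 1 + record[p]                                   # legacy_session_id
    p += 2 + struct.unpack_from("!H", record, p)[0]      # cipher_suites
    p += 1 + record[p]                                   # legacy_compression_methods
    ext_len = struct.unpack_from("!H", record, p)[0]
    p, end, shares = p + 2, p + 2 + ext_len, {}
    while p < end:
        etype, elen = struct.unpack_from("!HH", record, p)
        body, p = record[p + 4:p + 4 + elen], p + 4 + elen
        if etype == KEY_SHARE_EXT:                       # client_shares<0..2^16-1>
            q, stop = 2, 2 + struct.unpack_from("!H", body, 0)[0]
            while q < stop:
                group, klen = struct.unpack_from("!HH", body, q)
                shares[group] = klen
                q += 4 + klen
    return shares


def pq_diagnosis(record: bytes) -> dict:
    """Name any hybrid PQ key shares offered and report the ClientHello size."""
    shares = parse_key_shares(record)
    pq = {PQ_HYBRID_GROUPS[g]: n for g, n in shares.items() if g in PQ_HYBRID_GROUPS}
    return {"pq_key_shares": pq, "client_hello_bytes": len(record)}


def build_client_hello(shares: dict) -> bytes:
    """Constructed minimal ClientHello for testing (sample input, not a capture)."""
    groups = b"".join(struct.pack("!H", g) for g in shares)
    sg = struct.pack("!H", len(groups)) + groups
    entries = b"".join(struct.pack("!HH", g, n) + b"\x00" * n for g, n in shares.items())
    ks = struct.pack("!H", len(entries)) + entries
    exts = (struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(sg)) + sg
            + struct.pack("!HH", KEY_SHARE_EXT, len(ks)) + ks)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feed `pq_diagnosis` the raw bytes of the first TLS record of a client's connection (for example exported from a packet capture); `build_client_hello({0x11EC: 1216, 0x001D: 32})` produces a constructed ClientHello offering X25519MLKEM768 (1184-byte ML-KEM-768 public key plus 32-byte X25519 share) alongside plain X25519.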

miciti
Author, Answer
Visitor III
November 19, 2024

As @abarushka mentioned, disabling TLS 1.3 hybridized Kyber support helps with the issue.

 

For all Windows admins here: there is an option in the Microsoft Edge group policy template called "Enable post-quantum key agreement for TLS".

OskarDyjach
New Member
May 14, 2025

Hi! I found a solution that resolves the err_quic_protocol_error and err_ech_not_negotiated errors.

 

The problem is the default inspection mode of the firewall policy, Flow-based. Try changing it to Proxy-based; it helped me with multiple services.

johndavidjohn22
New Member
May 14, 2025

I've run into similar issues after upgrading to v7.2.10, especially with the inconsistencies in QUIC behavior. It seems like the deep inspection is causing interference, even with manual adjustments. I ended up disabling SSL deep inspection temporarily as a workaround, which helped stabilize things. Still waiting on a permanent fix.