Sites that use Cloudflare DNS Proxy with ECH will not open behind a FortiGate
This has recently happened to us with our own website and all our FGTs.
When one tries to access our website, all one gets in Chrome is a QUIC protocol error.
Looking at Chrome's netlog on an affected client, I saw that it tried to use Cloudflare's ECH protocol to do an encrypted client handshake to their proxy. This failed because UTM blocks cloudflare-ech.com.
If I add that FQDN to a policy that doesn't have filters and comes in front of the other internet policies, our website works fine.
Cloudflare community also has a thread on this: https://community.cloudflare.com/t/err-ech-not-negotiated-problem/710760
I cannot say whether Cloudflare did something bad by enabling a feature they still declare experimental as default or not. (This is said in the linked thread.)
However, since not filtering cloudflare-ech.com is not a solution (but a fix), I have opened a ticket with TAC (which escalated to a senior with the first answer) as well as with Cloudflare support.
Currently waiting for answers.
Thought I'd post this here just in case someone else runs into this issue :)
Stay safe,
Sebastian
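Added example, not part of Sebastian's post: the "public name" a browser contacts for ECH (cloudflare-ech.com in the case above) is carried in the ECHConfig that a site publishes in the `ech` parameter of its DNS HTTPS record. The parser below decodes an ECHConfigList in the draft-ietf-tls-esni wire format and reports that name, so an administrator can see which outer SNI a web filter must not block; the key bytes and config values are constructed, not real Cloudflare data.

```python
ECH_VERSION_DRAFT13 = 0xFE0D  # ECHConfig version used by current deployments


def _read_vec(buf, pos, len_size):
    """Read a TLS-style length-prefixed vector; return (bytes, next_pos)."""
    n = int.from_bytes(buf[pos:pos + len_size], "big")
    pos += len_size
    if pos + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + n], pos + n


def parse_ech_config_list(data):
    """Parse an ECHConfigList (value of the 'ech' SvcParam in an HTTPS record).

    Returns one dict per ECHConfig; unknown versions are kept with
    public_name=None so they are visible rather than silently dropped.
    """
    body, end = _read_vec(data, 0, 2)
    if end != len(data):
        raise ValueError("trailing bytes after ECHConfigList")
    configs, pos = [], 0
    while pos < len(body):
        version = int.from_bytes(body[pos:pos + 2], "big")
        contents, pos = _read_vec(body, pos + 2, 2)
        if version != ECH_VERSION_DRAFT13:
            configs.append({"version": version, "public_name": None})
            continue
        config_id, kem_id = contents[0], int.from_bytes(contents[1:3], "big")
        public_key, p = _read_vec(contents, 3, 2)      # HPKE public key
        suites, p = _read_vec(contents, p, 2)          # (kdf_id, aead_id) pairs
        public_name, p = _read_vec(contents, p + 1, 1)  # skip maximum_name_length
        configs.append({
            "version": version, "config_id": config_id, "kem_id": kem_id,
            "public_key_len": len(public_key),
            "cipher_suites": [(int.from_bytes(suites[i:i + 2], "big"),
                               int.from_bytes(suites[i + 2:i + 4], "big"))
                              for i in range(0, len(suites), 4)],
            "public_name": public_name.decode("ascii"),
        })
    return configs


def build_sample_ech_config_list(public_name="cloudflare-ech.com"):
    """Constructed sample ECHConfigList (placeholder key, not a real one)."""
    pubkey = bytes(32)  # placeholder X25519 key for DHKEM(X25519, HKDF-SHA256)
    contents = bytes([7]) + (0x0020).to_bytes(2, "big")
    contents += len(pubkey).to_bytes(2, "big") + pubkey
    suite = (0x0001).to_bytes(2, "big") + (0x0001).to_bytes(2, "big")  # HKDF-SHA256, AES-128-GCM
    contents += len(suite).to_bytes(2, "big") + suite
    name = public_name.encode("ascii")
    contents += bytes([0, len(name)]) + name + (0).to_bytes(2, "big")  # max_name_len, name, no extensions
    cfg = ECH_VERSION_DRAFT13.to_bytes(2, "big") + len(contents).to_bytes(2, "big") + contents
    return len(cfg).to_bytes(2, "big") + cfg
```

To check a live site, base64-decode the `ech=` value from its HTTPS record (for example from `dig HTTPS <host>`) and pass the bytes to `parse_ech_config_list`.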