FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JaskiratM
Staff & Editor
Article Id 390344
Description

 

This article outlines the change in behavior in how FortiGate handles QUIC traffic from v7.4.5 onwards. It introduces the enhanced QUIC control options and describes how this impacts browser performance and traffic handling in environments with specific DNS or proxy configurations.

 

Scope

 

FortiGate v7.4.5 and above.

 

Solution

 

From v7.4.5 and above, FortiGate has three QUIC options within the SSL/SSH inspection profile:

 

config firewall ssl-ssh-profile
    edit <name>
        config https
            set quic {inspect | bypass | block}
        end
        config dot
            set quic {inspect | bypass | block}
        end
    next
end

 

  • The default behavior for QUIC is now set to inspect.
  • This change results in SSL inspection being applied to QUIC traffic unless explicitly configured otherwise.

Available options for the QUIC setting:

  • 'inspect': Inspect QUIC (HTTP/3) traffic.
  • 'bypass': Allow QUIC traffic without inspection.
  • 'block': Deny QUIC traffic entirely.

 

Observed behavior:

Browsers using experimental QUIC or DNS over QUIC (e.g., Cisco Umbrella Cloud Proxy) may experience:

  • Slow webpage loads.
  • Pages failing to load on the first attempt, but loading after a refresh.

 

Cause:

  • In older versions, QUIC traffic might have passed implicitly if not blocked via Application Control or firewall policy.
  • With 7.4.5+, FortiGate applies SSL inspection by default, which affects how QUIC is handled.
  • If QUIC is not explicitly blocked, the inspection attempts may result in incomplete handshakes or dropped traffic.

 

Recommendations:
To properly handle or block QUIC traffic under the new behavior:

  1. Block QUIC at the SSL/SSH Profile Level: Technical Tip: QUIC traffic denied when SSL/SSH profile is configured with 'block' option
  2. Block QUIC using Application Control: Technical Tip: How to block/disable QUIC
  3. Block QUIC with a Firewall Policy: Technical Tip: How to block/disable QUIC
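Because the v7.4.5+ default is inspect, a profile that simply has no 'set quic' line is the one most likely to cause the symptoms above. The following is an added example, not part of this article or of FortiOS: a small Python audit that parses 'show firewall ssl-ssh-profile' output (a constructed sample is embedded; it assumes 'show' omits settings left at their default) and lists the profiles that will still try to inspect QUIC in the https or dot sub-table.

```python
import re

# Constructed sample in the shape of 'show firewall ssl-ssh-profile' output
# (assumption: 'show' omits settings at their default, so a profile with no
# 'set quic' line is running the v7.4.5+ default, inspect).
SAMPLE_SHOW_OUTPUT = """\
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        config https
            set quic bypass
        end
        config dot
            set quic block
        end
    next
    edit "deep-inspection"
        config https
        end
        config dot
        end
    next
end
"""

DEFAULT_QUIC = "inspect"     # default from v7.4.5 per the article
SECTIONS = ("https", "dot")  # the two sub-tables that carry 'set quic'

def parse_quic_settings(show_output):
    """Return {profile: {"https": value, "dot": value}}, defaults filled in."""
    profiles, profile, section = {}, None, None
    for raw in show_output.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r'edit "([^"]+)"', line):
            profile = m.group(1)
            profiles[profile] = {s: DEFAULT_QUIC for s in SECTIONS}
        elif line == "next":
            profile = None
        elif (m := re.fullmatch(r"config (\w+)", line)) and profile:
            section = m.group(1)   # enters 'config https' or 'config dot'
        elif line == "end":
            section = None
        elif (m := re.fullmatch(r"set quic (\w+)", line)) and section in SECTIONS:
            profiles[profile][section] = m.group(1)
    return profiles

def profiles_inspecting_quic(show_output):
    """Profiles that will try to inspect QUIC, explicitly or by default."""
    return sorted(name for name, quic in parse_quic_settings(show_output).items()
                  if DEFAULT_QUIC in quic.values())
```

Run it against your own captured 'show firewall ssl-ssh-profile' output; any profile it reports should get an explicit 'set quic bypass' or 'set quic block' in both sub-tables if QUIC inspection is not intended.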