Description
This article outlines a change in behavior in how FortiGate handles QUIC traffic, starting from v7.4.2 and higher. It describes enhanced QUIC control options and describes how this impacts browser performance and traffic handling in environments with specific DNS or proxy configurations.
Scope
FortiGate v7.4.2 and above.
Solution
From v7.4.2 and above, FortiGate has three QUIC options within the SSL/SSH inspection profile:
config firewall ssl-ssh-profile
edit <name>
config https
set quic {inspect | bypass | block}
end
config dot
set quic {inspect | bypass | block}
end
next
end
- The default behavior for QUIC is now set to inspect.
- This change results in SSL inspection being applied to QUIC traffic unless explicitly configured otherwise.
Available options for the QUIC setting:
- 'inspect': Inspect QUIC (HTTP/3) traffic.
- 'bypass': Allow QUIC traffic without inspection.
- 'block': Deny QUIC traffic entirely.
Observed behavior:
Browsers using experimental QUIC or DNS over QUIC (e.g., Cisco Umbrella Cloud Proxy) may experience:
- Slow webpage loads.
- Pages failing to load on the first attempt, but loading after a refresh.
Cause:
- In previous versions, QUIC traffic might have passed implicitly if not blocked via Application Control or a firewall policy. This is the equivalent of using the 'bypass' setting on 7.4.2 and higher.
- With 7.4.2+, FortiGate applies SSL inspection by default ('inspect'), which affects how QUIC traffic is handled. This can affect traffic on firewall policies that are in flow mode and have an SSL inspection profile assigned. HTTP/3 and QUIC inspection is not supported in flow mode firewall policies and can lead to one of the observed behaviors above due to incomplete handshakes or dropped traffic.
Recommendations:
To properly handle or block QUIC traffic under the new behavior, apply one of the following methods:
