FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Gurpreet_Kaur
Article Id 416323
Description This article describes how to troubleshoot and resolve issues where FortiGate fails to block adult or restricted HTTPS websites due to encrypted traffic (HTTPS / TLS 1.3 ECH).
Scope FortiGate.
Solution

Administrators may observe that FortiGate fails to block adult or restricted websites even when Web Filter and URL Filter profiles are properly configured.

Symptoms:

  • Adult or restricted sites are still accessible.
  • FortiGate logs show 'Allow' instead of 'Block'.
  • Destination or application name mismatch in logs.
  • Web filter profiles appear to have no effect.
Root Cause:

Most adult sites and large CDN-hosted domains (e.g., Cloudflare, Akamai) use HTTPS with Encrypted Client Hello (ECH). Without Deep SSL Inspection, FortiGate cannot decrypt the TLS 1.3 session and read the true URL or hostname inside it, so the Web Filter has nothing to match on and filtering fails.

When SSL deep inspection is disabled (the default certificate-inspection mode), FortiGate only examines the SNI from the TLS handshake. With ECH, however, the real SNI is itself encrypted, so FortiGate cannot learn the actual destination domain.

Note: An SNI value may still appear in a ClientHello that carries ECH, but this is the outer SNI, which is sent in clear text and does not identify the real destination site. Refer to this article for more info: Technical Tip: How to block TLS 1.3 Encrypted Client Hello (ECH) in FortiGate firewalls.


Recommended Solution:

  1. Enable SSL Deep Inspection:
  • Choose Deep Inspection mode.
  • Apply the SSL inspection profile to the firewall policy that handles user web traffic.

  2. Block ECH-Related Domains:
  • To mitigate Cloudflare-based ECH traffic, which hides true destinations, add the following wildcard entries in the URL filter or the DNS filter:

*cloudflare-ech*
*whos.amung*

  • Apply this filter to the same policy used for user traffic.

  3. Verify URL Filtering Functionality:
  • Confirm the correct Web Filter profile is attached to the outgoing firewall policy.
  • Test using HTTP (unencrypted) sites first to confirm the filtering logic.
  • Once confirmed, test HTTPS sites under Deep Inspection mode.
  • Monitor logs in Log & Report → Web Filter, or use the CLI (run diagnose debug disable when finished so debug output does not keep running):

diagnose debug enable
diagnose debug application urlfilter -1

  4. Collect diagnostic data:
  • If filtering still fails after enabling deep inspection:
    • Capture HAR File (Browser-Level): Follow Fortinet’s guide to collect HAR files for web analysis.
    • Capture Traffic: On the client (Wireshark) or on FortiGate (built-in sniffer), capture packets to the destination:

diagnose sniffer packet any 'host <destination_IP>' 6

  • Analyze the TLS handshake and SNI fields for ECH presence.
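To see concretely what a certificate-inspection-only device has to work with, here is an added example in Python (not Fortinet code and not from this article) that parses a TLS ClientHello record, extracts the clear-text SNI, and checks for the encrypted_client_hello extension (IANA type 0xfe0d). The sample ClientHellos are constructed inside the block, the hostnames restricted.example and cloudflare-ech.example are placeholders, and the fnmatch wildcard matching stands in for FortiGate's URL-filter wildcard entries rather than reproducing them. It illustrates the root cause above (with ECH only the outer SNI is visible) and gives a way to confirm ECH presence when analyzing a capture from step 4.

```python
"""Added example (not Fortinet code): inspect a TLS ClientHello the way a
certificate-inspection-only device can, i.e. without decrypting anything.
Reports the clear-text (outer) SNI and whether an encrypted_client_hello
extension (IANA type 0xfe0d) is present. Sample ClientHellos are constructed
below; hostnames ending in .example are placeholders."""
from fnmatch import fnmatch
import struct

EXT_SERVER_NAME = 0x0000  # server_name (SNI)
EXT_ECH = 0xFE0D          # encrypted_client_hello


def build_client_hello(sni, ech_payload=None):
    """Construct a minimal TLS 1.3-style ClientHello record (test input only)."""
    host = sni.encode("ascii")
    # server_name extension body: list length, name_type host_name(0), name length, name
    sni_body = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    if ech_payload is not None:
        # Real ECH carries an HPKE-encrypted inner ClientHello; here an opaque stand-in
        exts += struct.pack("!HH", EXT_ECH, len(ech_payload)) + ech_payload
    body = (
        b"\x03\x03"              # legacy_version TLS 1.2 (as TLS 1.3 clients send)
        + bytes(32)              # random (zeros in this constructed sample)
        + b"\x00"                # legacy_session_id: empty
        + b"\x00\x02\x13\x01"    # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni', 'ech', 'extensions'} from a ClientHello TLS record.

    Only clear-text fields are read; nothing is decrypted. If the
    extensions block is missing, sni is None and ech is False."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    result = {"sni": None, "ech": False, "extensions": []}
    if pos + 2 > len(body):
        return result
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        result["extensions"].append(ext_type)
        if ext_type == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif ext_type == EXT_ECH:
            result["ech"] = True
    return result


def certificate_inspection_verdict(record, blocked_patterns):
    """Decision a non-decrypting policy can make from the ClientHello alone.

    fnmatch wildcards stand in for FortiGate URL-filter wildcard entries
    (a simplification, not FortiGate's matching code)."""
    info = parse_client_hello(record)
    sni = (info["sni"] or "").lower()
    if any(fnmatch(sni, p.lower()) for p in blocked_patterns):
        return "block"
    if info["ech"]:
        return "allow-ech-hidden"  # real destination sits inside the encrypted inner hello
    return "allow"


if __name__ == "__main__":
    plain = build_client_hello("restricted.example")
    ech = build_client_hello("cloudflare-ech.example", ech_payload=bytes(16))
    print(parse_client_hello(plain))
    print(parse_client_hello(ech))
    print(certificate_inspection_verdict(plain, ["*restricted.example"]))
    print(certificate_inspection_verdict(ech, ["*restricted.example"]))
    print(certificate_inspection_verdict(ech, ["*restricted.example", "*cloudflare-ech*"]))
```

To apply this to a real capture, feed parse_client_hello the first TLS record of the client's first packet from the sniffer or Wireshark output: if ech is True and the SNI is only the provider's outer name, certificate inspection alone cannot see the destination, which is exactly the situation this article addresses and why deep inspection or the wildcard entries in step 2 are needed.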