FortiGate
Sachin_Alex_Cherian_
Article Id 335776

Description

This article describes FortiGate's ability to handle the QUIC/TLS handshake and to perform deep inspection or certificate inspection on HTTP/3 and QUIC traffic.

Scope

FortiOS v7.2.0 and above, FortiProxy v7.4.1 and above.

Solution

QUIC and HTTP/3 inspection are supported starting in the following product and firmware versions:

From v7.4.2, the SSL/SSH inspection profile exposes a quic setting with three options (inspect, bypass, block) that controls how the proxy handles QUIC, for both the https and the dot (DNS over TLS) sections of the profile. The setting only affects proxy-based QUIC processing; flow-based QUIC processing is not affected by it.

config firewall ssl-ssh-profile
    edit <name>
        config https
            set quic {inspect | bypass | block}
        end
        config dot
            set quic {inspect | bypass | block}
        end
    next
end
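As an added example (not part of the original article and not Fortinet's own tooling), the following Python script audits the quic setting across SSL/SSH inspection profiles by parsing the text of show firewall ssl-ssh-profile. The sample configuration is constructed: deep-inspection and certificate-inspection are FortiOS built-in profile names, legacy-bypass is invented for the demo, and the verdict rules (a bypass is reported as a finding, an unset value is flagged for confirmation because show omits defaults) are the script's own.

```python
"""Audit how FortiOS SSL/SSH inspection profiles handle QUIC.

Added example for this article, not Fortinet tooling.  It parses the text of
`show firewall ssl-ssh-profile` and reports, per profile and per section
(https, dot), whether QUIC is inspected, blocked, bypassed or left unset.
A `bypass` in a profile used by proxy-mode policies means HTTP/3 (and
DNS-over-QUIC under `dot`) reaches the proxy without deep inspection, which
is the finding an auditor wants surfaced.
"""
from typing import Dict, List, Tuple

# Constructed sample output; "deep-inspection" and "certificate-inspection"
# are FortiOS built-in profile names, "legacy-bypass" is invented for the demo.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config https
            set ports 443
            set quic inspect
        end
        config dot
            set quic block
        end
    next
    edit "legacy-bypass"
        config https
            set quic bypass
        end
    next
    edit "certificate-inspection"
        config https
            set status certificate-inspection
        end
    next
end
"""

TABLE = "firewall ssl-ssh-profile"
QUIC_SECTIONS = ("https", "dot")

Profiles = Dict[str, Dict[str, Dict[str, str]]]


def parse_profiles(text: str) -> Profiles:
    """Return {profile: {section: {setting: value}}} from FortiOS CLI text.

    FortiOS config nests `config <table>` / `edit <name>` / `config <section>`
    blocks closed by `end` / `next` / `end`.  A small stack tracks the nesting
    so that `set` lines are attributed to the right profile and section.
    """
    profiles: Profiles = {}
    stack: List[Tuple[str, str]] = []  # (kind, name), kind is config or edit
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        kw = tok[0]
        if kw == "config":
            stack.append(("config", " ".join(tok[1:])))
        elif kw == "edit":
            name = " ".join(tok[1:]).strip('"')
            stack.append(("edit", name))
            if len(stack) == 2 and stack[0] == ("config", TABLE):
                profiles.setdefault(name, {})
        elif kw in ("next", "end"):
            if stack:
                stack.pop()
        elif kw == "set" and len(tok) >= 3:
            # Only settings at table / edit / section depth belong to a profile
            if (len(stack) == 3 and stack[0] == ("config", TABLE)
                    and stack[1][0] == "edit" and stack[2][0] == "config"):
                profile, section = stack[1][1], stack[2][1]
                value = " ".join(tok[2:]).strip('"')
                profiles[profile].setdefault(section, {})[tok[1]] = value
    return profiles


def quic_mode(profile: Dict[str, Dict[str, str]], section: str) -> str:
    """QUIC mode for one section, or "unset" when the CLI output omitted it."""
    return profile.get(section, {}).get("quic", "unset")


def audit_quic(profiles: Profiles) -> List[Tuple[str, str, str, str]]:
    """Return (profile, section, mode, verdict) for every profile and section."""
    findings = []
    for name, sections in profiles.items():
        for section in QUIC_SECTIONS:
            mode = quic_mode(sections, section)
            if mode == "bypass":
                verdict = "FAIL: QUIC passes the proxy uninspected"
            elif mode in ("inspect", "block"):
                verdict = "OK"
            elif mode == "unset":
                # `show` omits defaults; confirm with `show full-configuration`
                verdict = "REVIEW: not set, firmware default applies"
            else:
                verdict = f"REVIEW: unexpected value {mode!r}"
            findings.append((name, section, mode, verdict))
    return findings


if __name__ == "__main__":
    for name, section, mode, verdict in audit_quic(parse_profiles(SAMPLE_CONFIG)):
        print(f"{name:24} {section:5} quic={mode:8} {verdict}")
```

On a real unit, replace SAMPLE_CONFIG with the captured output of show firewall ssl-ssh-profile (or show full-configuration firewall ssl-ssh-profile, which also prints defaulted values and removes the REVIEW cases). Because the quic options only govern proxy-based inspection, a bypass is only a real gap in profiles that are referenced by proxy-mode policies; profiles used solely by flow-mode policies are handled by the flow-based HTTP/3 dissector regardless of this setting.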
Notes:

  • QUIC inspection is currently not supported for explicit-proxy policy configurations.
  • On FortiGate models with 2 GB of RAM or less, the QUIC settings are removed from the ssl-ssh-profile in v7.6.0, since the options apply only to proxy-based inspection and flow-based deep inspection does not need them. Under flow-based inspection the HTTP/3 dissector runs by default.
  • FortiOS v7.6.5 introduces support for TLS 1.3 hybrid Post-Quantum Cryptography (PQC) key exchanges in SSL flow-based deep inspection (see the v7.6.5 New features or enhancements release notes). Hybrid PQC key exchange algorithms such as X25519MLKEM768 are frequently used together with QUIC and HTTP/3.