Created on 08-23-2024 05:48 AM, edited on 11-19-2024 01:21 AM, by Jean-Philippe_P
Description: This article describes how FortiGate can now handle the QUIC/TLS handshake and perform deep inspection or certificate inspection for HTTP3 and QUIC traffic.
Scope: FortiGate and FortiProxy running 7.4.1 or higher.
Solution: QUIC connections can now be inspected using the ssl-ssh-profile. This is available on FortiGate and FortiProxy version 7.4.1 and higher. When a firewall policy uses proxy-based inspection and its ssl-ssh-profile has the QUIC setting enabled under HTTPS, all traffic on the configured HTTPS ports is redirected to WAD (the proxy daemon) for inspection. The same applies to a FortiProxy policy configured as a transparent proxy.
config firewall ssl-ssh-profile
    edit "custom-inspect-quic"
        config https
            set ports 443
            set status deep-inspection
            set quic inspect
        end
    end
The QUIC setting accepts one of inspect, bypass or block. The same setting can also be enabled for certificate inspection.
DNS over HTTP3 inspection is now supported as well:
config firewall ssl-ssh-profile
    edit "custom-inspect-quic"
        config dot
            set quic inspect
        end
    end
Note: QUIC inspection is not supported for the below scenarios:
FG40FI-2 (custom-deep-insp~ion) # config https
FG40FI-2 (https) # set ports 443
FG40FI-2 (https) # set quic inspect
Command parse error before 'quic'
Copyright 2025 Fortinet, Inc. All Rights Reserved.