Created on 08-23-2024 05:48 AM
Edited on 11-19-2024 01:21 AM
By Jean-Philippe_P
Description
This article describes how FortiGate now handles the QUIC/TLS handshake and performs deep inspection or certificate inspection on HTTP/3 and QUIC traffic.

Scope
FortiGate and FortiProxy running 7.4.1 or higher.

Solution
QUIC connections can now be inspected using the ssl-ssh-profile. This is supported on FortiGate and FortiProxy 7.4.1 and higher. When a firewall policy uses proxy-based inspection and the ssl-ssh-profile applied to it has the QUIC setting enabled under HTTPS, all traffic on the configured HTTPS ports is redirected to WAD (the proxy daemon) for inspection. The same applies to a FortiProxy policy configured as a transparent proxy.

    config firewall ssl-ssh-profile
        edit "custom-inspect-quic"
            config https
                set ports 443
                set status deep-inspection
                set quic inspect
            end
        end

The values available for the quic setting are inspect, bypass and block. The same setting can also be enabled when the https status is certificate-inspection.

DNS over HTTP/3 inspection is also supported, using the quic setting under the dot section:

    config firewall ssl-ssh-profile
        edit "custom-inspect-quic"
            config dot
                set quic inspect
            end
        end
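A practical way to confirm that the quic setting above has actually been applied across all profiles is to audit a configuration backup rather than each profile by hand. The following script is an added example and is not Fortinet's code: it parses the "config firewall ssl-ssh-profile" table from a FortiOS-style backup (the SAMPLE_CONFIG text is constructed for the example, not taken from a device), then reports any profile that inspects HTTPS on TCP but leaves QUIC set to bypass or not set at all, since such a profile lets HTTP/3 flows evade the inspection applied to the TCP path. The parser only handles the indentation-free config/edit/set/next/end grammar shown on this page; the default value of an unset quic option is not assumed, the finding simply asks that it be verified.

```python
from collections import defaultdict

# Constructed sample of a FortiOS-style configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "custom-inspect-quic"
        config https
            set ports 443
            set status deep-inspection
            set quic inspect
        end
        config dot
            set quic inspect
        end
    next
    edit "legacy-deep-inspection"
        config https
            set ports 443
            set status deep-inspection
        end
    next
    edit "cert-inspect-bypass-quic"
        config https
            set ports 443
            set status certificate-inspection
            set quic bypass
        end
    next
    edit "block-quic"
        config https
            set ports 443
            set status deep-inspection
            set quic block
        end
    next
end
config firewall policy
    edit 1
        set ssl-ssh-profile "legacy-deep-inspection"
    next
end
"""


def parse_ssl_ssh_profiles(config_text):
    """Return {profile_name: {section: {key: value}}} for every ssl-ssh-profile.

    Only the 'config firewall ssl-ssh-profile' table is parsed; other tables
    (firewall policy, etc.) are skipped. Settings placed directly under an
    'edit' entry rather than inside a sub-section are stored under '_top'.
    """
    profiles = {}
    in_table = False
    profile = None
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_table:
            if line == "config firewall ssl-ssh-profile":
                in_table = True
            continue
        if line.startswith("edit "):
            profile = line[5:].strip().strip('"')
            profiles[profile] = defaultdict(dict)
            section = None
        elif line.startswith("config ") and profile is not None:
            section = line[7:].strip()           # e.g. "https" or "dot"
        elif line.startswith("set ") and profile is not None:
            key, _, value = line[4:].partition(" ")
            profiles[profile][section or "_top"][key] = value.strip()
        elif line == "end":
            if section is not None:
                section = None                   # closes a sub-section
            else:
                in_table = False                 # closes the whole table
        elif line == "next":
            profile = None
            section = None
    return {name: dict(sections) for name, sections in profiles.items()}


# HTTPS status values under which TCP TLS traffic is inspected.
INSPECTING = {"deep-inspection", "certificate-inspection"}


def audit_quic(profiles):
    """Flag profiles whose HTTPS section inspects TLS but leaves QUIC uninspected.

    Returns {profile_name: finding}; profiles with no finding are omitted.
    'inspect' and 'block' both leave no uninspected QUIC path, so they pass.
    """
    findings = {}
    for name, sections in profiles.items():
        https = sections.get("https", {})
        if https.get("status") not in INSPECTING:
            continue  # HTTPS is not inspected at all, so the quic setting is moot
        quic = https.get("quic")
        if quic is None:
            findings[name] = "quic not set: verify the firmware default before relying on inspection"
        elif quic == "bypass":
            findings[name] = "quic bypass: HTTP/3 flows skip the TLS inspection applied to TCP"
    return findings


if __name__ == "__main__":
    for name, finding in audit_quic(parse_ssl_ssh_profiles(SAMPLE_CONFIG)).items():
        print(f"{name}: {finding}")
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; a profile that appears in the output should either get "set quic inspect" (or "block", if forcing clients back to TCP is acceptable) or be confirmed as intentionally uninspected.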
Note: QUIC inspection is not supported for the below scenarios:
    FG40FI-2 (custom-deep-insp~ion) # config https
    FG40FI-2 (https) # set ports 443
    FG40FI-2 (https) # set quic inspect
    Command parse error before 'quic'