akileshc
Staff
Article Id 386575
Description This article describes the expected behavior when the QUIC option is set to 'block' in an SSL/SSH inspection profile and guides how to adjust the configuration to allow or inspect QUIC (HTTP/3) traffic.
Scope FortiOS, with SSL/SSH inspection profiles applied to policies that handle HTTPS/QUIC traffic.
Solution

When the QUIC option in the SSL/SSH inspection profile is set to 'block', FortiGate will deny QUIC traffic. This behavior is expected and is reflected in traffic logs similar to the example below:


action="deny" service="udp/443" msg="Traffic denied because of quic inspection setting."

To change this behavior, verify and modify the QUIC setting in the SSL/SSH inspection profile that is applied to the relevant policy. The following commands set the option to 'inspect'; substitute 'bypass' on the 'set quic' line to allow QUIC traffic without inspection:


config firewall ssl-ssh-profile
    edit <profile_name>
        config https
            set quic inspect
        end
end

Note: Replace '<profile_name>' with the name of the SSL/SSH inspection profile in use.


Available options for the QUIC setting:

  • 'inspect': Inspect QUIC (HTTP/3) traffic.
  • 'bypass': Allow QUIC traffic without inspection.
  • 'block': Deny QUIC traffic entirely.


If inspection of HTTP/3 traffic over QUIC is required, set the option to 'inspect'. There is no setting labeled 'allow'. Instead, use 'bypass' to permit the traffic without inspection.
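As an added example (not part of the original article), the following Python script parses FortiOS key=value traffic log lines, picks out the denials caused by the QUIC inspection setting described above, and builds the corresponding CLI change while rejecting the non-existent 'allow' value. The log lines are constructed samples, and the profile name is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample traffic log lines (not from a real device). The first one
# mirrors the denial message quoted in the article; the others are distractors.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:00 action="deny" srcip=10.0.0.5 dstip=203.0.113.10 '
    'service="udp/443" msg="Traffic denied because of quic inspection setting."',
    'date=2024-01-01 time=10:00:01 action="accept" srcip=10.0.0.6 dstip=203.0.113.11 '
    'service="HTTPS" msg="Accepted"',
    'date=2024-01-01 time=10:00:02 action="deny" srcip=10.0.0.7 dstip=203.0.113.12 '
    'service="udp/443" msg="Traffic denied by policy."',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

VALID_QUIC_MODES = ("inspect", "bypass", "block")


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_quic_inspection_denial(fields: Dict[str, str]) -> bool:
    """True when the deny was caused by the SSL/SSH profile's QUIC setting."""
    return (fields.get("action") == "deny"
            and "quic inspection setting" in fields.get("msg", "").lower())


def find_quic_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed records for every QUIC-inspection denial in the input."""
    parsed = (parse_fortios_log(line) for line in lines)
    return [f for f in parsed if is_quic_inspection_denial(f)]


def quic_setting_commands(profile_name: str, mode: str) -> str:
    """Build the CLI block from the article; 'allow' is not a valid mode."""
    if mode not in VALID_QUIC_MODES:
        raise ValueError(f"quic mode must be one of {VALID_QUIC_MODES}, got {mode!r}")
    return ("config firewall ssl-ssh-profile\n"
            f"    edit {profile_name}\n"
            "        config https\n"
            f"            set quic {mode}\n"
            "        end\n"
            "end")
```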