FortiGate
duenlim
Staff
Article Id 394647
Description This article describes how FortiGate can block access to domains that use Encrypted Client Hello (ECH).
Scope FortiGate v7.4 and v7.6.
Solution
  1. Certificate inspection with static URL filtering (Web Filter) generally works on the website landing page or the URL domain name, such as https://example.com or https://www.fortinet.com, but not on URL paths such as https://example.com/fortinet or https://www.fortinet.com/example. For more information, refer to Technical Tip: Using a static URL filter feature to allow/block web sites.

  2. Static URL filtering has been configured as shown below, but it is unable to block the URLs torrentz.eu.com, pirateproxy-bay.com, and thepiratebay.org.

config webfilter urlfilter
    edit 1
        set name "Block URLs"
        config entries
            edit 1
                set url "*pirateproxy-bay*"
                set type wildcard
                set action block
            next
            edit 2
                set url "*thepiratebay*"
                set type wildcard
                set action block
            next
            edit 3
                set url "*torrentz*"
                set type wildcard
                set action block
            next
        end
    next
end

The static URL filter then needs to be applied to a web filter profile:

config webfilter profile
    edit "Block URLs"
        config web
            set urlfilter-table 1
        end
    next
end

For more information about web filtering and static URL filters, see the documentation:

Configuring a web filter profile

Static URL filter

  3. The packet capture shows that access to https://pirateproxy-bay.com is made via the Cloudflare Server Name: the outer ClientHello carries only the public name (cloudflare-ech.com) and the real server name is encrypted, so a filter that relies on the visible SNI or the server certificate cannot match the domain.

StaticURLFiltering_Cloudflare-ech.png

Note:

For more information, refer to the following resources:

Oblivious DNS - Cloudflare Blog
Announcing encrypted client hello - Cloudflare Blog

  4. To block those domain names that are accessed via the Cloudflare Server Name, set encrypted-client-hello to block in the SSL/SSH inspection profile and list the outer SNI names under ech-outer-sni. Enable QUIC inspection (set quic inspect) if the firewall policy is in proxy-based inspection mode. Refer to Control TLS connections that utilize Encrypted Client Hello v7.4.4.

config firewall ssl-ssh-profile
    edit "block-ech"
        config https
            set ports 443
            set status certificate-inspection
            set quic inspect
            set encrypted-client-hello block
        end
        config ech-outer-sni
            edit "cloudflare"
                set sni "cloudflare-ech.com"
            next
            edit "tls-ech"
                set sni "public.tls-ech.dev"
            next
            edit "pirateproxy"
                set sni "pirateproxy-bay.com"
            next
            edit "thepiratebay"
                set sni "thepirate.org"
            next
            edit "torrentz"
                set sni "torrentz.eu.com"
            next
        end
    next
end
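As an added example that is not part of this article or of FortiOS, the following Python script illustrates why the static URL filter in step 2 misses these domains and what the outer-SNI list in step 4 matches on. It builds a constructed TLS 1.3 ClientHello record, extracts the visible (outer) server_name and checks for the encrypted_client_hello extension (type 0xfe0d), then applies a simplified model of the two policies using the names from the article. The record contents, the ECH payload bytes and the decision logic are assumptions for illustration, not FortiGate's implementation.

```python
import fnmatch
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name (RFC 6066)
ECH_EXTENSION_TYPE = 0xFE0D   # encrypted_client_hello (draft-ietf-tls-esni)

# Names taken from the article's configuration.
URL_FILTER_WILDCARDS = ["*pirateproxy-bay*", "*thepiratebay*", "*torrentz*"]
ECH_OUTER_SNI_LIST = ["cloudflare-ech.com", "public.tls-ech.dev",
                      "pirateproxy-bay.com", "thepirate.org", "torrentz.eu.com"]


def build_client_hello(sni: str, with_ech: bool) -> bytes:
    """Build a minimal, constructed TLS ClientHello record carrying the given outer SNI."""
    name = sni.encode("ascii")
    # server_name extension: list length, name_type=host_name(0), name length, name
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data
    if with_ech:
        # Constructed ECHClientHello (outer): type, cipher_suite, config_id, enc, payload.
        # The enc/payload bytes are placeholders for the real HPKE ciphertext.
        ech_data = (b"\x00" + b"\x00\x01\x00\x01" + b"\x42"
                    + struct.pack("!H", 16) + b"\xaa" * 16
                    + struct.pack("!H", 8) + b"\xbb" * 8)
        exts += struct.pack("!HH", ECH_EXTENSION_TYPE, len(ech_data)) + ech_data
    body = (b"\x03\x03"                          # legacy_version TLS 1.2
            + b"\x11" * 32                       # random (constructed, not random)
            + b"\x00"                            # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                        # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the outer SNI (what an inspecting device can see) and whether ECH is present."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    result = {"outer_sni": None, "has_ech": False}
    while pos + 4 <= end:
        ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + data_len]
        pos += data_len
        if ext_type == SNI_EXTENSION_TYPE and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]
            result["outer_sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif ext_type == ECH_EXTENSION_TYPE:
            result["has_ech"] = True
    return result


def inspection_verdict(record: bytes, ech_block: bool = False) -> str:
    """Simplified model of the article's policies applied to the visible ClientHello fields.

    Step 2 (static URL filter) can only match the outer SNI. Step 4 (encrypted-client-hello
    block plus ech-outer-sni) acts on ECH connections whose outer SNI is in the list.
    """
    info = parse_client_hello(record)
    sni = info["outer_sni"] or ""
    if any(fnmatch.fnmatchcase(sni, pattern) for pattern in URL_FILTER_WILDCARDS):
        return "block:urlfilter"
    if ech_block and info["has_ech"] and sni in ECH_OUTER_SNI_LIST:
        return "block:ech-outer-sni"
    return "allow"


if __name__ == "__main__":
    plain = build_client_hello("pirateproxy-bay.com", with_ech=False)
    ech = build_client_hello("cloudflare-ech.com", with_ech=True)
    print(parse_client_hello(plain), inspection_verdict(plain))
    print(parse_client_hello(ech), inspection_verdict(ech), inspection_verdict(ech, ech_block=True))
```

Without ECH the wildcard filter sees pirateproxy-bay.com in the outer SNI and blocks it; with ECH the only visible name is cloudflare-ech.com, which matches none of the wildcards, so the connection is allowed until the profile blocks ECH for that outer SNI.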