Created on 11-12-2024 10:19 PM. Edited on 11-19-2025 01:09 PM by Jean-Philippe_P.
| Description | This article describes a possible troubleshooting step to allow websites blocked as a result of the Cloudflare encrypted client hello (ECH) protocol. |
| Scope | FortiGate with Deep Packet Inspection (DPI) enabled. |
Solution

Some websites become unreachable when a browser attempts a TLS 1.3 handshake with Encrypted Client Hello (ECH) to a Cloudflare-hosted site and the traffic crosses a FortiGate firewall policy that applies Deep Packet Inspection (DPI, that is, full SSL inspection) to the client's sessions. The browser shows the error ERR_ECH_NOT_NEGOTIATED.

With ECH, the browser obtains the site's ECH configuration from its DNS HTTPS record and then sends a ClientHello whose visible (outer) SNI is Cloudflare's shared public name, cloudflare-ech.com, while the real site name travels only in the encrypted inner ClientHello. The FortiGate can see nothing but the outer SNI, so it treats the session as ordinary inspectable traffic and terminates TLS itself. Because the inspecting proxy does not support ECH, the browser receives a handshake that neither accepts ECH nor returns retry configurations, and it aborts the connection with ERR_ECH_NOT_NEGOTIATED. Since every ECH-enabled Cloudflare site presents the same outer name, all of them fail to load, not just one.

Solution: Add cloudflare-ech.com to the SSL exemption list of the SSL/SSH inspection profile used by the affected policy.

The FortiGate then passes sessions whose SNI is cloudflare-ech.com without intercepting them. The ECH handshake completes end to end with Cloudflare, the browser gets a valid ECH acceptance, and the site opens normally.

Caveat: this exemption means the FortiGate no longer decrypts or inspects any Cloudflare-hosted site that the client reaches with ECH, and because the real host name is encrypted it cannot apply per-site exemptions or host-based filtering to those sessions. If inspection of that traffic is required, the alternative is to block ECH so that browsers fall back to a plain ClientHello, as described in the KB article on blocking ECH referenced at the end of this article.
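The exemption described above, written out in the FortiOS CLI as an added example that is not part of the original article. It assumes the affected policy uses the built-in full-inspection profile named custom-deep-inspection; the address object name and the exempt entry ID 100 are chosen here and may be any unused values. Check which profile the policy actually references (the ssl-ssh-profile setting under config firewall policy) and edit that one.

```fortios
# Added example (not from the original article).
# Assumptions: profile "custom-deep-inspection", exempt entry ID 100.

# 1. FQDN address object for the ECH public name that appears as the outer SNI.
config firewall address
    edit "cloudflare-ech.com"
        set type fqdn
        set fqdn "cloudflare-ech.com"
    next
end

# 2. Exempt that address from SSL inspection in the full-inspection profile.
#    Sessions whose SNI resolves to this object are passed through untouched.
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 100
                set type address
                set address "cloudflare-ech.com"
            next
        end
    next
end

# 3. Confirm the entry was stored in the profile.
show firewall ssl-ssh-profile custom-deep-inspection
```

The same change can be made in the GUI under Security Profiles > SSL/SSH Inspection by opening the profile and adding the address under the section that exempts addresses from SSL inspection. After applying it, reload the affected site in the browser; a session whose outer SNI is cloudflare-ech.com should now complete without ERR_ECH_NOT_NEGOTIATED.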
For more information about Encrypted Client Hello and how to block it, see the KB article Technical Tip: How to block TLS 1.3 Encrypted Client Hello (ECH) in FortiGate firewalls. Related: Troubleshooting Tip: Page blocked with ERR_ECH_NOT_NEGOTIATED.
Copyright 2025 Fortinet, Inc. All Rights Reserved.