Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
FortiArt
Staff
Staff

Created on ‎11-12-2024 10:19 PM Edited on ‎11-15-2024 03:21 AM By Community Manager

Article Id 356557

Troubleshooting Tip: Cloudflare's ECH Blocked Websites with Deep Packet Inspection (DPI)

Description This article describes a possible troubleshooting step to allow websites blocked as a result of Cloudflare encrypted client hello (ECH) protocol.
Scope FortiGate with DPI.
Solution

If some websites are not accessible because of Cloudflare's ECH protocol during TLS handshake and firewall policy managing the source devices using DPI, exempting Cloudflare's ECH FQDN address in the relevant SSL-SSH profile will allow the traffic.

 

image-1.PNG

 

image-2.PNG

 

 

More information about Encrypted Packet Hello and how to block it in the following KB article:

Technical Tip: How to block TLS 1.3 Encrypted Client Hello (ECH) in FortiGate firewalls
355
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.