FortiGate
esalija
Staff
Article Id 397003
Description This article describes the error 'https:-2 - Must set at least one port for HTTP3(QUIC)' that is raised when installing a security policy from FortiManager to a FortiGate.
Scope FortiManager, FortiGate.
Solution
  • The error appears while installing a firewall policy from FortiManager to the FortiGate.
  • On the FortiManager, enable debugging for the security console, then run the installation again so its output is captured:

diagnose debug application securityconsole 255
diagnose debug enable

  • In the output, the HTTPS section of the SSL/SSH inspection profile has an empty 'ports' field, which is what the TCL error refers to:

 

TCL error(Must set at least one port for HTTP3(QUIC).).
obj https
cert-probe-failure:block
cert-validation-failure:block
cert-validation-timeout:allow
client-certificate:bypass
encrypted-client-hello:block
expired-server-cert:block
min-allowed-ssl-version:tls-1.1
ports:                                                       <---
proxy-after-tcp-handshake:disable
quic:inspect
revoked-server-cert:block
sni-server-cert-check:enable
status:disable
unsupported-ssl-cipher:allow
unsupported-ssl-negotiation:allow
unsupported-ssl-version:block
untrusted-server-cert:allow

 

  • This is a known FortiManager issue, 1152640, scheduled to be fixed in FortiManager v7.4.8 and v7.6.4.
  • Until then, work around it as follows:

  1. Edit the SSL/SSH inspection profile used by the policy and, under 'Protocol Port Mapping', add a port for HTTPS (for example, '443') even if HTTPS inspection is disabled: enable the HTTPS option, enter the port, disable the option again, and save the profile.
  2. Do the same for the default 'no-inspection' profile under 'Policy & Objects' | 'Security Profiles', adding the HTTPS port there as well.
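As an added example (not Fortinet code and not part of this article), the script below parses the 'obj https' key:value block that the securityconsole debug prints and flags the condition behind the TCL error: an SSL/SSH inspection profile section with 'quic:inspect' and an empty 'ports' field, regardless of whether its 'status' is disabled. Running it over saved debug output before re-installing shows whether the workaround above actually took effect. The sample texts are constructed from the output shown in this article; the assumption that a populated 'ports' value lists ports separated by spaces or commas is mine, not documented behaviour.

```python
"""Flag SSL/SSH inspection sections that inspect QUIC but list no ports.

Added example, not Fortinet code. Input is the 'obj <section>' key:value
format printed by 'diagnose debug application securityconsole 255' on
FortiManager, as quoted in the article above.
"""
import re

# Constructed sample: the article's debug output, trimmed to the lines used here.
SAMPLE_DEBUG = """\
TCL error(Must set at least one port for HTTP3(QUIC).).
obj https
cert-probe-failure:block
cert-validation-failure:block
min-allowed-ssl-version:tls-1.1
ports:                                                       <---
proxy-after-tcp-handshake:disable
quic:inspect
status:disable
untrusted-server-cert:allow
"""

# Constructed sample of the same section after the workaround: port 443 added,
# HTTPS inspection still disabled. Not captured from a device.
SAMPLE_FIXED = """\
obj https
cert-probe-failure:block
ports:443
quic:inspect
status:disable
"""

TCL_ERROR_RE = re.compile(r"^TCL error\((.*)\)\.$")
OBJ_RE = re.compile(r"^obj\s+(\S+)$")
MARKER_RE = re.compile(r"\s*<-+\s*$")  # strips annotation arrows such as '<---'


def tcl_errors(text):
    """Collect the messages from 'TCL error(...)' lines in the debug output."""
    errors = []
    for line in text.splitlines():
        m = TCL_ERROR_RE.match(line.strip())
        if m:
            errors.append(m.group(1))
    return errors


def parse_obj_blocks(text):
    """Return {section_name: {key: value}} for each 'obj <name>' block."""
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = MARKER_RE.sub("", raw.strip())
        if not line:
            continue
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = {}
            continue
        if current is None or ":" not in line:
            continue  # lines before the first 'obj' block, e.g. the TCL error
        key, _, value = line.partition(":")
        blocks[current][key.strip()] = value.strip()  # empty string when unset
    return blocks


def ports_of(section):
    """Ports listed in a section; [] when the field is empty.

    Assumption: a populated value separates ports with spaces or commas.
    """
    raw = section.get("ports", "")
    return [int(p) for p in re.split(r"[\s,]+", raw) if p]


def quic_port_problems(blocks):
    """Names of sections with 'quic:inspect' but no ports.

    The check ignores 'status': the article's profile is rejected with
    status:disable, which is why the workaround adds a port even to a
    disabled HTTPS section.
    """
    return [
        name
        for name, section in blocks.items()
        if section.get("quic") == "inspect" and not ports_of(section)
    ]


def check(text):
    """Summarise one debug capture: TCL errors seen and offending sections."""
    blocks = parse_obj_blocks(text)
    return {
        "tcl_errors": tcl_errors(text),
        "quic_without_ports": quic_port_problems(blocks),
    }


if __name__ == "__main__":
    print("before workaround:", check(SAMPLE_DEBUG))
    print("after workaround: ", check(SAMPLE_FIXED))
```

Feed it the real capture (for example by reading the file the debug session was logged to) in place of the constructed samples; an empty 'quic_without_ports' list means the profile no longer has the combination that triggers the error.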