Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dtogkas
Staff
Staff

Created on ‎11-06-2025 03:08 AM Edited on ‎11-10-2025 02:58 AM By Moderator

Article Id 418017

Troubleshooting Tip: Resolving Safari connection issues on the latest iOS/MacOS with FortiGate

Description This article describes the steps to resolve connection issues with Safari on macOS when using FortiGate with Proxy-Inspection and UTM activated. The issue is caused by the QUIC protocol and can be resolved by blocking QUIC or using a flow mode policy.
Scope FortiGate v7.4.8 and below, iOS/MacOS.
Solution

In the latest iOS/MacOS releases, such as iOS 18, HTTP/3 is turned on by default on Safari, and its implementation omits the 'max_idle_timeout' transport parameter for the QUIC protocol, which is causing issues when using a Firewall Policy in Proxy-Based inspection with UTM enabled.

 

On the contrary, when using Firefox or Google Chrome, the issue is not presented.

 

The client side gets stuck with no errors presented in the WAD Debug output, even if the level is verbose.

 

To resolve the connection issues with Safari on macOS, one of the following options can be implemented:

 

  1. If using the default Certificate-Inspection profile in the Firewall Policy, clone it and under HTTPS settings, configure to bypass QUIC protocol:

 

config firewall ssl-ssh-profile
    edit "Clone of certificate-inspection"
        config https
            set quic bypass
        end
    next
end

 

  1. Alternatively, use a flow mode policy instead of a proxy mode policy with UTM enabled.

 

config firewall policy
    edit X
        set inspection-mode flow
    next
end

 

  1. Block QUIC protocol via Application-Control profile and apply that to the Firewall Policy.

     

  2. Create a custom service object and name it QUIC using UDP 443 as the port. Then, clone the ALLOW Firewall Policy for this traffic, replace the 'Service' using the new custom service named 'QUIC', and as 'Action' select 'Deny'. Blocking the QUIC protocol will resolve the issue.

     

config firewall service custom
    edit "QUIC"
        set udp-portrange 443
    next
end
config firewall policy
    edit “X”
        set service “QUIC”
        set action deny
    next
end

 

Note: The issue is caused by omitting the 'max_idle_timeout' transport parameter on Safari when using HTTP/3. A FortiOS fix has been introduced in versions 7.4.9 and 7.6.1 to continue using Proxy-Based Inspection Firewall Policy with UTM enabled. If running an earlier version, it may be necessary to upgrade to resolve the issue.

 

Apple addressed part of the QUIC implementation in iOS 18.1 and macOS 15.1. However, the 'max_idle_timeout' parameter is still omitted in certain conditions (e.g., reused QUIC connections after Alt-Svc). Users on 18.1+ may still experience intermittent stalls with proxy-based UTM until FortiOS v7.4.9 or v7.6.1 is deployed.
Labels:
656
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.