FortiGate
dtogkas
Staff
Article Id 418017
Description This article describes how to resolve connection issues with Safari on macOS when the traffic passes through a FortiGate Firewall Policy in proxy-based inspection mode with UTM enabled. The issue is caused by the QUIC protocol and can be resolved by bypassing or blocking QUIC, or by using a flow-mode policy.
Scope FortiGate v7.4.8 and below, iOS/macOS.
Solution

In the latest iOS/macOS releases, such as iOS 18, HTTP/3 is enabled by default in Safari, and its implementation omits the 'max_idle_timeout' QUIC transport parameter. This causes connection issues when the traffic matches a Firewall Policy in proxy-based inspection mode with UTM enabled.


The issue does not occur with Firefox or Google Chrome.


On the client side, the connection hangs, and no errors appear in the WAD debug output, even at verbose level.
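The transport-parameter detail behind this behaviour can be checked directly from a capture. The following Python script is an added example, not Fortinet or Apple code: it decodes a QUIC transport-parameter list as laid out in RFC 9000 section 18 (a sequence of varint ID, varint length, value) and reports whether max_idle_timeout (parameter ID 0x01) is present. The two byte strings it parses are constructed by hand to show one client that sends the parameter and one that omits it; they are not captures from Safari. Per RFC 9000, the idle timeout is disabled when both endpoints omit this parameter or set it to 0, which is the state a proxy tracking the connection then has to cope with.

```python
"""Decode QUIC transport parameters (RFC 9000 section 18) and report
whether max_idle_timeout (ID 0x01) is present.

Added example for this article, not Fortinet or Apple code. The sample
byte strings below are constructed by hand to illustrate the encoding;
they are not captured from Safari."""

# Transport parameter IDs from RFC 9000 section 18.2 (subset).
TP_NAMES = {
    0x01: "max_idle_timeout",
    0x03: "max_udp_payload_size",
    0x04: "initial_max_data",
    0x05: "initial_max_stream_data_bidi_local",
    0x06: "initial_max_stream_data_bidi_remote",
    0x07: "initial_max_stream_data_uni",
    0x08: "initial_max_streams_bidi",
    0x09: "initial_max_streams_uni",
}
MAX_IDLE_TIMEOUT = 0x01


def decode_varint(buf: bytes, pos: int):
    """Decode one RFC 9000 variable-length integer starting at buf[pos].
    The top two bits of the first byte select a 1-, 2-, 4- or 8-byte
    encoding. Returns (value, position after the varint)."""
    if pos >= len(buf):
        raise ValueError("truncated varint")
    first = buf[pos]
    length = 1 << (first >> 6)
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    value = first & 0x3F
    for b in buf[pos + 1:pos + length]:
        value = (value << 8) | b
    return value, pos + length


def encode_varint(value: int) -> bytes:
    """Encode an integer as an RFC 9000 varint (used to build the samples)."""
    if value < 0x40:
        return bytes([value])
    if value < 0x4000:
        return (value | 0x4000).to_bytes(2, "big")
    if value < 0x40000000:
        return (value | 0x80000000).to_bytes(4, "big")
    if value < 0x4000000000000000:
        return (value | 0xC000000000000000).to_bytes(8, "big")
    raise ValueError("value too large for varint")


def parse_transport_parameters(blob: bytes) -> dict:
    """Parse the id/length/value list into {id: raw value bytes}."""
    params = {}
    pos = 0
    while pos < len(blob):
        tp_id, pos = decode_varint(blob, pos)
        tp_len, pos = decode_varint(blob, pos)
        if pos + tp_len > len(blob):
            raise ValueError(f"parameter 0x{tp_id:x} runs past end of data")
        params[tp_id] = blob[pos:pos + tp_len]
        pos += tp_len
    return params


def idle_timeout_ms(blob: bytes):
    """Return max_idle_timeout in milliseconds, or None when the peer
    omitted the parameter entirely."""
    raw = parse_transport_parameters(blob).get(MAX_IDLE_TIMEOUT)
    if raw is None:
        return None
    value, end = decode_varint(raw, 0)
    if end != len(raw):
        raise ValueError("max_idle_timeout value is not a single varint")
    return value


def build_params(entries: dict) -> bytes:
    """Build a transport-parameter blob from {id: int value} (sample helper)."""
    out = b""
    for tp_id, val in entries.items():
        v = encode_varint(val)
        out += encode_varint(tp_id) + encode_varint(len(v)) + v
    return out


# Constructed samples: a client sending max_idle_timeout = 30000 ms, and one
# that omits it, as the article reports Safari's HTTP/3 stack does.
WITH_TIMEOUT = build_params({0x01: 30000, 0x04: 1048576, 0x08: 100})
WITHOUT_TIMEOUT = build_params({0x04: 1048576, 0x08: 100})

if __name__ == "__main__":
    for label, blob in (("with", WITH_TIMEOUT), ("without", WITHOUT_TIMEOUT)):
        t = idle_timeout_ms(blob)
        names = [TP_NAMES.get(i, hex(i)) for i in parse_transport_parameters(blob)]
        print(f"{label}: params={names} max_idle_timeout={'omitted' if t is None else t}")
```

In a real capture, the bytes to feed into parse_transport_parameters come from the quic_transport_parameters TLS extension of the ClientHello carried in the client's Initial packet; Wireshark decodes Initial packets without extra key material, since their protection keys derive from the destination connection ID.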


To resolve the connection issues with Safari on macOS, one of the following options can be implemented:


  1. If the default certificate-inspection profile is used in the Firewall Policy, clone it and, under the HTTPS settings, set the QUIC protocol to bypass:


config firewall ssl-ssh-profile
    edit "Clone of certificate-inspection"
        config https
            set quic bypass
        end
    next
end


  2. Alternatively, use a flow-mode policy instead of a proxy-mode policy with UTM enabled (X is the policy ID):


config firewall policy
    edit X
        set inspection-mode flow
    next
end


  3. Block the QUIC protocol with an Application Control profile and apply that profile to the Firewall Policy.


  4. Create a custom service object named QUIC with UDP port 443. Then clone the ALLOW Firewall Policy that matches this traffic, replace its 'Service' with the new custom service 'QUIC', and set 'Action' to 'Deny'. Blocking the QUIC protocol resolves the issue.


config firewall service custom
    edit "QUIC"
        set udp-portrange 443
    next
end
config firewall policy
    edit X
        set service "QUIC"
        set action deny
    next
end
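After applying one of the options above, it is useful to confirm from a configuration backup that the intended mitigation is actually in place and that no proxy-mode policy still references a profile that inspects QUIC. The following Python script is an added example, not Fortinet code: it parses the config/edit/set/next/end structure used in the snippets above (a small subset of the FortiOS CLI grammar, not a full parser) and reports which of the four mitigations it finds. SAMPLE_CONFIG is constructed for illustration; it combines the article's snippets with a plain proxy-mode allow policy (ID 2) that is still affected.

```python
"""Audit a FortiOS configuration for the QUIC mitigations in this article.
Added example, not Fortinet code. The parser handles config/edit/set/next/end
nesting as seen in the snippets above, not the full FortiOS grammar, and
SAMPLE_CONFIG is constructed for illustration."""
import shlex


def _node():
    return {"entries": {}, "settings": {}, "configs": {}}


def parse_fortios_config(text: str) -> dict:
    """Build a nested dict from FortiOS CLI text: 'config X' opens
    node["configs"][X], 'edit N' opens node["entries"][N], 'set k v...'
    stores node["settings"][k] = [v, ...], and next/end close the level."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        kw, args = parts[0], parts[1:]
        if kw == "config":
            stack.append(stack[-1]["configs"].setdefault(" ".join(args), _node()))
        elif kw == "edit":
            stack.append(stack[-1]["entries"].setdefault(" ".join(args), _node()))
        elif kw == "set" and args:
            stack[-1]["settings"][args[0]] = args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def _first(settings: dict, key: str) -> str:
    vals = settings.get(key)
    return vals[0] if vals else ""


def audit_quic_mitigations(cfg: dict) -> dict:
    """Report present mitigations and proxy-mode policies still exposed."""
    report = {"ssl_profiles_quic_bypassed_or_blocked": [], "flow_mode_policies": [],
              "quic_deny_policies": [], "proxy_policies_without_quic_bypass_or_block": []}
    profiles = cfg["configs"].get("firewall ssl-ssh-profile", _node())["entries"]
    quic_mode = {}  # profile name -> value of 'set quic' under 'config https'
    for name, prof in profiles.items():
        quic_mode[name] = _first(prof["configs"].get("https", _node())["settings"], "quic")
        if quic_mode[name] in ("bypass", "block"):
            report["ssl_profiles_quic_bypassed_or_blocked"].append((name, quic_mode[name]))
    # Custom services whose UDP port range starts at 443 ("443", "443-443", "443:1-65535").
    services = cfg["configs"].get("firewall service custom", _node())["entries"]
    udp443 = {n for n, s in services.items()
              if any(p.split(":")[0].split("-")[0] == "443"
                     for p in s["settings"].get("udp-portrange", []))}
    policies = cfg["configs"].get("firewall policy", _node())["entries"]
    for pid, pol in policies.items():
        s = pol["settings"]
        if _first(s, "action") == "deny" and udp443 & set(s.get("service", [])):
            report["quic_deny_policies"].append(pid)
        elif _first(s, "inspection-mode") == "flow":
            report["flow_mode_policies"].append(pid)
        elif (_first(s, "inspection-mode") == "proxy"
              and quic_mode.get(_first(s, "ssl-ssh-profile")) not in ("bypass", "block")):
            report["proxy_policies_without_quic_bypass_or_block"].append(pid)
    return report


# Constructed sample: the article's snippets plus a proxy-mode allow policy (2)
# that still uses the unmodified default profile.
SAMPLE_CONFIG = """
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        config https
            set ports 443
        end
    next
    edit "Clone of certificate-inspection"
        config https
            set ports 443
            set quic bypass
        end
    next
end
config firewall service custom
    edit "QUIC"
        set udp-portrange 443
    next
end
config firewall policy
    edit 1
        set service "QUIC"
        set action deny
    next
    edit 2
        set service "ALL"
        set action accept
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 3
        set service "ALL"
        set action accept
        set inspection-mode flow
    next
end
"""

if __name__ == "__main__":
    for key, value in audit_quic_mitigations(parse_fortios_config(SAMPLE_CONFIG)).items():
        print(f"{key}: {value}")
```

Feed it the output of a `show full-configuration` or a backup file in place of SAMPLE_CONFIG. The script checks presence only, not position: a deny policy for the QUIC service must sit above the allow policy it was cloned from, since FortiGate evaluates policies top-down and stops at the first match.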


Note: The root cause is that Safari omits the 'max_idle_timeout' transport parameter when using HTTP/3. FortiOS 7.4.9 introduces a fix that allows a proxy-based inspection Firewall Policy with UTM enabled to keep working. If running an earlier version, it may be necessary to upgrade to resolve the issue.