Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JordAnge
Staff
Staff

Created on ‎09-24-2025 09:51 PM Edited on ‎12-23-2025 05:02 AM By Community Manager

Article Id 412509

Troubleshooting Tip: Websites are not blocked due to ECH

Description This article describes how to block websites that use encrypted TLS-ClientHello (ECH).
Scope FortiGate.
Solution

In this example, sites belonging to the 'Gambling' category cannot be blocked because those sites use ECH.

Here is the Web Filter configured to block this category:

 

Examples:

  • 1xbets-ar.com.
  • bets-ar.com.

 

Diagram:
Client-PC ----> [VLAN1] FortiGate [SD-WAN] ----> Internet.

 

config firewall policy
    edit 25
        set srcintf "VLAN1"
        set dstintf "SD-WAN"
        set action accept
        set srcaddr "pc-test"  <----- IP=10.1.1.35.
        set dstaddr "all"

        set schedule "always"

        set service "HTTPS" "HTTP" "DNS" "Quic"

        set utm-status enable

        set inspection-mode flow
        set ssl-ssh-profile "certificate-inspection_Alumnos"
        set av-profile "AV_Alumnos"
        set webfilter-profile "NavegacionAlumnos"
        set dnsfilter-profile "DF-Alumnos"
        set application-list "AC-Alumnos"
        set logtraffic all
        set auto-asic-offload disable

        set nat enable

    next

end

 

config webfilter profile
    edit "NavegacionAlumnos"
        set feature-set flow
        ...
            config filters
            ...
                edit 11
                    set category 11   <----- Gambling Category.
                    set action block
                    set log enable
                next
                ...
            end
        set rate-javascript-urls enable
        set rate-css-urls enable
        set rate-crl-urls enable
end
    ...
    next
end

 

With the previous configuration, the sites cannot be blocked, identifying that those sites use ECH, generating logs like the following:

 

date=2025-08-08 time=12:38:16 eventtime=1754667495655478890 tz="-0300" logid="1702062103" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="information" vd="root" action="info" policyid=25 poluuid="916a1a8a-ab4a-51ef-8238-c0f79567272e" policytype="policy" sessionid=54164787 service="SSL" profile="certificate-inspection_Alumnos" srcip=10.1.1.35 srcport=64432 srccountry="Reserved" dstip=172.67.178.119 dstport=443 dstcountry="United States" srcintf="VLAN1" srcintfrole="lan" dstintf="wan2" dstintfrole="wan" srcuuid="bc5355aa-c400-51ed-6f23-4fa5e520c8f9" dstuuid="5a9b4e2a-bf4c-51ed-dc50-e448f485ac50" proto=6 sni="cloudflare-ech.com" eventsubtype="encrypted-client-hello" hostname="cloudflare-ech.com"


There are two different ways to block ECH currently in the FortiGate:

 

Method 1:

 

This method uses an SSL profile and is available starting with FortiOS 7.6.0. To achieve the desired behavior, apply the following configuration changes within the SSL profile:

 

config firewall ssl-ssh-profile
    edit "certificate-inspection_Alumnos"
        config https
            set ports 443
            set status certificate-inspection
            set quic bypass <----- Set to inspect.
            set unsupported-ssl-cipher block
            set encrypted-client-hello allow. <----- Set to block.
        end

    end

end

 

The SNI can be filtered by using the 'ech-outer-sni' under ssl-ssh-inspection profile settings:

config firewall ssl-ssh-profile
    edit "certificate-name"
        config ech-outer-sni
            edit <name>
                set sni <string> <-----
            next
        end
    next
end

 

For example for the SNI 'cloudflare-ech':

config firewall ssl-ssh-profile
    edit "certificate-name"
        config ech-outer-sni
            edit cloudflare
                set sni cloudflare-ech
            next
        end
    next
end

After those changes, even if the Gambling websites use ECH, the FortiGate will be able to block them:

date=2025-09-24 time=14:30:24 eventtime=1758735023765172940 tz="-0300" logid="1704062220" type="utm" subtype="ssl" eventtype="ssl-handshake" level="information" vd="root" action="info" policyid=25 poluuid="916a1a8a-ab4a-51ef-8238-c0f79567272e" policytype="policy" sessionid=28987146 service="SSL" profile="certificate-inspection_Alumnos" srcip=10.1.1.35 srcport=50293 srccountry="Reserved" dstip=104.21.93.125 dstport=443 dstcountry="United States" srcintf="VLAN1" srcintfrole="lan" dstintf="wan2" dstintfrole="wan" srcuuid="bc5355aa-c400-51ed-6f23-4fa5e520c8f9" dstuuid="5a9b4e2a-bf4c-51ed-dc50-e448f485ac50" proto=6 tlsver="tls1.3" sni="1xbets-ar.com" cipher="0x1301" authalgo="ecdsa" kxproto="ecdhe" kxcurve="x25519" eventsubtype="handshake-done" hostname="1xbets-ar.com" handshake="full" mitm="yes"
date=2025-09-24 time=14:30:24 eventtime=1758735023535901859 tz="-0300" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=25 poluuid="916a1a8a-ab4a-51ef-8238-c0f79567272e" policytype="policy" sessionid=28987145 srcip=10.1.1.35 srcport=50292 srccountry="Reserved" srcintf="VLAN1" srcintfrole="lan" srcuuid="bc5355aa-c400-51ed-6f23-4fa5e520c8f9" dstip=104.21.93.125 dstport=80 dstcountry="United States" dstintf="wan2" dstintfrole="wan" dstuuid="5a9b4e2a-bf4c-51ed-dc50-e448f485ac50" proto=6 httpmethod="GET" service="HTTP" hostname="1xbets-ar.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/201001" profile="NavegacionAlumnos" action="blocked" reqtype="direct" url="http://1xbets-ar.com/" sentbyte=355 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" cat=11 catdesc="Gambling" ratemethod="domain"

 

This traffic can be observed in a wireshark capture output. After ech is blocked, the client requested the destination hostname in plaintext (the client hello is not encrypted). As a result, certificate inspection can be performed properly to block URLs based on FortiGuard categories

ScreenHunter_409 Dec. 19 18.14.jpg

 

Method 2:

 

This approach requires enabling a specific option in the DNS filter profile that is applied to the policy.

 

ECH_GUI_DNS-strip-01.PNG

 

ECH is set up via DNS over HTTPS, and this option prevents that process from completing.

  
For more information on how ECH and the FortiGate interact, see Control TLS connections that utilize Encrypted Client Hello 7.4.4 | FortiGate / FortiOS 7.4.0 | Fort...

 

Method 3:

Block ECH-Related Domain :

  • To mitigate Cloudflare-based ECH traffic, which hides true destinations, add wildcard entries in the URL filter or the DNS filter:

 

*cloudflare-ech*

*whos.amung*

 

  • Apply this filter to the same policy used for user traffic.

 

Note:

For v7.2.x, only Method 3 works.

 

See Technical Tip: FortiGate Fails to block HTTPS website due to encrypted traffic
621
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.