Article Id 412509
Description This article describes how to block websites that use TLS Encrypted ClientHello (ECH), which hides the real server name (SNI) from the FortiGate's SSL inspection.
Scope FortiGate.
Solution

In this example, sites belonging to the 'Gambling' category cannot be blocked by the web filter because those sites use ECH, so the real SNI is not visible during SSL inspection.

 

Examples:

  • 1xbets-ar.com.
  • bets-ar.com.

 

Diagram:
Client-PC ---> [VLAN1] FortiGate [SD-WAN] ----> Internet.

 

config firewall policy
    edit 25
        set srcintf "VLAN1"
        set dstintf "SD-WAN"
        set action accept
        set srcaddr "pc-test"   <--- IP=10.1.1.35.
        set dstaddr "all"

        set schedule "always"

        set service "HTTPS" "HTTP" "DNS" "Quic"

        set utm-status enable

        set inspection-mode flow
        set ssl-ssh-profile "certificate-inspection_Alumnos"
        set av-profile "AV_Alumnos"
        set webfilter-profile "NavegacionAlumnos"
        set dnsfilter-profile "DF-Alumnos"
        set application-list "AC-Alumnos"
        set logtraffic all
        set auto-asic-offload disable

        set nat enable

    next

end

 

config webfilter profile
    edit "NavegacionAlumnos"
        set feature-set flow
        ...
            config filters
            ...
                edit 11
                    set category 11   <----- Gambling Category.
                    set action block
                    set log enable
                next
                ...
            end
        set rate-javascript-urls enable
        set rate-css-urls enable
        set rate-crl-urls enable
end
    ...
    next
end

 

config firewall ssl-ssh-profile
    edit "certificate-inspection_Alumnos"
        set comment "Read-only SSL handshake inspection profile."
            config https
                set ports 443
                set status certificate-inspection
                set quic bypass
                set unsupported-ssl-cipher block
                set encrypted-client-hello allow
            end
            ...
            config ech-outer-sni
                edit "tls-ech"
                    set sni "public.tls-ech.dev"
                next
                edit "defo.ie"
                    set sni "cover.defo.ie"
                next
                edit "cloudflare-ech.com"
                    set sni "cloudflare-ech.com"
                next
            end
    next
end

 

With the previous configuration, the sites cannot be blocked. The SSL logs show only the ECH outer SNI (sni="cloudflare-ech.com", which matches an entry in the ech-outer-sni list) rather than the real destination, and mark the session with eventsubtype="encrypted-client-hello", for example:

 

date=2025-08-08 time=12:38:16 eventtime=1754667495655478890 tz="-0300" logid="1702062103" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="information" vd="root" action="info" policyid=25 poluuid="916a1a8a-ab4a-51ef-8238-c0f79567272e" policytype="policy" sessionid=54164787 service="SSL" profile="certificate-inspection_Alumnos" srcip=10.1.1.35 srcport=64432 srccountry="Reserved" dstip=172.67.178.119 dstport=443 dstcountry="United States" srcintf="VLAN1" srcintfrole="lan" dstintf="wan2" dstintfrole="wan" srcuuid="bc5355aa-c400-51ed-6f23-4fa5e520c8f9" dstuuid="5a9b4e2a-bf4c-51ed-dc50-e448f485ac50" proto=6 sni="cloudflare-ech.com" eventsubtype="encrypted-client-hello" hostname="cloudflare-ech.com"

 

The behavior is fixed by making the following configuration changes in the SSL/SSH inspection profile:

 

config firewall ssl-ssh-profile
    edit "certificate-inspection_Alumnos"
        config https
            set ports 443
            set status certificate-inspection
            set quic bypass <----- Change this value to inspect.
            set unsupported-ssl-cipher block
            set encrypted-client-hello allow <----- Change this value to block.
        end

    end

end

 

After those changes, the FortiGate can block the Gambling websites even though they use ECH. The SSL handshake log now shows the real SNI (sni="1xbets-ar.com") instead of the ECH outer SNI, and the web filter log shows the request being blocked by category:

date=2025-09-24 time=14:30:24 eventtime=1758735023765172940 tz="-0300" logid="1704062220" type="utm" subtype="ssl" eventtype="ssl-handshake" level="information" vd="root" action="info" policyid=25 poluuid="916a1a8a-ab4a-51ef-8238-c0f79567272e" policytype="policy" sessionid=28987146 service="SSL" profile="certificate-inspection_Alumnos" srcip=10.1.1.35 srcport=50293 srccountry="Reserved" dstip=104.21.93.125 dstport=443 dstcountry="United States" srcintf="VLAN1" srcintfrole="lan" dstintf="wan2" dstintfrole="wan" srcuuid="bc5355aa-c400-51ed-6f23-4fa5e520c8f9" dstuuid="5a9b4e2a-bf4c-51ed-dc50-e448f485ac50" proto=6 tlsver="tls1.3" sni="1xbets-ar.com" cipher="0x1301" authalgo="ecdsa" kxproto="ecdhe" kxcurve="x25519" eventsubtype="handshake-done" hostname="1xbets-ar.com" handshake="full" mitm="yes"
date=2025-09-24 time=14:30:24 eventtime=1758735023535901859 tz="-0300" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=25 poluuid="916a1a8a-ab4a-51ef-8238-c0f79567272e" policytype="policy" sessionid=28987145 srcip=10.1.1.35 srcport=50292 srccountry="Reserved" srcintf="VLAN1" srcintfrole="lan" srcuuid="bc5355aa-c400-51ed-6f23-4fa5e520c8f9" dstip=104.21.93.125 dstport=80 dstcountry="United States" dstintf="wan2" dstintfrole="wan" dstuuid="5a9b4e2a-bf4c-51ed-dc50-e448f485ac50" proto=6 httpmethod="GET" service="HTTP" hostname="1xbets-ar.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/201001" profile="NavegacionAlumnos" action="blocked" reqtype="direct" url="http://1xbets-ar.com/" sentbyte=355 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" cat=11 catdesc="Gambling" ratemethod="domain"

 

Note: To effectively block websites using TLS Encrypted ClientHello (ECH), it is mandatory to set 'encrypted-client-hello block' and 'quic inspect' (instead of 'bypass') in the SSL/SSH inspection profile. With 'quic bypass', connections over QUIC are not inspected by the profile at all, so the web filter cannot act on them.