sw2090
SuperUser

Sites that use Cloudflare DNS Proxy with ECH will not open behind a FortiGate

This recently happened to us with our own website and all our FGTs.

 

When one tries to access our website, all one gets in Chrome is a QUIC protocol error.

Looking at Chrome's netlog on an affected client, I saw that it tried to use Cloudflare's ECH protocol to do an encrypted client handshake to their proxy. This failed because UTM blocks cloudflare-ech.com.

If I add that FQDN to a policy that has no filters and is placed in front of the other internet policies, our website works fine.

Cloudflare community also has a thread on this: https://community.cloudflare.com/t/err-ech-not-negotiated-problem/710760

 

I cannot say whether Cloudflare did something bad by enabling a feature they still declare experimental by default or not. (This is said in the linked thread.)

 

However, since not filtering cloudflare-ech.com is not a solution (but a fix), I have opened a ticket with TAC (which escalated to a senior with the first answer) as well as with Cloudflare support.

Currently waiting for answers.

Thought I'd post this here in case someone else runs into this issue :)

 

stay safe

Sebastian

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

3 REPLIES
AEK
SuperUser

Thanks for sharing, Sebastian.

A new hard challenge for web filtering.

A few days ago I heard about the Twitter ban in Brazil, then Twitter managed to bypass the restriction using Cloudflare. Now I understand.

AEK
DPadula
Staff


Hi Sebastian,

 

As described in this link https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/405234/control-ech-tls-conne...

You could force Cloudflare to not use ECH if you use a DNS filter on the FGT.

 

A DNS filter profile is applied that strips the ECH information from the DoH response, forcing the browser to use a non-ECH TLS connection.

 

 

Regards
DPadula
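The mechanism behind both posts above is the DNS HTTPS (SVCB) record: the browser reads the "ech" SvcParam from it to obtain the ECHConfigList (which names the public name such as cloudflare-ech.com that the outer ClientHello uses), and a DNS filter that "strips the ECH information" removes exactly that parameter, so the browser has no ECH config and sends a plain TLS ClientHello. The following Python is an added example, not FortiGate or Cloudflare code: it encodes and parses an HTTPS record in wire format (RFC 9460 SvcParams), strips the ech key, and validates the ascending-key rule a well-formed record must obey. The sample record is constructed to look like a CDN's (priority 1, target ".", alpn h3/h2, an ipv4hint and an ech param); the ech bytes are a placeholder, not a real ECHConfigList.

```python
"""
Parse an HTTPS/SVCB record, find the "ech" SvcParam that carries the
ECHConfigList a browser needs for Encrypted Client Hello, and strip it.
Added example; the sample record below is constructed, not captured.
"""
import struct

# SvcParamKeys as registered for SVCB/HTTPS records (RFC 9460); key 5 is "ech".
SVCB_KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                  4: "ipv4hint", 5: "ech", 6: "ipv6hint"}
KEY_ALPN, KEY_IPV4HINT, KEY_ECH = 1, 4, 5


def encode_name(name):
    """DNS wire-format name; "." encodes as a single zero byte (root/same name)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed wire-format name starting at offset; returns (name, new_offset)."""
    labels = []
    while True:
        n = data[offset]
        offset += 1
        if n == 0:
            break
        labels.append(data[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels) + ".", offset


def encode_alpn(protos):
    """alpn SvcParamValue: sequence of 1-byte-length-prefixed protocol IDs."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in protos)


def decode_alpn(value):
    protos, off = [], 0
    while off < len(value):
        n = value[off]
        off += 1
        protos.append(value[off:off + n].decode("ascii"))
        off += n
    return protos


def build_https_rdata(priority, target, params):
    """RDATA = SvcPriority(u16) | TargetName | SvcParams (key u16, length u16, value), keys ascending."""
    rdata = struct.pack("!H", priority) + encode_name(target)
    for key, value in sorted(params):
        rdata += struct.pack("!HH", key, len(value)) + value
    return rdata


def parse_https_rdata(rdata):
    """Returns (priority, target, [(key, value), ...]); rejects out-of-order or truncated params."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = decode_name(rdata, 2)
    params, last_key = [], -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= last_key:
            raise ValueError("SvcParams must be in strictly ascending key order")
        value = rdata[off:off + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        off += length
        params.append((key, value))
        last_key = key
    return priority, target, params


def strip_ech(rdata):
    """Rebuild the record without the ech param. Returns (new_rdata, had_ech)."""
    priority, target, params = parse_https_rdata(rdata)
    had_ech = any(k == KEY_ECH for k, _ in params)
    kept = [(k, v) for k, v in params if k != KEY_ECH]
    return build_https_rdata(priority, target, kept), had_ech


def summarize(rdata):
    """Key names present in the record, e.g. ['alpn', 'ipv4hint', 'ech']."""
    _, _, params = parse_https_rdata(rdata)
    return [SVCB_KEY_NAMES.get(k, f"key{k}") for k, _ in params]


def sample_https_rdata():
    """Constructed record shaped like a CDN's HTTPS answer. The ech value is an
    opaque placeholder (assumption), not a real ECHConfigList."""
    placeholder_ech = bytes.fromhex("000afe0d0006") + b"\x00" * 6
    return build_https_rdata(1, ".", [
        (KEY_ALPN, encode_alpn(["h3", "h2"])),
        (KEY_IPV4HINT, bytes([192, 0, 2, 1])),   # TEST-NET-1 address, constructed
        (KEY_ECH, placeholder_ech),
    ])


if __name__ == "__main__":
    original = sample_https_rdata()
    stripped, had_ech = strip_ech(original)
    print("original params:", summarize(original))
    print("stripped params:", summarize(stripped), "ech removed:", had_ech)
```

To see whether a site advertises ECH at all, query its HTTPS record directly (`dig HTTPS www.example.com`, or `dig TYPE65 www.example.com` on older dig builds) and look for `ech=` in the answer. The stripping approach only helps for DNS answers the FortiGate actually sees and can rewrite; a client whose resolver traffic bypasses the FortiGate still receives the ech parameter and will attempt ECH.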