Sites that use Cloudflare DNS Proxy with ECH will not open behind a FortiGate
This recently happened to us with our own website and all our FGTs.
When one tries to access our website, all one gets in Chrome is a QUIC protocol error.
Looking at Chrome's netlog on an affected client, I saw that it tried to use Cloudflare's ECH protocol to do an encrypted client handshake to their proxy. This failed because UTM blocks cloudflare-ech.com.
If I add that FQDN to a policy that doesn't have filters and sits in front of the other internet policies, our website works fine.
The Cloudflare community also has a thread on this: https://community.cloudflare.com/t/err-ech-not-negotiated-problem/710760
I cannot say whether Cloudflare did something bad by enabling a feature they still declare experimental as default or not (this is said in the linked thread).
However, since not filtering cloudflare-ech.com is not a solution (but a fix), I have opened a ticket with TAC (which escalated to a senior with the first answer) as well as with Cloudflare support.
Currently waiting for answers.
Thought I'd post this here just in case someone else runs into this issue :)
stay safe
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Labels: FortiGate, FortiGuard
Thanks for sharing, Sebastian.
A new hard challenge for web filtering.
A few days ago I heard about the Twitter ban in Brazil, then Twitter managed to bypass the restriction using Cloudflare. Now I understand.
Hi Sebastian,
As described at this link: https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/405234/control-ech-tls-conne...
You could force Cloudflare to not use ECH if you use a DNS filter on the FGT.
A DNS filter profile is applied that strips the ECH information from the DoH response, forcing the browser to use a non-ECH TLS connection.
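The browser learns that a site supports ECH from the `ech` SvcParam (SvcParamKey 5) of the site's HTTPS DNS record (RFC 9460), which it normally fetches over DoH; that value carries the ECHConfigList whose public name is the outer SNI the firewall sees (in Sebastian's post, cloudflare-ech.com). "Stripping the ECH information from the DoH response" therefore means deleting that one SvcParam from the answer before it reaches the client. The following is an added example, not Fortinet or Cloudflare code, that parses HTTPS RDATA in wire format, reports whether it advertises ECH, and produces a copy with the `ech` key removed while keeping the record valid (the key is also removed from a `mandatory` list, since a client must otherwise reject the record). The sample record and the `ech` bytes are constructed placeholders, not a real ECHConfigList.

```python
"""Parse HTTPS (SVCB) RDATA per RFC 9460 and strip the "ech" SvcParam, which is
what a DNS filter does when it removes ECH information from a DoH answer so the
browser falls back to a plain TLS ClientHello. Added example, not vendor code."""
import struct

SVCPARAM_MANDATORY = 0
SVCPARAM_ALPN = 1
SVCPARAM_ECH = 5
SVCPARAM_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn",
                  3: "port", 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def encode_name(name: str) -> bytes:
    """DNS wire-format name; SVCB TargetName is never compressed."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n >= 0xC0:
            raise ValueError("compression pointer not allowed in SVCB TargetName")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) + "." if labels else "."), off


def parse_https_rdata(rdata: bytes):
    """Return (SvcPriority, TargetName, [(key, raw value), ...])."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = decode_name(rdata, 2)
    params, last_key = [], -1
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        if key <= last_key:  # RFC 9460: keys strictly increasing, no duplicates
            raise ValueError("SvcParamKeys must be in strictly increasing order")
        value = rdata[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        params.append((key, value))
        off += 4 + length
        last_key = key
    return priority, target, params


def build_https_rdata(priority: int, target: str, params) -> bytes:
    body = b"".join(struct.pack("!HH", k, len(v)) + v for k, v in params)
    return struct.pack("!H", priority) + encode_name(target) + body


def alpn_list(value: bytes):
    """Decode the alpn SvcParam (sequence of length-prefixed protocol ids)."""
    out, off = [], 0
    while off < len(value):
        n = value[off]
        out.append(value[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return out


def advertises_ech(rdata: bytes) -> bool:
    return any(k == SVCPARAM_ECH for k, _ in parse_https_rdata(rdata)[2])


def _drop_ech_from_mandatory(value: bytes) -> bytes:
    keys = [k for k in struct.unpack(f"!{len(value) // 2}H", value) if k != SVCPARAM_ECH]
    return struct.pack(f"!{len(keys)}H", *keys)  # b"" when nothing is left


def strip_ech(rdata: bytes) -> bytes:
    """Copy of the RDATA without the ech SvcParam; the rest is left untouched."""
    priority, target, params = parse_https_rdata(rdata)
    kept = []
    for key, value in params:
        if key == SVCPARAM_ECH:
            continue
        if key == SVCPARAM_MANDATORY:
            value = _drop_ech_from_mandatory(value)
            if not value:      # an empty mandatory list is invalid, so drop the key
                continue
        kept.append((key, value))
    return build_https_rdata(priority, target, kept)


def summarize(rdata: bytes) -> dict:
    priority, target, params = parse_https_rdata(rdata)
    alpn = [alpn_list(v) for k, v in params if k == SVCPARAM_ALPN]
    return {"priority": priority, "target": target,
            "alpn": alpn[0] if alpn else [], "ech": advertises_ech(rdata)}


# Constructed sample (not a captured record): alias-free "1 . alpn=h3,h2 ech=..."
FAKE_ECH_CONFIG = b"\x00\x0e" + b"\xaa" * 14   # placeholder bytes, not a real ECHConfigList
SAMPLE_HTTPS_RDATA = build_https_rdata(
    1, ".", [(SVCPARAM_ALPN, b"\x02h3\x02h2"), (SVCPARAM_ECH, FAKE_ECH_CONFIG)])

if __name__ == "__main__":
    print("as served :", summarize(SAMPLE_HTTPS_RDATA))
    print("after strip:", summarize(strip_ech(SAMPLE_HTTPS_RDATA)))
```

Without the `ech` key the browser has no ECHConfig to encrypt the inner ClientHello with, so it sends the real server name in the clear and the firewall's web filter sees the site's own hostname rather than cloudflare-ech.com. Note this only helps when the client's DNS actually passes through the filter: a browser doing DoH to a resolver the FortiGate does not intercept still receives the `ech` parameter, which is the situation the original post describes.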