Hi,
I have problem accessing some websites, google chrome browser shows this error:
err_quic_protocol_error
I see on the logs that traffic is destined to Cloudflare-CDN Protocol 17 Destination Port 443.
If I add this UDP 443 port to ipv4 policy responsible for this network traffic, then Chrome still shows this error.
The same problem is on Edge browser.
Fortigate with Firmware 7.2.9.
Could anyone help me with that?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello , please check if QUIC protocol is blocked under application control
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-disable-QUIC/ta-p/191273
Please do follow the below steps:
1. Disable QUIC Protocol in Chrome
Step 1: Open Chrome.
Step 2: In the address bar, type chrome://flags/ and press Enter.
Step 3: Search for QUIC in the search bar on the flags page.
Step 4: Set "Experimental QUIC protocol" to "Disabled".
Step 5: Relaunch Chrome.
This stops Chrome from using QUIC and forces it to use traditional HTTPS (TCP) for traffic.
2. FortiGate Configuration
If you are using FortiGate and your network traffic is being filtered or managed, ensure that:
UDP port 443 is allowed, as QUIC uses UDP rather than TCP. However, disabling QUIC might solve the issue, bypassing the need for UDP 443.
Ensure FortiGate SSL/HTTPS inspection policies are properly configured. Sometimes FortiGate's deep SSL inspection can interfere with QUIC or other protocols.
3. Check FortiGate Logs
Check FortiGate logs for any blocked traffic related to UDP 443 or Cloudflare.
Adjust the firewall rules to allow traffic to Cloudflare or any other specific sites that might be getting blocked.
4. Disable QUIC at FortiGate Level
You can disable QUIC traffic at the firewall level if you want to prevent all users from utilizing QUIC:
Use the following CLI command to block QUIC traffic:
config firewall policy
edit <policy_id>
set service HTTP HTTPS (remove any reference to UDP 443)
next
end
Alternatively, you can create a specific policy to block UDP traffic on port 443 if you want to stop QUIC entirely from the network.
Also, you can use this article-https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-disable-QUIC/ta-p/191273
Hi,
I did QUICK disable on the chrome browser but this didn't helpded.
What I did I added in whitelist ssl inspection profile this site: cloudflare-ech.com and it is working now.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
229 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.