Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek
Contributor

Websites do not work "err_quic_protocol_error"

Hi,

I have problem accessing some websites, google chrome browser shows this error:

err_quic_protocol_error

I see on the logs that traffic is destined to Cloudflare-CDN Protocol 17 Destination Port 443.

If I add this UDP 443 port to ipv4 policy responsible for this network traffic, then Chrome still shows this error.

The same problem is on Edge browser.

Fortigate with Firmware 7.2.9.

Could anyone help me with that?

3 REPLIES 3
Shashwati
Staff
Staff

Hello , please check if QUIC protocol is blocked under application control 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-disable-QUIC/ta-p/191273

Durga_Ashwath

Please do follow the below steps:

1. Disable QUIC Protocol in Chrome
Step 1: Open Chrome.
Step 2: In the address bar, type chrome://flags/ and press Enter.
Step 3: Search for QUIC in the search bar on the flags page.
Step 4: Set "Experimental QUIC protocol" to "Disabled".
Step 5: Relaunch Chrome.

This stops Chrome from using QUIC and forces it to use traditional HTTPS (TCP) for traffic.

2. FortiGate Configuration

If you are using FortiGate and your network traffic is being filtered or managed, ensure that:
UDP port 443 is allowed, as QUIC uses UDP rather than TCP. However, disabling QUIC might solve the issue, bypassing the need for UDP 443.
Ensure FortiGate SSL/HTTPS inspection policies are properly configured. Sometimes FortiGate's deep SSL inspection can interfere with QUIC or other protocols.

3. Check FortiGate Logs
Check FortiGate logs for any blocked traffic related to UDP 443 or Cloudflare.
Adjust the firewall rules to allow traffic to Cloudflare or any other specific sites that might be getting blocked.

4. Disable QUIC at FortiGate Level
You can disable QUIC traffic at the firewall level if you want to prevent all users from utilizing QUIC:

Use the following CLI command to block QUIC traffic:

config firewall policy
edit <policy_id>
set service HTTP HTTPS (remove any reference to UDP 443)
next
end

Alternatively, you can create a specific policy to block UDP traffic on port 443 if you want to stop QUIC entirely from the network.

Also, you can use this article-https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-disable-QUIC/ta-p/191273

Tutek
Contributor

Hi,

I did QUICK disable on the chrome browser but this didn't helpded.

What I did I added in whitelist ssl inspection profile this site: cloudflare-ech.com and it is working now.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors