Fortinet black logo

Administration Guide

Inspecting HTTP3 traffic

Inspecting HTTP3 traffic

HTTP/3 traffic can be inspected on the FortiGate in flow mode inspection.

Note

When using Chrome, the browser may switch the HTTP/3 connection to HTTP/2 when deep inspection is applied, due to its sensitivity to delays caused by deep inspection.

Example

In this example, a web filter profile is created to block the words Welcome to aioquic, which appear in a website that uses HTTP/3.

To block content in HTTP/3 traffic:
  1. Configure the web filter banned word table:

    config webfilter content
        edit 1
            set name "aioquic"
            config entries
                edit "Welcome to aioquic"
                    set status enable
                next
            end
        next
    end
  2. Apply the banned word table in the web filter profile:

    config webfilter profile
        edit "flow-webfilter"
            config web
                set bword-table 1
            end
            config ftgd-wf
                unset options
            end
        next
    end
  3. Configure the firewall policy:

    config firewall policy
        edit 1
            set utm-status enable
            set ssl-ssh-profile "deep-inspection"
            set webfilter-profile "flow-webfilter"
            set logtraffic all
            set nat enable
        next
    end
  4. Access the website using a supported HTTP/3 client, such as Chrome or Firefox. The website is blocked by the FortiGate.

Inspecting HTTP3 traffic

HTTP/3 traffic can be inspected on the FortiGate in flow mode inspection.

Note

When using Chrome, the browser may switch the HTTP/3 connection to HTTP/2 when deep inspection is applied, due to its sensitivity to delays caused by deep inspection.

Example

In this example, a web filter profile is created to block the words Welcome to aioquic, which appear in a website that uses HTTP/3.

To block content in HTTP/3 traffic:
  1. Configure the web filter banned word table:

    config webfilter content
        edit 1
            set name "aioquic"
            config entries
                edit "Welcome to aioquic"
                    set status enable
                next
            end
        next
    end
  2. Apply the banned word table in the web filter profile:

    config webfilter profile
        edit "flow-webfilter"
            config web
                set bword-table 1
            end
            config ftgd-wf
                unset options
            end
        next
    end
  3. Configure the firewall policy:

    config firewall policy
        edit 1
            set utm-status enable
            set ssl-ssh-profile "deep-inspection"
            set webfilter-profile "flow-webfilter"
            set logtraffic all
            set nat enable
        next
    end
  4. Access the website using a supported HTTP/3 client, such as Chrome or Firefox. The website is blocked by the FortiGate.