HTTP/3 traffic can be inspected on the FortiGate in flow mode inspection.
When using Chrome, the browser may switch the HTTP/3 connection to HTTP/2 when deep inspection is applied, due to its sensitivity to delays caused by deep inspection.
In this example, a web filter profile is created to block the words Welcome to aioquic, which appear in a website that uses HTTP/3.
Configure the web filter banned word table:
config webfilter content edit 1 set name "aioquic" config entries edit "Welcome to aioquic" set status enable next end next end
Apply the banned word table in the web filter profile:
config webfilter profile edit "flow-webfilter" config web set bword-table 1 end config ftgd-wf unset options end next end
Configure the firewall policy:
config firewall policy edit 1 set utm-status enable set ssl-ssh-profile "deep-inspection" set webfilter-profile "flow-webfilter" set logtraffic all set nat enable next end
Access the website using a supported HTTP/3 client, such as Chrome or Firefox. The website is blocked by the FortiGate.