[NSF] Unable to access legitimate websites due to cloudflare-ech.com blocking
Issue Description
Normal business operations are being blocked by the block policy applied to Cloudflare ECH traffic (cloudflare-ech.com).
Error/Warning Logs:
The browser's ECH handshake failed and the browser did not fall back to an unencrypted Client Hello handshake, so the legitimate websites could not be visited.

Handling Process
1. Configure a DoH-blocking policy that blocks TCP ports 443 and 853 and forces DNS queries to be sent over UDP port 53, so that the DNS queries can be intercepted.

2. Create a custom IPS signature that restricts the use of ECH.

3. Configure an IPS rule that applies the custom IPS signature.

4. Configure the policy with the IPS rule included, so that DNS response packets are intercepted and clients are forced to fall back to an unencrypted Client Hello handshake.
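What such a DNS-response check has to inspect is the HTTPS resource record (type 65) in the answer section: a browser only attempts ECH when that record carries the "ech" SvcParam (key 5). The following is an added example written for this note, not code from the original case or from any vendor's IPS engine; it parses a DNS response and reports, per HTTPS record, whether the ech parameter is present. The message bytes and the ech value are constructed sample data.

```python
import struct

TYPE_HTTPS = 65      # HTTPS RR type (RFC 9460)
SVCPARAM_ECH = 5     # SvcParamKey "ech": carries the ECHConfigList a browser needs before it can encrypt the ClientHello

def read_name(buf, off):
    """Decode a wire-format DNS name (follows compression pointers); returns (name, offset after the field)."""
    labels, end = [], None
    while True:
        n = buf[off]
        if n >= 0xC0:                      # compression pointer: the field itself ends after these 2 bytes
            end = end or off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), end or off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def https_records(msg):
    """Return (owner, has_ech) for each HTTPS RR in the answer section of a DNS response message."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off, found = 12, []
    for _ in range(qdcount):               # skip the question section (name + type + class)
        off = read_name(msg, off)[1] + 4
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_HTTPS:
            p, has_ech = read_name(msg, off + 2)[1], False   # skip SvcPriority and TargetName
            while p < off + rdlen:             # SvcParams: key(2) length(2) value
                key, plen = struct.unpack_from("!HH", msg, p)
                has_ech |= key == SVCPARAM_ECH
                p += 4 + plen
            found.append((owner, has_ech))
        off += rdlen
    return found

def build_response(svc_params):
    """Constructed sample: question for example.com/HTTPS plus one HTTPS answer whose TargetName is '.' (the owner)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", TYPE_HTTPS, 1)
    rdata = struct.pack("!H", 1) + b"\x00" + svc_params                  # SvcPriority=1, TargetName='.'
    return header + question + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_HTTPS, 1, 300, len(rdata)) + rdata

ALPN_H2 = struct.pack("!HH", 1, 3) + b"\x02h2"                            # alpn=h2
DUMMY_ECH = struct.pack("!HH", SVCPARAM_ECH, 4) + b"\x00\x01\x02\x03"      # placeholder ech value, not a real ECHConfigList
WITH_ECH, WITHOUT_ECH = build_response(ALPN_H2 + DUMMY_ECH), build_response(ALPN_H2)
```

A response in which no HTTPS record carries key 5 leaves the browser with nothing to encrypt the Client Hello with, which is the state the policy above aims for; records with other SvcParams (alpn, ipv4hint, and so on) are otherwise left intact.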

Solution
Configured the IPS rule and policies to intercept the DNS packets and force clients to fall back to an unencrypted Client Hello handshake.