How to Block Google QUIC Protocol on SonicOS 7?

Description

QUIC (Quick UDP Internet Connections) is a modern transport protocol developed by Google and standardized by the IETF. It is designed to improve the performance of connection‑oriented web applications that traditionally rely on TCP. QUIC achieves this by establishing multiple multiplexed, encrypted streams between two endpoints over UDP (port 443), reducing latency and improving reliability.

To ensure full inspection, firewalls often block QUIC, forcing the browser to fall back to standard HTTPS over TCP, where all security services can be enforced properly.

 

Resolution

QUIC can be blocked in the browser, with a firewall access rule, and/or with firewall App Control.

Block QUIC by browser:

1.- In the Google Chrome browser, navigate to chrome://flags/

2.- Look for Experimental QUIC protocol and set the state to Disabled instead of Default or Enabled.

3.- You will need to relaunch the browser for this to take effect.

Block Google QUIC as a firewall access rule:

1.- Create a service object: give it a relevant name, select UDP as the protocol, and set the port range to 443-443. Click Save.

2.- Navigate to Policy | Rules and Policies | Access Rules.

Create a Deny rule and add the previously created Service Object for QUIC. Ensure the rule is placed with high priority so it is evaluated before any allow rules.

Block Google QUIC as an application:

1.- Make sure that App Control is enabled.

2.- Navigate to Policy | Security Services | App Control | Signatures.

In the filter options, set Application and search for QUIC.

3.- Edit the App Control entry Protocols – QUIC and enable ‘Block’.

How to Test QUIC Blocking

If the firewall is correctly blocking QUIC traffic, you should observe the following:

1. The QUIC access rule registers hit counts.

2. Log events appear for the QUIC application.

3. Packet capture shows policy drops for UDP 443.
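
A client-side check to complement the firewall-side indicators above. This is an added example, not SonicWall code: it sends one QUIC datagram with a reserved version to UDP 443 and looks for the server's Version Negotiation reply, then tests TCP 443 for the fallback path. The function names are chosen here, and the test host is assumed to be one you know serves QUIC.

```python
import os, socket, struct

# Reserved 0x?a?a?a?a version (RFC 9000 section 15); servers never support it.
PROBE_VERSION = 0x1A2A3A4A

def build_probe(dcid: bytes, scid: bytes) -> bytes:
    """Long-header datagram with an unsupported version, padded to 1200 bytes."""
    hdr = bytes([0xC0]) + struct.pack("!I", PROBE_VERSION)
    hdr += bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid
    return hdr.ljust(1200, b"\x00")

def parse_version_negotiation(data: bytes, dcid: bytes, scid: bytes):
    """Return the server's version list if data answers our probe, else None.
    A genuine reply echoes our connection IDs swapped (its DCID is our SCID)."""
    if len(data) < 7 or not data[0] & 0x80 or data[1:5] != b"\x00" * 4:
        return None
    pos, got = 5, []
    for _ in range(2):  # two length-prefixed connection IDs
        if pos >= len(data):
            return None
        n = data[pos]
        got.append(data[pos + 1:pos + 1 + n])
        pos += 1 + n
    versions = data[pos:]
    if got != [scid, dcid] or not versions or len(versions) % 4:
        return None
    return [v[0] for v in struct.iter_unpack("!I", versions)]

def probe(host: str, timeout: float = 3.0) -> dict:
    """Check QUIC over UDP 443 and plain TCP 443 from this client."""
    dcid, scid, quic = os.urandom(8), os.urandom(8), False
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_probe(dcid, scid), (host, 443))
            quic = parse_version_negotiation(s.recvfrom(2048)[0], dcid, scid) is not None
        except OSError:  # timeout or ICMP error: nothing usable came back
            pass
    try:
        socket.create_connection((host, 443), timeout).close()
        tcp = True
    except OSError:
        tcp = False
    return {"quic": quic, "tcp443": tcp}

def verdict(r: dict) -> str:
    if r["quic"]:
        return "FAIL: QUIC still reachable on UDP 443"
    return "PASS: QUIC blocked, TCP 443 open" if r["tcp443"] else "INCONCLUSIVE: TCP 443 unreachable too"
```

Call `verdict(probe("<host>"))` from a machine behind the firewall. A missing reply can also mean the host does not speak QUIC, so confirm the host answers the probe from an unfiltered network first.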

 
