jkoay
Staff & Editor
December 30, 2025

Troubleshooting Tip: FortiClient Web Filter did not block website due to QUIC protocol

Description

This article describes an issue where a FortiClient web filter does not successfully block websites that fall under web filter categories, or domains that were configured to be blocked in the web filter exclusion list.

Scope

FortiClient, FortiClient EMS.
Solution

In some scenarios, FortiClient's Web Filter does not block websites as expected, even when the sites are configured to be blocked based on web filter categories or added to the web filter exclusion list. This can occur intermittently or consistently for certain websites, particularly those utilizing modern web protocols. Affected websites may load partially or fully, bypassing the configured restrictions in the web filter profile.

 

The primary cause of this issue is the use of the QUIC (Quick UDP Internet Connections) protocol by certain websites and browsers, for instance Google Chrome. QUIC operates over UDP ports 443 and 80, which allows it to evade traditional HTTP/HTTPS filtering mechanisms that primarily target TCP traffic.


To resolve this issue, consider blocking the QUIC protocol with FortiClient's Application Control. This prevents QUIC traffic and forces browsers to fall back to standard TCP-based protocols, which the Web Filter can manage effectively.

 

In FortiClient EMS, go to Endpoint Profiles -> Firewall -> Edit Firewall profile -> Application Overrides -> Add -> Filter Application Name -> QUIC (Category: Network.Service). Set Action to Block, then select Add and Save.

 

Apply the firewall profile to the endpoint policy for it to take effect.
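
To check whether endpoints are still attempting QUIC once the profile is applied, the following added example (not from the original article or from Fortinet) flags QUIC long-header packets among UDP payloads sent to ports 443 and 80, using the version-independent header layout from RFC 8999. The function names and the sample records are constructed for illustration; in practice the payloads would come from a packet capture.

```python
import struct

QUIC_V1 = 0x00000001
V1_LONG_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}

def parse_quic_long_header(payload: bytes):
    """Describe a QUIC long-header packet, or return None.

    Layout (RFC 8999): flags(1) version(4) dcid_len(1) dcid scid_len(1) scid
    """
    if len(payload) < 7 or not payload[0] & 0x80:
        return None  # too short, or short-header form (not identifiable alone)
    version = struct.unpack_from("!I", payload, 1)[0]
    dcid_len = payload[5]
    scid_off = 6 + dcid_len
    if scid_off >= len(payload):
        return None  # truncated before the source connection ID length
    if scid_off + 1 + payload[scid_off] > len(payload):
        return None  # truncated source connection ID
    if version == 0:
        kind = "Version Negotiation"
    elif version == QUIC_V1:
        if not payload[0] & 0x40 or dcid_len > 20:
            return None  # heuristic: v1 fixed bit set, connection ID <= 20 bytes
        kind = V1_LONG_TYPES[(payload[0] & 0x30) >> 4]
    else:
        kind = "long header, other version"
    return {"version": version, "kind": kind, "dcid": payload[6:scid_off].hex()}

def find_quic_flows(records):
    """records: iterable of (proto, dst_port, payload) taken from a capture."""
    hits = []
    for proto, dport, payload in records:
        if proto == "udp" and dport in (443, 80):
            info = parse_quic_long_header(payload)
            if info:
                hits.append((dport, info["kind"], info["version"]))
    return hits

# Constructed sample records (shortened, not real traffic).
SAMPLE = [
    ("udp", 443, bytes.fromhex("c300000001080102030405060708" "00") + bytes(32)),
    ("udp", 443, b"\x17\x03\x03\x00\x10" + bytes(16)),   # not a QUIC long header
    ("tcp", 443, b"\x16\x03\x01\x00\x05hello"),           # TLS over TCP
    ("udp", 53, bytes.fromhex("c300000001") + bytes(8)),   # wrong port
]

if __name__ == "__main__":
    for hit in find_quic_flows(SAMPLE):
        print("QUIC seen: port=%d type=%s version=%#x" % hit)
```

Only long-header packets are recognized, so the check finds connection attempts (Initial and Handshake packets) rather than every packet of an established QUIC session.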

 
