FortiGate
adumitru
Staff
Article Id 191273

Description

 
This article describes how to block or disable QUIC (Quick UDP Internet Connections).

 

Scope

 

FortiGate.


Solution

 
QUIC (Quick UDP Internet Connections) is an experimental transport-layer network protocol developed by Google. Since 2015, some sites (for example, Google and YouTube) offer connections over QUIC, and the latest versions of Google Chrome use it by default.

QUIC runs over UDP ports 80 and 443 and often lets clients bypass transparent proxies. As a result, UTM features such as web filtering may not work properly for Google Chrome traffic while working as expected in other browsers, such as Internet Explorer or Mozilla Firefox.
 
There are four ways to block or disable QUIC:

Method 1: Disable the Experimental QUIC protocol on the Google Chrome browser.
To do this, open Google Chrome, enter 'chrome://flags' in the address bar, search for 'Experimental QUIC protocol' and set it to Disabled.



 

Method 2: Block QUIC using Application Control.
Go to the Application Control profile, look for 'QUIC' under Options, and set the action to 'Block'. Apply this Application Control profile to the firewall policy that handles the client traffic.

 
Note:
As of FortiOS v7.2.0, the option to allow or block QUIC has been removed. Refer to this article: Remove option to block QUIC by default in application control 7.2.4 for more information. To allow or block QUIC, go to Application and Filter Overrides -> Create New, search for QUIC, and add an entry with the action 'Block'.
 
 
 
Method 3: Block QUIC using a firewall policy.
Create a custom firewall service for UDP ports 80 and 443. Then create a firewall policy that uses this custom service and set its action to Deny. Because QUIC is no longer reachable, Chrome falls back to TCP/TLS on port 443, where the existing UTM inspection applies.
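The same Method 3 configuration expressed in the FortiOS CLI, as an added example that is not part of the original article. The service name 'QUIC-UDP', the policy name 'Block-QUIC' and the interface names 'internal' and 'wan1' are assumptions and must be adjusted to match the firewall; the FortiOS CLI has no inline comment syntax, so the 'comment'/'comments' fields are used to label them.

```fortios
config firewall service custom
    edit "QUIC-UDP"
        set comment "Custom service for QUIC: UDP 80 and 443 (name is an assumption)"
        set udp-portrange 80 443
    next
end
config firewall policy
    edit 0
        set name "Block-QUIC"
        set comments "Deny QUIC so Chrome falls back to TCP/TLS; srcintf/dstintf are assumptions"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "QUIC-UDP"
        set logtraffic all
    next
end
```

'edit 0' creates the policy with the next free ID, which places it at the bottom of the policy list; move it above the policy that allows general outbound traffic, otherwise the allow policy matches first and the deny never takes effect. 'set logtraffic all' makes each denied UDP 443 session visible in the traffic log, which is a quick way to confirm that clients are actually attempting QUIC and that the fallback to TCP is happening.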

 


Method 4: Block QUIC using an SSL Inspection profile.
From version 7.4 onward, it is possible to block QUIC using an SSL inspection profile. Make sure to create a custom SSL inspection profile before editing, as the default profile is read-only, then use the following CLI commands:

config firewall ssl-ssh-profile
    edit "profile name"
        config https
            set ports 443
            set quic block
        end
    next
end