FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ahernandez_FTNT
Article Id 191657
Purpose
Disable or Block QUIC protocol to force Google Chrome web browsers to use TLS/SSL and guarantee a proper SSL inspection by the FortiGate.
Scope
QUIC is a transport layer protocol that has been developed by Google and even when it started to be implemented in 2013, is still in an experimental stage. This protocol was designed to replace TLS/SSL providing multiplexed connections between two endpoints over port UDP/ 443.

The main goal of this protocol is to optimize connection-oriented web applications currently using TCP and reduce transport latency avoiding congestion. However, due to the protocol is still in an experimental stage, it is not supported by Fortinet and causes some issues when SSL inspection profiles are needed to block specific websites or applications provided by Google itself.

The reason why this is affecting the filtering of apps and websites is because the most recent versions of Google Chrome browsers have QUIC enabled by default when connections to Google servers are established. For example, connections to Gmail, Google Translate, Google Drive, Google Maps, Google search engine, YouTube, Hangouts and more, are using QUIC instead of TLS when the connection is established through a Google Chrome browser.

QUIC-used.png


This article explains how to avoid these issues disabling or blocking the QUIC Protocol.



Expectations, Requirements
UDP/443 must be blocked in the FortiGate from LAN network to Internet to force the Google Chrome web browsers to use TLS/SSL.
Configuration
There are two options to avoid the QUIC protocol to be used.


1) Disabling QUIC directly in the Google Chrome browser: 

Go to the chrome web browser and type “chrome://flags/” in the search line

Chrome-flags.png

Find the flag “Experimental QUIC protocol.” And change it from “Default” to “Disabled”

QUIC-disable.png

The browser must be closed completely to the changes take effect. Then you will be able to confirm the protocol TLS is being used for any HTTPS connection (even Google servers)


2) Blocking the port UDP/443:

Create a service-object “QUIC” specifying the port UDP/443

QUIC-object.png


Create a firewall policy denying QUIC traffic from the internal network to Internet

QUIC-Policy.png


This policy must be at the top of the firewall policies sequence. After applied the changes, Google Chrome browsers will be forced to use TLS instead of QUIC.


Verification
To confirm that TLS is being used after the changes:

Open a connection HTTPS against any Google Server and click over the padlock in the search field. Then, click on "connection" and you will see which protocol is being used:

TLS-used.png

Contributors