FortiGate
sreddi, Staff
Article Id 197661

Description


This article describes how to block QUIC Protocol.

QUIC (Quick UDP Internet Connections) is an experimental transport-layer network protocol developed by Google.
Starting in 2015, some sites (for example Google and YouTube) offer connections over the QUIC protocol, and recent versions of Google Chrome support it by default.


QUIC uses UDP ports 80 and 443 and often lets clients bypass transparent proxies. As a result, UTM features such as web filtering may not work properly for Google Chrome, while they work as expected for other browsers such as Internet Explorer or Mozilla Firefox.

Solution


There are three ways to block QUIC:

Method 1: Disable the Experimental QUIC protocol on the Google Chrome browser.

Open Google Chrome, type 'chrome://flags' in the address bar, look for 'Experimental QUIC protocol' and set it to Disabled.


Method 2: Block QUIC using Application Control.
Go to the Application Control profile, look for the Application signature name 'QUIC', and select the action 'Block'.
Apply this Application Control profile to the firewall policy.
Method 3: Block QUIC using the firewall policy.

Create a custom firewall service for UDP port 80 and port 443.
Configure a firewall policy that uses the custom service created above and set the action to Deny.
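The CLI equivalent of Method 3, added here as an example and not taken from the article or from Fortinet documentation. The object name "QUIC-UDP", the policy name "Block-QUIC" and the interface names "internal" and "wan1" are assumptions; replace them with the names used on the FortiGate being configured.

```fortios
# Custom service matching the two UDP ports QUIC uses (assumed object name)
config firewall service custom
    edit "QUIC-UDP"
        set udp-portrange 80 443
    next
end

# Deny policy referencing the custom service.
# 'edit 0' creates a new policy with the next free ID; interface names are assumed.
config firewall policy
    edit 0
        set name "Block-QUIC"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "QUIC-UDP"
        set logtraffic all
    next
end

# Verify: sniff UDP/80 and UDP/443 on any interface; with the policy in place,
# outbound QUIC attempts should be logged as denied and the browser falls back to TCP.
diagnose sniffer packet any 'udp and (port 80 or port 443)' 4
```

The deny policy must sit above the general allow policy in the policy list, otherwise the allow rule matches first and QUIC traffic is never blocked. Note that this rule drops all UDP traffic on ports 80 and 443, not only QUIC, so any other service using those UDP ports will also be affected; with logging enabled, the denied sessions appear in the forward traffic log, which is the quickest way to confirm the policy is matching.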

From FortiOS v7.2.4 onward, FortiGate can detect the QUIC protocol over HTTP/3, so it is no longer necessary to disable it in the browser.

Related document:

https://docs.fortinet.com/document/fortigate/7.2.0/new-features/984075/remove-option-to-block-quic-b...