Description
This article describes how to disable or block the QUIC protocol so that Google Chrome web browsers fall back to TLS/SSL, which guarantees that FortiGate SSL inspection is applied.
Scope
UDP/443 must be blocked on the FortiGate from the LAN network to the Internet to force Google Chrome web browsers to use TLS/SSL.
Solution
QUIC is a transport layer protocol developed by Google. Although its deployment started in 2013, it is still in an experimental stage. The protocol was designed to replace TLS/SSL, providing multiplexed connections between two endpoints over port UDP/443.
The main goal of the protocol is to optimize connection-oriented web applications that currently use TCP and to reduce transport latency while avoiding congestion. However, because the protocol is still experimental, it is not supported by Fortinet, and it causes problems when SSL inspection profiles are needed to block specific websites or applications provided by Google itself.
This affects the filtering of apps and websites because recent versions of Google Chrome have QUIC enabled by default for connections to Google servers. For example, connections to Gmail, Google Translate, Google Drive, Google Maps, Google Search, YouTube, Hangouts and others use QUIC instead of TLS when they are established through a Google Chrome browser.
This article explains how to avoid these issues by disabling or blocking the QUIC Protocol.
Configuration:
There are three options to prevent the QUIC protocol from being used.
- Disabling QUIC directly in the Google Chrome browser:
Open the Chrome web browser and type 'chrome://flags/' in the address bar.
Find the flag 'Experimental QUIC protocol' and change it from 'Default' to 'Disabled'.
The browser must be closed completely for the change to take effect. Afterwards it is possible to confirm that TLS is being used for any HTTPS connection (including connections to Google servers).
- Blocking the port UDP/443:
Create a service object 'QUIC' specifying the port UDP/443.
Create a firewall policy denying the QUIC service from the internal network to the Internet.
- Blocking QUIC using Application Control:
Go to Security Profiles -> Application Control. Select a profile and select 'Edit'. Under 'Application and Filter Overrides', select 'Create New'.
Search for QUIC, select QUIC and select 'Add Selected' as shown below. Select OK, then OK again to save the changes.
Enable Application Control in the firewall policy. When traffic hits this policy, QUIC will be blocked.
This policy must be at the top of the firewall policy sequence. After the changes are applied, Google Chrome browsers will be forced to use TLS instead of QUIC.
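The second option (service object plus deny policy) written as FortiOS CLI commands, as an added example rather than configuration taken from this article; the interface names 'internal' and 'wan1', the policy name 'Block-QUIC' and the policy ID 10 used in the move command are assumptions to adjust for the deployment.

```fortios
# Service object matching QUIC (UDP/443)
config firewall service custom
    edit "QUIC"
        set udp-portrange 443
    next
end

# Deny policy from the LAN interface to the WAN interface.
# "internal" and "wan1" are assumed interface names; logging is enabled
# so blocked QUIC attempts are visible in the traffic log.
config firewall policy
    edit 0
        set name "Block-QUIC"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "QUIC"
        set action deny
        set schedule "always"
        set logtraffic all
    next
end

# Move the deny policy to the top of the sequence so it is evaluated
# before any allow policy (replace 10 with the ID assigned by "edit 0").
config firewall policy
    move 10 before 1
end

# Check that no UDP/443 traffic is still reaching the WAN side after
# Chrome has been restarted (captures up to 10 matching packets).
diagnose sniffer packet wan1 'udp port 443' 4 10
```

Once the policy is in place, hits on 'Block-QUIC' in the traffic log confirm that clients attempted QUIC and were forced back to TLS over TCP/443.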
Verification:
To confirm that TLS is being used after the changes:
Open an HTTPS connection to any Google server and select the padlock in the address bar. Then select 'Connection' and it will show which protocol is being used.