How to Block Google QUIC Protocol on SonicOSX 7.0?

04/08/2021 58 People found this article helpful 471,398 Views

Description

QUIC stands for Quick UDP Internet Connections. QUIC improves the performance of connection-oriented web applications that are currently using TCP. It does this by establishing a number of multiplexed connections between two endpoints over UDP.

Google Chrome uses this protocol to reduce latency but this allows it to bypass security services on the firewall as they are TCP based. If QUIC is blocked, Google fails back to TCP and the security services can be enforced correctly.

Resolution

The following method shows how QUIC can be disabled on the Google Chrome browser itself:

In the Google Chrome browser, navigate to chrome://flags/
Look for Experimental QUIC protocol and set the state to Disabled instead of Default or Enabled.
You will need to relaunch the browser for this to take effect.

It might not be feasible t make these changes on every computer, buta firewall security policy might help block it for the entire network. It can be either blocked as a service or as an application.

Block Google QUIC as a Service

Navigate to the Policy | Rules and Policies | Security policy tab and click on Top at the bottom of the screen. This adds the new policy at the top of the list. You might need to adjust its priority based on other rules you have.
Choose a relevant name and in the Source/Destination tab, you can select many fields like source/destination zones, address, services, user, geo-location settings and more. Select the pencil icon next to Destination Port/Services to add a new service object.
Give the service object a relevant name, and use UDP as the protocol and set the port range as 443-443. Click on Save.
Under the App/URL/Custom Match tab leave everything on defaults.
Select the Default Profile as the Security Rule action. Make sure that the Action is set to Deny and the policy is in enable state. Click Add.

Block Google QUIC as an application:

Navigate to the Policy | Rules and Policies | Security policy tab and click on Top at the bottom of the screen. This adds the new policy at the top of the list. You might need to adjust its priority based on other rules you have.
Choose a relevant name and in the Source/Destination tab, you can select many fields like source/destination zones, address, services, user, geo-location settings and more.
Under App/URL/Custom Match, use the radio button for 'Match Operation' as OR. Also, select the pencil icon to add a new Application Match Group.
Select the Google QUIC application using the right arrow and move it to the right. Click Save.
Select the Default Profile as the Security Rule action. Make sure that the Action is set to Deny and the policy is in enable state. Click Add.