Summary
QUIC (Quick UDP Internet Connection) is a new type of protocol used to make connections to the internet, with the goal of speeding up these connections and reducing bandwidth congestion. The protocol was developed by Google and is now enabled by default in Chrome from version 52 onwards for most of Google’s sites.
Problem
As QUIC works over UDP and not TCP, connections over QUIC bypass the proxy. Blocking this traffic will make the connection fall back to TCP, ensuring that all web traffic traverses through the proxy and filtering cannot be bypassed.
Solution
Two approaches should be taken to solve this issue.
- Blocking outbound traffic on UDP ports 80 and 443 on your firewall:
  - We recommend that you block outbound UDP traffic on ports 80 and 443. This means that the request falls back to TCP and is redirected to the proxy. If your firewall is the Smoothwall, follow the instructions below, depending on the update level of your device.
  - Go to Network > Firewall > Firewall Rules on the administration user interface, and create a new rule applying a Drop or Reject action to UDP ports 80 and 443. See Creating Firewall Rules.
- Use the filtering engine’s content modification feature:
  - Create a Decrypt and inspect HTTPS Inspection policy.
  - Creating a content modification policy:
    - Who: Everyone
    - What: Everything
    - Where: Everywhere
    - Action: Apply; Remove QUIC header
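
To confirm that the UDP block from the first approach is effective, the firewall log can be checked for UDP flows to ports 80 and 443 that were still allowed. The script below is an added example, not Smoothwall code; the log layout (netfilter-style fields with hypothetical `FW-ALLOW`/`FW-DROP`/`FW-REJECT` prefixes), the function names and the sample lines are assumptions.

```python
import re
from collections import Counter

QUIC_PORTS = {80, 443}  # UDP ports the article says to block outbound

# Assumed layout: netfilter-style KEY=value fields plus a rule-chosen prefix
# ("FW-ALLOW", "FW-DROP", "FW-REJECT") that records the action taken.
FIELD_RE = re.compile(r"(\w+)=(\S+)")
ACTION_RE = re.compile(r"\bFW-(ALLOW|DROP|REJECT)\b")

def parse_line(line):
    """Return action/proto/src/dst/dport for one log line, or None if unusable."""
    action = ACTION_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    if not action or not fields.get("DPT", "").isdecimal() or "PROTO" not in fields:
        return None
    return {
        "action": action.group(1),
        "proto": fields["PROTO"].upper(),
        "src": fields.get("SRC", "?"),
        "dst": fields.get("DST", "?"),
        "dport": int(fields["DPT"]),
    }

def quic_bypass_flows(lines):
    """Count allowed UDP/80 and UDP/443 flows per (src, dst, dport)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["proto"] == "UDP" and rec["dport"] in QUIC_PORTS
                and rec["action"] == "ALLOW"):
            hits[(rec["src"], rec["dst"], rec["dport"])] += 1
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    "FW-ALLOW: IN=eth0 OUT=eth1 SRC=10.0.0.21 DST=203.0.113.10 PROTO=UDP SPT=51000 DPT=443",
    "FW-ALLOW: IN=eth0 OUT=eth1 SRC=10.0.0.21 DST=203.0.113.10 PROTO=UDP SPT=51001 DPT=443",
    "FW-ALLOW: IN=eth0 OUT=eth1 SRC=10.0.0.35 DST=203.0.113.10 PROTO=UDP SPT=40222 DPT=80",
    "FW-DROP: IN=eth0 OUT=eth1 SRC=10.0.0.40 DST=203.0.113.10 PROTO=UDP SPT=40300 DPT=443",
    "FW-ALLOW: IN=eth0 OUT=eth1 SRC=10.0.0.21 DST=203.0.113.10 PROTO=TCP SPT=51002 DPT=443",
    "FW-ALLOW: IN=eth0 OUT=eth1 SRC=10.0.0.21 DST=198.51.100.53 PROTO=UDP SPT=53111 DPT=53",
    "FW-ALLOW: truncated line with no fields",
]

if __name__ == "__main__":
    for (src, dst, dport), n in sorted(quic_bypass_flows(SAMPLE_LOG).items()):
        print(f"{src} -> {dst} udp/{dport}: {n} allowed flow(s), rule not effective")
```

Any flow this reports is a client that reached the internet over UDP 80 or 443 without traversing the proxy; an empty result after the rule is in place is the expected state.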