Summary
QUIC (Quick UDP Internet Connection) is a protocol for making connections to the internet, designed to speed up these connections and reduce bandwidth congestion. It was developed by Google and is enabled by default in Chrome browsers from version 52 onwards for most of Google’s sites.
Problem
As QUIC works over UDP and not TCP, connections over QUIC bypass the proxy. Blocking this traffic will make the connection fall back to TCP, ensuring that all web traffic traverses through the proxy and filtering cannot be bypassed.
Solution
Two approaches can be taken to solve this issue.
- Blocking outbound traffic on UDP ports 80 and 443 on your firewall:
  - We recommend that you block outbound UDP traffic on ports 80 and 443. This means that the request falls back to TCP and is redirected to the proxy. If your firewall is the Smoothwall, follow the instructions below depending on the update level of your device.
    - If you're on Hearst or older, go to Network > Outgoing > Ports on the administration user interface, and add UDP ports 80 and 443 to the Reject all port rule. See our help topic, Managing Outbound Traffic and Services.
    - If you're on Inverness or newer, go to Network > Firewall > Firewall Rules on the administration user interface, and create a new rule applying a Drop or Reject action to UDP ports 80 and 443. See our help topic, Adding new Smoothwall Firewall rules.
- Use the filtering engine’s content modification feature:
  - Create a Decrypt and inspect policy; see our help topic, Creating HTTPS inspection policies.
  - Create a content modification policy; see our help topic, Creating content modification policies:
    - Who: Everyone
    - What: Everything
    - Where: Everywhere
    - Action: Apply; Remove QUIC header
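
One way to confirm that the firewall rule from the first approach is taking effect, as an added example that is not part of the original article or Smoothwall's own tooling: the script below audits firewall log lines for outbound UDP traffic to ports 80 and 443 that was still accepted. It assumes Linux netfilter LOG style lines with hypothetical `FW-ACCEPT` / `FW-REJECT` / `FW-DROP` rule prefixes; the sample log is constructed, and your firewall's real log format may differ.

```python
import re
from collections import Counter

# Constructed sample log (documentation IP ranges). The FW-* prefixes are
# hypothetical rule labels, not a format taken from the article.
SAMPLE_LOG = """\
Jan 10 09:00:01 fw kernel: FW-REJECT IN=eth0 OUT=eth1 SRC=10.0.0.21 DST=203.0.113.10 PROTO=UDP SPT=51000 DPT=443
Jan 10 09:00:02 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.35 DST=203.0.113.10 PROTO=UDP SPT=51822 DPT=443
Jan 10 09:00:03 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.21 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=443
Jan 10 09:00:04 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.35 DST=192.0.2.53 PROTO=UDP SPT=39001 DPT=53
Jan 10 09:00:05 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.35 DST=203.0.113.80 PROTO=UDP SPT=51823 DPT=80
"""

QUIC_PORTS = {80, 443}  # the UDP ports the article says to block
ACTION = re.compile(r"\bFW-(ACCEPT|REJECT|DROP)\b")
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")


def audit(log_text):
    """Return (allowed, blocked) Counters keyed by (source IP, dest port)
    for outbound UDP traffic to ports 80/443 only."""
    allowed, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        action = ACTION.search(line)
        fields = dict(FIELD.findall(line))
        dport = fields.get("DPT", "")
        # Skip unlabelled, non-UDP, or malformed lines.
        if not action or fields.get("PROTO") != "UDP" or not dport.isdigit():
            continue
        if int(dport) not in QUIC_PORTS:
            continue  # e.g. DNS on udp/53 is out of scope
        key = (fields.get("SRC", "?"), int(dport))
        # TCP 443 never reaches here: that is the fallback path via the proxy.
        (allowed if action.group(1) == "ACCEPT" else blocked)[key] += 1
    return allowed, blocked


if __name__ == "__main__":
    allowed, blocked = audit(SAMPLE_LOG)
    for (src, port), n in sorted(allowed.items()):
        print(f"NOT BLOCKED: {src} -> udp/{port} x{n}")
    print(f"blocked flows: {sum(blocked.values())}")
```

Any source listed as not blocked is still able to send UDP to ports 80 or 443 and therefore bypass the proxy, which points to a rule that is missing or ordered after an allow rule.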