When and how to block the QUIC protocol on Palo Alto Networks firewalls?

Created On 09/25/18 19:38 PM - Last Modified 06/21/25 07:12 AM


Objective


Understanding when and how to block the QUIC protocol on Palo Alto Networks firewalls



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • QUIC protocol


Procedure


When to consider blocking "QUIC"?

Palo Alto Networks firewalls can identify and control QUIC traffic, but they cannot decrypt it the way they decrypt traditional TLS over TCP (HTTPS). As a result, Layer 7 processing of QUIC sessions is limited: security profiles that need to see the decrypted payload cannot be applied to it. Blocking QUIC forces clients such as Chrome to fall back to HTTPS over TCP, which the firewall can decrypt with SSL Forward Proxy and inspect fully. Note that this only helps if a Decryption policy is actually in place for that TCP/443 traffic; otherwise blocking QUIC merely moves the traffic to a different transport.

To block QUIC, create security policy rules as follows:

  1. Add a security policy rule that denies the "quic" App-ID:

[Figure: Security_policy.png]

  2. With some versions of the Chrome browser, Google updated the QUIC protocol, which causes the "quic" App-ID to be misidentified as "unknown-udp". To cover this case, add a second security policy rule that denies UDP traffic to ports 443 and 80 (UDP/443 and UDP/80) regardless of App-ID:

[Figure: QUIC_UDP.png]

Place both deny rules above any rule that allows general outbound traffic, since a deny that sits below a broad allow never matches. Enable logging on the deny rules so that the denied "quic"/"unknown-udp" sessions, followed by the clients' fallback "ssl" sessions on TCP/443, can be verified in the Traffic log after the change.
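As an added example (not the KB article's own code), the following Python script builds the service object and the two deny rules described above as PAN-OS XML API `set` operations, moves both rules to the top of the rulebase, and commits. The object names `udp-443-80`, `Block-QUIC-App` and `Block-QUIC-UDP`, the zones `trust`/`untrust`, and the single-vsys `vsys1` xpath are assumptions; on Panorama the rulebase xpath is different and must be adjusted.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumption: a standalone (non-Panorama) firewall with a single vsys named vsys1.
VSYS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']")
SERVICE_NAME = "udp-443-80"          # hypothetical service object name


def _members(parent, tag, values):
    """Append <tag><member>v</member>...</tag> under parent."""
    node = ET.SubElement(parent, tag)
    for value in values:
        ET.SubElement(node, "member").text = value
    return node


def security_rule_xml(name, src_zone, dst_zone, application, service, description):
    """Build one security-rule <entry> with action deny. log-end is enabled so
    the denies and the clients' fallback to TCP/443 show up in the Traffic log."""
    entry = ET.Element("entry", name=name)
    _members(entry, "from", [src_zone])
    _members(entry, "to", [dst_zone])
    _members(entry, "source", ["any"])
    _members(entry, "destination", ["any"])
    _members(entry, "source-user", ["any"])
    _members(entry, "category", ["any"])
    _members(entry, "application", [application])
    _members(entry, "service", [service])
    ET.SubElement(entry, "action").text = "deny"
    ET.SubElement(entry, "log-end").text = "yes"
    ET.SubElement(entry, "description").text = description
    return ET.tostring(entry, encoding="unicode")


def service_object_xml(name, udp_ports):
    """Build a UDP service object; udp_ports uses PAN-OS port syntax, e.g. '443,80'."""
    entry = ET.Element("entry", name=name)
    udp = ET.SubElement(ET.SubElement(entry, "protocol"), "udp")
    ET.SubElement(udp, "port").text = udp_ports
    return ET.tostring(entry, encoding="unicode")


def quic_block_config(src_zone="trust", dst_zone="untrust"):
    """Ordered (xpath, element) pairs: the service object, then the two deny rules.
    Each xpath points at the parent node; the element is the <entry> to add."""
    rules = f"{VSYS_XPATH}/rulebase/security/rules"
    return [
        (f"{VSYS_XPATH}/service", service_object_xml(SERVICE_NAME, "443,80")),
        (rules, security_rule_xml("Block-QUIC-App", src_zone, dst_zone,
                                  "quic", "application-default",
                                  "Step 1: deny the quic App-ID")),
        (rules, security_rule_xml("Block-QUIC-UDP", src_zone, dst_zone,
                                  "any", SERVICE_NAME,
                                  "Step 2: catch QUIC seen as unknown-udp on UDP/443 and UDP/80")),
    ]


def api_call(host, api_key, params, insecure=False):
    """Send one XML API request and return the <response status=...> value."""
    query = urllib.parse.urlencode({"key": api_key, **params})
    ctx = ssl.create_default_context()
    if insecure:                      # lab firewall with a self-signed certificate only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(f"https://{host}/api/?{query}", context=ctx) as resp:
        return ET.fromstring(resp.read()).get("status")


def push_quic_block(host, api_key, insecure=False):
    """Create the objects, move the deny rules above everything else, then commit."""
    for xpath, element in quic_block_config():
        api_call(host, api_key, {"type": "config", "action": "set",
                                 "xpath": xpath, "element": element}, insecure)
    # 'set' appends to the end of the rulebase; a deny that sits below the
    # general outbound allow never matches, so move both rules to the top.
    for name in ("Block-QUIC-UDP", "Block-QUIC-App"):
        rule_xpath = f"{VSYS_XPATH}/rulebase/security/rules/entry[@name='{name}']"
        api_call(host, api_key, {"type": "config", "action": "move",
                                 "where": "top", "xpath": rule_xpath}, insecure)
    return api_call(host, api_key, {"type": "commit", "cmd": "<commit></commit>"}, insecure)


if __name__ == "__main__":
    # Dry run: print the generated xpaths and elements without touching a firewall.
    for xpath, element in quic_block_config():
        print(xpath, "\n  ", element)
```

Running the script as-is only prints the generated configuration; call `push_quic_block("fw.example.internal", api_key)` (hostname assumed) to apply it. After the commit, confirm in Monitor > Traffic that sessions matching `Block-QUIC-App`/`Block-QUIC-UDP` are denied and that the same clients then open `ssl` sessions on TCP/443 that hit your decryption policy.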


Additional Information


What is QUIC?

  • QUIC (Quick UDP Internet Connections, pronounced "quick") is a transport layer network protocol originally developed by Google and later standardized by the IETF (RFC 9000, 2021); HTTP/3 runs over the IETF version.
  • QUIC supports a set of multiplexed connections between two endpoints over User Datagram Protocol (UDP), and was designed to provide security protection equivalent to TLS/SSL, along with reduced connection and transport latency, and bandwidth estimation in each direction to avoid congestion.
  • QUIC's main goal is to optimize connection-oriented web applications currently using TCP.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail