File blocking does not work as expected due to QUIC

Created On 09/23/22 15:50 PM - Last Modified 03/12/24 21:28 PM


Symptom


  • The QUIC protocol is allowed on the firewall.
  • Decryption and File Blocking are configured on the firewall.
  • File downloads from Google Drive still succeed.
  • Traffic logs continue to display "deny" or "block" even when the file is downloaded.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Decryption
  • File Blocking
  • QUIC Protocol


Cause


  • File-sharing technologies use or depend on the QUIC protocol to provide a faster SSL user experience.
  • QUIC works over udp/80 and udp/443. Because this is not standard TLS/SSL traffic, the Palo Alto firewall cannot decrypt it.
  • As a result, the traffic is incorrectly identified as "web browsing", and a file that was intended to be blocked is downloaded.


Resolution


  1. Block QUIC traffic on the firewall, OR
  2. Disable QUIC in the Chrome browser:
      • Open the Chrome browser and type chrome://flags in the title bar.
      • Go to Experimental QUIC protocol.
      • Change to Disabled. The default setting is Enabled.
      • Restart the browser.
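
To confirm that option 1 is in effect, the traffic log can be checked for UDP flows to ports 80 and 443 that were still allowed. The script below is an added example, not Palo Alto code: the CSV column names, the rule names (Allow-Web, Block-QUIC) and the sample rows are constructed assumptions, so map them to the columns of your own log export.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. Column names and rule names are assumptions for
# this example, not the exact header of a PAN-OS traffic log export.
SAMPLE_LOG = """\
src,dst,proto,dport,app,action,rule
10.1.1.20,198.51.100.14,udp,443,quic,allow,Allow-Web
10.1.1.20,198.51.100.14,tcp,443,ssl,allow,Allow-Web
10.1.1.21,198.51.100.14,udp,443,quic,deny,Block-QUIC
10.1.1.22,198.51.100.46,udp,80,web-browsing,allow,Allow-Web
10.1.1.20,198.51.100.14,udp,443,quic,allow,Allow-Web
10.1.1.23,192.0.2.53,udp,53,dns,allow,Allow-DNS
"""

QUIC_PORTS = {80, 443}      # udp/80 and udp/443, as listed under Cause
ALLOW_ACTIONS = {"allow"}


def is_quic_candidate(row):
    """True for UDP flows to port 80/443, whatever application label they got."""
    return row["proto"].lower() == "udp" and int(row["dport"]) in QUIC_PORTS


def allowed_quic_flows(log_text):
    """Return rows where a QUIC-capable UDP flow was allowed through."""
    reader = csv.DictReader(io.StringIO(log_text))
    return [r for r in reader
            if is_quic_candidate(r) and r["action"].lower() in ALLOW_ACTIONS]


def summarize(rows):
    """Count allowed flows per (source, rule) so the permitting rule is visible."""
    return Counter((r["src"], r["rule"]) for r in rows)


if __name__ == "__main__":
    hits = allowed_quic_flows(SAMPLE_LOG)
    for (src, rule), n in summarize(hits).most_common():
        print(f"{src}: {n} allowed UDP 80/443 flow(s) via rule {rule}")
```

Matching on protocol and port rather than on the application label also catches flows that were logged as "web browsing", which is the misidentification described under Cause.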


Additional Information


Google Services are Not Decrypted when Accessed from Chrome
NOTE: The impact is not limited to the Chrome browser. The issue is observed on all browsers.

 


