Inspection of QUIC traffic
It appears that currently QUIC traffic (UDP port 80/443) is not categorized by the web filter. Users seem to be able to access YouTube and other Google sites without any of their traffic being inspected.

5 comments
-
Ian commented
This could better be worked around if we could block https/QUIC based on DNS like we could in UTM9 or Fortinet does it...
-
Jesse B. commented
This needs to be done ASAP!! Not just block it. Especially with a service like Cloudflare adding support for QUIC, they may also add an option to only allow website visits using QUIC, which would effectively break a TON of websites.
-
In version 17.1 we introduced an option in the Firewall rule that allows you to quickly block QUIC traffic, which forces browsers to revert to regular HTTP.
-
Our recommended solution for this right now is to block QUIC in the firewall. This can be done by adding a rule that blocks outbound connections to UDP ports 80 and 443. Browsers will automatically fall back to using regular HTTP/HTTPS.
In the short term, we plan to add a feature to make this blocking simpler to implement.
In the longer term we will investigate providing direct support to enable full Web Protection for the QUIC protocol.
-
A commented
Further to that, UDP 80/443 cannot be added to Web Protection -> Filtering Options -> Allowed Target Services.