TABLE OF CONTENTS
About & Managing QUIC protocol
How to block QUIC through Firewall Filter
Troubleshooting and Verification
QUIC
About & Managing QUIC protocol
Google developed the QUIC protocol to improve the performance of HTTPS and HTTP (TCP 443 and TCP 80) connections. Chrome has had experimental support for it since 2014, and it is also used in Chromium and on Android devices.
QUIC connections do not require a TCP handshake, but SSL inspection depends on TCP session information. Because of this, Zscaler cannot inspect QUIC sessions when SSL inspection is enabled for a user, and users may also see certificate errors while QUIC is in use.
Zscaler best practice is therefore to block QUIC. When QUIC is blocked, the browser falls back to TCP, which allows SSL inspection to work without negatively impacting the user experience.
Recent versions of Microsoft Edge have also implemented experimental QUIC support.
How to block QUIC through Firewall Filter
If you send your outbound internet traffic to Zscaler through a GRE or IPsec tunnel, or through Zscaler Client Connector using Z-Tunnel 2.0, you can block QUIC by creating a Firewall Filtering rule. The rule blocks QUIC UDP flows, which forces the browser to fall back to TCP 80/443.
- Select Policy
- Click Firewall Control
Add FW Filtering Rule steps
- Select Add Firewall Filtering Rule
- Name/label the rule
- Select who the rule applies to (TNB – Gsuite -Group)
- Select the “Service Application” tab
- Add a Network Service
- Look for QUIC
- Select “Network Traffic” as Block/Reset, then Save and Activate.
Troubleshooting and Verification
You can now test it in Chrome or Edge. First, test with a policy that has the Tenant Profile restriction feature applied; in this case, Google Drive restricted to allow only certain domains.
- The block message / error message is shown.
- Click the lock icon.
- Verify that the browser is presenting the Zscaler certificate.
Verification
Right-click on GDRIVE and select either option several times.
Verify that the certificate for every page has been received correctly and that the policy works as intended. Besides a new tab, you can also try opening a new browser window while the other tab is open.
** This way you can reset/block all QUIC for every user according to the policy you define.
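The browser check above verifies one user at a time. As an added example that is not part of this guide or of Zscaler's tooling, the following Python script audits flow-log lines to confirm the same thing at scale: it flags UDP 80/443 flows that were still allowed (the block rule did not cover them) and checks that blocked UDP flows were followed by the expected TCP fallback. The log format, field order and IP addresses are constructed for the example and are not a real Zscaler log layout.

```python
import re

# Constructed sample flow-log lines (not real Zscaler output); each line is:
# timestamp src_ip dst_ip proto dst_port action
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 192.0.2.10 203.0.113.5 UDP 443 ALLOW
2024-01-01T10:00:01Z 192.0.2.10 203.0.113.5 TCP 443 ALLOW
2024-01-01T10:00:05Z 192.0.2.20 203.0.113.7 UDP 443 BLOCK
2024-01-01T10:00:06Z 192.0.2.20 203.0.113.7 TCP 443 ALLOW
2024-01-01T10:00:09Z 192.0.2.20 203.0.113.9 UDP 443 BLOCK
2024-01-01T10:00:12Z 192.0.2.20 198.51.100.1 UDP 53 ALLOW
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) "
                     r"(?P<proto>TCP|UDP) (?P<dport>\d+) (?P<action>ALLOW|BLOCK)$")
QUIC_PORTS = {80, 443}  # QUIC uses UDP to the same ports as the HTTP/HTTPS fallback


def parse_line(line):
    """Parse one flow-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def audit_quic(log_text):
    """Sort QUIC-candidate flows (UDP to 80/443) into three sorted lists of (src, dst):
    gaps: UDP 80/443 was ALLOWED, so the block rule did not cover that flow;
    fallbacks: UDP was BLOCKED and a TCP flow to the same port followed (expected);
    no_fallback: UDP was BLOCKED but no TCP flow to that destination was seen."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    tcp_seen = {(r["src"], r["dst"], r["dport"]) for r in records
                if r["proto"] == "TCP" and r["action"] == "ALLOW"}
    gaps, fallbacks, no_fallback = set(), set(), set()
    for r in records:
        if r["proto"] != "UDP" or r["dport"] not in QUIC_PORTS:
            continue
        pair = (r["src"], r["dst"])
        if r["action"] == "ALLOW":
            gaps.add(pair)
        elif (r["src"], r["dst"], r["dport"]) in tcp_seen:
            fallbacks.add(pair)
        else:
            no_fallback.add(pair)
    return sorted(gaps), sorted(fallbacks), sorted(no_fallback)
```

Any entry in the gaps list is a user or destination the Firewall Filtering rule is not reaching; entries in no_fallback are worth a closer look in the browser check above, since the client did not open the expected TCP session.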