Blocking QUIC for Edge/Chrome at the Zscaler Firewall

Modified on Tue, 9 Mar, 2021 at 7:50 PM


 

TABLE OF CONTENTS

QUIC

About & Managing QUIC protocol

How to block QUIC through Firewall Filter

Add FW filtering Rule Step

Troubleshooting and Verification

QUIC

About & Managing QUIC protocol

Google developed the QUIC protocol to improve the performance of HTTPS and HTTP connections that would otherwise run over TCP 443 and TCP 80. QUIC runs over UDP (typically UDP 443) and carries its own encrypted handshake. Chrome has had experimental support for it since 2014, and it is also used by Chromium-based browsers and on Android devices.

Because QUIC runs over UDP, a QUIC connection never performs the TCP handshake that Zscaler's SSL inspection relies on to intercept the session. Zscaler therefore cannot inspect QUIC sessions even when SSL inspection is enabled for the user, so any policy that depends on inspection (for example the tenant restriction policy tested later in this article) is not applied to that traffic. Users may also see certificate errors when QUIC is in use.

Zscaler's best practice is to block QUIC. When the UDP flow is blocked, the browser falls back to TCP (HTTP/1.1 or HTTP/2 over TLS), which is then inspected as normal, without a noticeable impact on the user experience.

Current (Chromium-based) versions of Microsoft Edge also implement QUIC, so the same behaviour applies to Edge.

How to block QUIC through Firewall Filter

If you send your outbound internet traffic to Zscaler through a GRE or IPSec tunnel, or through Zscaler Client Connector using Z-Tunnel 2.0, you can block QUIC with a Firewall Filtering rule. The rule resets or drops the QUIC UDP flows, so the browser falls back to TCP 80/443 and the traffic becomes subject to SSL inspection.

In the ZIA Admin Portal:

  1. Select Policy.
  2. Click Firewall Control.

Add FW filtering Rule Step

  1. Select Add Firewall Filtering Rule.
  2. Name the rule (for example "Block QUIC").
  3. Choose who the rule applies to, by user, group, department or location (in this example the group TNB – Gsuite – Group).
  4. Select the "Service Application" tab.
  5. Under Network Services, add a service.
  6. Search for the predefined QUIC network service and select it.
  7. Set the action to Block/Reset, then Save and Activate the change.

Firewall Filtering rules are evaluated in order, so place this rule above any rule that allows all UDP or all traffic for the same users; otherwise the broader rule matches first and QUIC is never blocked. The rule only affects traffic that reaches the Zscaler firewall: with Z-Tunnel 1.0, which forwards only web (TCP 80/443) traffic, QUIC is not forwarded to Zscaler at all and has to be blocked on the local firewall or by browser policy instead.
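The same rule can be created with the ZIA cloud service API instead of the admin portal, which is useful when it has to be rolled out to several tenants consistently. The following Python script is an added example and is not Zscaler's own code: the endpoint paths (/authenticatedSession, /networkServices, /firewallFilteringRules, /status/activate), the BLOCK_RESET action value and the API-key obfuscation scheme are taken from the ZIA API reference as the editor knows it, and the cloud base URL, credentials and group IDs are read from environment variables as assumptions; check all of them against your cloud's API reference before use.

```python
"""Create a ZIA Firewall Filtering rule that blocks the QUIC network service.

Added example (not from the original article). Endpoint paths, the BLOCK_RESET
action and the API-key obfuscation scheme are assumptions taken from the ZIA
API reference; the base URL, credentials and group IDs come from the environment.
"""
import json
import os
import time
import urllib.request
from http.cookiejar import CookieJar

ZIA_BASE = os.environ.get("ZIA_BASE", "https://zsapi.zscaler.net/api/v1")  # assumed cloud


def obfuscate_api_key(api_key: str, now_ms: int) -> str:
    """ZIA API-key obfuscation: pick key characters by the digits of the last
    six digits of the millisecond timestamp, then by those digits halved (+2)."""
    n = str(now_ms)[-6:]
    r = str(int(n) >> 1).zfill(6)
    key = "".join(api_key[int(d)] for d in n)
    key += "".join(api_key[int(d) + 2] for d in r)
    return key


def build_quic_block_rule(quic_service_id: int, group_ids: list, order: int = 1) -> dict:
    """Payload for POST /firewallFilteringRules: Block/Reset QUIC for the given groups.
    order=1 puts the rule at the top so a broader 'allow UDP' rule cannot shadow it."""
    return {
        "name": "Block QUIC (force TCP fallback)",
        "description": "Block QUIC so Chrome/Edge fall back to TCP 443 and SSL inspection applies",
        "order": order,
        "state": "ENABLED",
        "action": "BLOCK_RESET",
        "nwServices": [{"id": quic_service_id}],
        "groups": [{"id": gid} for gid in group_ids],
    }


class ZiaSession:
    """Minimal cookie-based ZIA API client using only the standard library."""

    def __init__(self, base: str):
        self.base = base
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))

    def call(self, method: str, path: str, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with self.opener.open(req, timeout=30) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None

    def login(self, username: str, password: str, api_key: str):
        now_ms = int(time.time() * 1000)
        return self.call("POST", "/authenticatedSession", {
            "username": username,
            "password": password,
            "apiKey": obfuscate_api_key(api_key, now_ms),
            "timestamp": str(now_ms),
        })


def find_quic_service_id(session: ZiaSession) -> int:
    """Look up the predefined QUIC network service instead of hard-coding its ID."""
    for svc in session.call("GET", "/networkServices?search=QUIC") or []:
        if svc.get("name", "").upper() == "QUIC":
            return svc["id"]
    raise LookupError("QUIC network service not found in this tenant")


if __name__ == "__main__":
    zia = ZiaSession(ZIA_BASE)
    zia.login(os.environ["ZIA_USER"], os.environ["ZIA_PASS"], os.environ["ZIA_APIKEY"])
    groups = [int(g) for g in os.environ.get("ZIA_GROUP_IDS", "").split(",") if g]
    rule = build_quic_block_rule(find_quic_service_id(zia), groups)
    created = zia.call("POST", "/firewallFilteringRules", rule)
    print("created rule id:", created["id"])
    print("activation:", zia.call("POST", "/status/activate"))  # same as Activate in the portal
```

obfuscate_api_key takes the timestamp as a parameter so the scheme can be checked against a known value, and build_quic_block_rule is kept free of network calls so the payload can be reviewed before anything is sent to the tenant.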

 

Troubleshooting and Verification

Test from Chrome or Edge. First, test a policy that depends on SSL inspection, such as one that uses the tenant profile (tenant restriction) feature. In this example Google Drive is restricted so that only the allowed Google tenant domain can be used.

  1. The block message / error page is shown for the disallowed tenant.
  2. Click the lock icon in the address bar.
  3. Verify that the certificate presented to the browser is issued by the Zscaler root CA. A Zscaler-issued certificate shows the session was carried over TCP and inspected; a certificate from Google's own CA means the session was not inspected (for example because it went over QUIC).

Verification

Right-click the Google Drive link and open it in a new tab; repeat this several times.

Verify that the certificate for every page is issued by Zscaler and that the policy works as intended. Test not only new tabs but also a new browser window while other tabs are open, since the browser may keep an existing QUIC session alive until it is reset.

This way all QUIC traffic is reset/blocked for every user according to the policy you define.
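The browser check above is manual. The Python script below, an added example that is not part of the original article, automates the two checks from a client behind Zscaler: it sends a QUIC long-header packet with a deliberately unsupported version to UDP 443 (a reachable QUIC server must answer with a Version Negotiation packet per RFC 8999; if the Zscaler firewall resets or drops the flow, the probe times out), and it opens TCP 443 and reports the issuer of the certificate the client actually receives, which should be a Zscaler CA when inspection is in effect. The target host www.google.com and the 5-second timeout are assumptions.

```python
"""Check from a client whether QUIC (UDP 443) is blocked and TCP 443 is inspected.

Added example (not from the original article). The probe is a QUIC long-header
packet with a reserved "force version negotiation" version (0x?a?a?a?a); a
reachable QUIC server answers with a Version Negotiation packet, a blocked
path yields a timeout. Host name and timeout are assumptions.
"""
import os
import socket
import ssl

FORCED_VN_VERSION = 0x1A2A3A4A   # reserved pattern that forces version negotiation
MIN_INITIAL_SIZE = 1200          # servers may ignore smaller packets (anti-amplification)


def build_vn_probe(dcid: bytes, scid: bytes = b"") -> bytes:
    """QUIC long header: flags(1) | version(4) | dcid_len(1) | dcid | scid_len(1) | scid,
    zero-padded to 1200 bytes so the server treats it as a real client packet."""
    hdr = bytes([0xC0])  # long-header bit + fixed bit; low bits are version-specific
    hdr += FORCED_VN_VERSION.to_bytes(4, "big")
    hdr += bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid
    return hdr.ljust(MIN_INITIAL_SIZE, b"\x00")


def is_version_negotiation(pkt: bytes) -> bool:
    """Version Negotiation packet = long header with the version field set to 0."""
    return len(pkt) >= 7 and (pkt[0] & 0x80) != 0 and pkt[1:5] == b"\x00\x00\x00\x00"


def offered_versions(pkt: bytes) -> list:
    """Versions the server supports, listed after dcid/scid in a Version Negotiation packet."""
    if not is_version_negotiation(pkt):
        return []
    i = 5
    dcid_len = pkt[i]
    i += 1 + dcid_len
    scid_len = pkt[i]
    i += 1 + scid_len
    return [int.from_bytes(pkt[j:j + 4], "big") for j in range(i, len(pkt) - 3, 4)]


def quic_reachable(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if a QUIC server answered the probe, i.e. QUIC is NOT blocked on the path.
    A timeout means blocked (or the host does not speak QUIC; pick a known QUIC host)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_vn_probe(os.urandom(8)), (host, port))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return False
    return is_version_negotiation(data)


def issuer_common_name(cert: dict) -> str:
    """Issuer CN from the dict returned by ssl.SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def tcp_tls_issuer(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Issuer CN of the certificate the client receives on TCP 443. Uses the default
    trust store, so this raises SSLCertVerificationError if the Zscaler root CA is not
    installed on the client, which is itself a finding worth fixing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return issuer_common_name(tls.getpeercert())


if __name__ == "__main__":
    host = "www.google.com"  # assumed test target; any QUIC-capable site works
    print("QUIC reachable:", quic_reachable(host))   # expect False once the rule is active
    print("TLS issuer CN :", tcp_tls_issuer(host))   # expect a Zscaler CA when inspected
```

Run it once before and once after activating the rule: the QUIC line should flip from True to False while the TLS issuer stays a Zscaler CA. If the issuer is Google's own CA, SSL inspection is not being applied to that session regardless of the QUIC result.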
