Blocking QUIC
Security features that rely on SSL deep inspection cannot inspect HTTP/3 traffic. To make them work, you can manually block QUIC (UDP 443) traffic so that clients fall back from QUIC to TLS 1.3.
For VPN remote users, you can block QUIC traffic by creating a new policy that blocks QUIC using the predefined QUIC service in FortiSASE.
For secure web gateway (SWG) users, on the endpoint, you can block QUIC traffic by disabling the corresponding web browser setting.
To block QUIC for VPN remote users using a service and policy:
- Create a policy using the predefined QUIC service by going to Configuration > Policies:
- Click +Create.
- In the New Policy page, configure these settings:

Field | Value
---|---
Name | Block QUIC
Source Scope | All
Destination | All Internet Traffic
Service | Click +, select QUIC under Web Access, then click Close.
Action | Deny
Status | Enable
Log Violation Traffic | Enable

- Click OK.
- Drag the newly created policy to the top of the policy list.
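Because the policy logs violation traffic, the traffic logs are the gateway-side evidence that the block is effective. The following added script (not part of this guide or of FortiSASE) audits key=value traffic-log lines for UDP port 443 flows: it counts denies per policy and flags any UDP/443 flow that was accepted, which indicates another policy matched before Block QUIC and the policy is not at the top of the list. The log lines and field names (srcip, dstip, dstport, proto, action, policyname) are constructed in FortiGate style and are assumptions, not an exported log.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate-style key=value traffic-log format.
# Field names are assumed for illustration; adapt them to your log export.
SAMPLE_LOGS = """\
date=2024-01-10 time=10:00:01 type="traffic" srcip=10.0.0.5 dstip=142.250.74.36 dstport=443 proto=17 service="QUIC" action="deny" policyname="Block QUIC"
date=2024-01-10 time=10:00:02 type="traffic" srcip=10.0.0.5 dstip=142.250.74.36 dstport=443 proto=6 service="HTTPS" action="accept" policyname="Allow Internet"
date=2024-01-10 time=10:00:03 type="traffic" srcip=10.0.0.7 dstip=104.16.1.1 dstport=443 proto=17 service="QUIC" action="accept" policyname="Allow Internet"
date=2024-01-10 time=10:00:04 type="traffic" srcip=10.0.0.9 dstip=8.8.8.8 dstport=53 proto=17 service="DNS" action="accept" policyname="Allow Internet"
"""

# key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def is_quic_flow(rec):
    """QUIC is carried over UDP (IP protocol 17) to destination port 443."""
    return rec.get("proto") == "17" and rec.get("dstport") == "443"


def audit_quic(log_text):
    """Return (denied, leaked).

    denied: Counter of policy names that denied UDP/443 flows.
    leaked: list of (srcip, dstip, policyname) for UDP/443 flows that were
            accepted, i.e. a policy above Block QUIC matched the flow first.
    """
    denied = Counter()
    leaked = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_quic_flow(rec):
            continue
        if rec.get("action") == "deny":
            denied[rec.get("policyname", "?")] += 1
        else:
            leaked.append((rec.get("srcip"), rec.get("dstip"), rec.get("policyname")))
    return denied, leaked


if __name__ == "__main__":
    denied, leaked = audit_quic(SAMPLE_LOGS)
    print("UDP/443 denies per policy:", dict(denied))
    for src, dst, pol in leaked:
        print(f"WARNING: UDP/443 {src} -> {dst} accepted by policy '{pol}'; "
              "Block QUIC is not matching first")
```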
To block QUIC for SWG users in web browser settings:
On the endpoint machine, go to the web browser settings and disable QUIC as follows:
Browser | Action
---|---
Google Chrome | In the address bar, enter chrome://flags#enable-quic, and set Experimental QUIC protocol to Disabled.
Mozilla Firefox | In the address bar, enter about:config, search for network.http.http3.enabled, and set it to false.
Microsoft Edge | In the address bar, enter edge://flags/#enable-quic, and set Experimental QUIC protocol to Disabled.
To confirm QUIC has been blocked:
After you have implemented one of the aforementioned approaches to block QUIC traffic, confirm it works as follows:
- On an endpoint machine, open a web browser. For this example, Google Chrome is used.
- Go to https://quic.nginx.org/. If QUIC traffic is blocked, you should see the following web site result: