Sophos XG Firewall: How to block the Google QUIC protocol on Sophos XG.

Overview

QUIC (Quick UDP Internet Connections) is an experimental network protocol designed by Google to reduce latency and avoid network congestion, and Google Chrome uses it by default. Because QUIC runs over UDP ports 80 and 443 rather than TCP, connections made over QUIC can bypass Sophos XG's security features such as Sophos Sandstorm, HTTPS decryption, malware scanning and content filtering, so these may not work correctly for Google Chrome traffic. Blocking QUIC forces the browser to fall back to TCP and ensures that all web traffic passes through the proxy, so filtering is not bypassed.

This article explains how to block Google's QUIC protocol so that Sophos XG's security, scanning and filtering features cannot be bypassed by the Google Chrome web browser.

Instructions

There are four different ways to block the QUIC protocol.

Option 1: Disable QUIC with Application Control.

Step 1: Go to Protect > Application > Application Filter > Add.

Enter a name and set Template to Allow All. Click Save.

Step 2: Edit Application Filter

Click the pencil icon to edit the policy you just created.

Click Add.

Click Select Individual Application. Under Technology, select Network Protocol.

Scroll down and select QUIC. Set Action to Deny.

Click Save.

Step 3: Create a Firewall Rule

Go to Protect > Rules and policies > Add firewall rule > New firewall rule.

Enter a Rule Name. Set Action to Drop and Rule Position to Top.

Select LAN as the Source Zone and WAN as the Destination Zone.

Scroll down to Other security features and, under App control, select the Block QUIC application filter created above. Click Save.

Option 2: Web filtering

When creating the firewall rule, scroll down to the Security features section.

Under Web filtering, select Scan HTTP and decrypted HTTPS, then select Block QUIC protocol.

Option 3: Block the QUIC protocol with a firewall rule.

Go to Protect > Rules and policies > Add firewall rule > New firewall rule.

Enter a Rule Name. Set Action to Drop and Rule Position to Top.

Select LAN as the Source Zone and WAN as the Destination Zone.

Under Services, click Add New Item > Create New > Services.

Enter a name of your choice and select TCP / UDP as the service type. Set Protocol to UDP and enter 80 and 443 as the Destination Port. Click Save.

Option 4: Disable QUIC on Google Chrome.

Open the Google Chrome browser and enter the address chrome://flags/.

Type QUIC in the search box, find Experimental QUIC protocol and set it to Disabled.

Finally, click Relaunch.
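As an added check that is not part of the original article: a small Python classifier for QUIC long-header packets. Run over UDP payloads captured on the LAN side after applying one of the options above, it shows whether Chrome is still attempting QUIC on UDP/80 or UDP/443 or has fallen back to TCP. The version constants come from RFC 9000 and RFC 9369, and the sample flows are constructed.

```python
"""Added example (not from the Sophos article): spot QUIC long-header packets
in UDP traffic so a capture taken behind the firewall can confirm that Chrome
really fell back to TCP. Sample flows below are constructed."""
import struct
from typing import List, Optional, Tuple

VERSION_NEGOTIATION = 0x00000000   # server answer to an unsupported version
IETF_QUIC_V1 = 0x00000001          # RFC 9000
IETF_QUIC_V2 = 0x6B3343CF          # RFC 9369
Flow = Tuple[str, str, int, bytes]  # (source ip, protocol, dst port, payload)

def classify_udp_payload(payload: bytes) -> Optional[str]:
    """Return a version label if `payload` starts with a QUIC long header.
    Only long headers (Initial, 0-RTT, Handshake, Retry) carry a version and
    are the connection attempts the block must stop; short-header 1-RTT
    packets exist only after a handshake succeeded, so they return None."""
    if len(payload) < 5 or not payload[0] & 0x80:   # bit 7 set = long header
        return None
    version = struct.unpack("!I", payload[1:5])[0]
    if version == VERSION_NEGOTIATION:
        return "version-negotiation"
    if version == IETF_QUIC_V1:
        return "ietf-v1"
    if version == IETF_QUIC_V2:
        return "ietf-v2"
    tag = payload[1:5]             # legacy Google QUIC versions are ASCII "Qnnn"
    if tag[:1] == b"Q" and tag[1:].isdigit():
        return "gquic-" + tag.decode("ascii")
    return None

def quic_attempts(flows: List[Flow]) -> List[Tuple[str, int, str]]:
    """List (src, port, version) for UDP/80 or UDP/443 datagrams that still
    carry a QUIC long header; an empty list means the block is effective."""
    hits = []
    for src, proto, dport, payload in flows:
        if proto == "udp" and dport in (80, 443):
            label = classify_udp_payload(payload)
            if label:
                hits.append((src, dport, label))
    return hits

# Constructed samples: IETF v1 Initial, legacy gQUIC Q050, a TCP TLS
# ClientHello (fallback worked) and a short-header UDP packet on 443.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "udp", 443, b"\xc0\x00\x00\x00\x01" + b"\x00" * 20),
    ("10.0.0.6", "udp", 443, b"\xc3Q050" + b"\x00" * 20),
    ("10.0.0.7", "tcp", 443, b"\x16\x03\x01\x00\xc0"),
    ("10.0.0.8", "udp", 443, b"\x40\x00\x00\x00\x01" + b"\x00" * 20),
]
```

Calling quic_attempts(SAMPLE_FLOWS) on the constructed data lists the two hosts whose QUIC attempts would still need to be dropped; an empty result on a real capture confirms the rule is working.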
