Understanding the QUIC Protocol: Security and Reporting Implications for Cyfin Users

Overview

QUIC (Quick UDP Internet Connections) is a transport layer protocol developed by Google to improve web performance and reduce latency. While QUIC offers speed benefits, it creates significant challenges for network security and reporting solutions like Cyfin. This article explains how QUIC works, its impact on your network visibility, and how to resolve issues associated with QUIC traffic.

What is QUIC?

QUIC is essentially HTTP/2 over UDP rather than the traditional TCP protocol. Where protocols like SPDY and HTTP/2 were incremental improvements to HTTP over TCP, QUIC takes a fundamentally different approach by using UDP as its transport mechanism.

Current QUIC Adoption

• Enabled by default in Google Chrome (which holds approximately 60% of browser market share)
• Supported in Microsoft Edge, Firefox, Opera, and other modern browsers
• Implemented across all Google properties (YouTube, Gmail, Google Drive, Google Search, etc.)
• Growing adoption by third-party websites and services
• Increasingly used by malicious actors who recognize QUIC as a way to bypass security controls

The Security Problem

The core issue is not with QUIC itself, but rather that most firewalls and security appliances do not recognize QUIC traffic as web traffic. This creates a significant security gap.

Why Firewalls Can’t Process QUIC

Traditional firewalls have extensive functionality for HTTP and HTTPS traffic:

• Deep packet inspection
• Web filtering and categorization
• Malware scanning
• Content filtering
• Enhanced logging and reporting

These features work because firewalls can interpret HTTP/HTTPS traffic from Layer 4 up to Layer 7. However, QUIC uses UDP on ports 80 and 443 (the same ports as HTTP/HTTPS), but that’s where the similarity ends. Network devices cannot determine the application protocol and treat QUIC as generic Layer 4 UDP traffic.

Real-World Security Implications

When QUIC traffic bypasses inspection, organizations face:

• Loss of content filtering: Cannot restrict access to YouTube or enforce Google SafeSearch
• Malware exposure: Malware and ransomware can be downloaded through Gmail or QUIC-enabled websites without detection
• Policy violations: Web usage policies cannot be enforced on QUIC traffic
• Compliance risks: Unable to meet regulatory requirements for web traffic monitoring

Impact on Cyfin Reporting

Incomplete Visibility

Cyfin relies on comprehensive logging from your firewall or UTM to provide accurate web usage reports. When QUIC is enabled:

• Missing web traffic data: Most firewalls only log QUIC as generic UDP traffic in firewall logs, not web logs
• Lost URL information: Cannot capture full URLs for Google Search terms or YouTube videos
• Incomplete user activity: Web filtering logs are not generated for QUIC sessions
• Inaccurate bandwidth reports: QUIC traffic may be miscategorized or missing from web usage reports

Example: Normal Traffic vs. QUIC

Normal HTTPS Traffic (Logged Properly):

• Complete URL captured
• Website category identified
• User information recorded
• Full web filtering logs generated

QUIC Traffic (Limited Logging):

• Only IP address and port visible
• No URL information
• No category data
• Only basic firewall log entry (UDP traffic)

If you’ve noticed a recent decline in reported traffic to Google sites (YouTube, Gmail, Drive, etc.) in Cyfin, there is a high probability your firewall is allowing QUIC.

The Solution: Block QUIC Protocol

The good news is that when QUIC communication is blocked, browsers and servers automatically fall back to traditional HTTP/HTTPS over TCP, where traffic can be inspected, controlled, logged, and reported on normally.

General Approach

Most firewall vendors recommend blocking QUIC until full protocol support is added to their products. Methods vary by firewall:

• Block by application type (QUIC protocol)
• Block UDP traffic on ports 80 and 443
• Use application control features
• Create custom firewall rules

Important Consideration: Before blocking UDP on port 443, verify that you’re not blocking other legitimate services. Some applications like OpenVPN can use UDP on port 443 for SSL VPN connections.

Firewall-Specific Configuration Guides

Below are links and instructions for blocking QUIC on popular firewall platforms:

Fortinet FortiGate

FortiGate firewalls offer multiple methods to block QUIC:

Method 1: Application Control (Recommended)

1. Navigate to Security Profiles > Application Control
2. Create a new profile or edit an existing one
3. Under “Application and Filter Overrides,” select “Create New”
4. Search for “QUIC” application signature
5. Set the action to “Block”
6. Apply this profile to your firewall policies

Method 2: Custom Firewall Policy

1. Create custom firewall services for UDP ports 80 and 443
2. Configure a firewall policy with these custom services
3. Set the action to “Deny”

Note: From FortiOS v7.2.0 onward, the default QUIC blocking option was removed. You must now use Application and Filter Overrides to block QUIC.

Method 3: SSL Inspection Profile (FortiOS 7.4+)

• Use SSL inspection profiles to detect and block QUIC traffic
• Create a custom inspection profile before making changes

Reference: Fortinet Community – Block QUIC Protocol

Palo Alto Networks

Palo Alto firewalls can inspect QUIC traffic but cannot decrypt it like traditional HTTPS. Blocking QUIC forces fallback to standard SSL/TLS which can be decrypted with SSL Forward Proxy.

Configuration Steps:

1. Create a custom service object for UDP ports 80 and 443:
   • Navigate to Objects > Services
   • Click “+Add”
   • Set Protocol to UDP
   • Enter Destination Ports: 80, 443
2. Create security policies:
   • Navigate to Policies > Security
   • Create two rules:
     • Rule 1: Block the custom UDP service
     • Rule 2: Block the QUIC application
   • Set both rules to “Deny” action
   • Configure appropriate zones, sources, and destinations

Note: With some Chrome versions, QUIC may be misidentified as “unknown-udp.” Create an additional rule to block unknown UDP traffic on ports 80 and 443.

Reference: Palo Alto Knowledge Base – Block QUIC

SonicWall

SonicWall offers multiple approaches depending on your firmware version:

Method 1: Application Control (SonicOS 6.x and later)

1. Navigate to Security Services > App Control Advanced
2. Locate “Google QUIC” application
3. Set the action to “Block”
4. Apply to relevant firewall policies

Method 2: Security Policy with Application Match (SonicOS 7.0+)

1. Create a custom service object:
   • Navigate to Objects > Services
   • Create service for UDP port 443
   • Click Save
2. Create a security policy:
   • Navigate to Policy > Rules and Policies > Security Policy
   • Click “Add” at the top
   • Configure Source/Destination zones, addresses, services
   • Under “App/URL/Custom Match,” set Match Operation to “OR”
   • Add “Google QUIC” to Application Match Group
   • Set Action to “Deny”
   • Enable the policy and save

Method 3: Custom Firewall Service

1. Create service objects for UDP ports 80 and 443
2. Create a firewall rule denying these UDP ports
3. Position the rule appropriately in your rule base

References:

• SonicWall KB – Block QUIC Protocol
• SonicWall KB – Block QUIC on SonicOS 7.0

Sophos XG/Sophos Firewall

Sophos firewalls provide native QUIC blocking functionality:

Method 1: Firewall Rule with QUIC Blocking (Recommended)

1. Navigate to Rules and Policies > Firewall Rules
2. Create a new firewall rule or edit existing LAN to WAN rule
3. In the rule settings, enable the following:
   • “Scan HTTP and decrypted HTTPS”
   • “Block QUIC protocol” (This is the key setting)
   • “Decrypt HTTPS” (if using web proxy)
4. Under Services, ensure UDP ports 443 and 80 are included (or set Services to “Any”)
5. Position the rule appropriately
6. Click Save

Important: The “Block QUIC protocol” option only works when UDP 443/80 is included in the Services section of the firewall rule. If QUIC service is not included, the blocking will not function properly.

Method 2: Application Control

1. Navigate to Web > Application Filter
2. Create a new application filter or edit existing
3. Add “QUIC” protocol to the filter
4. Set action to “Block”
5. Apply the filter to your firewall policy

Method 3: Create Custom QUIC Service (if needed)

1. Navigate to System > Hosts and Services > Services
2. Click “Add” to create a new service
3. Create services for:
   • UDP port 443
   • UDP port 80
4. Apply these services in firewall rules with Deny action

References:

• Sophos Documentation – Control Traffic Requiring Web Proxy Filtering
• Sophos Community – Block QUIC Discussion

Cisco Firepower / ASA

Configuration Steps:

1. Create a custom application filter or use access control policy
2. Block application “QUIC” or create service policy blocking UDP 443/80
3. Apply to appropriate access control rules

For Cisco Umbrella/AnyConnect SWG users, QUIC must be blocked to ensure proper proxy operation:

• Block UDP port 443 at the firewall
• Or block QUIC by application name if Layer 7 inspection is available

Reference: Cisco – Disable QUIC for AnyConnect SWG

WatchGuard

Configuration Steps:

1. Navigate to Firewall > Packet Filter
2. Create a new packet filter policy
3. Set Protocol to UDP
4. Set Destination Port to 443 and 80
5. Set Action to Deny
6. Apply to WAN-bound traffic

pfSense / OPNsense

Configuration Steps:

1. Navigate to Firewall > Rules
2. Create new rule on LAN interface
3. Set Action to “Block”
4. Set Protocol to “UDP”
5. Set Destination Port to 443 and 80
6. Add description: “Block QUIC Protocol”
7. Save and apply changes

Generic Firewall Configuration

If your specific firewall is not listed above, follow these general steps:

1. Identify QUIC Traffic: UDP on ports 80 and 443
2. Create a blocking rule:
   • Protocol: UDP
   • Destination Ports: 80, 443
   • Action: Deny/Drop/Block
3. Position the rule before any “allow all” or broader rules
4. Test thoroughly to ensure legitimate UDP services aren’t affected

Browser-Level Blocking (Alternative)

If firewall-level blocking isn’t possible, you can disable QUIC in browsers:

Google Chrome

1. Enter chrome://flags in the address bar
2. Search for “Experimental QUIC protocol”
3. Set to “Disabled”
4. Restart browser

Enterprise Deployment via Group Policy:

1. Open Group Policy Management Console
2. Navigate to User Configuration > Policies > Administrative Templates > Google > Google Chrome
3. Find “Allow QUIC protocol” setting
4. Set to “Disabled”

Microsoft Edge

1. Enter edge://flags in the address bar
2. Search for “Experimental QUIC protocol”
3. Set to “Disabled”
4. Restart browser

Mozilla Firefox

1. Enter about:config in the address bar
2. Search for network.http.http3.enabled
3. Set to false

Note: Browser-level blocking requires configuration on every device and can be circumvented by users. Firewall-level blocking is the recommended enterprise solution.

Testing QUIC Status

Verify if QUIC is Active

Method 1: Chrome Developer Tools

1. Open Google Chrome
2. Press F12 or Ctrl+Shift+I to open Developer Tools
3. Go to the Network tab
4. Right-click column headers and enable “Protocol” column
5. Visit a Google website (google.com, youtube.com, etc.)
6. Look for protocols showing “http/2+quic/43” or “h3” (HTTP/3)

If you see QUIC protocols, your browser is using QUIC and it’s likely not being blocked.

Method 2: Chrome QUIC Sessions

1. Open Chrome
2. Enter chrome://net-internals/#quic in the address bar
3. View active QUIC sessions

Method 3: Browser Extension

• Install the “HTTP/2 and SPDY indicator” Chrome extension
• It will show which pages are served via QUIC/HTTP3

Verify QUIC is Blocked

After implementing firewall rules:

1. Use the testing methods above
2. You should see protocols fall back to “h2” (HTTP/2 over TCP) or “https”
3. Check firewall logs for denied UDP 443/80 traffic
4. Confirm Cyfin is now capturing full URL information for Google services

Impact on User Experience

Performance Considerations

Google and other proponents claim QUIC reduces latency and improves page load times. However:

• The general consensus is there is no noticeable difference for average users when QUIC is disabled
• Websites will continue to function normally via standard HTTPS
• Security and visibility benefits far outweigh minimal performance differences

User Communication

When deploying QUIC blocking:

• Most users will not notice any change
• Web pages continue to load normally
• All services (YouTube, Gmail, etc.) remain fully functional
• No user action required

Benefits of Blocking QUIC

Once QUIC is blocked and traffic falls back to standard HTTPS:

Security Benefits

✓ Full deep packet inspection restored
✓ Malware scanning active on all web traffic
✓ Content filtering policies enforced
✓ Web usage policies properly applied
✓ Compliance requirements met

Cyfin Reporting Benefits

✓ Complete URL logging restored
✓ Accurate web category reporting
✓ Full user activity visibility
✓ Search term monitoring enabled
✓ YouTube video tracking operational
✓ Bandwidth reporting accuracy improved
✓ User productivity reports complete

Best Practices

1. Block at the firewall, not just the browser
   • Firewall-level blocking is centralized and cannot be bypassed
   • Browser settings can be changed by users
2. Test before full deployment
   • Implement in a test environment first
   • Verify no impact to legitimate UDP services
   • Confirm Cyfin reporting shows expected improvement
3. Document the change
   • Record which rules block QUIC
   • Note the date of implementation
   • Document any exceptions needed
4. Monitor after implementation
   • Watch for any blocked legitimate traffic
   • Verify Cyfin reports show improved visibility
   • Check for any user complaints
5. Keep informed about QUIC support
   • Monitor your firewall vendor for QUIC inspection support
   • When proper QUIC support is available, you may be able to unblock and inspect instead
   • Subscribe to vendor security advisories

Troubleshooting

QUIC Still Active After Blocking

Issue: Testing shows QUIC is still being used

Solutions:

• Verify firewall rule is positioned correctly (higher priority than allow rules)
• Confirm rule includes both UDP ports 80 AND 443
• Check that rule applies to correct source/destination zones
• Ensure browser cache is cleared (Ctrl+F5)
• Restart browser completely
• Test from a different device

Cyfin Still Missing Google Traffic

Issue: Reports still don’t show full Google traffic details

Solutions:

• Allow 24-48 hours for logs to accumulate after blocking QUIC
• Verify firewall is logging web traffic properly
• Confirm Cyfin is receiving syslog/logs from firewall
• Check that HTTPS decryption/inspection is enabled on firewall
• Verify Content Filtering Service (CFS) is active on firewall

Legitimate Services Broken

Issue: Some applications stopped working after blocking UDP 443

Solutions:

• Identify which applications are affected
• Check if they use UDP 443 for legitimate purposes (VPNs, etc.)
• Create exception rules for specific source/destination IPs
• Consider blocking QUIC by application signature instead of port-based blocking

Summary

QUIC is a modern protocol designed to make the web faster, but it creates significant security and reporting challenges. For organizations using Cyfin to monitor and report on web activity, QUIC represents a blind spot that can hide inappropriate usage, malware, and policy violations.

Key Takeaways:

• QUIC bypasses traditional firewall inspection and web filtering
• Cyfin cannot report on QUIC traffic accurately
• Blocking QUIC forces automatic fallback to inspectable HTTPS
• Users experience no functional impact when QUIC is blocked
• Security and visibility benefits far outweigh minor performance differences

Recommendation: Block QUIC protocol at your firewall until vendors provide full inspection capabilities. This ensures comprehensive security protection and complete visibility in your Cyfin reports.

Additional Resources

Cyfin Support

• Contact Cyfin support for assistance with reporting issues
• Verify your Cyfin configuration is optimized for your firewall

Firewall Vendor Resources

• Consult your firewall vendor’s documentation for latest QUIC blocking guidance
• Check for firmware updates that may include QUIC inspection features
• Subscribe to security bulletins for updates on QUIC support

Further Reading

• IETF QUIC Working Group
• Chromium QUIC Documentation
• Understanding HTTP/3 and QUIC protocol specifications

---

Document Version: 1.0
Last Updated: November 2025
Applies To: Cyfin Web Reporting and all supported firewall platforms