
YouTube UDP Port 443

I have a firewall rule setup for all of my computers and mobile devices with "Block Google QUIC" selected. This firewall rule also has specific services setup (HTTPS, NTP, SMTPS, etc.). Below that, I have another firewall rule that allows all outbound traffic with logging enabled (firewall rule #14) but "Block Google QUIC" is not selected.

When I watch a video on YouTube, I notice a bunch of traffic being blocked on UDP Port 443 (destination port):

2019-03-31 13:02:31 Firewall messageid="00002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="14" policy_type="1" user="" user_group="" web_policy_id="12" ips_policy_id="12" appfilter_policy_id="10" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1" out_interface="" src_mac="e0:33:8e:38:c1:e4" src_ip="26XX:8XXX:7XXX:6XX:e1XX:4XXX:1XXX:4XXX" src_country="" dst_ip="2620:11a:a02a::1e" dst_country="" protocol="UDP" src_port="50479" dst_port="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

As you can see in the entry, the in_interface is "Port1" but the out_interface is blank.

If I add a custom service I call "QUIC" for UDP Port 443 (destination), these entries no longer appear in my firewall logs.


So I'm a bit confused. If I have "Block Google QUIC" selected, but the traffic/connection applies to this firewall rule, shouldn't it just block it and not assess any firewall rules below it? How come it seems to be moving down to the next firewall rule (firewall rule #14) and appears to be blocked there, even though I don't have "Block Google QUIC" enabled on that firewall rule?

A simpler question: if I enable "Block Google QUIC" on a firewall rule, does it automatically add UDP Port 443 as a service that firewall rule is "looking" for (i.e. the same as me adding a custom-created QUIC service for UDP 443)? Or do I still have to add it as a service?

I remember reading about this in the past but I can't seem to find the thread. Something weird about firewall entries with a blank "Out Interface".

  • My understanding is:
     
    First it uses the IP address and Service (TCP/UDP and Src/Dst Port) to choose a firewall rule.  You can look in Hosts and Services at the definition for HTTPS = TCP (1:65535) / (443).
    So (most likely) your first rule does not match.  The Block QUIC setting does not apply.
     
    Then you have a later rule 14 where you say "all outbound traffic".  So it is service Any?  If so then it matches this rule.
    Why the traffic is then blocked by rule 14, I don't know.
     
    What happens if you go to policy tester and put in this?
    udp://www.youtube.com:443
     
  • Ah, okay. I think that’s probably why. I recently set up IPv6 on my network and on the firewall rule for all my iOS devices, I forgot to add the custom “QUIC” service I created which is for UDP (1:65535) / (443). I added it to the firewall rule and I don’t see the blocked traffic in my firewall logs but I’ll keep an eye on it.

    The later rule (14) I had that allows all outbound traffic did have service set to “Any” with the Block QUIC setting enabled, so I’m assuming that’s why it was pairing with this firewall rule (logging is also enabled which is why it was showing up in the logs).

    Bottom line, if you enable “Block Google QUIC” under “Web malware and content scanning”, you still need to make sure you have the QUIC service (which you’ll have to create) as a part of that firewall rule. For some reason, I was under the assumption if I enabled “Block Google QUIC”, the firewall rule would automatically add QUIC as a service.
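The rule-matching behaviour the thread arrives at (service match first, then the rule's own settings such as "Block Google QUIC" apply) can be checked with a small first-match simulator. This is an added example, not code from the forum or from the firewall vendor; the log line is a constructed subset of the one quoted above, and the service definitions (HTTPS = TCP/443, custom QUIC = UDP/443, Any) and rule settings follow the original post.

```python
import re
from dataclasses import dataclass

# Constructed subset of the key="value" log entry quoted in the original post.
SAMPLE_LOG = ('log_subtype="Denied" status="Deny" fw_rule_id="14" in_interface="Port1" '
              'out_interface="" dst_ip="2620:11a:a02a::1e" protocol="UDP" '
              'src_port="50479" dst_port="443"')

def parse_log(line):
    """Parse key="value" pairs from a firewall log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

# Service definitions: (protocol, low dst port, high dst port), as in Hosts and Services.
# "QUIC" is the custom service the poster had to create; "Any" matches every protocol/port.
SERVICES = {
    "HTTPS": ("TCP", 443, 443),
    "QUIC":  ("UDP", 443, 443),
    "Any":   (None, 1, 65535),
}

@dataclass
class Rule:
    rule_id: int
    services: list
    block_quic: bool = False   # "Block Google QUIC" checkbox on this rule

def service_matches(name, protocol, dst_port):
    proto, lo, hi = SERVICES[name]
    return (proto is None or proto == protocol) and lo <= dst_port <= hi

def first_matching_rule(rules, protocol, dst_port):
    """First-match evaluation: only the first rule whose service matches is used."""
    for rule in rules:
        if any(service_matches(s, protocol, dst_port) for s in rule.services):
            return rule
    return None

def evaluate(rules, log_line):
    """Return (rule id, whether Block QUIC applies) for the flow in the log line."""
    entry = parse_log(log_line)
    rule = first_matching_rule(rules, entry["protocol"], int(entry["dst_port"]))
    return ("no rule", False) if rule is None else (rule.rule_id, rule.block_quic)

if __name__ == "__main__":
    before = [Rule(1, ["HTTPS"], block_quic=True), Rule(14, ["Any"])]
    after = [Rule(1, ["HTTPS", "QUIC"], block_quic=True), Rule(14, ["Any"])]
    print("without QUIC service:", evaluate(before, SAMPLE_LOG))  # falls through to rule 14
    print("with QUIC service:   ", evaluate(after, SAMPLE_LOG))   # rule 1, Block QUIC applies
```

The UDP/443 flow never matches HTTPS (TCP only), so it falls through to the catch-all rule 14 until a UDP/443 service is added to rule 1.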