https://live.paloaltonetworks.com/t5/general-topics/quic-deny-vs-drop/m-p/237586#M68072 <P>Just curious.</P><P>&nbsp;</P><P>The recommended QUIC rules set the action to 'deny', but the first rule is for service udp 80/443 any application. Is there a reason this is a 'deny' and not a 'drop'?</P><P>&nbsp;</P><P>Reference</P><P><SPAN>HOW TO BLOCK QUIC PROTOCOL</SPAN></P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC</A></P><P>&nbsp;</P><P><SPAN>What a difference a Deny makes</SPAN></P><P><SPAN><A href="https://live.paloaltonetworks.com/t5/Community-Blog/What-a-difference-a-Deny-makes/ba-p/188811" target="_blank">https://live.paloaltonetworks.com/t5/Community-Blog/What-a-difference-a-Deny-makes/ba-p/188811</A></SPAN></P> Mon, 29 Oct 2018 14:25:10 GMT mike406 2018-10-29T14:25:10Z https://live.paloaltonetworks.com/t5/general-topics/quic-deny-vs-drop/m-p/237586#M68072 <P>Just curious.</P><P>&nbsp;</P><P>The recommended QUIC rules set the action to 'deny', but the first rule is for service udp 80/443 any application. Is there a reason this is a 'deny' and not a 'drop'?</P><P>&nbsp;</P><P>Reference</P><P><SPAN>HOW TO BLOCK QUIC PROTOCOL</SPAN></P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC</A></P><P>&nbsp;</P><P><SPAN>What a difference a Deny makes</SPAN></P><P><SPAN><A href="https://live.paloaltonetworks.com/t5/Community-Blog/What-a-difference-a-Deny-makes/ba-p/188811" target="_blank">https://live.paloaltonetworks.com/t5/Community-Blog/What-a-difference-a-Deny-makes/ba-p/188811</A></SPAN></P> Mon, 29 Oct 2018 14:25:10 GMT https://live.paloaltonetworks.com/t5/general-topics/quic-deny-vs-drop/m-p/237586#M68072 mike406 2018-10-29T14:25:10Z https://live.paloaltonetworks.com/t5/general-topics/quic-deny-vs-drop/m-p/237608#M68080 <P>There isn't a default "Deny Action" on QUIC, as it is (as you note) a UDP-only protocol.&nbsp; I believe that the default Deny is equivalent to a Drop, unless you check the checkbox on the "Send ICMP Unreachable" option.</P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/security-policy/security-policy-actions" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/security-policy/security-policy-actions</A></P><P>&nbsp;</P><P>"<EM>For a UDP session with a drop or reset action, if the ICMP Unreachable check box is selected, the firewall sends an ICMP message to the client.</EM>"</P> Mon, 29 Oct 2018 15:12:46 GMT https://live.paloaltonetworks.com/t5/general-topics/quic-deny-vs-drop/m-p/237608#M68080 JW6224 2018-10-29T15:12:46Z