04-08-2016 10:17 AM
I had two firewall rules in the following order:
With a "decrypt" profile on web based email which is allowed by the URL filtering profile on the first rule, but blocked by the second rule.
If I open my browser on my PC and go to Gmail with both rules in place, I look at my Gmail in the browser, and it is not using the PAN certs, and in the PAN logs I see the traffic is not decrypted, and the app shows as QUIC and is allowed using the second rule.
If I change the second rule to:
And repeat the Gmail test, now Gmail shows the PAN certificate and in the PAN logs the traffic is decrypted and is allowed using the first rule.
In the initial scenario, why didn't the first rule apply?
I'm using 7.0.6
Thanks
04-08-2016 11:11 AM
Hi...I am assuming that you are testing with Chrome browser since QUIC was detected.
Case 1 - the browser negotiated with Gmail using QUIC which is UDP so it is not matching tcp 80 or 443 for rule1. QUIC will match rule2.
Case 2 - Both rule1 and rule2 only match tcp 80 or 443. QUIC does not match and it is blocked. The browser then negotiated with Gmail over standard SSL/TLS and the decryption policy is triggered on SSL. At this point, the decrypted traffic is running on port tcp 443 so it matches rule 1.
Hope that helps. Thanks.
04-11-2016 06:13 AM
Rules are always matched from top to bottom.
In case 1 QUIC shouldn't match any of those 2 rules as web-browsing is only on tcp 80 if application default is selected according to Aplipedia. And even if web-browsing was allowed on all ports the traffic recognised as QUIC still shouldn't go through (as you're only allowing web-browsing app).
On the other hand QUIC uses only UDP 80 and 443 so it shouldn't go through first rule either.
Case 2 makes more sense, QUIC probably didn't go through so Gmail used SSL on TCP 443 which was allowed on first rule whcih has decrypt rule.
04-11-2016 06:15 AM
Why would QUIC match rule 2? Is it sub-application of web-browsing? Are UDP ports added to default ports for web-browsing?
04-11-2016 06:20 AM
I'm being daft, rule 2 was "browser based" so it would include QUIC but the URL filter on that rule wouldn't apply as it's UDP traffic is my assumption?
04-11-2016 06:40 AM
Yeah, maybe. Maybe URL filtering can only find GET, POST, CONNECT... on TCP traffic.
I really don't know how this QUIC protocol works. But you made me want to capture this quic traffic and analyze it 🙂 Tomorrow tho...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
