Chrome Quic SSL proxy / deep inspection


Chrome Quic SSL proxy / deep inspection




Wondering when / if PAs will handle QUIC the same way they handle web-browsing / SSL?




Accepted Solutions

I agree with the point about some (basic) things. Some of them are silly bugs and some of them features that would be nice. 

PA and Google have some sort of relationship with the deployment of Palo Alto firewalls in the Google cloud, but with QUIC I think Google simply does not really care. Their goal is to make browsing fast and secure. A man-in-the-middle by definition isn't that 😛

But about QUIC itself, I personally don't think this will rapidly grow (it made 0.2% in the last 8 months). Yes, QUIC does speed up browsing and also adds some other features, but you will get almost the same with HTTP/2 (official benchmarks show that browsing with HTTP/2 AND TLS encryption is faster than HTTP 1.1 without encryption). And HTTP/2 is already at 28.9%.

One really big thing (/problem) for Palo Alto will be TLS 1.3 ...




As far as I'm aware the PA cannot decrypt QUIC. I have a Chrome group policy in my environment disabling QUIC in the browser, and I block QUIC high up in my rules, which causes Chrome to fall back to SSL.




There are technical limitations in decrypting QUIC traffic due to the use of multiplexed connections and proprietary encryption methods. Visibility into this traffic is therefore limited and does not allow the firewall to decrypt this traffic.

My suggestion would be to block QUIC if you need visibility into the traffic. Since QUIC is still technically in development, it would additionally be recommended that you create one rule that blocks application 'quic' on service 'application-default', and then block udp-443 and udp-80 depending on your requirements. If Google updates QUIC, it may be that the App-ID drops back to unknown-udp; depending on your logging/security requirements this may or may not be acceptable to you.
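One way to check that the two-rule approach above actually took effect is to audit the traffic log for QUIC-like sessions that were still allowed. The following is an added example, not Palo Alto code or anything posted in this thread; the simplified four-column log layout and the sample rows are constructed assumptions (a real PAN-OS traffic log carries many more fields).

```python
"""Audit constructed, simplified PAN-OS-style traffic log rows for QUIC that
slipped past a block policy.  Assumed layout: app,proto,dport,action."""
import csv
from io import StringIO

# Constructed sample rows, not taken from any real firewall.
SAMPLE_LOG = """app,proto,dport,action
quic,udp,443,deny
web-browsing,tcp,80,allow
ssl,tcp,443,allow
quic,udp,443,allow
unknown-udp,udp,443,allow
unknown-udp,udp,80,deny
dns,udp,53,allow
"""

# Ports the thread recommends blocking for UDP in addition to the 'quic' App-ID.
QUIC_PORTS = {80, 443}


def is_quic_candidate(row):
    """True for the sessions the advice above targets: App-ID 'quic', or
    unknown-udp on udp/80 or udp/443, which is what QUIC may look like when
    App-ID does not recognise a newer protocol version."""
    if row["proto"] != "udp":
        return False
    if row["app"] == "quic":
        return True
    return row["app"] == "unknown-udp" and int(row["dport"]) in QUIC_PORTS


def find_leaks(log_text):
    """Return (app, dport) for every QUIC-like session whose action was
    'allow', i.e. where the block rules did not catch it."""
    reader = csv.DictReader(StringIO(log_text))
    return [(r["app"], int(r["dport"])) for r in reader
            if is_quic_candidate(r) and r["action"] == "allow"]


if __name__ == "__main__":
    for app, port in find_leaks(SAMPLE_LOG):
        print(f"allowed QUIC-like session: app={app} udp/{port}")
```

Any row reported here means the browser never fell back to TLS for that session, so it was not visible to SSL decryption.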


We block it without any issues. PAN also says block it:



In Security policy, block Quick UDP Internet Connections (QUIC) protocol unless for business reasons, you want to allow encrypted browser traffic. Chrome and some other browsers establish sessions using QUIC instead of TLS/SSL, but QUIC uses proprietary encryption that the firewall can’t decrypt, so potentially dangerous traffic may enter the network as encrypted traffic. Blocking QUIC forces the browser to fall back to TLS/SSL and enables the firewall to decrypt the traffic.




Yes, I know that, but I would have presumed over this time PA might have spent some time to do inspection. It's an open spec?


