This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Google QUIC Disconnects

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Google QUIC Disconnects

cosx
L2 Linker

‎11-11-2015 01:18 PM

We started getting complaints from users that various Google services were showing intermittent disconnects. I think we've tracked it down to the QUIC protocol not being accurately identified by the PAN firewalls and getting blocked. I see 443/udp traffic from the hosts in question getting dropped as "unidentified-udp" mixed in with the allowed "quic" traffic on the same ports to the same general set of Google servers. Google has been rolling out QUIC for a while now, but we only recently allowed it in the firewall. It's been since then that we've seen the Google issues start.

 

I am considering adding a rule allowing "any" application out on 443/udp as a workaround. Has anyone else seen similar problems? That is, do you allow "quic" out to the Internet, but otherwise would drop 443/udp and see or not see this issue? Did you implement a workaround like this or something else? (BTW, I am not overly concerned about the security implications. PAN firewalls don't understand the QUIC traffic like HTTPS to guess at the Google "applications" inside.)

0 Likes Likes
2 REPLIES 2

OtakarKlier
Cyber Elite
Cyber Elite

‎11-11-2015 01:43 PM

Not sure which version of software and/or dynamic updates you are on, however our PAN does see the quic traffic but we dont see any of the unidentified-udp. We currently are blocking quic but that is mainly because no one has complained about it. We dont use many google apps, maily search and mail for some users.

0 Likes Likes

cosx
L2 Linker
In response to OtakarKlier

‎11-12-2015 04:51 PM

Running 6.1.2 and keep up-to-date with the application-threat updates.

 

Yeah, it all worked fine when we weren't allowing quic. We didn't start seeing problems until we expressly allowed it.

0 Likes Likes
  • 2627 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks