QUIC deny vs drop

Reply
Highlighted
L2 Linker

QUIC deny vs drop

Just curious.

 

The recommended QUIC rules set the action to 'deny', but the first rule is for service udp 80/443 any application. Is there a reason this is a 'deny' and not a 'drop'?

 

Reference

HOW TO BLOCK QUIC PROTOCOL

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC

 

What a difference a Deny makes

https://live.paloaltonetworks.com/t5/Community-Blog/What-a-difference-a-Deny-makes/ba-p/188811

Highlighted
L2 Linker

There isn't a default "Deny Action" on QUIC, as it is (as you note) a UDP-only protocol.  I believe that the default Deny is equivalent to a Drop, unless you check the checkbox on the "Send ICMP Unreachable" option.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/security-policy/security-poli...

 

"For a UDP session with a drop or reset action, if the ICMP Unreachable check box is selected, the firewall sends an ICMP message to the client."

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!