Edge SWG support for "QUIC" protocol and "HTTP/3 or H3"

Article ID: 168616

Products

ProxySG Software - SGOS

Issue/Introduction

QUIC (Quick UDP Internet Connections) is a modern, encrypted, multiplexed transport protocol built on top of UDP. HTTP/3 (H3) is the latest version of the Hypertext Transfer Protocol, designed for faster, more efficient, and secure web communication. H3 runs over the QUIC transport protocol instead of TCP. Full support for QUIC and H3 interception is currently unavailable for the Edge SWG appliance.

Resolution

You can block QUIC/HTTP3 traffic on the Edge SWG appliance by using the UDP tunnel service. When QUIC is blocked, clients fall back to HTTP/1.1 or HTTP/2 over TCP, which the appliance can intercept and proxy. To block QUIC/HTTP3 traffic, use one of the following options:

Option 1: Update Action for Default UDP

Update the action for the Default UDP service under proxy-services to reject. In the CLI, enter the following commands:

#(config)proxy-services

#(config proxy-services)edit "Default UDP"

#(config Default UDP)reject

This configuration rejects all UDP traffic, including QUIC and HTTP/3. To bypass specific UDP applications by port, create separate service listeners for them. For example, to let RDP traffic pass through, create a UDP listener for port 3389 in bypass mode.

Option 2: Create Separate UDP Listeners for QUIC and H3

Create separate UDP listeners for QUIC and H3 by using the common QUIC/H3 port 443. This option is best used with a router or firewall blocking QUIC traffic on other ports, such as when an Edge SWG appliance is virtually inline with a router that decides which traffic to forward to the proxy.

If the router only forwards TCP port 443 and blocks all QUIC UDP traffic (regardless of port), then no additional changes on the Edge SWG appliance are needed. However, if the router forwards both TCP and UDP on port 443 to the proxy but blocks other ports, block UDP port 443 on the proxy. To block the port, in the CLI, enter the following commands:

#(config)proxy-services

#(config proxy-services)create udp-tunnel service_name service_group

#(config proxy-services)edit service_name

#(config service_name)add all all 443 reject

For explicit proxy deployments, add a firewall rule that blocks all direct HTTP traffic (all versions of HTTP, over both TCP and UDP) from clients attempting to go directly to the Internet. This rule allows only HTTP traffic that originates from the proxy.
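To confirm from a packet capture that the block is effective, it helps to know which clients are still sending QUIC Initial packets to UDP/443 (short retry bursts followed by a TCP connection mean the fallback is working; a completed QUIC handshake means QUIC is still getting through). The following Python script is an added example, not part of this article or of SGOS; it parses the QUIC long-header format from RFC 9000 and runs over constructed sample datagrams (the tuple layout and IP addresses are assumptions, not a real capture):

```python
import struct

QUIC_V1 = 0x00000001
V1_LONG_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}

def parse_quic_long_header(payload: bytes):
    """Return {version, type, dcid, scid} if payload is a QUIC long-header
    packet (RFC 9000 section 17.2), else None. Short-header (1-RTT) packets
    are ignored: they only appear once a handshake has already succeeded."""
    if len(payload) < 7 or payload[0] & 0xC0 != 0xC0:   # Header Form + Fixed Bit
        return None
    version = struct.unpack("!I", payload[1:5])[0]
    off = 5
    dcid_len, off = payload[off], off + 1
    if dcid_len > 20 or len(payload) < off + dcid_len + 1:  # v1 CIDs are <= 20 bytes
        return None
    dcid, off = payload[off:off + dcid_len], off + dcid_len
    scid_len, off = payload[off], off + 1
    if scid_len > 20 or len(payload) < off + scid_len:
        return None
    scid = payload[off:off + scid_len]
    if version == 0:
        ptype = "VersionNegotiation"     # server-originated: QUIC got through
    elif version == QUIC_V1:
        ptype = V1_LONG_TYPES[(payload[0] >> 4) & 0x03]
    else:
        ptype = "unknown-version"        # QUIC v2 or a draft version, still QUIC
    return {"version": version, "type": ptype, "dcid": dcid, "scid": scid}

def quic_initial_senders(datagrams) -> dict:
    """datagrams: iterable of (src_ip, dst_port, payload) taken from a capture.
    Returns {src_ip: number of QUIC Initials sent to UDP/443}. After the
    reject is in place these should be short retry bursts followed by TCP."""
    counts = {}
    for src, dport, payload in datagrams:
        hdr = parse_quic_long_header(payload) if dport == 443 else None
        if hdr and hdr["type"] == "Initial":
            counts[src] = counts.get(src, 0) + 1
    return counts

# Constructed sample datagrams, not real captures: a QUIC v1 Initial (first byte 0xC3 =
# long header + fixed bit + type Initial) padded to RFC 9000's 1200-byte minimum, and a DTLS record.
INITIAL = bytes([0xC3, 0, 0, 0, 1, 8]) + bytes(range(1, 9)) + b"\x00"
INITIAL += b"\x00" * (1200 - len(INITIAL))
DTLS = bytes([0x16, 0xFE, 0xFD]) + b"\x00" * 11
SAMPLE = [("10.0.0.5", 443, INITIAL), ("10.0.0.5", 443, INITIAL), ("10.0.0.9", 443, DTLS)]

if __name__ == "__main__":
    print(quic_initial_senders(SAMPLE))   # {'10.0.0.5': 2}
```

Feed the function the UDP payloads from a capture taken on the client side of the proxy; a client that keeps sending Initials with no server-originated packets is retrying against the reject, as expected.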

Additional Information