
Unable to allow specific Youtube videos


Article ID: 173741


Products

Web Security Service - WSS

Issue/Introduction

When an allowed YouTube video is viewed in Google Chrome, other disallowed YouTube videos can also be accessed, bypassing the content filtering policy that should deny that traffic.

Cause

QUIC is an experimental network transport protocol developed by Google.

Google Chrome supports this protocol, and it is enabled by default. The feature is used when the browser connects to Google web services, such as Google and YouTube.

The traffic between Chrome and these services is sent using UDP on port 443, and in some scenarios, the traffic can bypass the Web Security Service.

Environment

Web Security Service

Resolution

There are two options to prevent the QUIC protocol from bypassing the Web Security Proxy Service:

  1. Block UDP on port 443 at the firewall level.
  2. Disable the QUIC protocol at the client level (Google Chrome).

Disable QUIC protocol manually in Google Chrome

  1. Open Google Chrome
  2. In the address bar, type chrome://flags
  3. Search QUIC on the search bar
  4. Click on "Default" drop-down and select "Disabled"

Disable QUIC protocol via Group Policy

The Google Chrome GPO template can be obtained here.

  1. Create a new GPO policy
  2. Go to User Configuration > Policies > Administrative Templates > Classic Administrative Templates > Google > Google Chrome
  3. Find the setting “Allows QUIC protocol” and set to Disabled

Registry Keys Modification

The following Windows registry key (or Mac/Linux preference) can be used to disable QUIC in Chrome, and can be enforced via GPO or equivalent:

  • Data type (Windows): REG_DWORD
  • Windows registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
  • Mac/Linux preference name: QuicAllowed
  • Description: If this policy is set to true (or not set), the usage of QUIC is allowed. If the policy is set to false, the usage of QUIC is not allowed.
  • Recommended value:
    • Windows: 0x00000000
    • Linux: false
    • Mac: <false />
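The registry setting above, applied and verified from an elevated PowerShell session, as an added example that is not part of the original article. It assumes the policy value name QuicAllowed under the key listed above (the same name the article gives for the Mac/Linux preference) and reports whether QUIC is still allowed, since a missing value means Chrome's default of "allowed".

```powershell
# Added example: enforce and audit the Chrome QuicAllowed policy via the registry.
# Assumes the registry path from the article and the value name QuicAllowed.
# Run from an elevated (Administrator) PowerShell session.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$ValueName  = 'QuicAllowed'

function Set-ChromeQuicDisabled {
    # Create the policy key if it does not exist yet, then set QuicAllowed = 0 (REG_DWORD).
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-ChromeQuicDisabled {
    # Returns $true only when the value exists and is exactly 0.
    # A missing value or a value of 1 means QUIC is still allowed (Chrome's default).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$ValueName -eq 0)
}

if (-not (Test-ChromeQuicDisabled)) {
    Write-Host 'QuicAllowed is not enforced on this host; setting it to 0 ...'
    Set-ChromeQuicDisabled
}

if (Test-ChromeQuicDisabled) {
    Write-Host 'Chrome QUIC policy enforced (QuicAllowed = 0). Restart Chrome, or open chrome://policy and click "Reload policies".'
} else {
    Write-Error 'Failed to apply the QuicAllowed policy; check that the session is elevated.'
}
```

After the policy reloads, chrome://policy should list QuicAllowed with value 0 and status OK; if the Unified Agent is also in use, keep the console setting described in the note below consistent with it.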

Note: If you are running the Unified Agent and the Allow Google QUIC option is unchecked in the Web Security Service Console under Services > Mobility > Unified Agent, the agent blocks the QUIC protocol by default.

If you have a business requirement or a preference for the highest performance, you can instruct the Web Security Service to bypass QUIC connections. For security reasons, be advised that Symantec does not recommend this option, as you can run into an issue such as the one described in this article. Because QUIC is UDP-based, these connections are bypassed at the client endpoint, which means the traffic is not checked against policy, nor is reporting through the Unified Agent possible. Only select this bypass option if the highest performance for these clients supersedes the security requirements.

Any other access method to the Web Security Service can use the steps shown above.

Group Policy Reference: