search cancel

HTTP/3 aka QUIC protocol bypasses Cloud SWG Agents

book

Article ID: 173741

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

HTTP/3 aka QUIC is an experimental network transport protocol developed by Google.

Any chromium-based browser supports this protocol, and it is enabled by default. The feature is used when the browser connects to Google web services, such as Google and YouTube.

The POST traffic between chromium-based browsers and these services is sent using UDP on port 443, and in some scenarios, the traffic can bypass the Cloud Secure Web Gateway (SWG)

Environment

Cloud SWG Agent

SEP Tunnel Mode

SESC Tunnel Mode

Cause

If you are running the Cloud SWG Agent, SEP Tunnel Mode and SESC Tunnel Mode with the option to Allow HTTP/3 checked.

The agent will allow the QUIC or HTTP/3 protocol DIRECT and it will bypass Cloud SWG and its policy.

Resolution

You will need to remove the check mark under Allow HTTP/3 in the Cloud SWG Console under Connectivity > WSS Agent > WSS Agent Configuration.

The agent will block the QUIC or HTTP/3 protocol and the browser will default to use the HTTPS protocol.

If you have a business requirement or a preference for the highest performance, you can instruct the Web Security Service to bypass QUIC connections. For security reasons, be advised that Symantec does not recommend this option as you can run into an issue like the one mentioned in the article. Because QUIC is UDP-based, these connections are bypassed at the client end-point, which means the traffic is not checked against policy nor is reporting against the Unified Agent possible. Only select this bypass option if the highest performance for these clients supersedes the security requirements.

Any other access method to the Cloud SWG can use the steps shown below.

  1. Disable QUIC protocol at the client level (Google Chrome).

Disable QUIC protocol manually in Google Chrome

  1. Open Google Chrome
  2. In the address bar, type chrome://flags
  3. Search QUIC on the search bar
  4. Click on "Default" drop-down and select "Disabled"

Disable QUIC protocol via Group Policy

The Google Chrome GPO template can be obtained here.

  1. Create a new GPO policy
  2. Go to User Configuration > Policies > Administrative Templates > Classic Administrative Templates > Google > Google Chrome
  3. Find the setting “Allows QUIC protocol” and set to Disabled

Registry Keys Modification

The following Windows registry key (or Mac/Linux preference) can be used to disable QUIC in Chrome, and can be enforced via GPO or equivalent:

  • Data type: Windows: REG_DWORD
  • Windows registry location for Windows clients: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
  • Mac/Linux preference name: QuicAllowed
  • Description: If this policy is set to true (or not set), the usage of QUIC is allowed. If the policy is set to false, the usage of QUIC is not allowed.
  • Recommended Value:
    • Windows: 0x00000000,
    • Linux: false
    • Mac: <false />

Additional Information

Group Policy Reference:

Attachments