Inconsistent Google Gatelets Logging


Article ID: 234158


Products

CASB Gateway Advanced, CASB Gateway, CASB Security Advanced, CASB Security Premium, CASB Security Standard

Issue/Introduction

The customer has the Google Drive and Gmail Gatelets enabled. The CASB tenant is integrated with a Full WSS (Cloud SWG) tenant.

The WSS Agent is being used for traffic steering. All other Gatelets are working properly. However, not all of the expected Google Suite activities are showing up in CASB Investigate.  

Cause

Google has a proprietary protocol, "QUIC", that sends traffic over UDP ports and is on by default in Google Chrome. A variety of Google websites, such as Gmail and Google Drive, use this protocol.

On the Full WSS tenant, the Cloud Firewall Service is enabled and the WSS Agent is configured to forward traffic from all ports to WSS. This could cause some traffic to not be forwarded to the CloudSOC (CASB) Gateway and thus result in some missing traffic.

 

Resolution

In WSS (Cloud SWG), go to WSS Agent Setup and Configuration in the Connectivity tab. Check whether the Cloud Firewall Service forwarding ports setting has the "Forward traffic from all ports to the WSS" option selected. If so, change it to "Only forward traffic from selected ports".

Additional Information

  • QUIC (HTTP/3) is a UDP-based protocol used by Google services and is enabled by default in Chromium-based browsers.
  • When WSS Agent is configured with Cloud Firewall Service, it may allow QUIC traffic directly, bypassing Cloud SWG.
  • This results in:
    • Traffic not being inspected
    • No policy enforcement
    • No visibility in CloudSOC (CASB)

🔧 Recommended Actions:

  1. Disable QUIC in Cloud SWG Console:
    • Navigate to: Connectivity > WSS Agent > WSS Agent Configuration
    • Uncheck the option: Allow HTTP/3
  2. Block UDP/443 in WSS Policy:
    • Create a rule to block UDP port 443 to force fallback to HTTPS.
  3. Disable QUIC in Chrome (Client-Side):
    • Via Chrome Flags:
      chrome://flags/#enable-quic → Disabled
    • Via Group Policy or Registry:
      [HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome]
      "QuicAllowed"=dword:00000000
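
An added example, not part of the original article or of any vendor tooling: a PowerShell function that audits the QuicAllowed registry policy from step 3 on a Windows endpoint and, when asked, sets it to 0. The function name, the -Remediate switch and the output fields are assumptions made for this example.

```powershell
# Added example: audit (and optionally set) the Chrome QuicAllowed policy.
# Setting the value requires an elevated session because the key is under HKLM.
function Test-ChromeQuicPolicy {
    [CmdletBinding()]
    param(
        [switch]$Remediate   # hypothetical switch name chosen for this example
    )

    $path = 'HKLM:\Software\Policies\Google\Chrome'
    $name = 'QuicAllowed'

    # Read the current value. $null means the policy is not configured,
    # in which case Chrome leaves QUIC at its default (enabled).
    $current = $null
    if (Test-Path -Path $path) {
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.$name }
    }

    # Compliant only when the value exists and is exactly 0.
    $compliant = ($null -ne $current) -and ($current -eq 0)

    if (-not $compliant -and $Remediate) {
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        # -Force overwrites an existing value of any type with DWORD 0.
        New-ItemProperty -Path $path -Name $name -Value 0 `
            -PropertyType DWord -Force | Out-Null
        $current   = 0
        $compliant = $true
    }

    $shown = if ($null -eq $current) { 'NotConfigured' } else { $current }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        PolicyPath   = $path
        QuicAllowed  = $shown
        Compliant    = $compliant
    }
}

# Audit only; add -Remediate to write the value.
Test-ChromeQuicPolicy
```

After a change, chrome://policy on the endpoint shows whether Chrome has picked up the QuicAllowed value.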