Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tedauction
New Contributor III

QUIC protocol

Hello, we have a large number of Google Chrome users. I am starting to hear the odd complaint about slow connections to some sites on the internet. As a test I disabled the QUIC protocol (UDP 443) in the web browsers at one site, and the complaints stopped. In addition, we also block QUIC on our firewall.

So it would seem that browsers were failing to communicate via QUIC and then either stalling or taking too long to revert to TCP 443.

 

Are any of you other network engineers seeing the same sort of problem? I was considering disabling QUIC in all Chrome browsers company-wide.

emnoc
Esteemed Contributor III

Monitor chrome://net-internals for QUIC, but no, I never heard of this. Also, did you monitor the firewall policy and service object?

 

Do you have any TLS inspection going? (IIRC FortiOS still can't inspect DTLS.)

 

http://socpuppet.blogspot.com/2016/10/how-to-force-quic-connections-with.html

 

 

BTW: I do not know of one firewall vendor that can decrypt QUIC.

PCNSE NSE StrongSwan

DL
New Contributor

Hi, 

What you may have encountered is excessive traffic on your network.

As far as I know FortiGates cannot perform SSL inspection when traffic uses QUIC.

By blocking QUIC, Google Chrome does fail over to HTTP/HTTPS which can be inspected and blocked.

 

cacsci
New Contributor

Went through a couple of weeks of trying different debug/troubleshooting steps to figure this out with support. Turns out QUIC was triggering UDP Flood DoS policies. When we disabled the UDP Flood DoS setting or adjusted the rate limit to much higher levels (2000 default -> 50000), we had normal throughput again with QUIC enabled.

 

Test it with the UDP Flood DoS policy disabled and if it works then turn it back on and adjust the final rate limit accordingly.
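
The test-then-retune sequence from the post above, written out as FortiOS CLI. This is an added example, not configuration posted in the thread: the policy ID `1`, the interface `port1` and the `all`/`ALL` address and service objects are assumptions, while the 2000 and 50000 thresholds are the figures quoted in the post.

```fortios
# Assumed starting point: an existing DoS policy on the outside interface
# with the udp_flood anomaly at the 2000 threshold the post calls the default.
config firewall DoS-policy
    edit 1
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "udp_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
        end
    next
end

# Step 1 (test): switch the udp_flood anomaly off and re-check QUIC throughput.
config firewall DoS-policy
    edit 1
        config anomaly
            edit "udp_flood"
                set status disable
            next
        end
    next
end

# Step 2 (if throughput recovered): turn it back on with a higher threshold.
# Logging stays enabled so any remaining udp_flood hits are still visible.
config firewall DoS-policy
    edit 1
        config anomaly
            edit "udp_flood"
                set status enable
                set log enable
                set action block
                set threshold 50000
            next
        end
    next
end
```

Keeping `set log enable` on the anomaly after retuning shows whether legitimate QUIC sessions still hit the limit, which is the signal for adjusting the threshold further.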
