Verify QUIC inspection settings on Secure SD-WAN Engine

From Forcepoint Secure SD-WAN Engine version 7.0 onwards, the QUIC protocol is always inspected and, by default, is matched against the web traffic rules.

However, if after upgrading from an earlier version you observe in the logs that QUIC traffic is discarded by the "inspection" facility, the following Secure SD-WAN settings control whether the QUIC protocol is matched against the web traffic rules, and whether QUIC traffic is discarded when TLS inspection rules require decryption of the traffic.

Decryption of QUIC traffic is not supported, but discarding QUIC traffic causes most standard web clients to fall back to earlier versions of HTTP, for which decryption by TLS inspection is supported.

Verification steps for each dialog box

Engine Editor > Add-Ons > QUIC Inspection

For more information, see the section Engine Editor > Add-Ons > QUIC Inspection.

Make sure that the following options are selected in the Engine properties, based on your requirements:
  • Include QUIC ports for Web Traffic

    This option determines whether QUIC port 443/UDP is matched against the access rules for web traffic (for example, URL Categories/Lists and Network Applications).

    Note: If you unselect this option, access rules that allow or block URL Categories/Lists or Network Applications are not matched for QUIC traffic.

  • Discard QUIC if TLS inspection is required by access policy

    If you select this option, any TLS inspection rule that matches the web traffic causes QUIC traffic to be discarded. As a result, most web browsers fall back to earlier versions of HTTP, which can be decrypted.

UDP Service Group Properties dialog box

For more information, see the section Working with Service elements > Create Service Group elements > UDP Service Group Properties dialog box.

In the UDP Service element, make sure that the QUIC service parameter is selected on the Protocols Parameters tab and that the Discard QUIC if TLS inspection is required by access policy field is set to "No".

Note: For networks that do not support QUIC inspection, the Discard QUIC if TLS inspection is required by access policy field is set to "Yes".

TCP Service Group Properties dialog box

For more information, see the section Working with Service elements > Create Service Group elements > TCP Service Group Properties dialog box.

Because QUIC decryption is currently not supported, it is not recommended that decrypted TLS traffic use QUIC. In that scenario, you can set the Strip QUIC support from server replies option to "Yes" on the Protocols Parameters tab for the HTTPS Service.
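
Browsers learn that a site offers QUIC/HTTP/3 from the server's Alt-Svc response header (RFC 7838, RFC 9114); once no QUIC alternative is advertised, the client stays on TCP-based HTTP/1.1 or HTTP/2, which TLS inspection can decrypt. The following added example is not Forcepoint's code: it illustrates the kind of rewrite that "Strip QUIC support from server replies" implies, assuming the option acts at the Alt-Svc level, and the sample response it processes is constructed.

```python
import re

# ALPN ids that denote QUIC transports: "h3" (RFC 9114) and variants such as "h3-29", "h3-Q050", "hq-interop".
QUIC_ALPN = re.compile(r"^(h3|hq)(-[0-9A-Za-z]+)?$")

def split_alt_svc(value):
    """Split an Alt-Svc value on commas outside double quotes (quoted authorities may contain commas)."""
    alternatives, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            alternatives.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    alternatives.append("".join(current).strip())
    return [alt for alt in alternatives if alt]

def strip_quic_alternatives(alt_svc_value):
    """Drop every h3/hq alternative; keep h2 and the special value "clear"."""
    kept = []
    for alt in split_alt_svc(alt_svc_value):
        protocol_id = alt.split("=", 1)[0].strip()
        if alt == "clear" or not QUIC_ALPN.match(protocol_id):
            kept.append(alt)
    return ", ".join(kept)

def strip_quic_from_response(raw_response):
    """Rewrite a raw HTTP/1.x reply so it advertises no QUIC alternative; an emptied Alt-Svc header is removed."""
    head, separator, body = raw_response.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    rewritten = [status_line]
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "alt-svc":
            value = strip_quic_alternatives(value.strip())
            if not value:
                continue          # nothing left to advertise: drop the header
            line = f"{name}: {value}"
        rewritten.append(line)
    return "\r\n".join(rewritten) + separator + body

# Constructed sample reply: HTTP/3 under two ALPN ids plus an HTTP/2 alternative; only h2 should survive.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    'Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h2="alt.example.net:443"\r\n'
    "\r\n<html>constructed body</html>"
)
```

Running `strip_quic_from_response(SAMPLE_RESPONSE)` leaves only the h2 alternative in Alt-Svc; a reply whose Alt-Svc lists QUIC alternatives only loses the header altogether.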

Network Application Properties dialog box and URL List Application Properties dialog box

For more information, see the following sections:
  • Using Network Application elements > Getting started with Network Application elements > Default elements for network applications > Network Application Properties dialog box
  • Filtering URLs > Add URL List Applications to block or allow URLs > URL List Application Properties dialog box

When you create a custom Network Application or URL List Application, if QUIC is selected in the Protocol list, access rules that contain URL lists, URL categories, and Network Applications inspect QUIC traffic in the same way as HTTP/2 and HTTP/1.1 traffic.