Verify QUIC inspection settings on NGFW Engine
From Forcepoint NGFW Engine version 7.0 onwards, the QUIC protocol is always inspected and, by default, is matched to web traffic rules.
However, if after upgrading from a previous version you observe in the logs that QUIC traffic is discarded by the "inspection" facility, the following NGFW configuration settings control whether the QUIC protocol is matched to the web traffic rules, and whether QUIC traffic is discarded when TLS inspection rules require the traffic to be decrypted.
Decryption of QUIC traffic is not supported, but discarding QUIC traffic causes most standard web clients to fall back to earlier versions of HTTP, for which decryption by TLS inspection is supported.
| Dialog box | Verification steps |
|---|---|
| Engine Editor > Add-Ons > QUIC Inspection. For more information, see the section Engine Editor > Add-Ons > QUIC Inspection. | Make sure that the following options are selected in the Engine properties, based on your requirements: |
| UDP Service Group Properties dialog box. For more information, see the section Working with Service elements > Create Service Group elements > UDP Service Group Properties dialog box. | In the UDP Service element, make sure that the QUIC service parameter is selected in the Protocols Parameters tab and that the Discard QUIC if TLS inspection is required by access policy field is set to "No". Note: For networks that do not support QUIC inspection, the Discard QUIC if TLS inspection is required by access policy field is set to "Yes". |
| TCP Service Group Properties dialog box. For more information, see the section Working with Service elements > Create Service Group elements > TCP Service Group Properties dialog box. | As QUIC decryption is currently not supported, it is not recommended for decrypted TLS traffic to use QUIC. In that case, set the Strip QUIC support from server replies option to "Yes" in the Protocols Parameters tab of the HTTPS Service. |
| Network Application Properties dialog box and URL List Application Properties dialog box. For more information, see the following sections: | While creating a new custom Network Application or URL List Application, if QUIC is selected in the Protocol list, access rules containing URL lists, URL categories, and Network Applications inspect QUIC traffic in the same way as HTTP/2 and HTTP/1.1 traffic. |
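An added illustration of the fallback described above, written for this article rather than taken from Forcepoint's code or documentation: it assumes that server replies advertise QUIC through the Alt-Svc response header (RFC 7838), which is this example's assumption about the mechanism and not a statement on this page, and shows how removing the h3/quic entries from a constructed response leaves a browser with only HTTP/2 over TCP, which TLS inspection can decrypt.

```python
"""Constructed example: strip QUIC (HTTP/3) advertisements from server replies.
Assumption, not stated on the page: servers announce HTTP/3 over QUIC in the
Alt-Svc response header (RFC 7838); without its h3/quic entries a standard
browser stays on HTTP/2 or HTTP/1.1 over TCP, where TLS inspection can decrypt.
"""
import re
from typing import List, Optional, Tuple

# ALPN ids that denote QUIC: h3, draft ids such as h3-29, and Google's legacy quic.
QUIC_ALPN = re.compile(r"^(h3(-\d+)?|quic)$", re.IGNORECASE)

def split_alternatives(value: str) -> List[str]:
    """Split a comma-separated Alt-Svc list, ignoring commas inside quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def strip_quic_alt_svc(alt_svc: str) -> Optional[str]:
    """Return the Alt-Svc value without QUIC alternatives; None means the header
    should be dropped entirely. The special value 'clear' is passed through."""
    if alt_svc.strip().lower() == "clear":
        return "clear"
    # The protocol-id is the token before '='; strip any surrounding quotes.
    kept = [a for a in split_alternatives(alt_svc)
            if not QUIC_ALPN.match(a.split("=", 1)[0].strip().strip('"'))]
    return ", ".join(kept) if kept else None

def strip_quic_from_response(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Rewrite (name, value) response headers so no QUIC alternative is advertised."""
    out = []
    for name, value in headers:
        if name.lower() == "alt-svc":
            value = strip_quic_alt_svc(value)
            if value is None:
                continue  # only QUIC was advertised: drop the header entirely
        out.append((name, value))
    return out

# Constructed sample reply from a server offering h3, an h3 draft, and h2.
SAMPLE_RESPONSE = [("content-type", "text/html"),
                   ("alt-svc", 'h3=":443"; ma=86400, h3-29=":443"; ma=86400, h2=":443"')]
```

Running `strip_quic_from_response(SAMPLE_RESPONSE)` keeps only the `h2=":443"` alternative, so the client never learns that QUIC is offered.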