topic Re: Quic protocol in Firewall and Security Management

Quic protocol

rafish — Thu, 29 Sep 2022 06:59:20 GMT

Hello,

I have cluster active/standby 23800 appliances the version is Gaia R80.40

My problem is that QUIC protocol is not working,

The Checkpoint cluster is perimeter firewall, which means all my Internet traffic goes via the checkpoint.

Google sites work with QUIC ,

The issue is when I'm surfing to Google from my organization I can only see that the connection authentication use TLS 1.3 and not QUIC authentication'

I configured rule with QUIC protocol service but still the connection authentication use TLS 1.3

Any idea ?

Regards

Rafi

Re: Quic protocol

_Val_ — Thu, 29 Sep 2022 07:42:45 GMT

Do you have HTTPS Inspection enabled?

Re: Quic protocol

rafish — Thu, 29 Sep 2022 08:54:41 GMT

Sorry forgot to mention,

No, I don't have HTTPS Inspection

Re: Quic protocol

_Val_ — Thu, 29 Sep 2022 10:04:03 GMT

Without HTTPSi we do not interfere with Quic, it should normally work. Are you sure this is FW that is causing the issues?

Re: Quic protocol

rafish — Thu, 29 Sep 2022 11:03:33 GMT

I done some tests that lead me to to checkpoint,

I will check again

Re: Quic protocol

_Val_ — Thu, 29 Sep 2022 11:10:07 GMT

@rafish Just to be sure, if you believe this is a firewall, check for drops of quic traffic on the GW. If you see some, looking at them might help you to understand what to do.

Re: Quic protocol

rafish — Thu, 29 Sep 2022 12:50:04 GMT

I found the problem,

I have application rule that allow "Google Ads" which include service udp 443,

I added to specific application rule "Quic protocol" and when I surf to google site with chrome I can see that the encrypted and authenticated using QUIC

Thank you very much

Re: Quic protocol

Sorin_Gogean — Fri, 30 Sep 2022 08:54:04 GMT

hey,

good to know, but if I may ask, why are you looking into allowing quick protocol?

I'm just asking, because there are some recommendations for dropping that traffic ( not only from CheckPoint side) and currently I don't see many reasons why would you do that.

Also another one that we're dropping, is DNS over HTTPS (DoH) , as it would overcome DNS security settings that you would have set in your environment.

Ty,

Re: Quic protocol

PointOfChecking — Mon, 27 Mar 2023 13:43:22 GMT

Hi _Val_,

Is Checkpoint able to inspect Quic traffic now? As another commenter mentioned, I've been advised that Quic should be disabled to force the client to failback to TCP traffic.

Quic is not inspected, so traffic that is normally blocked cannot be blocked?

Re: Quic protocol

Chris_Atkinson — Mon, 27 Mar 2023 14:21:14 GMT

QUIC inspection is on the roadmap planned for a future release.

If a browser cannot talk via QUIC it will generally failback to traditional protocols. Provided Https inspection is enabled then inspection on the subsequent connection is possible.

Re: Quic protocol

PointOfChecking — Mon, 27 Mar 2023 13:50:13 GMT

Thanks Chris, that's the advice I received previously, so I blocked Quic on the FW. However, I'm recently getting a lot of complaints that various websites are not loading. When I reenable Quic again, the websites load Ok again.

We have HTTPS enabled and working with no problems.

Something I could be doing wrong?

Re: Quic protocol

Chris_Atkinson — Mon, 27 Mar 2023 14:20:01 GMT

Which gateway version and JHF?

Regarding your Https inspection config is the trusted CAs list updated and are you bypassing known troublesome sites using the updatable objects provided?

Re: Quic protocol

PointOfChecking — Mon, 27 Mar 2023 14:38:25 GMT

using 4800s on latest R80.40 JHF

CAs updated automatically.

Not using updateable objects for troublesome sites. Any guides on this?

Also, if I'm bypassing sites, then it's a lot of sites to bypass. People were calling constantly when it was blocked.

Re: Quic protocol

Chris_Atkinson — Mon, 27 Mar 2023 15:15:04 GMT

Please see sk163595 for more information on the bypass list objects.

Moreover please ensure OCSP traffic is allowed if not already.

If the problem persists please engage with TAC to discuss/diagnose the issue further.

Re: Quic protocol

PointOfChecking — Tue, 28 Mar 2023 05:40:36 GMT

HI,

The original problem is Quic traffic is not inspected. Which is why we block Quic to force it to failback to TCP.

If I bypass inspection of the traffic using updateable objects, I may as well allow Quic traffic?

Re: Quic protocol

Chris_Atkinson — Wed, 29 Mar 2023 01:08:24 GMT

No this isn't the correct logic, not all HTTPS traffic can be inspected for example pinned certificates and various other factors may require some sites/categories to be bypassed e.g. banking & healthcare sites for privacy reasons. From time to time compatibility and cipher issues may also arise...

So the idea is to minimize user impact and inspect what you can to provide an appropriate level of security.

Re: Quic protocol

PointOfChecking — Tue, 28 Mar 2023 05:48:50 GMT

Sorry, let me check if I understand correctly.

Quic traffic CAN be inspected? Just that not all Quic traffic can be inspected? It's those that cannot be inspected that are failing?

I should allow Quic traffic and create updateable objects to bypass inspection of Quic traffic that is failing?

Re: Quic protocol

Sorin_Gogean — Tue, 28 Mar 2023 06:57:43 GMT

Hello @PointOfChecking ,

As @Chris_Atkinson was stating above "QUIC inspection is on the roadmap planned for a future release." so it's not inspected right now by HTTPS Inspection.

Another confusion you do, is that you got the recommendation to Block Quick protocol, in order to FORCE traffic to go over TCP/443 as that can be inspected, and in order to respect "GOOD Practice" you're recommended to set HTTPS Inspection rules to bypass "HTTPS services - recommended bypass" and "HTTPS services - optional bypass" (from sk163595) and if you can, use Updatable Objects and not be static here. Still I don't remember those objects being available in R80.40 in old days (like 2-3 years ago).

Now, on your problem, you say that you blocked Quick protocol, and some of your users are still facing issues, and complain to you. Can you give more details on that, like what are those sites, what were the issues faced by the end-users?

We have Quick dropped since couple of years, and I don't remember hearing complains.

Thank you,

Re: Quic protocol

PointOfChecking — Tue, 28 Mar 2023 07:21:59 GMT

Thanks for your reply.

This is the part that I can't understand. If checkpoint cannot inspect quic and I already dropped quic, why do I need to bypass anything because checkpoint can inspect TCP HTTPS, so no need to bypass?

If I allow quic and checkpoint cannot inspect anyway, again why do I need to bypass?

When I allow quic, then the website loads for the users.

When I block quic, then the website fails to load.

Many websites failed, but I can't remember which one they were (as this was a few weeks ago).

As soon as I allowed quic, then all sites were working again.

Re: Quic protocol

_Val_ — Tue, 28 Mar 2023 07:49:14 GMT

@PointOfChecking HTTPSi enforcement happens before your regular Network Security Policy rulebase filtering. You want to bypass anything you do not wish to enforce, otherwise, your GW will spend (and fail in the case of QUIC) a significant effort to decrypt traffic that will be later dropped anyway.

I hope this makes more sense to you now.