Options

Support Quic and gRPC or at least detect and bypass of non-http

RolfRolf
in Firebox - Product Enhancements

We more often see use of non-HTTP over tcp/80 and tcp/443

This requires some exclusion, like;
from specific source, packet filter http, to some dest (ip or dns) or any-external

As more use of these protocols arises, I would prefer;

  • A tickbox in HTTP proxy to make it accept non-http traffic
  • HTTP/2, HTTP/3 support in Proxy
  • Inclusion of UDP for Quic

The term HTTP is maybe outdated, should be considered "Webtraffic" in order to put settings for http, quic, grpc etc in same proxy setting. More stuff that uses tcp/80 and tcp/443, which does adhere to protocols being used but are not HTTP.

Comments

  • Options
    TestingTesterTestingTester

    We block QUIC on all devices, period. (udp 80 and 443). Many of the features of the UTM packages do not support scanning of it...and, I have yet to find a website that requires it and only it (as opposed to TCP).

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Rolf
    -If you're looking for protocol detection, I'd suggest using the TCP/UDP proxy.

    -The HTTP and HTTPS proxies are designed to be strict proxies. If an application attempts to use these ports for protocols other than HTTP/HTTPS, the proxy will deny it by design.

    -Google has not finalized the spec for QUIC (going as far as to refer to it as experimental in their own browser.) Under most circumstances, we suggest making a policy to deny QUIC.

    -HTTP/2 and 3 support is covered under feature request FBX-4348.

    -There is a feature request to make allowing or denying QUIC easier (currently you must create a custom packet filter to deny it,) this is FBX-6272. At this current point in time we have no plans to implement a QUIC proxy. Customers wishing to proxy this traffic should deny QUIC traffic and proxy standard HTTP/S traffic.

    -James Carson
    WatchGuard Customer Support

  • Options
    engineeringvirtueengineeringvirtue

    I see QUIC is now detectable in Application Control, I assume that is now the suggested way to block? Any changes in Watchguard's recommendations or proxy support since the last reply?

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    @engineeringvirtue I would still suggest just blocking it by rule -- for application control to work, the traffic has to start traversing the proxy and be detected as such to be stopped.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.