Barracuda SecureEdge

How to Block UDP Port 443 on CloudGen Firewalls

On the Barracuda CloudGen Firewall, the rule BOX-BLOCK-UDP443 blocks UDP port 443 (QUIC) by default in order to force browsers to use TCP. However, this rule does not apply to units connected to SecureEdge over pvpn84. For security inspection to work for connected SecureEdge Access clients, UDP port 443 must be blocked by a manually created rule, which forces SecureEdge Access client browsers to use TCP instead of QUIC.

Block QUIC for Browsers

Create a DENY rule on the Barracuda CloudGen Firewall and place it on top of the cloud-maintained/autogenerated rules.

Step 1. Create a Rule Section
  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. In the Access Rules window, either click the plus icon (+) at the top right of the ruleset, or right-click the ruleset and select New > Section.
  4. As the Name for the section, enter PRE-END. The section should be shown on top of the rules window.
Step 2. Create a Rule to Block UDP Port 443

On top of the new section, create an access rule to block UDP port 443.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Either click the plus icon (+) at the top right of the ruleset, or right-click the ruleset and select New > Rule.
  4. Select Deny as the action.
  5. Enter a Name for the rule, e.g.: MY-RAC-ZTNA-BLOCK-UDP-443
  6. Specify the following settings to match your web traffic:
    • Source – Select <explicit> and choose the service object for pvpn84.
    • Service – Select <explicit> and create or select the service object for UDP 443.
      For more information, see How to Create Service Objects in the CloudGen Firewall documentation.
    • Destination – Select Any.
  7. Click OK.
  8. Make sure that the access rule is placed above the section PRE-END created in Step 1.
  9. Click Send Changes and Activate.

The rule is now displayed in the list, and all SecureEdge Access client browsers are forced to use TCP instead of QUIC on UDP port 443.
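
To verify the rule from a connected SecureEdge Access client, the following added example (not part of the Barracuda documentation) sends a QUIC datagram with a reserved version number to UDP port 443 and waits for a Version Negotiation reply; with the deny rule active, no reply should arrive. It assumes IPv4 and a target host, passed on the command line, that is known to serve HTTP/3.

```python
import os
import socket
import struct
import sys

# Reserved 0x?a?a?a?a version: a QUIC server that does not support it
# replies with a Version Negotiation packet (RFC 9000).
GREASE_VERSION = 0x1A2A3A4A

def build_probe(dcid: bytes, scid: bytes) -> bytes:
    """Long-header datagram with an unsupported version, padded to 1200 bytes."""
    header = bytes([0xC0]) + struct.pack("!I", GREASE_VERSION)
    header += bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid
    return header.ljust(1200, b"\x00")

def parse_version_negotiation(data: bytes, dcid: bytes, scid: bytes):
    """Return the versions offered in a Version Negotiation reply to our probe, else None."""
    if len(data) < 7 or not data[0] & 0x80 or data[1:5] != b"\x00" * 4:
        return None
    fields, pos = [], 5
    for _ in range(2):  # reply carries DCID then SCID, each length-prefixed
        if pos >= len(data):
            return None
        length = data[pos]
        fields.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    # The server echoes our connection IDs swapped; anything else is not our reply.
    if fields != [scid, dcid]:
        return None
    versions = data[pos:]
    if not versions or len(versions) % 4:
        return None
    return [v[0] for v in struct.iter_unpack("!I", versions)]

def quic_reachable(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """True if a QUIC reply came back over UDP, i.e. the deny rule is not taking effect."""
    dcid, scid = os.urandom(8), os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:  # IPv4 only (assumption)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_probe(dcid, scid), (host, port))
            data, _ = sock.recvfrom(2048)
        except OSError:  # timeout or ICMP error: nothing came back
            return False
    return parse_version_negotiation(data, dcid, scid) is not None

if __name__ == "__main__":
    target = sys.argv[1]  # an HTTP/3-capable host of your choice (assumption)
    print("QUIC reply received on UDP 443" if quic_reachable(target) else "no QUIC reply on UDP 443")
```

A missing reply only confirms the block if the same target answers the probe from a network where UDP port 443 is not filtered.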
