LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the three properties that make QUIC different from TCP+TLS, and why does each create a problem for traditional firewalls?

QUIC uses UDP, encrypts handshake metadata, and supports 0-RTT — all of which break classical FW visibility.

Connection-setup latency in round trips: TCP 1-RTT, TCP+TLS 2-3 RTT, QUIC 0-1 RTT.

* Setup latency: QUIC reaches 0-1 RTT versus TCP+TLS at 2-3. *

QUIC property What it does for users Why FW hates it
Runs over UDP Less overhead, no TCP handshake TCP-stateful FW logic doesn't apply; many FWs treat as generic UDP
Encryption integrated into transport TLS 1.3 baked in, less plaintext leakage FW can't see SNI / hostname / app metadata
0-RTT (Zero Round Trip Time) Page loads start with the very first packet Less time to inspect; cached crypto state means FW missed the handshake

Layer-7 features broken or degraded by QUIC:

  • URL filtering, content inspection, malware scanning, application identification.

Mitigations:

  1. Block QUIC entirely → forces TCP fallback. Recommended by Palo Alto KB.
  2. Wait for FW vendor catch-up — QUIC inspection is improving but still spotty.
  3. Decrypt QUIC if/when supported (as of the FS26 source window, native QUIC decryption on most firewalls was still rare).

Tip: QUIC was designed by Google to make the web faster — middlebox vendors weren't consulted. They've been catching up ever since.

Go deeper:

  • doc QUIC (Wikipedia) — UDP transport, integrated TLS 1.3, 0-RTT, HTTP/3, and IETF standardization in RFC 9000 (May 2021).

From Quiz: INTROL / Firewall Advanced Lab (Lab 6) | Updated: Jul 14, 2026