Quiz Entry - updated: 2026.07.14
What are the three properties that make QUIC different from TCP+TLS, and why does each create a problem for traditional firewalls?
QUIC uses UDP, encrypts handshake metadata, and supports 0-RTT — all of which break classical FW visibility.
* Setup latency: QUIC reaches 0-1 RTT versus TCP+TLS at 2-3. *
| QUIC property | What it does for users | Why FW hates it |
|---|---|---|
| Runs over UDP | Less overhead, no TCP handshake | TCP-stateful FW logic doesn't apply; many FWs treat as generic UDP |
| Encryption integrated into transport | TLS 1.3 baked in, less plaintext leakage | FW can't see SNI / hostname / app metadata |
| 0-RTT (Zero Round Trip Time) | Page loads start with the very first packet | Less time to inspect; cached crypto state means FW missed the handshake |
Layer-7 features broken or degraded by QUIC:
- URL filtering, content inspection, malware scanning, application identification.
Mitigations:
- Block QUIC entirely → forces TCP fallback. Recommended by Palo Alto KB.
- Wait for FW vendor catch-up — QUIC inspection is improving but still spotty.
- Decrypt QUIC if/when supported (as of the FS26 source window, native QUIC decryption on most firewalls was still rare).
Tip: QUIC was designed by Google to make the web faster — middlebox vendors weren't consulted. They've been catching up ever since.
Go deeper:
QUIC (Wikipedia) — UDP transport, integrated TLS 1.3, 0-RTT, HTTP/3, and IETF standardization in RFC 9000 (May 2021).