QUIC on PAN FW


Marlon Yu

Feb 9, 2026, 4:19:20 PM
to techies-f...@googlegroups.com

Hi,

Just checking those schools which have migrated to PAN FW … have you had major issues with QUIC?

Curious how you dealt with it … did you just allow QUIC on the Palo Alto or went to the pain of disabling it on all student BYODs (via the Google Workspace Admin console and disabling QUIC and DoH from under Devices > Chrome > Settings > User and browser settings)?

Marlon

Jonathan Churton

Feb 9, 2026, 4:56:07 PM
to techies-f...@googlegroups.com
Hi Marlon,

Running PAN-OS and it's currently blocked for us, and we haven't had any reported issues. We can clearly see the block happening within Strata Cloud Manager.

N4L has a "Global Block Apps" rule applied towards the top of the policy rule list to block QUIC. "I believe" this is applied to all schools by default.

Cheers,
Jonathan.

Clayton Hubbard

Feb 9, 2026, 4:58:31 PM
to techies-f...@googlegroups.com
Hi All,

That is correct, we block QUIC by default which forces a downgrade back to TCP therefore allowing filtering to take place. Normally it is also recommended to block UDP/80 and UDP/443 for unidentified applications using these ports.

Regards,
Clayton


Marlon Yu

Feb 9, 2026, 5:11:35 PM
to techies-f...@googlegroups.com

Yes, that’s how we see it too (global block). However, we’re seeing issues which the N4L engineer working on the problem seems to think is because users are using QUIC.

The symptom (and this only affects students) is when they go to a website (say nz.pinterest.com or rnz.co.nz), the browser times out saying DNS failure. Press the reload/refresh button and the page loads up.

And FWIW, I’ve already set QUIC to disabled in Google Workspace (of course that doesn’t help those that use Firefox and Edge and Safari).

To me, that doesn’t seem like a QUIC issue hence me asking if anyone else is experiencing problems.

Marlon
Vern Dempster- Mahu

Feb 9, 2026, 6:43:58 PM
to Techies for schools
Hi

I too have a job at N4L about this QUIC issue and was talking to the engineer just as this email came through :-)

Our symptoms were clicking on a link in Apple Mail which went to Safari then took 45-50 secs to load the link with the urldefence in the link.
A Mail issue we had been hassling with for 15 months, where Google email would not download normally in Apple Mail but was viewable in Google Chrome Gmail and in Apple Mail on iPhone, was also found to be related to the same issue. Using ChatGPT I was able to develop a script that turned QUIC off on my Mac and what used to take 45 secs was instantaneous.

The link in Firefox and Chrome was always instantaneous as well so the issues only appeared to affect Apple Mail accessing Google mail and links from Mail opening in Safari.

Once I used this script on a staff member's computer, Mail loaded all the waiting mail (over an hour late) instantly and I was able to send a video of this to support showing this.
I remembered I was having this issue before I developed the script but hadn't seen it while I was using the script and it took working with the staff member for me to put the two issues together. :-(

As a result of this issue a few staff members have lost confidence in Apple Mail and I had to find a similar app called Mimestream, written by an ex-Apple engineer, that runs like Apple Mail but didn't have the issues with Google mail.

My assistant ran the script which made it work well at school but she found if she left the script running at home, her mail didn't display the images - interesting :-) Not.

It would be great to finally sort this. Seems to get better over the day as I only notice the slowness in the morning email rush.

Anyway we are working on this with an engineer and I have got QUIC enabled now to see if things show up in the logs :-)
My two halfpennies' worth
Ngā mihi nui
Vern

d.keen...@gc.ac.nz

Feb 9, 2026, 7:49:00 PM
to Techies for schools
It is a bit interesting, though, as this is essentially a block on the current HTTP3 standard: https://en.wikipedia.org/wiki/HTTP/3
So, a bit more than just QUIC on its own; it can only worsen as systems continue to move from HTTP v2 to v3.

Regards,

David Keenleyside, BSc CS & IS, CTech

ITP Associate

EFF Member

ICT Technician

Glenfield College


Pete Mundy

Feb 9, 2026, 8:17:54 PM
to techies-f...@googlegroups.com

My spidey-senses reckon this sounds like the browser may be trying to use "secure DNS" (aka DoH) and perhaps the engineer is conflating that with QUIC?

Try disabling secure DNS :)

Pete

Marlon Yu

Feb 10, 2026, 12:48:01 PM
to techies-f...@googlegroups.com

Sadly, no. Even with QUIC and Secure DNS disabled on the browser, the problem surfaces.

I suspected as much because we had QUIC blocked on the FG as well since 2018/2019 I think and we never had a problem like this.

Marlon
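
Added example, not part of any poster's message: a probe that times system DNS resolution and the TCP/443 connect separately, so the "DNS failure, loads on reload" symptom described in the thread can be pinned to a stage. The function names, the 2-second slow threshold and the sample data are assumptions made for illustration; QUIC itself is not exercised, since TCP/443 is the path a client falls back to once QUIC is blocked.

```python
import socket, sys, time

# Constructed sample: first lookup fails, the next two attempts are clean.
SAMPLE = [
    {"dns_ms": None, "tcp_ms": None, "error": "dns: lookup failed"},
    {"dns_ms": 18.0, "tcp_ms": 31.0, "error": None},
    {"dns_ms": 2.0, "tcp_ms": 29.0, "error": None},
]

def probe(host, port=443, timeout=5.0):
    """One attempt: time the system resolver, then a TCP connect to the first address."""
    res = {"dns_ms": None, "tcp_ms": None, "error": None}
    t0 = time.monotonic()
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        res["error"] = f"dns: {exc}"
        return res
    res["dns_ms"] = (time.monotonic() - t0) * 1000
    t0 = time.monotonic()
    try:
        with socket.create_connection(infos[0][4][:2], timeout=timeout):
            res["tcp_ms"] = (time.monotonic() - t0) * 1000
    except OSError as exc:
        res["error"] = f"tcp: {exc}"
    return res

def stage_of(attempt, slow_ms):
    """Name the stage that failed or exceeded slow_ms, or 'ok'."""
    if attempt["error"]:
        return attempt["error"].split(":", 1)[0]
    if attempt["dns_ms"] > slow_ms:
        return "dns"
    return "tcp" if attempt["tcp_ms"] > slow_ms else "ok"

def classify(attempts, slow_ms=2000.0):
    """Summarise attempts taken in order (the first one is the cold attempt)."""
    stages = [stage_of(a, slow_ms) for a in attempts]
    bad = [s for s in stages if s != "ok"]
    if not bad:
        return "ok"
    if len(stages) > 1 and stages[0] != "ok" and len(bad) == 1:
        return f"{stages[0]}: first attempt only"
    return f"{bad[0]}: repeated"

if __name__ == "__main__":
    for host in sys.argv[1:]:  # hosts to test are supplied by the operator
        runs = [probe(host) for _ in range(3)]
        print(host, classify(runs), runs)
```

Running it on an affected student device and on an unaffected staff device for the same hostnames shows whether the first-attempt failure sits in name resolution or in the TCP connect.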

 
