When an allowed YouTube video is viewed in Google Chrome, other disallowed YouTube videos are also accessed, bypassing the content filtering policy that should deny that traffic.
Web Security Service
QUIC is an experimental network transport protocol developed by Google.
Google Chrome supports this protocol and enables it by default. It is used when the browser connects to Google web services such as Google and YouTube.
The traffic between Chrome and these services is sent over UDP port 443, and in some scenarios it can bypass the Web Security Service.
There are two options to prevent the QUIC protocol from bypassing the Web Security Proxy Service:
Block UDP port 443 at the firewall.
Disable the QUIC protocol at the client level (Google Chrome).
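Whichever option is applied, the firewall (or flow) logs are the place to confirm that clients are no longer reaching Google services directly over UDP/443, since such flows never pass through the proxy. The following script is an added example and is not part of this article or the Web Security Service product: it parses a constructed, space-separated log format (timestamp, action, protocol, src:port, dst:port, bytes), the 10.1.2.0/24 client range and the addresses used are assumptions made for the example, and it reports every internal client whose UDP/443 flows were allowed out, with DROP entries ignored because those show the firewall rule already working.

```python
"""Flag allowed outbound UDP/443 (QUIC) flows per internal client.

Added example, not code from the original article. The log format below is
constructed for this example:
    <timestamp> <ALLOW|DROP> <TCP|UDP> <src_ip>:<src_port> <dst_ip>:<dst_port> <bytes>
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: 10.1.2.30 reaches a Google-style front end over UDP/443
# twice (QUIC, bypassing the proxy at 203.0.113.10:8080), 10.1.2.31 only uses
# the proxy, 10.1.2.32's QUIC attempt is already dropped, and DNS is unrelated.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z ALLOW UDP 10.1.2.30:51544 198.51.100.20:443 1350
2024-01-01T10:00:01Z ALLOW TCP 10.1.2.30:51545 203.0.113.10:8080 512
2024-01-01T10:00:02Z ALLOW TCP 10.1.2.31:40022 203.0.113.10:8080 4096
2024-01-01T10:00:03Z DROP UDP 10.1.2.32:60001 198.51.100.21:443 1200
2024-01-01T10:00:04Z ALLOW UDP 10.1.2.30:51550 198.51.100.20:443 9800
2024-01-01T10:00:05Z ALLOW UDP 10.1.2.33:53120 10.1.2.1:53 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<bytes>\d+)$"
)

# Assumed internal client range; its web traffic is expected to go via the proxy.
CLIENT_NET = ip_network("10.1.2.0/24")


def parse_line(line):
    """Return a dict for a well-formed line, or None for blank/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for field in ("sport", "dport", "bytes"):
        rec[field] = int(rec[field])
    return rec


def find_quic_bypass(log_text, client_net=CLIENT_NET):
    """Summarise allowed outbound UDP/443 flows per internal client.

    Returns {client_ip: {"flows": n, "bytes": total, "destinations": [...]}}.
    Only ALLOW entries count: a DROP means the UDP/443 block is already in place.
    """
    report = defaultdict(lambda: {"flows": 0, "bytes": 0, "destinations": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate noise instead of aborting the whole run
        if rec["action"] != "ALLOW" or rec["proto"] != "UDP" or rec["dport"] != 443:
            continue
        if ip_address(rec["src"]) not in client_net:
            continue
        entry = report[rec["src"]]
        entry["flows"] += 1
        entry["bytes"] += rec["bytes"]
        entry["destinations"].add(rec["dst"])
    # Sort destinations so the result is deterministic and easy to diff.
    return {ip: {**v, "destinations": sorted(v["destinations"])} for ip, v in report.items()}


if __name__ == "__main__":
    for client, info in find_quic_bypass(SAMPLE_LOG).items():
        print(f"{client}: {info['flows']} QUIC flow(s), {info['bytes']} bytes -> {info['destinations']}")
```

After QUIC has been disabled in Chrome or blocked at the firewall, the report should be empty for managed clients; any client that still appears is either not receiving the policy or is using another QUIC-capable application.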
Disable QUIC protocol manually in Google Chrome
Open Google Chrome.
In the address bar, type chrome://flags and press Enter.
Search for QUIC in the search box.
Click the "Default" drop-down next to the QUIC flag and select "Disabled".
Disable QUIC protocol via Group Policy
The Google Chrome GPO template can be obtained here.
Create a new GPO policy.
Go to User Configuration > Policies > Administrative Templates > Classic Administrative Templates > Google > Google Chrome.
Find the setting "Allows QUIC protocol" and set it to Disabled.
Registry Keys Modification
The following Windows registry key (or Mac/Linux preference) can be used to disable QUIC in Chrome, and can be enforced via GPO or an equivalent mechanism:
Data type (Windows): REG_DWORD
Windows registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
Mac/Linux preference name: QuicAllowed
Description: If this policy is set to true (or not set), the usage of QUIC is allowed. If the policy is set to false, the usage of QUIC is not allowed.
Mac plist value to disable QUIC: <false />
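Because an unset policy means QUIC stays enabled, an audit has to treat "value missing" the same as "true". The script below is an added example, not code from this article or from Google or Symantec: it applies exactly the semantics stated in the policy description to three constructed inputs, a decoded .reg export of the Windows policy key (the value name QuicAllowed under that key is the one Chrome's policy list uses), a managed-policy JSON file of the kind placed under /etc/opt/chrome/policies/managed/ on Linux, and a Mac plist fragment carrying the <false/> value, and reports per platform whether QUIC is disabled. The sample contents and the HomepageLocation entry are constructed for the example.

```python
"""Audit whether Chrome's QuicAllowed policy actually disables QUIC.

Added example, not code from the original article. Rule applied, from the
policy description: QUIC is allowed when QuicAllowed is true or unset and
disallowed only when it is explicitly false.
"""
import json
import plistlib
import re

# Constructed: what `reg export HKLM\SOFTWARE\Policies\Google\Chrome` produces
# once decoded to text (the real file is UTF-16 with CRLF line endings).
WINDOWS_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"QuicAllowed"=dword:00000000
"HomepageLocation"="https://intranet.example"
"""

# Constructed: Linux managed policy JSON (assumed path /etc/opt/chrome/policies/managed/)
LINUX_POLICY_JSON = '{"QuicAllowed": false, "HomepageLocation": "https://intranet.example"}'

# Constructed: Mac plist carrying the <false/> value from the article.
MAC_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>QuicAllowed</key>
  <false/>
</dict>
</plist>
"""

REG_KEY_LINE = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]"
REG_VALUE_RE = re.compile(r'^"QuicAllowed"=dword:([0-9a-fA-F]{8})[ \t]*$', re.MULTILINE)


def quic_allowed_from_reg_export(text):
    """True if QUIC remains allowed according to a .reg export of the policy key.

    A missing key or missing value is 'not set', which Chrome treats as allowed.
    """
    if REG_KEY_LINE not in text:
        return True
    m = REG_VALUE_RE.search(text)
    if m is None:
        return True
    return int(m.group(1), 16) != 0  # any non-zero DWORD reads as true


def _allowed_from_mapping(policy):
    """Shared rule for dict-shaped policies: unset or true -> allowed."""
    value = policy.get("QuicAllowed")
    return True if value is None else bool(value)


def quic_allowed_from_policy_json(text):
    """Same check for a Linux/Mac managed-policy JSON document."""
    return _allowed_from_mapping(json.loads(text))


def quic_allowed_from_plist(data):
    """Same check for a Mac plist (bytes), where <false/> disables QUIC."""
    return _allowed_from_mapping(plistlib.loads(data))


def audit(reg_export=None, policy_json=None, plist_data=None):
    """Return {'windows'|'linux'|'mac': 'allowed'|'disabled'} for the inputs given."""
    def verdict(allowed):
        return "allowed" if allowed else "disabled"

    verdicts = {}
    if reg_export is not None:
        verdicts["windows"] = verdict(quic_allowed_from_reg_export(reg_export))
    if policy_json is not None:
        verdicts["linux"] = verdict(quic_allowed_from_policy_json(policy_json))
    if plist_data is not None:
        verdicts["mac"] = verdict(quic_allowed_from_plist(plist_data))
    return verdicts


if __name__ == "__main__":
    print(audit(WINDOWS_REG_EXPORT, LINUX_POLICY_JSON, MAC_PLIST))
```

Run against real exports, the audit catches the two common mistakes the description warns about: a value that was never written (the GPO did not apply) and a value written as 1 instead of 0.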
Note: If you are running the Unified Agent and the Allow Google QUIC option is unchecked in the Web Security Service Console under Services > Mobility > Unified Agent, the agent blocks the QUIC protocol by default.
If you have a business requirement or a preference for the highest performance, you can instruct the Web Security Service to bypass QUIC connections. For security reasons, Symantec does not recommend this option, because you can run into issues such as the one described in this article. Because QUIC is UDP-based, these connections are bypassed at the client endpoint, which means the traffic is neither checked against policy nor reported by the Unified Agent. Only select this bypass option if the highest performance for these clients supersedes the security requirements.
Any other access method to the Web Security Service can use the steps shown above.