Blocking Facebook, YouTube over HTTPS on FortiGate

A few months back I was in hell over blocking YouTube for one of my clients.

I blocked it in the web filter with certificate SSL inspection turned on and later even applied application control to it; in the end, the page opened straight away as if nothing existed in between.

Later the good old Fortinet TAC put me out of my misery and showed me how YouTube slid past the SSL certificate inspection like a knife through butter, because some of Google's websites now use a very different form of SSL: QUIC.

Look at the lock icon to the left of your address bar to see this:

Says right there the connection uses QUIC.

Fortinet has a nice little doc here on how to block it.

I'd just recommend you make this a part of your base configuration and always disable QUIC. QUIC interferes not only with the web filter and app control: say you want to do some email filtering, block Gmail attachments or even stop Google Drive, the traffic will just slip by with QUIC enabled.
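One way to confirm that QUIC is no longer slipping past after the change, as an added example that is not part of the original post or Fortinet's documentation: scan exported forward-traffic logs for UDP/443 sessions that were not denied and group them by policy ID. It assumes the key=value log layout with `proto`, `dstport`, `action`, `policyid` and `srcip` fields; the sample lines are constructed, and `quic_leaks` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample lines in key=value traffic-log style (not real logs).
SAMPLE_LOG = '''\
date=2024-01-10 time=09:15:01 type="traffic" subtype="forward" srcip=10.0.0.21 dstip=203.0.113.10 dstport=443 proto=17 action="accept" policyid=5 service="udp/443"
date=2024-01-10 time=09:15:02 type="traffic" subtype="forward" srcip=10.0.0.21 dstip=203.0.113.10 dstport=443 proto=6 action="close" policyid=5 service="HTTPS"
date=2024-01-10 time=09:15:07 type="traffic" subtype="forward" srcip=10.0.0.34 dstip=203.0.113.25 dstport=443 proto=17 action="deny" policyid=2 service="udp/443"
date=2024-01-10 time=09:16:40 type="traffic" subtype="forward" srcip=10.0.0.21 dstip=203.0.113.11 dstport=443 proto=17 action="accept" policyid=5 service="udp/443"
date=2024-01-10 time=09:17:03 type="traffic" subtype="forward" srcip=10.0.0.40 dstip=198.51.100.53 dstport=53 proto=17 action="accept" policyid=5 service="DNS"
'''

# Matches key=value and key="quoted value" pairs.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def quic_leaks(log_text):
    """Return {policyid: {"sessions": n, "clients": {srcip, ...}}} for UDP/443
    traffic that was not denied. QUIC runs over UDP port 443, so any such
    session bypassed TCP-based HTTPS inspection."""
    leaks = defaultdict(lambda: {"sessions": 0, "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic":
            continue
        is_udp_443 = rec.get("proto") == "17" and rec.get("dstport") == "443"
        # Assumption: any action other than "deny" means the session passed.
        if is_udp_443 and rec.get("action") != "deny":
            entry = leaks[rec.get("policyid", "unknown")]
            entry["sessions"] += 1
            entry["clients"].add(rec.get("srcip", "unknown"))
    return dict(leaks)


if __name__ == "__main__":
    for policy, info in sorted(quic_leaks(SAMPLE_LOG).items()):
        clients = ", ".join(sorted(info["clients"]))
        print(f"policy {policy}: {info['sessions']} UDP/443 session(s) from {clients}")
```

An empty result after the change means no policy is still passing UDP/443; any policy ID that shows up is one to revisit.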