Check whether the security policy that blocks the application is above the pass policy. If the interface uses VRF, a new security policy should also be created, referencing VRF and blocking the application.

Click the Activate button via [Objects->APP Security->Advanced Setting], and test again to see if it is being blocked.

If it still cannot be blocked, the application may be using the QUIC protocol. If it is a web-based application, you can disable the QUIC protocol in the browser.

How to disable the QUIC protocol when using the Chrome browser

Visit the chrome://flags/#enable-quic page in the Chrome browser and set the Experimental QUIC protocol status to Disable.

How to disable the QUIC protocol when using the Microsoft Edge browser

Visit the edge://flags/#enable-quic page in the Microsoft Edge browser and set the Experimental QUIC protocol status to Disable.

Disabling the QUIC protocol has the following two limitations:
1) The QUIC protocol is based on UDP transmission. After disabling QUIC, the transmission is based on TCP, which may cause web pages to open more slowly.
2) Web pages that only support the QUIC protocol cannot be opened.

If the QUIC protocol cannot be disabled in the application, you can confirm whether QUIC is the cause by the following method.

First, locally ping the domain name of the application that cannot be blocked to confirm the IP address.

If the client is not able to ping, you can ping the domain name from the firewall device on the [System->Diagnosis Center->ping] page.

Then, use the IP address as the destination IP to configure the ACL on the WEB page. Create a new ACL via [Objects->ACL->IPv4 ACL].

Then, via [System->Diagnosis Center->Packet Capture], select the interface and the ACL configured in the previous step, and click Start to capture packets.

Open the packet capture and check whether the captured content contains any QUIC protocol traffic. If it does, the QUIC protocol is the reason the application is not being blocked.
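
The check in the last step can also be scripted. The following is an added example, not part of the original procedure or the vendor's tooling: it scans a capture for UDP port 443 datagrams that carry a QUIC long header. It assumes the capture was exported in little-endian classic pcap format with Ethernet frames and IPv4; the function names and the sample packets are constructed for illustration.

```python
import struct

def build_sample_pcap():
    """Constructed capture: one QUIC v1 long-header datagram and one DNS query."""
    def frame(dport, payload):
        udp = struct.pack("!HHHH", 50000, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
        eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp
        return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth
    quic = b"\xc0" + struct.pack("!I", 1) + b"\x08" + b"\xaa" * 8 + b"\x00" * 20
    dns = b"\x12\x34\x01\x00" + b"\x00" * 12
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + frame(443, quic) + frame(53, dns)

def find_quic(pcap):
    """Return (src_ip, dst_ip, quic_version) for each QUIC long-header datagram."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        # Keep only Ethernet type 0x0800 (IPv4), IP version 4, protocol 17 (UDP).
        if len(pkt) < 42 or pkt[12:14] != b"\x08\x00" or pkt[14] >> 4 != 4 or pkt[23] != 17:
            continue
        udp = 14 + (pkt[14] & 0x0F) * 4  # UDP header starts after the IP header
        if len(pkt) < udp + 8:
            continue
        sport, dport = struct.unpack_from("!HH", pkt, udp)
        payload = pkt[udp + 8:]
        # QUIC long header: top bit of the first byte set, then a 32-bit version.
        # Short-header packets carry no version, so only the handshake is matched.
        if 443 in (sport, dport) and len(payload) >= 5 and payload[0] & 0x80:
            version = struct.unpack_from("!I", payload, 1)[0]
            hits.append((".".join(map(str, pkt[26:30])),
                         ".".join(map(str, pkt[30:34])), version))
    return hits

if __name__ == "__main__":
    for src, dst, version in find_quic(build_sample_pcap()):
        print(f"QUIC long header {src} -> {dst}, version 0x{version:08x}")
```

Because only handshake packets carry the long header, start the capture before opening the application so the start of the connection is included.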
