In the Watchguard Firebox:
DASHBOARD > TRAFFIC-MONITOR
2025-01-20 06:48:22 Deny 192.168.22.189 23.222.17.170 https/udp 59576 443 Trusted-Bridge External 1 GB Denied 1278 126 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" geo_dst="CAN" duration="0" sent_bytes="1278" rcvd_bytes="0"
from: 192.168.22.189
to: 23.222.17.170
service: https
protocol: udp
source-port: 59576
dest-port: 443
packet-length: 1278
ttl: 126
This is port 443, but the traffic is UDP rather than TCP: it is the Google QUIC protocol. Blocking QUIC makes the client fall back to TCP, so the firewall can identify the application properly.
To double-check on the client system itself, the following command (Windows) lists all listening sockets and open connections, with the protocol, local/remote address and port of each, and the owning process ID in the last column:
netstat -ano
======================================
Internal team findings show that traffic to our SaaS should only be TCP traffic on ports 443 and 80.
The external customer has a cybersecurity team that monitors traffic from their systems to our SaaS. It is possible that their methodology was to use a firewall to capture the traffic from the desktop/laptop used to access our SaaS. As a result, the firewall picks up all communication from that desktop/laptop, not just the traffic to/from our SaaS.
Applications on the system, including background applications, browsers and browser extensions, reach out on various ports to various locations.
Some application, browser and browser-extension traffic that has been attributed to our SaaS includes, but is not limited to, the following:
Google
Google-owned URLs may show because the client systems are using Chrome. Chrome automatically tries to fill in the username/password, so in this scenario content-autofill will show along with other Google-owned URLs:
content-autofill.googleapis.com
encrypted-tbn0.gstatic.com
lh5.googleusercontent.com
update.googleapis.com
etc.
Firefox
In the same manner, if they use Firefox, the firewall will show traffic to Mozilla-owned URLs:
mozilla.com
mozilla.net
etc.
Onedrive
If the client systems have OneDrive installed and it is trying to reach a personal OneDrive/SharePoint storage, Microsoft-owned URLs may show:
storage.live.com
{tenant-name}.sharepoint.com
etc.
Google QUIC (UDP443)
If the client systems have the Google Docs extension, the Google-owned domains may show UDP traffic on port 443. This is the Google QUIC protocol. Blocking QUIC makes the client fall back to TCP, so the application can be identified properly. This is recommended by Palo Alto:
KB: kA10g000000ClarCAC (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC)
Microsoft (TCP7680)
Microsoft WUDO (Windows Update Delivery Optimization). The client systems are set to receive/send updates to other systems on either the LAN or the WAN. This is a swarm protocol (receiving Windows Updates from other systems on the LAN/WAN), but it could be any swarm protocol. (deep-dive: https://www.sygnia.co/blog/chapter-2-black-box-research/)
Microsoft (TCP3544)
Microsoft XBOX app-x packets are XBOX-LIVE & XBOX-CONSOLE-COMPANION.
Apple (UDP5353)
Apple Bonjour / mDNS to 224.0.0.251. The client system has Bonjour installed. (https://learningnetwork.cisco.com/s/question/0D53i00000Kt67JCAR/22400251)
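As an added example (not part of the original notes, and not WatchGuard's or Palo Alto's code), the Python script below parses Traffic Monitor lines in the layout quoted at the top and attributes each flow using the protocol/port and domain signatures listed in this section, so that only TCP 80/443 to the SaaS host is counted as SaaS traffic and UDP/443 (QUIC), TCP 7680, TCP 3544 and mDNS are labelled as what they are. The SaaS hostname, the IP-to-hostname hints and every log line except the first are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical SaaS hostname (placeholder) and the only proto/port pairs expected toward it.
SAAS_HOSTS = {"app.example-saas.test"}
SAAS_PORTS = {("tcp", 443), ("tcp", 80)}

# Domain suffixes taken from the lists above, grouped by owner.
DOMAIN_CATEGORIES = {
    "google": ("googleapis.com", "gstatic.com", "googleusercontent.com"),
    "firefox": ("mozilla.com", "mozilla.net"),
    "onedrive": ("storage.live.com", "sharepoint.com"),
}
# Protocol/port signatures from the list above; mDNS also needs the multicast group.
PORT_CATEGORIES = {
    ("udp", 443): "google-quic",
    ("tcp", 7680): "microsoft-wudo",
    ("tcp", 3544): "microsoft-xbox",
}
MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353

# Positional head of a Traffic Monitor line: date time action src dst service/proto sport dport ...
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<service>[^/\s]+)/(?P<proto>\w+) (?P<sport>\d+) (?P<dport>\d+) "
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')  # trailing key="value" pairs


@dataclass
class Flow:
    action: str
    src: str
    dst: str
    service: str
    proto: str
    sport: int
    dport: int
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Optional[Flow]:
    """Parse one Traffic Monitor line; returns None for lines in another layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Flow(action=m["action"], src=m["src"], dst=m["dst"], service=m["service"],
                proto=m["proto"].lower(), sport=int(m["sport"]), dport=int(m["dport"]),
                fields=dict(KV_RE.findall(line)))


def classify_host(hostname: str) -> str:
    """Attribute a destination hostname to one of the owners listed above (suffix match)."""
    h = hostname.lower().rstrip(".")
    for category, suffixes in DOMAIN_CATEGORIES.items():
        if any(h == s or h.endswith("." + s) for s in suffixes):
            return category
    return "unknown"


def classify_flow(flow: Flow, dst_host: Optional[str] = None) -> str:
    """Label a flow; 'saas' only for TCP 80/443 to a known SaaS host, so QUIC (UDP/443)
    and the Microsoft/Apple ports are never attributed to the SaaS."""
    if flow.proto == "udp" and flow.dport == MDNS_PORT and flow.dst == MDNS_GROUP:
        return "apple-bonjour-mdns"
    key = (flow.proto, flow.dport)
    if key in PORT_CATEGORIES:
        return PORT_CATEGORIES[key]
    if dst_host:
        owner = classify_host(dst_host)
        if owner != "unknown":
            return owner
        if dst_host in SAAS_HOSTS and key in SAAS_PORTS:
            return "saas"
    return "unknown"


def summarize(lines: List[str], host_hints: Optional[Dict[str, str]] = None) -> Dict[str, int]:
    """Count flows per category. host_hints maps destination IP -> hostname (e.g. from the
    firewall's DNS or proxy logs), since the Traffic Monitor line carries no hostname."""
    host_hints = host_hints or {}
    counts: Dict[str, int] = {}
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        category = classify_flow(flow, host_hints.get(flow.dst))
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample: the first line is the Traffic Monitor entry quoted above; the rest are
# made up in the same layout, one per category, using documentation-range addresses.
SAMPLE_LOG = [
    '2025-01-20 06:48:22 Deny 192.168.22.189 23.222.17.170 https/udp 59576 443 Trusted-Bridge External 1 GB Denied 1278 126 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" geo_dst="CAN" duration="0" sent_bytes="1278" rcvd_bytes="0"',
    '2025-01-20 06:49:03 Allow 192.168.22.189 192.168.22.57 tcp/tcp 50212 7680 Trusted-Bridge Trusted-Bridge proc_id="firewall" rc="100"',
    '2025-01-20 06:49:10 Allow 192.168.22.189 198.51.100.21 tcp/tcp 50220 3544 Trusted-Bridge External proc_id="firewall" rc="100"',
    '2025-01-20 06:49:15 Allow 192.168.22.189 224.0.0.251 mdns/udp 5353 5353 Trusted-Bridge Trusted-Bridge proc_id="firewall" rc="100"',
    '2025-01-20 06:49:20 Allow 192.168.22.189 203.0.113.10 https/tcp 50231 443 Trusted-Bridge External proc_id="firewall" rc="100"',
    '2025-01-20 06:49:22 Allow 192.168.22.189 198.51.100.7 https/tcp 50233 443 Trusted-Bridge External proc_id="firewall" rc="100"',
]
# Constructed IP -> hostname hints, as a DNS log would supply them.
HOST_HINTS = {"203.0.113.10": "app.example-saas.test",
              "198.51.100.7": "content-autofill.googleapis.com"}
```

Calling summarize(SAMPLE_LOG, HOST_HINTS) yields one flow each for google-quic, microsoft-wudo, microsoft-xbox, apple-bonjour-mdns, saas and google; without the hostname hints the two TCP/443 flows come out as "unknown" rather than "saas", which is the point: a bare Traffic Monitor line cannot attribute TCP/443 to the SaaS by itself, and the UDP/443 line is never attributed to it.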