ATP100 - HSTS - Youtube

Cava
Cava Posts: 7  Freshman Member
First Comment Second Anniversary
in Security
Hi We have just replaced old usg with a new ATP. When the customer tries to access, for example, at youtube, the site directly redirect to consent.you.... Firefox gave me "key pinning error". I tried to add the *.youtube.com on every whitelist, I tried to disable any rule, I tried to disable http to https  redirect... I don't knot how to search. Our firewall is always an ATP100, I checked the configuration and it's really similar... And we can access without any problem. I don't know what to check.... FW is 5.00 ABPS.2

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,404  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @Cava,

    What security services (App Patrol, Content Filter, ....) are enabled on ATP100?

    Are there any blocked messages of YouTube access in Logs?

    Can you send me the startup-config.conf of ATP100 in private message?



    Untitled Image

    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • Cava
    Cava Posts: 7  Freshman Member
    First Comment Second Anniversary
    Hi. I did nothing since I wrote the message (yesterday was holiday here), and this morning it works. I just updated the certificates2 days ago...



  • Zyxel_Emily
    Zyxel_Emily Posts: 1,404  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @Cava,
    Thanks for sharing your test result with us.  :)  
    If the issue happens again, feel free to send the startup-config.conf of ATP100 to me in private message.

    Untitled Image

    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • CSCComo
    CSCComo Posts: 16  Freshman Member
    First Comment Third Anniversary
    Hi. Same problem on another customer...
  • CSCComo
    CSCComo Posts: 16  Freshman Member
    First Comment Third Anniversary
    content filter, app patrol enabled. ssl inspection no. It seems like man in the middle...
  • CSCComo
    CSCComo Posts: 16  Freshman Member
    First Comment Third Anniversary
    Hi. I did some checks.... It seems that after installing the firewall (casually?) there is a problem with DNS resolution. The customer has a phisical windows 2016 server with an old, virtualized, SBS 2008 When I trie to resolve www.youtube.com it goes to 52.203.95.96 (United States Ashburn Amazon Technologies Inc. ). Instead from my PC it resolve the address with 142.250.184.110 (Italy Milano Google ). If I replace the DNS on a internal PC with 8.8.8.8 it works. The forward DNS on SBS are 8.8.8.8 and 8.8.4.4. Already tried to flush DNS cash (locally and DNS Server). We have still SBS2011, same firewall, same DNS configuration and no problems
  • MJStar
    MJStar Posts: 37  Freshman Member
    First Answer First Comment Friend Collector Third Anniversary
    edited September 2021
    Hello @CSCComo

    What is your DNS server configuration on Zyxel firewall?
    If it is a DNS resolution issue, you might refer to the following links about Domain Zone Forwarder:

    If you would like to flush DNS cache, you can refer to this discussion:
  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula First Comment Fourth Anniversary
    In our case we have the ATP100 behind an ATT Fiber modem/router.  The ATP was using the ATT device for DNS.  Changed this to an external DNS server (Level3) and it worked.

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)