ATP100 - HSTS - Youtube

Cava
Cava Posts: 7
First Anniversary First Comment
Hi We have just replaced old usg with a new ATP. When the customer tries to access, for example, at youtube, the site directly redirect to consent.you.... Firefox gave me "key pinning error". I tried to add the *.youtube.com on every whitelist, I tried to disable any rule, I tried to disable http to https  redirect... I don't knot how to search. Our firewall is always an ATP100, I checked the configuration and it's really similar... And we can access without any problem. I don't know what to check.... FW is 5.00 ABPS.2

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @Cava,

    What security services (App Patrol, Content Filter, ....) are enabled on ATP100?

    Are there any blocked messages of YouTube access in Logs?

    Can you send me the startup-config.conf of ATP100 in private message?



  • Cava
    Cava Posts: 7
    First Anniversary First Comment
    Hi. I did nothing since I wrote the message (yesterday was holiday here), and this morning it works. I just updated the certificates2 days ago...



  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @Cava,
    Thanks for sharing your test result with us.  :)  
    If the issue happens again, feel free to send the startup-config.conf of ATP100 to me in private message.

  • CSCComo
    CSCComo Posts: 16  Freshman Member
    First Anniversary 10 Comments
    Hi. Same problem on another customer...
  • CSCComo
    CSCComo Posts: 16  Freshman Member
    First Anniversary 10 Comments
    content filter, app patrol enabled. ssl inspection no. It seems like man in the middle...
  • CSCComo
    CSCComo Posts: 16  Freshman Member
    First Anniversary 10 Comments
    Hi. I did some checks.... It seems that after installing the firewall (casually?) there is a problem with DNS resolution. The customer has a phisical windows 2016 server with an old, virtualized, SBS 2008 When I trie to resolve www.youtube.com it goes to 52.203.95.96 (United States Ashburn Amazon Technologies Inc. ). Instead from my PC it resolve the address with 142.250.184.110 (Italy Milano Google ). If I replace the DNS on a internal PC with 8.8.8.8 it works. The forward DNS on SBS are 8.8.8.8 and 8.8.4.4. Already tried to flush DNS cash (locally and DNS Server). We have still SBS2011, same firewall, same DNS configuration and no problems
  • MJStar
    MJStar Posts: 34  Freshman Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited September 2021
    Hello @CSCComo

    What is your DNS server configuration on Zyxel firewall?
    If it is a DNS resolution issue, you might refer to the following links about Domain Zone Forwarder:

    If you would like to flush DNS cache, you can refer to this discussion:
  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member
    First Anniversary 10 Comments Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula
    In our case we have the ATP100 behind an ATT Fiber modem/router.  The ATP was using the ATT device for DNS.  Changed this to an external DNS server (Level3) and it worked.

Security Highlight