USG Flex 100 Problem with Content Filter, Signature Updates, etc... etc...

stepgilb

Greetings,

I am using the User Guide USG FLEX 100_V5.31.pdf to verify the settings. The unit is registered and licenses are valid:

The App-Patrol Signature update works, the Anti-Malware and IPS cannot be updated???

In Web Content Filter no matter what URL I enter I always get

when testing a URL:

The result is that users wait for every URL a long time (~3-6 seconds)  before seeing a website because of "Action when Category Server is unavailable" = Pass.

How do we resolve these problems???

Other question: do we still need to add the server certificate to the PC's behind the UGS?

stepgilb

OK, got it to work, limited the Source IP to the LAN 2 subnet. L2TP/IPSec and Zywalll Device routing works.

mMontana

First problem: ad a DNS server to system settings of your device.

Second question: if you don't add the device certificate to the PCs, the "s" traffic between USG and computer (HTTPs, POPs, SMTPs, IMAPs) won't be considered valid from the operating system.

stepgilb

Thanks. Set up the DNS as in https://support.zyxel.eu/hc/en-us/articles/360001390854-How-to-setup-DNS-on-a-USG, no changes. Does anuone have the FQDN for the update servers and the content filter category server?

stepgilb

Seems to be a similar problem as this one: https://community.zyxel.com/en/discussion/2519/no-default-dns-for-wan1-on-usg40

mMontana

stepgilb said:

Thanks. Set up the DNS as in https://support.zyxel.eu/hc/en-us/articles/360001390854-How-to-setup-DNS-on-a-USG, no changes. Does anyone have the FQDN for the update servers and the content filter category server?

Did you checked if your device is correcly resolving names via the interface?

Maintenance -> Diagnostic -> Network Tool  (NSLookup IPv4)

stepgilb

Just a moment ago, it is not resolving host names and I am not able to ping anything on the wan interface like the 7590 Fritzbox DNS server 192.168.178.1. The lan1 and 2 IP's are pingable (192.168.2.1 and 1.1). Looks to me like traffic is being blocked. I also tried pings using the CLI, same result. To get L2TP-IPSEC to work I had to add an additional NAT rule for the Outside (FB WAN address), maybe that's the problem?

stepgilb

Zyxel_Cooldia

Hi @stepgilb,

Welcome to Zyxel Community.
We may need to check if it is routing issue or DNS resolve issue.
Could you please draw a brief network topology with interface IP?
(Mask last octet on public IP)

stepgilb

Thanks! L2TP/IPSEC is working perfectly, LAN 2 PCs 100% OK network wise, also concerning DNS

stepgilb

This is ping to one of the Telekom DNS Servers which works fine on LAN 2 but not here:

stepgilb

A ping to the FB Gateway and DNS Server does not work (on LAN 2 it does):