Why doesn't Content filter block adobe.com on USG20-VPN?
electsystech
Posts: 47 Freshman Member
in Security
Have a customer with a USG20-VPN with content filter subscription. They have computers on a strict whitelist only policy. There's only 24 websites on their Trusted Websites. Putting *adobe.com and *.adobe.com in the Forbidden sites doesn't block it either. I also setup the same content policy with DNS content and there's no change. We are blocking the QUIC protocol, UDP ports 80 and 443. The only I was able to get it blocked was to do a ping to adobe.com and then setup a policy to block all those ip addresses. I updated the router to the latest 5.31 firmware.
I tested blocking adobe.com on our site here on a VPN 100 router and it blocked it as expected. What's the difference?
I tested blocking adobe.com on our site here on a VPN 100 router and it blocked it as expected. What's the difference?
0
All Replies
-
Hi @electsystech,USG20-VPN with 5.31(ABAQ.0) can block adobe successfully. Here are the configuration and result for your reference. If it is still not working on your USG20-VPN, please share the startup-config.conf with me in private message.
1. Add a new CF profile. Enable "Enable HTTPS Domain Filter for HTTPS traffic".
2. In Custom Service, add adobe in forbidden web sites. Enable the option "Enable Custom Service".
3. Apply the profile to security policy rule. In this example, we apply this profile to the rule LAN1_Outgoing.
Test Result:See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community0 -
PM sent with config file.0
-
Maybe DNS over HTTPS?
0 -
Hi @electsystech,In your configuration file, "adobe" is not on the list of forbidden list no matter in Custom Service of profile or Common Forbidden Web Sites.Actually, your CF profile blocks almost all internet access. I also tried to access adobe.com and it is blocked. Could you check the configuration again?
See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community0 -
That's the point, it's supposed to be blocking all internet access. I setup another policy like your screenshot shows and it's still working. I had to add more ips to the blocked ip range to get adobe blocked. It needs to be blocked by domain name not ip because the ips will keep changing.
0 -
When I last checked there is a bug where Content filter breaks
https://community.zyxel.com/en/discussion/14055/break-https-domain-filter-for-https-traffic
do not put in like
adobe.com
AND any other entries like that
put in
*.adobe*.com
and reboot
1
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight