How to check Content Filter service when it is not working as expected

Zyxel_Kevin
Zyxel_Kevin Posts: 885  Zyxel Employee
Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments
edited September 2022 in Security Service
The device has valid content filter license and content filter service is enabled.. However, you find some sites still bypass the inspection and are not being blocked when they should be. The article explains how to troubleshoot when Content Filter is not working as expected.

Web Content Filtering Process

1. A user enters a URL into their web browser.

2. The user’s computer sends a DNS query for the URL

3. The DNS server returns an IP addresses for the URL.

4. The user’s web browser connects to the IP address.

5. The Web Content Filter detects an HTTP connection, and inspects the website send using Server Name Indication (SNI).

6. If the website contains prohibited material, the HTTP request is redirected to a block page.

Checking Flow

1. Check if you have blocked QUIC Protocol (UDP443) and put in the higher priority.


2. Check if the URL can be classified. If not, make sure firewall has the internet access or contact Zyxel Support.


3.  Check if the option “Enable HTTPS Domain Filter for HTTPS traffic” is enabled.Select this check box to have the Zyxel Device block HTTPS web pages using the cloud category service. In an HTTPS connection, the Zyxel Device can extract the Server Name Indication (SNI) from a client request, check if it matches a category in the cloud content filter and then take appropriate action. The keyword match is for the domain name only.

 

4. Make sure you have disabled the Proxy setting on the endpoint such as OS, antivirus software and the browser. Please note that some browsers have their own proxy settings.


5. Capture the packets to check there is SNI which you want to manage.



Tagged: