Flex 500 Content Filter doesn't work from Chrome (pornography)

edotadmin Posts: 3
edited May 8 in Security

We have just upgraded from a USG210 to a USG Flex 500. The Content Filtering does not work using Chrome to some pornography sites. It works fine using Edge, Safari, and even curl. Using Chrome, some porn sites are blocked and some are not. The porn web-site validates as "Pornography" on the "Configuration" => "Security Service" => "Content Filter" page. The one I test is "pornhub dot com".

I have read the other similar, recent threads on this forum. I have blocked UDP80 and UDP443 with no change for Chrome. If I block ALL udp ports, it does work: porn is blocked in Chrome.

Is there a better solution than blocking ALL UDP ports?

thanks,

Rick

All Replies

  • edotadmin
    edotadmin Posts: 3

    Update: it appears that blocking all UDP ports does not fully solve the problem. When I block all UDP ports, close down Chrome and reopen Chrome, the first attempt to access the porn site is blocked, but if I open a new tab in Chrome the page is now visible.

  • PeterUK
    PeterUK Posts: 2,878  Guru Member
    edited May 8

    Could be to do with this

    https://www.reddit.com/r/sysadmin/comments/1carvpd/chrome_124_breaks_tls_handshake/

    Using DNS Content Filter will work if the client doesn't use DNS over HTTPS

    clear browser cache

    and run this in Flex

    debug content-filter https-domain-filter cache flush

  • edotadmin
    edotadmin Posts: 3

    Thanks, PeterUK,

    I read that thread and changed the setting in my Chrome instance, and it did block the porn. However, that's not a real solution; I can't leave the content filtering up to the individuals in the building to change a setting in Chrome on their personal device. Even if Chrome and the web-sites have an issue because of this flag, the firewall (Zyxel) should still always block any attempt to get to that web-site/URL.

  • PeterUK
    PeterUK Posts: 2,878  Guru Member
    edited May 8

    I think Zyxel knows about it and should be able to fix it. However, at some point it may not work due to Encrypted Client Hello if DNS over HTTPS is used, unless Zyxel also adds a block if there is no SNI.
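
Added example, not part of the thread and not Zyxel's code: a sketch of the SNI lookup an HTTPS domain filter performs, assuming the failure discussed above is a ClientHello too large for one TCP segment. It shows why the filter has to reassemble the hello before deciding and, as suggested in the last reply, block when no SNI is found. The hostnames, the `pad` parameter and all function names are constructed for illustration.

```python
import struct

BLOCKED = {"blocked.example"}  # constructed stand-in for a blocked category

def build_client_hello(sni=None, pad=0):
    """Constructed minimal ClientHello record; `pad` bytes precede the SNI."""
    exts = b""
    if pad:  # padding extension (type 21), used here only to enlarge the hello
        exts += struct.pack("!HH", 21, pad) + bytes(pad)
    if sni is not None:
        n = len(sni)
        exts += struct.pack("!HHHBH", 0, n + 5, n + 3, 0, n) + sni.encode("ascii")
    hello = (b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(buf):
    """Return (status, host); status is ok, no_sni, incomplete or not_tls."""
    if len(buf) < 5 or len(buf) < 5 + struct.unpack("!H", buf[3:5])[0]:
        return "incomplete", None  # TLS record not fully received yet
    try:
        if buf[0] != 0x16 or buf[5] != 0x01:  # handshake record, ClientHello
            return "not_tls", None
        p = 44 + buf[43]  # skip headers, version, random, session id
        p += 2 + struct.unpack("!H", buf[p:p + 2])[0]  # cipher suites
        p += 1 + buf[p]  # compression methods
        end = p + 2 + struct.unpack("!H", buf[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", buf[p:p + 4])
            if etype == 0:  # server_name
                nlen = struct.unpack("!H", buf[p + 7:p + 9])[0]
                return "ok", buf[p + 9:p + 9 + nlen].decode("ascii")
            p += 4 + elen
        return "no_sni", None
    except (IndexError, struct.error, UnicodeDecodeError):
        return "not_tls", None

def verdict(segments, reassemble=True, fail_closed=True):
    """Verdict for one flow; the two flags model the weaker filter behaviours."""
    buf = b""
    for seg in (segments if reassemble else segments[:1]):
        buf += seg
        status, host = extract_sni(buf)
        if status == "ok":
            return "block" if host in BLOCKED else "allow"
    return "block" if fail_closed else "allow"
```

With a 1500-byte pad the SNI lands in the second segment, so `verdict(segs, reassemble=False, fail_closed=False)` lets the blocked host through while the default settings block it.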
