Flex 500 Content Filter doesn't work from Chrome (pornography)

edotadmin
edotadmin Posts: 8  Freshman Member
edited May 8 in Security

We have just upgraded from a USG210 to a USG Flex 500. The Content Filtering does not work using Chrome to some pornography sites. It works fine using Edge, Safari, and even curl. Using Chrome, some porn sites are blocked and some are not. The porn web-site validates as "Pornography" on the "Configuration" => "Security Service" => "Content Filter" page. The one I test is "pornhub dot com"

I have read the other similar, recent threads on this forum. I have blocked UDP80 and UDP443 with no change for Chrome. If I block ALL udp ports, it does work: porn is blocked in Chrome.

Is there a better solution than blocking ALL UDP ports?

thanks,

Rick

All Replies

  • edotadmin
    edotadmin Posts: 8  Freshman Member

    Update: it appears that blocking all UDP ports does not fully solve the problem. When I block all UDP ports, close down Chrome and reopen Chrome, the first attempt to access the porn site is blocked, but if I open a new tab in Chrome the page is now visible.

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    edited May 8

    Could be to do with this

    https://www.reddit.com/r/sysadmin/comments/1carvpd/chrome_124_breaks_tls_handshake/

    Using DNS Content Filter will work if the client doesn't use DNS over HTTPS

    clear browser cache

    and run this in Flex

    debug content-filter https-domain-filter cache flush

  • edotadmin
    edotadmin Posts: 8  Freshman Member

    Thanks, PeterUK,

    I read that thread and changed the setting in my Chrome instance, and it did block the porn. However, that's not a real solution; I can't leave the content filtering up to the individuals in the building to change a setting in Chrome on their personal device. Even if Chrome and the web-sites have an issue because of this flag, the firewall (Zyxel) should still always block any attempt to get to that web-site/URL.

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    edited May 8

    I think Zyxel knows about it and should be able to fix it; however, at some point it may not work due to Encrypted Client Hello if DNS over HTTPS is used, unless Zyxel also adds a block if there is no SNI.

  • netadminbze
    netadminbze Posts: 1

    Does anyone know if a fix for this bug / issue has been released? I have two USG FLEX 500s with the same issue. Worst part is I need the content filter running due to the nature of the business my client does.

  • electsystech
    electsystech Posts: 47  Freshman Member
    Answer ✓

    You need to install the datecode firmware patch from here.

    Hopefully, it goes from datecode to production very soon.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,574  Zyxel Employee
    Answer ✓

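Added example, not part of the thread and not Zyxel's code: a Python sketch of the fail-closed SNI check PeterUK alludes to ("block if no SNI"), applied to the first bytes of a TCP/443 flow. A ClientHello that has not fully arrived yet is held for reassembly instead of being forwarded unclassified. The function names, the `blocked.example` domain and the sample ClientHello builder are constructed for illustration, and a ClientHello split across several TLS records is out of scope.

```python
import struct

def build_client_hello(sni=None):
    """Constructed sample input: a minimal TLS ClientHello record."""
    exts = b""
    if sni is not None:
        n = sni.encode()
        exts = struct.pack("!HHHBH", 0, len(n) + 5, len(n) + 3, 0, len(n)) + n
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello     # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs # type 22 = handshake

def extract_sni(data):
    """Return (status, host); status: sni, no_sni, incomplete or unparsed."""
    if data[:1] not in (b"", b"\x16"):
        return "unparsed", None       # first byte is not a TLS handshake record
    rec_len = struct.unpack("!H", data[3:5])[0] if len(data) >= 5 else None
    if rec_len is None or len(data) < 5 + rec_len:
        return "incomplete", None     # rest of the hello is in a later TCP segment
    hs = data[5:5 + rec_len]
    try:
        if hs[0] != 0x01:
            return "unparsed", None   # handshake message is not a ClientHello
        pos = 4 + 2 + 32                                     # header, version, random
        pos += 1 + hs[pos]                                   # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                                   # compression methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(hs)):
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            if etype == 0:                                   # server_name extension
                nlen = struct.unpack("!H", hs[pos + 7:pos + 9])[0]
                return "sni", hs[pos + 9:pos + 9 + nlen].decode("ascii", "replace").lower()
            pos += 4 + elen
    except (IndexError, struct.error):
        return "unparsed", None       # structure this parser could not walk
    return "no_sni", None

def verdict(data, blocked):
    """Filtering decision for the first bytes of a TCP/443 flow (fail closed)."""
    status, host = extract_sni(data)
    if status == "incomplete":
        return "buffer"               # reassemble first; never forward unclassified
    if status == "sni" and not any(host == d or host.endswith("." + d) for d in blocked):
        return "allow"
    return "block"                    # blocked name, no SNI, or unparsed hello
```

The only path to "allow" is a fully parsed ClientHello whose SNI is not on the block list; everything else is either held or dropped.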