Flex 500 Content Filter doesn't work from Chrome (pornography)

edotadmin Posts: 8  Freshman Member
edited May 8 in Security

We have just upgraded from a USG210 to a USG Flex 500. The Content Filtering does not work using Chrome for some pornography sites. It works fine using Edge, Safari, and even curl. Using Chrome, some porn sites are blocked and some are not. The porn web-site validates as "Pornography" on the "Configuration" => "Security Service" => "Content Filter" page. The one I test is "pornhub dot com".

I have read the other similar, recent threads on this forum. I have blocked UDP80 and UDP443 with no change for Chrome. If I block ALL udp ports, it does work: porn is blocked in Chrome.

Is there a better solution than blocking ALL UDP ports?

thanks,

Rick

All Replies

  • edotadmin
    edotadmin Posts: 8  Freshman Member

    Update: it appears that blocking all UDP ports does not fully solve the problem. When I block all UDP ports, close down Chrome and reopen Chrome, the first attempt to access the porn site is blocked, but if I open a new tab in Chrome the page is now visible.

  • PeterUK
    PeterUK Posts: 3,118  Guru Member
    edited May 8

    Could be to do with this

    https://www.reddit.com/r/sysadmin/comments/1carvpd/chrome_124_breaks_tls_handshake/

    Using DNS Content Filter will work if the client doesn't use DNS over HTTPS

    clear browser cache

    and run this in Flex

    debug content-filter https-domain-filter cache flush

  • edotadmin
    edotadmin Posts: 8  Freshman Member

    Thanks, PeterUK,

    I read that thread and changed the setting in my Chrome instance, and it did block the porn. However, that's not a real solution; I can't leave the content filtering up to the individuals in the building to change a setting in Chrome on their personal device. Even if Chrome and the web-sites have an issue because of this flag, the firewall (Zyxel) should still always block any attempt to get to that web-site/URL.

  • PeterUK
    PeterUK Posts: 3,118  Guru Member
    edited May 8

    I think Zyxel knows about it and should be able to fix it; however, at some point it may not work due to Encrypted Client Hello if DNS over HTTPS is used, unless Zyxel also adds a block if there is no SNI.

  • netadminbze
    netadminbze Posts: 1

    Does anyone know if a fix for this bug / issue has been released? I've got two USG FLEX 500s with the same issue. Worst part: I need the content filter running due to the nature of the business my client does.

  • electsystech
    electsystech Posts: 37  Freshman Member

    You need to install the datecode firmware patch from here.

    Hopefully, it goes from datecode to production very soon.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,059  Zyxel Employee