Why does the firewall show “Category Query Fail-Open” even after changing DNS?
Options
Zyxel_Stanley
Posts: 1,481 
Zyxel Employee
Zyxel Employee
Question:
Why does the firewall show “Category Query Fail-Open” even after changing DNS?
Answer:
Please troubleshoot in this order:
- Check DNS settings: confirm the firewall can correctly resolve
"gti-trellix.api.cloud.zyxel.com". - Check server reachability: verify connectivity to "gti-trellix.api.cloud.zyxel.com".
- Check packet flow (both directions): confirm traffic is not only outbound but also has return packets (TCP handshake must complete).
If outbound works but no return traffic, review upstream NAT/router security inspection/filtering and allow bi-directional traffic to/from the server.
0
Categories
- All Categories
- 442 Beta Program
- 3K Nebula
- 229 Nebula Ideas
- 130 Nebula Status and Incidents
- 6.6K Security
- 661 USG FLEX H Series
- 359 Security Ideas
- 1.8K Switch
- 86 Switch Ideas
- 1.4K Wireless
- 56 Wireless Ideas
- 7.1K Consumer Product
- 305 Service & License
- 497 News and Release
- 95 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 5K FAQ
- 34 Documents
- 89 About Community
- 110 Security Highlight