Content filter question

kyssling Posts: 68  Ally Member
edited April 14 in Security

Hello, can you please explain this question to me ... see first photo ContentFilter.jpg

TEST result: "URL is sexually explicit", but in Firefox it is "Cannot display page". See Firefox.jpg

Why don't I see the classic message "Web access is restricted. Please contact the administrator. (Pornography/Sexually Explicit)" - Firefoxhttp.jpg

Second question ... I must have enabled "Enable HTTPS Domain Filter for HTTPS traffic" to detect https porn pages - is this correct? I have .pornhub. on Forbidden Web sites but it doesn't help me for https ...

Thanks for the answer ...


  • Jeremylin
    Jeremylin Posts: 166  Master Member

    Check the log messages to see whether the filter is working or not.

    In my scenario, I block porn websites locally. Enable HTTPS Domain Filter and safe search with some categories. Also, add some URLs to the Forbidden list.

    Sometimes the session was kept; try to use incognito mode.

  • kyssling
    kyssling Posts: 68  Ally Member

    Hi, thanks for the answer,

    I started testing and checking logs ... I have two questions ...

    1 - Why does Forbidden Websites not work in some cases? For example: I added records to Forbidden websites and Profile-Forbidden websites without effect: .thepirate-bay.

    Enable Custom service - selected in profile settings

    The browser on the stations shows the piratebay web ...

    2 - Is it true that Forbidden website has higher priority than "Profile-Forbidden website"?

    I added images in a zip to better explain the problem

    Thanks for help. Vaclav

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 495  Zyxel Employee

    Hi @kyssling ,

    To block the website ""

    1. Here is the example of the Forbidden Web Sites settings

    In Content Filter Forbidden Web Sites, the rule is set to “*thepirate-bay.*”

    Enable the Content Filter Category Service & Enable Log all web pages

    Enable Custom Service and Enable the Check Common Trusted/Forbidden list

    Add “*thepirate-bay.*” into the Forbidden Web Sites list

    However, some websites are encrypted web sites; Content Filter is not able to detect them unless SSL Inspection is enabled.

    If the website is an encrypted web site, try to enable SSL Inspection:

    Go to Configuration > UTM Profile > SSL Inspection > Profile > Add the rule 

    Go to Configuration > Object > Certificate > My Certificate > select the default certificate and download the certificate

    After downloading the certificate of the device, import the certificate into the client.

    Then, add the Content Filter & SSL inspection into the LAN1 rule

    Go to Configuration > Security Policy > Policy Control > select LAN1 rule > Edit

    Test result

    2. The priority of the Forbidden Web Site is higher than "Profile-Forbidden Web Sites"

  • kyssling
    kyssling Posts: 68  Ally Member

    Hello, thanks for the answer

    I have already set the first options you mentioned; we have also created our own certificate and imported it into the device.

    That is, if I want to disable pirate-bay, I have to install our certificate on ALL computers on the network?!!

    Do I understand it correctly??

    Can someone who uses Content Filter write here whether blocking "pirate-bay" works for them?

    Thank you for the information

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 495  Zyxel Employee

    Hi @kyssling

    You can block “” by using Category Service

    Here are the steps to block “” without SSL Inspection

    Go to Configuration > UTM Profile > Content Filter > Profile > Add a rule

    Enable Content Filter Category

    Then go to Custom Service to enable Custom Service

    At the bottom of the Custom service, there is a Test Web Site Category for checking the URL

    Check the category of

    The URL is categorized as Download Sites

    Block the Download Sites

    Add the Profile into firewall rule.

    Test result 

  • kyssling
    kyssling Posts: 68  Ally Member

    This is crazy!

    So after settings :  Blocked      STILL running

    What now?

  • itxnc
    itxnc Posts: 65  Ally Member

    Is Firefox using DNS over HTTPS, bypassing your content filter? Also in earlier examples you had but in the above post you have

  • kyssling
    kyssling Posts: 68  Ally Member
    edited February 2020

    You are right, my fault ...

    When I delete the cache and erase offline content, it is now OK.

    And I agree on the second point: the first time I wrote about thepirate-bay and now thepiratebay ... No comment please :-) (but this is the same web).


    So, last question: why is Forbidden Website not working for this web: thepirate-bay or thepiratebay (for example)?


  • zyman2008
    zyman2008 Posts: 120  Ally Member

    I don't think DoH will bypass the content filter.

    As far as I know, the Zyxel USG content filter inspects the HTTP request and the SNI in the HTTPS TLS ClientHello message. It does not use DNS filter technology like Cisco OpenDNS.

    But the Chrome browser using the QUIC protocol can bypass the control, so adding a firewall rule to block outgoing UDP 443 traffic can avoid QUIC traffic.
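
An added example, not part of any post in the thread and not Zyxel's code: a sketch of SNI-based hostname filtering as zyman2008 describes it, showing why the hyphenated pattern `*thepirate-bay.*` does not cover the unhyphenated name itxnc pointed out. Shell-style wildcard semantics, the `.example` hostnames and all function names are assumptions.

```python
import struct
from fnmatch import fnmatchcase

FORBIDDEN = ["*thepirate-bay.*"]  # the pattern quoted in the thread

def extract_sni(record: bytes):
    """Return the server_name of a TLS ClientHello record, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                      # not a handshake record / not a ClientHello
    hs = record[5:]
    p = 4 + 2 + 32                       # handshake header, version, random
    try:
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            if etype == 0:                               # server_name extension
                nlen = struct.unpack("!H", hs[p + 7:p + 9])[0]
                if p + 9 + nlen > len(hs):
                    return None                          # name cut short
                return hs[p + 9:p + 9 + nlen].decode("ascii").lower()
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                             # truncated or malformed: treat as no SNI
    return None

def verdict(record: bytes, patterns=FORBIDDEN) -> str:
    host = extract_sni(record)
    if host is None:
        return "no-sni"                  # nothing for a hostname rule to match
    hit = any(fnmatchcase(host, pat.lower()) for pat in patterns)
    return "block" if hit else "allow"

def build_client_hello(host: str) -> bytes:
    """Constructed sample input: minimal ClientHello with only an SNI extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(sni)) + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for h in ("www.thepirate-bay.example", "thepiratebay.example"):  # constructed names
        print(h, "->", verdict(build_client_hello(h)))
```

With the second, unhyphenated spelling added to the pattern list, both constructed names are blocked.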
