Content filter question
Hello, can you please explain this question to me ... see first photo ContentFilter.jpg
: TEST result "URL is sexually explicit", but in Firefox it is "Cannot display page". See Firefox.jpg
Why don't I see the classic message "Web access is restricted. Please contact the administrator. (Pornography/Sexually Explicit)" - Firefoxhttp.jpg
Second question ... Must I have "Enable HTTPS Domain Filter for HTTPS traffic" enabled to detect HTTPS porn pages - is this correct? If I have .pornhub. in Forbidden Web Sites, it doesn't help me for HTTPS ...
Thanks for the answer ...
All Replies
-
Check the log messages to see whether the filter is working or not.
In my scenario, I block porn websites locally. I enable HTTPS Domain Filter and
safe search with some categories. Also, I add some URLs to the Forbidden list.
Sometimes the session is kept; try using incognito mode.
0 -
Hi, thanks for the answer,
I started testing and checking the logs ... I have two questions ...
1 - Why does Forbidden Websites not work in some cases? For example: I added records to Forbidden websites and Profile-Forbidden websites without effect: .thepirate-bay.
Enable Custom service - selected in profile settings
The browser on the stations shows the piratebay web ...
2 - Is it true that Forbidden website has higher priority than "Profile-Forbidden website"?
I added images in a zip to better explain the problem.
Thanks for help. Vaclav
0 -
Hi @kyssling ,
To block the website "thepirate-bay.org"
1. Here is an example of the Forbidden Web Sites settings
In Content Filter Forbidden Web Sites, set the rule “*thepirate-bay.*”
Enable the Content Filter Category Service & Enable Log all web pages
Enable Custom Service and Enable the Check Common Trusted/Forbidden list
Add “*thepirate-bay.*” into the Forbidden Web Sites list
However, some websites are encrypted, and Content Filter is not able to detect them unless SSL Inspection is enabled.
If the website is encrypted, try enabling SSL Inspection:
Go to Configuration > UTM Profile > SSL Inspection > Profile > Add the rule
Go to Configuration > Object > Certificate > My Certificate > select the default certificate and download the certificate
After downloading the certificate of the device, import the certificate into the client.
Then, add the Content Filter & SSL inspection into the LAN1 rule
Go to Configuration > Security Policy > Policy Control > select LAN1 rule > Edit
Test result
2. The priority of the Forbidden Web Site is higher than "Profile-Forbidden Web Sites"
0 -
Hello, thanks for the answer.
I have already set the first options you mentioned; we have also created our own certificate and imported it into the device.
That is, if I want to disable pirate-bay, I have to install our certificate on ALL computers on the network ?!!
Do I understand it correctly ??
Can someone who uses Content Filter write here whether blocking "pirate-bay" works for them?
Thank you for the information
0 -
Hi @kyssling
You can block “thepirate-bay.org” by using Category Service
Here are the steps to block “thepirate-bay.org” without SSL Inspection
Go to Configuration > UTM Profile > Content Filter > Profile > Add a rule
Enable Content Filter Category
Then go to Custom Service to enable Custom Service
At the bottom of the Custom service, there is a Test Web Site Category for checking the URL
Check the category of https://thepirate-bay.org
The https://thepirate-bay.org URL is categorized as Download Sites
Block the Download Sites
Add the profile to the firewall rule.
Test result
0 -
This is crazy!
So after these settings:
https://www.thepiratebay.org/ Blocked
https://thepiratebay.org/ STILL running
What now?
0 -
Is Firefox using DNS over HTTPS, bypassing your content filter? Also, in earlier examples you had thepirate-bay.org, but in the above post you have thepiratebay.org?
0 -
You are right, my fault ...
When I delete the cache and erase offline content, it is now OK.
And second, agreed: the first time I wrote about thepirate-bay and now thepiratebay ... No comment please :-) (but this is the same web).
---
So last question: Why is Forbidden Website not working for this web: thepirate-bay or thepiratebay (for example)?
-
0 -
I don't think DoH will bypass the content filter.
As far as I know, the Zyxel USG content filter inspects the HTTP request and the SNI in the HTTPS TLS ClientHello message. It does not use DNS filter technology like Cisco OpenDNS.
But the Chrome browser using the QUIC protocol can bypass the control. So adding a firewall rule to block outgoing UDP 443 traffic can avoid QUIC traffic.
0