How to set USG to block an HTTPS website?

Zyxel_Charlie
edited June 29 in Other Topics
SCENARIO DESCRIPTION:

Since the content filter can't filter HTTPS websites, how can the USG be set to block an HTTPS website?

SETUP/STEP BY STEP PROCEDURE:

 

There are two ways the USG can block an HTTPS website:

 

Method 1. Please set up a firewall rule to block an HTTPS website:

Please add a firewall rule with source: any; destination: the HTTPS site's IP; access: reject.

The USG will block all HTTPS access to the site.

Please refer to the picture below to set up the firewall rule on the USG:


 

Method 2. Please change the DNS server record to block the HTTPS website:

If the IP addresses of the websites are dynamic, you can also use the work-around of changing the DNS server address record to prevent access to the HTTPS websites.

Please add a DNS address record with the FQDN, e.g. *.facebook.com

Set its IP address to 0.0.0.0.

This prevents computers from locating the websites via the DNS server. The method allows the USG to effectively block HTTPS websites.

Please refer to the picture below to set DNS server address record on the USG:


However, this work-around will fail if users locate the HTTPS website’s real IP by accessing an external DNS server.

Although this work-around may present some security risks, since the content filter can't filter HTTPS websites, setting up a firewall rule and changing the DNS address record are the only ways to block HTTPS websites.

 

VERIFICATION:

 

Setting up a firewall rule and changing the DNS address record are the only ways to block HTTPS websites.

As a result, the following page will be shown to users accessing HTTPS websites:


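Method 2 only works while clients resolve names through the USG, so it helps to check which LAN clients send DNS queries elsewhere. The following is an added example, not part of the original post and not Zyxel code: it scans connection records for port 53 traffic that goes to a resolver other than the USG. The record layout (`src dst proto dport`), the USG address 192.168.1.1, the LAN range and the sample lines are all constructed assumptions; adapt the parsing to whatever your log export actually contains.

```python
import ipaddress

# Assumptions for this example: the USG's LAN address and the LAN subnet.
USG_RESOLVER = "192.168.1.1"
LAN = ipaddress.ip_network("192.168.1.0/24")
DNS_PORT = 53

# Constructed sample records (not Zyxel's log format): "src dst proto dport"
SAMPLE_LOG = """\
192.168.1.10 192.168.1.1 udp 53
192.168.1.10 203.0.113.7 tcp 443
192.168.1.23 198.51.100.53 udp 53
192.168.1.23 198.51.100.53 tcp 53
192.168.1.40 198.51.100.99 udp 53
10.9.9.9 198.51.100.53 udp 53
malformed line
"""

def find_external_dns(log_text, resolver=USG_RESOLVER, lan=LAN):
    """Return {client_ip: {external_resolver: query_count}} for LAN clients
    whose DNS traffic goes to any server other than the USG."""
    findings = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip records that do not match the assumed layout
        src, dst, _proto, dport = fields
        try:
            src_ip = ipaddress.ip_address(src)
            ipaddress.ip_address(dst)  # validate only
            port = int(dport)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        # Only DNS traffic from LAN clients that bypasses the USG resolver
        if port != DNS_PORT or src_ip not in lan or dst == resolver:
            continue
        per_client = findings.setdefault(src, {})
        per_client[dst] = per_client.get(dst, 0) + 1
    return findings

if __name__ == "__main__":
    for client, servers in sorted(find_external_dns(SAMPLE_LOG).items()):
        for server, count in sorted(servers.items()):
            print(f"{client} queried external resolver {server} x{count}")
```

Clients reported here will not see the 0.0.0.0 address record, so the DNS work-around does not apply to them.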