Does whitelist work after content filter demo expires?
On the 4.2 firmware, there is now an option to filter HTTPS traffic. We have some users that have their own internet content filter proxy server that routes traffic through port 6502. Therefore they don't need a content filter subscription because they have their own content filter. We want to force users to use the proxy and so we block port 80 and 443, so if the proxy setting is disabled on their computer, they can't get unfiltered internet. We also use the trusted web sites whitelist to add sites that can go out direct, like Windows updates and Office, that do not follow the proxy. This works as long as the content filter demo is active, but will it work once it expires? We know it does not work to set up on a USG router after the content filter demo has expired.
0
Comments
-
Hello ozarktech,
The content filter will not work once the license has expired, so the profile you added on the trusted web sites whitelist will be disabled as well.
Charlie
0 -
Hi,
From my test on my ZyWALL110 with 4.25 firmware, with the trial license already expired:
The blacklist and whitelist of the content filter still work for HTTP web sites.
But the HTTPS Domain filter will not work.
0 -
In my test results, if you would like to block HTTPS traffic to forbidden web sites without a CF license, you have to enable SSL inspection together.
0 -
Off-topic:
Have you blocked VPN traffic as well to avoid the users by-passing your limit by hiding in a VPN?
Did you block all-traffic except the ones that should be allowed or did you specifically block only the ones you do not wish them to use?
0 -
I guess you are talking about some applications (UltraSurf or Tor) that will pass traffic to a proxy server.
Because the traffic has already been encrypted, the only way is to drop it with App Patrol (license required).
0 -
Ian31, I believe that's what we found, http sites are blocked, https are not. Which is the problem since most sites these days are secure and therefore aren't blocked. VPN is not an issue. I think we tried SSL inspection but that didn't work. I'll have to double check that. Does the usg20vpn have ssl inspection? I didn't see it listed, but maybe I'm not looking in the right place.
0
-
I guess the "Enable HTTPS Domain Filter for HTTPS traffic" function is able to block HTTPS web sites.
But the Content-Filter license is required.
0 -
Hello ozarktech,
If you want to use HTTPS Domain Filter for HTTPS traffic, the Content-Filter license is required.
Moreover, SSL Inspection is supported on the ZyWALL110 or above.
Here is the datasheet for your reference.
Link: ftp://ftp2.zyxel.com/USG20-VPN/datasheet/USG20-VPN_6.pdf
Charlie
0 -
I did verify that whitelist works in the 110 with SSL Inspection turned on and no content filter subscription. All other internet traffic is routed through a proxy server content filter so it doesn't need double filtering.
0