Does whitelist work after content filter demo expires?

ozarktech
ozarktech Posts: 9  Freshman Member
edited April 2021 in Security
On the 4.2 firmware, there is now an option to filter HTTPS traffic. We have some users that have their own internet content filter proxy server that routes traffic through port 6502. Therefore they don't need a content filter subscription because they have their own content filter. We want to force users to use the proxy and so we block port 80 and 443, so if the proxy setting is disabled on their computer, they can't get unfiltered internet. We also use the trusted web sites whitelist to add sites that can go out direct, like Windows updates and Office, that do not follow the proxy. This works as long as the content filter demo is active, but will it work once it expires? We know it does not work to set up on a USG router after the content filter demo has expired.

Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Hello ozarktech,
    The content filter will not work once the license has expired, so the profile you added to the trusted web sites whitelist will be disabled as well.
    Charlie
  • Ian31
    Ian31 Posts: 174  Master Member
    Hi,
    This is from my test on my ZyWALL110 with 4.25 firmware, where the trial license has already expired.
    The blacklist and whitelist of the content filter still work for HTTP web sites.
    But the HTTPS Domain Filter will not work.
     
  • CHS
    CHS Posts: 181  Master Member
    In my test results, if you would like to block HTTPS traffic by forbidden web site without a CF license, you have to enable SSL inspection as well.
  • Johan
    Johan Posts: 26  Freshman Member
    Off-topic:
    Have you blocked VPN traffic as well, to keep users from bypassing your limit by hiding in a VPN?

    Did you block all traffic except what should be allowed, or did you specifically block only what you do not wish them to use?
  • CHS
    CHS Posts: 181  Master Member
    I guess you are talking about some applications (UltraSurf or Tor) that will pass traffic to a proxy server.
    Because the traffic has already been encrypted, the only way is to drop it with App Patrol (license required).
  • ozarktech
    ozarktech Posts: 9  Freshman Member
    Ian31, I believe that's what we found: HTTP sites are blocked, HTTPS are not. Which is the problem, since most sites these days are secure and therefore aren't blocked. VPN is not an issue. I think we tried SSL inspection but that didn't work. I'll have to double check that. Does the USG20-VPN have SSL inspection? I didn't see it listed, but maybe I'm not looking in the right place.
  • CHS
    CHS Posts: 181  Master Member
    I guess the "Enable HTTPS Domain Filter for HTTPS traffic" function is able to block HTTPS web sites.
    But the Content-Filter license is required.

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    edited October 2017
    Hello ozarktech,
    If you want to use the HTTPS Domain Filter for HTTPS traffic, the Content-Filter license is required.
    Moreover, SSL Inspection is supported on the ZyWALL110 or above.
    Here is the datasheet for your reference.
    Link: ftp://ftp2.zyxel.com/USG20-VPN/datasheet/USG20-VPN_6.pdf
    Charlie

  • ozarktech
    ozarktech Posts: 9  Freshman Member
    I did verify that whitelist works in the 110 with SSL Inspection turned on and no content filter subscription. All other internet traffic is routed through a proxy server content filter so it doesn't need double filtering. 
