USG Flex 100 Problem with Content Filter, Signature Updates, etc... etc...

stepgilb · September 2022

Greetings,

I am using the User Guide USG FLEX 100_V5.31.pdf to verify the settings. The unit is registered and licenses are valid:

Image: https://us.v-cdn.net/6029482/uploads/editor/u3/39c4k93o6lv0.png

The App-Patrol Signature update works, the Anti-Malware and IPS cannot be updated???

Image: https://us.v-cdn.net/6029482/uploads/editor/vs/ylw6ccmv485n.png

Image: https://us.v-cdn.net/6029482/uploads/editor/9n/fnza9ufvpjp6.png

In Web Content Filter no matter what URL I enter I always get

when testing a URL:

Image: https://us.v-cdn.net/6029482/uploads/editor/2c/dvhwrhtgoapm.png

The result is that users wait for every URL a long time (~3-6 seconds) before seeing a website because of "Action when Category Server is unavailable" = Pass.

How do we resolve these problems???

Other question: do we still need to add the server certificate to the PC's behind the UGS?

stepgilb · September 2022

OK, got it to work, limited the Source IP to the LAN 2 subnet. L2TP/IPSec and Zywalll Device routing works.

mMontana · September 2022

First problem: ad a DNS server to system settings of your device.

Second question: if you don't add the device certificate to the PCs, the "s" traffic between USG and computer (HTTPs, POPs, SMTPs, IMAPs) won't be considered valid from the operating system.

stepgilb · September 2022

Thanks. Set up the DNS as in https://support.zyxel.eu/hc/en-us/articles/360001390854-How-to-setup-DNS-on-a-USG, no changes. Does anuone have the FQDN for the update servers and the content filter category server?

stepgilb · September 2022

Seems to be a similar problem as this one: https://community.zyxel.com/en/discussion/2519/no-default-dns-for-wan1-on-usg40

mMontana · September 2022

stepgilb said:

Thanks. Set up the DNS as in https://support.zyxel.eu/hc/en-us/articles/360001390854-How-to-setup-DNS-on-a-USG, no changes. Does anyone have the FQDN for the update servers and the content filter category server?

Did you checked if your device is correcly resolving names via the interface?

Maintenance -> Diagnostic -> Network Tool (NSLookup IPv4)

stepgilb · September 2022

Just a moment ago, it is not resolving host names and I am not able to ping anything on the wan interface like the 7590 Fritzbox DNS server 192.168.178.1. The lan1 and 2 IP's are pingable (192.168.2.1 and 1.1). Looks to me like traffic is being blocked. I also tried pings using the CLI, same result. To get L2TP-IPSEC to work I had to add an additional NAT rule for the Outside (FB WAN address), maybe that's the problem?

stepgilb · September 2022

Image: https://us.v-cdn.net/6029482/uploads/editor/34/8dkemldylaoq.png

Zyxel_Cooldia · September 2022

Hi @stepgilb,

Welcome to Zyxel Community.

We may need to check if it is routing issue or DNS resolve issue.
Could you please draw a brief network topology with interface IP?
(Mask last octet on public IP)

stepgilb · September 2022

Thanks! L2TP/IPSEC is working perfectly, LAN 2 PCs 100% OK network wise, also concerning DNS

Image: https://us.v-cdn.net/6029482/uploads/editor/7e/ng0vwjccuhhz.jpg

stepgilb · September 2022

This is ping to one of the Telekom DNS Servers which works fine on LAN 2 but not here:

Image: https://us.v-cdn.net/6029482/uploads/editor/zt/eko9rtsd0jqr.png

stepgilb · September 2022

A ping to the FB Gateway and DNS Server does not work (on LAN 2 it does):

USG Flex 100 Problem with Content Filter, Signature Updates, etc... etc...

Accepted Solution

All Replies

Categories

Security Help Center