Why doesn't Content filter block adobe.com on USG20-VPN?

electsystech
electsystech Posts: 21  Freshman Member
First Anniversary 10 Comments Friend Collector
Have a customer with a USG20-VPN with content filter subscription. They have computers on a strict whitelist only policy. There's only 24 websites on their Trusted Websites. Putting *adobe.com and *.adobe.com in the Forbidden sites doesn't block it either. I also setup the same content policy with DNS content and there's no change. We are blocking the QUIC protocol, UDP ports 80 and 443. The only I was able to get it blocked was to do a ping to adobe.com and then setup a policy to block all those ip addresses. I updated the router to the latest 5.31 firmware.

I tested blocking adobe.com on our site here on a VPN 100 router and it blocked it as expected. What's the difference?

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited September 2022
    USG20-VPN with 5.31(ABAQ.0) can block adobe successfully. Here are the configuration and result for your reference. If it is still not working on your USG20-VPN, please share the startup-config.conf with me in private message.  :)

    1. Add a new CF profile. Enable "Enable HTTPS Domain Filter for HTTPS traffic".

    2. In Custom Service, add adobe in forbidden web sites. Enable the option "Enable Custom Service".

    3. Apply the profile to security policy rule. In this example, we apply this profile to the rule LAN1_Outgoing.


    Test Result:


  • electsystech
    electsystech Posts: 21  Freshman Member
    First Anniversary 10 Comments Friend Collector
    PM sent with config file.
  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    Maybe DNS over HTTPS?


  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    In your configuration file, "adobe" is not on the list of forbidden list no matter in Custom Service of profile or Common Forbidden Web Sites.
    Actually, your CF profile blocks almost all internet access. I also tried to access adobe.com and it is blocked. Could you check the configuration again?  :)
  • electsystech
    electsystech Posts: 21  Freshman Member
    First Anniversary 10 Comments Friend Collector
    That's the point, it's supposed to be blocking all internet access. I setup another policy like your screenshot shows and it's still working. I had to add more ips to the blocked ip range to get adobe blocked. It needs to be blocked by domain name not ip because the ips will keep changing.

  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited October 2022

    When I last checked there is a bug where Content filter breaks

    https://community.zyxel.com/en/discussion/14055/break-https-domain-filter-for-https-traffic

    do not put in like

    adobe.com

    AND any other entries like that 

    put in

    *.adobe*.com

    and reboot


Security Highlight