www.youtube.com blocked by zyxel certificate on Flex700?

Carlsap
Carlsap Posts: 23  ZCNE Certified
First Comment Sixth Anniversary ZCNE Security Level 1 Certification - 2019 ZCNE Nebula Level 1 Certification - 2019

Our users are experiencing difficulties connecting to YouTube.
Here is an example of the response from a Firefox browser:

Can anyone explain why this happens and how to avoid this issue?
We are using a Zyxel Flex 700 device as gateway.

Accepted Solution

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers
    Answer ✓

    dnsft.cloud.zyxel.com is our blocked page for the DNS content filter, and the certificate is a content filter certificate that replaces the original cert when accessing a website in a content filter blocked category. As a result, the browser detects that the cert does not correspond to the correct cert, and you see the message shown in your screenshot.
    In conclusion, youtube.com is blocked by the DNS content filter. Please check the content filter settings and make sure YouTube or streaming websites are not blocked.
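
Added example, not part of the original thread and not Zyxel code: a small Python check that separates the DNS content filter redirect described in the answer above from an unrelated certificate mismatch. It assumes the filter answers a blocked name with the block page's address and that the block page certificate names dnsft.cloud.zyxel.com; the function names and sample addresses are constructed for illustration.

```python
import socket

BLOCK_PAGE_HOST = "dnsft.cloud.zyxel.com"  # block page name from the answer above


def resolve(name):
    """Addresses the local resolver returns for name (needs network access)."""
    infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def san_matches(hostname, san):
    """Hostname check as browsers do it: exact, or one left-most '*' label."""
    host, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        # A wildcard covers exactly one label: *.example.com matches
        # a.example.com but neither example.com nor a.b.example.com.
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san


def classify(hostname, resolved_ips, block_page_ips, cert_sans):
    """Return 'dns-filter-block', 'other-cert-mismatch' or 'ok'.

    resolved_ips / block_page_ips: what the client's resolver returned for
    the site and for BLOCK_PAGE_HOST. cert_sans: DNS names from the
    certificate the browser was shown (read them in the certificate viewer).
    """
    redirected = bool(set(resolved_ips) & set(block_page_ips))
    cert_ok = any(san_matches(hostname, s) for s in cert_sans)
    cert_is_block_page = any(san_matches(BLOCK_PAGE_HOST, s) for s in cert_sans)
    if redirected or (cert_is_block_page and not cert_ok):
        return "dns-filter-block"      # check the content filter profile and policy log
    if not cert_ok:
        return "other-cert-mismatch"   # not explained by the DNS content filter
    return "ok"


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges), not from the thread.
    block_ips = ["203.0.113.10"]
    print(classify("www.youtube.com", ["203.0.113.10"], block_ips, [BLOCK_PAGE_HOST]))
    print(classify("www.youtube.com", ["198.51.100.7"], block_ips, ["*.youtube.com"]))
```

On a live client, `resolve("www.youtube.com")` and `resolve(BLOCK_PAGE_HOST)` supply the two address lists.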

All Replies

  • smb_corp_user
    smb_corp_user Posts: 163  Master Member
    5 Answers First Comment Friend Collector Second Anniversary

    Seems very odd, the message states that this is Firefox not trusting the site. Is this problem 100% repeatable across multiple computers in the same network? Could this be caused by a bugged filter function or firewall rule to include or exclude certificates? Does this problem only manifest when using a specific Flex700? Is it a result of damaged configuration or incompatible rules?

  • Carlsap
    Carlsap Posts: 23  ZCNE Certified

    YouTube is on the allowed list and streaming websites are not blocked.
    Any suggestions on where to look further in the Flex700?

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    We can check the monitor log to see which policy rule blocks YouTube.
    Go to Policy Control and enable the log options for the rules with content filter profile, then get blocked again to see which rule is the root cause.

  • Carlsap
    Carlsap Posts: 23  ZCNE Certified

    It turned out like this: When I rechecked the settings for Lan to Wan I saw that the content filter profile was turned off for this Flex700. When I turned it on with BPP I got this warning message:

    Which confused me. What does it mean? I clicked on OK but saw nothing further about where to apply the DNS content filter.
    Now YouTube is working, apparently. So we need to have the content filter enabled…?

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    It's more like a reminder note instead of a warning error.
    For a DNS content filter profile, you need to apply it to two security policies to make it work, that is:
    LAN_outgoing: blocks the DNS query toward the external DNS server. (192.168.1.33 -> 8.8.8.8)
    LAN_to_Device: blocks the DNS query from the host to the firewall. If this is not blocked, the host is still able to query the firewall, and the firewall will then ask the external DNS server. (192.168.1.33 -> 192.168.1.1)

    It seems to have been a misconfiguration at first, since it works after applying the content filter profile again.

  • Carlsap
    Carlsap Posts: 23  ZCNE Certified

    Thanks for the explanations
