Zyxel USG Flex 50 Content Filter not applying to Chromebooks

electsystech
electsystech Posts: 47  Freshman Member
First Answer First Comment Friend Collector Fifth Anniversary

We have a customer with a USG Flex 50 router with the latest 5.39 firmware on it. They have 5 Chromebooks and we just discovered that the content filter policy on the router does not apply to them. The windows computers are filtered properly. DNS filter is setup. I also added a firewall rule to block QUIC ports 80 and 443. What's the solution for this?

Accepted Solution

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,200  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security
    edited October 14 Answer ✓

    Hi @electsystech

    The Content Filtering feature on the USG FLEX 50 works by inspecting the URLs from HTTPS packets. However, if DNS over HTTPS (DoH) or similar secure protocols are enabled, the firewall may be unable to capture and filter the content effectively.

    To troubleshoot, please try the following steps:

    1. Clear the browser cache on all Chromebooks.
    2. Reboot the Chromebooks and check if the content filter starts working.

    If the issue persists, we kindly ask you to capture packets for further analysis. Here's how:

    1. Go to MAINTENANCE > Diagnostic > Packet Capture in the local GUI.
    2. Select the LAN interface connected to the Chromebooks.
    3. Click Capture to start.
    4. Visit a website that should be filtered.
    5. Stop the capture and download the packet files from the Files tab.

    After collecting the packets, please send them to us via private message, and kindly provide the IP address of the PC used during the test. We'll investigate the issue further.

    Kay

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

All Replies

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    if they have a VPN extension they can get around the filter 

  • electsystech
    electsystech Posts: 47  Freshman Member
    First Answer First Comment Friend Collector Fifth Anniversary

    I'm quite certain there's no vpn on the chromebooks.

  • mMontana
    mMontana Posts: 1,389  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary

    Maybe a "private DNS" option on ChromeOS?

    If content filtering is acting on DNS…

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,200  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security
    edited October 14 Answer ✓

    Hi @electsystech

    The Content Filtering feature on the USG FLEX 50 works by inspecting the URLs from HTTPS packets. However, if DNS over HTTPS (DoH) or similar secure protocols are enabled, the firewall may be unable to capture and filter the content effectively.

    To troubleshoot, please try the following steps:

    1. Clear the browser cache on all Chromebooks.
    2. Reboot the Chromebooks and check if the content filter starts working.

    If the issue persists, we kindly ask you to capture packets for further analysis. Here's how:

    1. Go to MAINTENANCE > Diagnostic > Packet Capture in the local GUI.
    2. Select the LAN interface connected to the Chromebooks.
    3. Click Capture to start.
    4. Visit a website that should be filtered.
    5. Stop the capture and download the packet files from the Files tab.

    After collecting the packets, please send them to us via private message, and kindly provide the IP address of the PC used during the test. We'll investigate the issue further.

    Kay

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • electsystech
    electsystech Posts: 47  Freshman Member
    First Answer First Comment Friend Collector Fifth Anniversary

    We setup a DNS content filter policy from Lan to Zywall, source, Ips of chromebooks and that seems to have solved it.

Security Highlight