USG Flex 200 blocking website?

Hakandenende · January 15

Hello, can a USG Flex200 suddenly block a website resulting in browsertext: "Access denied" ? There is no other text in the browser. I can´t find anyting in the log. There is no problem accessing the site from other connections. It´s also possible to access the site site directly in the fiberbox (on other public IP via DHCP).

Zyxel_Barry · January 15

Hi @Hakandenende,

Yes, a USG Flex 200 can indeed block a website, even if it appears to happen "suddenly," and display an "Access denied" message in the browser. There are several reasons why this might occur, and the lack of a clear log entry can make troubleshooting challenging.

Here are some steps to investigate this issue:

Review Security Policies and Services:
- Content Filtering: Check your Content Filtering profiles to see if the website's category or specific URL has been inadvertently blocked. Note that Content Filtering does not block traffic through DNS but checks the SNI in the TCP Client Hello. For HTTPS traffic, ensure "Enable HTTPS Domain Filter for HTTPS traffic" is checked and consider enabling SSL Inspection for more comprehensive filtering.
- DNS Content Filter: If you are using DNS Content Filter, verify its configuration. It can enhance blocking effectiveness, especially with Encrypted SNI (ESNI).
- Threat Detection/Prevention: While you haven't found specific logs, ensure that Intrusion Detection and Prevention (IDP) or other security features are not mistakenly flagging legitimate traffic to the website.
- Firewall Rules: Review your firewall rules for any explicit deny rules that might be affecting access to the specific website or its IP address.
- Geo-IP Blocking: Check if Geo-IP blocking is enabled and if the website's server IP address is located in a blocked region.
Firmware Version: Ensure your USG Flex 200 is running the latest firmware version. Browser updates with new protocols like TLS 1.3 Kyber can sometimes interfere with web content filtering if the firmware is outdated.
DNS Resolution:
- The USG Flex performs DNS lookups. There could be an issue with how the USG Flex is resolving the domain name of the blocked website.
- If disabling Wi-Fi on a mobile device and accessing the site works, it points to an issue within the USG Flex network for that specific domain.

To help us further diagnose the problem, please provide the following information:

USG Flex 200 Firmware Version: This can be found in the device's web interface.
Screenshots of relevant configurations:
- Content Filtering profiles.
- Firewall rules that might be applicable.
- DNS settings on the USG Flex.
The specific website URL that is being blocked.
Network Topology Map: A simple diagram showing how your USG Flex 200 is connected to your network and the internet.
Troubleshooting Steps Taken: Any specific configurations you've already tried.