Zyxel USG FLEX H Series [Firewall] - How to Block HTTPS Websites Using Content Filtering and SSL Inspection

This guide demonstrates how to effectively block HTTPS websites using Zyxel USG FLEX H Series by leveraging Content Filtering, SSL Inspection, and Security Policy rules. The approach targets malicious or non-business-related content (e.g., streaming media, social media, etc.).

Note: All network IP addresses and subnet masks in this article are examples. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG FLEX 500H (Firmware Version: uOS 1.32).

Set Up Content Filtering

Create a new profile, enable log for block actions, and choose categories to block (e.g., "Streaming Media").

  • Navigate to: Security Service > Content Filtering
  • Click Add to create a content filtering profile in Profile Management.
  • Type a profile name and enable logging for the block action in General Settings.
  • Tick Streaming Media category in Managed Categories, and click Apply.

After creating the profile, you must link it to the appropriate security policy. Without this step, the profile will not be activated and will have no impact on the system's security. We will do that later, after setting up the SSL Inspection profile. Click “Ok” and move on to the next item.

Set Up SSL Inspection

Go to Security Service > SSL Inspection > Profile > Profile Management, and click Add to create a profile.

  • Use a custom CA certificate (preferably signed internally or by a trusted internal CA). Although we use the default certificate in our example, avoid using the default one in production.
  • Set the minimum TLS version to TLS 1.2, unless legacy systems require older versions.
  • Enable logging — always log inspected traffic and exceptions for visibility and troubleshooting.

Unsupported Suit

  • Change Action to Block, if possible, to prevent unsafe or deprecated cipher use.
  • Enable logging to monitor what’s being bypassed and make informed adjustments later.

Untrusted Certificate Chains

  • Change Action to Block — Allowing untrusted certificates can let malicious traffic through.
  • Enable logging for full visibility into attempted untrusted connections.

Other Important Tips

  • Distribute the CA certificate to all client devices and install it under "Trusted Root Certification Authorities" to avoid SSL warnings.
  • Exclude sensitive apps (e.g., banking, government services, etc.) using "Do Not Inspect List", as SSL inspection can break their functionality or violate compliance.
  • Regularly monitor SSL logs and stats under Security Statistics > SSL Inspection.
  • Keep firmware updated to benefit from performance and security enhancements related to SSL inspection.
  • Avoid inspecting internal traffic (e.g., LAN-to-LAN), unless specifically needed.

Set Up the Security Policy

After creating the profile, it must be linked to the appropriate security policy. Without this step, the profile will not be activated and will have no impact on the system's security.

  • Go to Security Policy > Policy control. Edit LAN_Outgoing, and scroll down to the profile section.
  • Select Content Filtering, and SSL Inspection. Click Apply to save.

Export and Install Certificate

When SSL Inspection is enabled on the Zyxel USG FLEX H Series and a client does not recognize or trust the device's default certificate, web browsers will display a security warning indicating certificate issues.

To prevent this, you need to export the default certificate from the FLEX device and install it on client machines (e.g., Windows OS) as a trusted root certificate.

Go to System > Certificate > My Certificates to export the default certificate from USG FLEX H.

Installing the Certificate

After downloading the certificate file (e.g., default.crt), double-click it.

  • In the certificate window, click "Open".
  • In the certificate window, click "Install Certificate…".

In the Certificate Import Wizard, choose:

  • "Current User" – if you're installing the certificate just for your user account (no admin rights required in most cases).
  • "Local Machine" – if the certificate should apply to all users on the computer (administrator rights required).

Select "Place all certificates in the following store" on the next screen.

Click "Browse", then choose "Trusted Root Certification Authorities".

Complete the wizard and confirm the installation.

Note: Once the certificate is installed, browsers will trust the FLEX device during SSL inspection, and security warnings will no longer appear for HTTPS traffic.
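
The wizard steps above can also be scripted when the certificate has to be installed on many Windows clients. The following PowerShell is an added example, not part of the original article or of Zyxel's tooling. It assumes the exported file is default.crt and that you recorded its SHA-256 fingerprint from a trusted copy; the parameter names are illustrative.

```powershell
# Added example (not Zyxel's code): verify the exported inspection CA, then
# install it into "Trusted Root Certification Authorities".
# Assumptions: file name default.crt; -ExpectedSha256 is a fingerprint you
# recorded from a trusted copy of the certificate.
param(
    [string]$CertPath = '.\default.crt',
    [Parameter(Mandatory)][string]$ExpectedSha256,
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$Scope = 'LocalMachine'   # LocalMachine needs an elevated session
)
$ErrorActionPreference = 'Stop'

$file = (Resolve-Path $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

# Fingerprint over the DER bytes, so PEM and DER files give the same value.
$sha = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = ($sha.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($fingerprint -ne $expected) {
    throw "Fingerprint mismatch: file has $fingerprint. Not installing."
}

# Clients only need the public certificate, never the CA private key.
if ($cert.HasPrivateKey) { throw 'File contains a private key; export the certificate only.' }

# Refuse expired or not-yet-valid certificates.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# A certificate placed in the root store should be marked as a CA.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning 'Certificate is not marked as a CA; confirm it is the inspection CA.'
}

# Same choice as the wizard: Current User or Local Machine root store.
$store = "Cert:\$Scope\Root"
Import-Certificate -FilePath $file -CertStoreLocation $store | Out-Null

# Confirm the certificate is now present in the chosen store.
$installed = Get-ChildItem $store | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $installed) { throw "Import ran but $($cert.Thumbprint) is not in $store." }
"Installed '$($cert.Subject)' into $store (SHA-256 $fingerprint)"
```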

Test the Result

Use a web browser to access YouTube. The gateway will redirect you to a block page.

Go to Log & Report > Log/Events and select Content Filtering to check the logs.
