How to block HTTPS websites using Content Filtering and SSL Inspection?
This is an example of using a ZyWALL/USG Content Filtering, SSL Inspection and Security Policy to block access to malicious or not business-related websites.
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG310 (Firmware Version: ZLD 4.13).
SETUP/STEP BY STEP PROCEDURE:
SETUP/STEP BY STEP PROCEDURE:
Set Up the Content Filter on the ZyWALL/USG
1. In the ZyWALL/USG, go to CONFIGURATION > UTM Profile> Content Filter > Profile Management > Add Filter File > Category Service. Configure aName for you to identify the Content Filter Profile and select Enable Custom Service.
2. Scroll down to the Security Threat (unsafe) section and select all categories of web pages that are known to pose a threat to your computers.
3. Scroll down to the Managed Categories section and select the categories that are not business-related. Click OK.
4. If you are not sure which category a web page belongs to, you can enter a web site URL in the text box of Test Web Site Category.
Set Up SSL Inspection on the ZyWALL/USG
1. In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > SSL Inspection > Add rule, and configure a Name for you to identify the SSL Inspectionprofile.
Then, select the CA Certificate to be the certificate used in this profile. Select to pass or block SSLv2/unsupported suit/untrusted cert chain traffic that matches traffic bound to this policy here.
Select desired Log type whether to have the ZyWALL/USG generate a log (log), log and alert (log alert) or neither (no) by default when traffic matches this policy.
Set Up the Security Policy on the ZyWALL/USG
1. In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control, configure a Name for you to identify the Security Policy profile. For Fromand To policies, select the direction of travel of packets to which the policy applies.
Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Office_profile in this example). Then, select SSL Inspection and select a profile from the list box (Office_Control in this example).
Export Certificate from ZyWALL/USG and Import it to Windows 7 Operation System
1. When SSL inspection is enabled and an access website does not trust the ZyWALL/USG certificate, the browser will display a warning page of security certificate problems.
2. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit to export default certificate from
ZyWALL/USG with Private Key (zyx123 in this example).
3. Save default certificate as *.p12 file to Windows 7 Operation System.
4. In Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter.
5. In the mmc console window, click File > Add/Remove Snap-in...
6. In the Available snap-ins, select the Certificates and click Add button. Select Computer account > Local Computer. Then, click Finished and OK to close the Snap-ins window.
7. In the mmc console window, open the Certificates (Local Computer) > Trusted Root Certification Authorities, right click Certificate > All Tasks > Import…
8. Click Next. Then, Browse..., and locate the .p12 file you downloaded earlier. Then, click Next.
9. Click Next, type zyx123 in the Password field and click Next again
10. Select Place all certificates in the following store and then click Browse and find Trusted Root Certification Authorities. Click Next, then click Finish.
Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to default configuration file, the original self-signed certificate is erased, and a new self-signed certificate will be created when the ZyWALL/USG boots the next time.
Test the Result
1. Type http://www.bittorrent.com/ or http://us.battle.net/d3/en/ into the browser. The error message occurs.
2. Go to the ZyWALL/USG Monitor > Log to see [alert] log message such as below.
What Can Go Wrong?
1. If you are not be able to configure any Content Filter policies or it’s not working, there are two possible reasons:
a. You have not subscribed for the Content Filter service.
b. You have subscribed for the Content Filter service but the license is expired.
You can click the link from the CONFIGURATION > Licensing > Registration screen of your ZyXEL device’s Web Configurator or click the myZyXEL.com 2.0 icon from the portal page (https://portal.myzyxel.com/) to register or extend your Content Filter license.