This is an example of using a ZyWALL/USG UTM Profile in a Security Policy to block access to a specific social network service. Combining a Content Filter profile, an SSL Inspection profile and a Policy Control rule ensures that a given web site cannot be reached over either HTTP or HTTPS. SSL Inspection is what makes the HTTPS case work: the ZyWALL/USG terminates the TLS session with its own certificate so that it can see the URL inside the encrypted connection, which is also why every client must trust that certificate (see the export/import section below).

Note: All network IP addresses and subnet masks in this article are examples. Replace them with your actual network IP addresses and subnet masks. This example was tested on a USG310 (Firmware Version: ZLD 4.13).
Please note that this tutorial refers to older USG firmware. For newer firmware versions and the corresponding tutorials, please check our Knowledgebase or contact our Support Staff directly.
Set Up the Content Filter on the ZyWALL/USG
1. In the ZyWALL/USG, go to CONFIGURATION > UTM Profile> Content Filter > Profile Management > Add Filter File > Custom Service. Configure a Name for you to identify the Content Filter Profile and select Enable Custom Service.
2. Scroll down to the Blocked URL Keywords section, click Add and enter the keyword to block. "*" is a wildcard that matches any string, both in Trusted/Forbidden Web Sites and in Blocked URL Keywords (*.facebook*.com in this example). Click OK.
Set Up the SSL Inspection on the ZyWALL/USG
1. In the ZyWALL/USG, go to CONFIGURATION > UTM Profile > SSL Inspection > Add rule and configure a Name for you to identify the SSL Inspection profile.
Then select the CA Certificate to be used by this profile (the default self-signed certificate in this example; this is the certificate the clients must trust). Set the Action for Connection with SSL v2 to Block and the Log type to log alert. Leave the other actions at their default settings.
Set Up the Security Policy on the ZyWALL/USG
1. In the ZyWALL/USG, go to CONFIGURATION > Security Policy > Policy Control and configure a Name for you to identify the Security Policy rule. For From and To, select the direction of the traffic to which the policy applies (for example from LAN1 to WAN). Select the Schedule that defines when the policy applies (the Facebook_Block schedule in this example).
Scroll down to UTM Profile, select Content Filter and select a profile from the list box (Facebook_Block in this example). Then, select SSL Inspection and select a profile from the list box (Facebook_Block in this example).
Export the Certificate from the ZyWALL/USG and Import it into Windows 7
1. When SSL Inspection is enabled and the client does not trust the ZyWALL/USG certificate that re-signs intercepted sites, the browser displays a security certificate warning page for every inspected HTTPS site. To avoid this, export the certificate and import it into the client's trusted root store as follows.
2. Go to ZyWALL/USG CONFIGURATION > Object > Certificate > default > Edit and export the default certificate from the ZyWALL/USG with its Private Key, protected by a password (zyx123 in this example; use a strong password in production).
3. Save the default certificate as a *.p12 file on the Windows 7 system.
Note: Clients only need to trust the certificate itself. The private key contained in the .p12 is what lets the ZyWALL/USG sign certificates for intercepted sites, so anyone who obtains the .p12 and its password can impersonate any HTTPS site to every client that trusts this certificate. Keep the file and the password protected, and delete the .p12 from the client once the import is done.
4. In Windows 7 Operating System Start Menu > Search Box, type mmc and press Enter.
5. In the mmc console window, click File > Add/Remove Snap-in...
6. Under Available snap-ins, select Certificates and click Add. Select Computer account > Local computer, then click Finish and OK to close the snap-in window.
7. In the mmc console window, expand Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificates and choose All Tasks > Import…
8. Click Next, then Browse..., locate the .p12 file you exported earlier (choose the Personal Information Exchange file type if the file is not listed) and click Next.
9. Type zyx123 (the password chosen at export) in the Password field, leave "Mark this key as exportable" unchecked, and click Next.
10. Select Place all certificates in the following store, click Browse, select Trusted Root Certification Authorities, click Next and then Finish.
Note: Each ZyWALL/USG device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased and a new self-signed certificate is created the next time the ZyWALL/USG boots. Clients that trusted the old certificate will then see certificate warnings again until the new certificate is exported and imported.
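The same import can be scripted for many Windows clients. The following script is an added example, not part of the original Zyxel article: it loads the exported .p12, strips the private key (clients never need it) and adds only the certificate to the Local Computer Trusted Root Certification Authorities store, using .NET classes available in Windows PowerShell 2.0 on Windows 7. The file path is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original Zyxel article): import only the PUBLIC
# part of the exported ZyWALL/USG certificate into the Local Computer
# "Trusted Root Certification Authorities" store. The .p12 path is assumed.
# Requires an elevated (Administrator) PowerShell session.

param(
    [string]$PfxPath = 'C:\Temp\usg-default.p12'   # assumed download location
)

if (-not (Test-Path $PfxPath)) { throw "PKCS#12 file not found: $PfxPath" }

# Prompt for the export password (zyx123 in the article's example). Never
# hard-code it in the script.
$securePw = Read-Host -Prompt 'PKCS#12 export password' -AsSecureString

# Load the PKCS#12 (certificate + private key) from disk.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $securePw)

# Re-create the certificate from its DER encoding only: this drops the private
# key, so only the public certificate ends up in the trust store.
$der = $pfx.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$publicOnly = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
if ($publicOnly.HasPrivateKey) { throw 'Private key survived the export; refusing to import it into Root' }

"Importing: Subject={0} Thumbprint={1} NotAfter={2}" -f $publicOnly.Subject, $publicOnly.Thumbprint, $publicOnly.NotAfter

# Add it to the machine-wide Root store (what the mmc steps above do by hand).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $store.Add($publicOnly)
} finally {
    $store.Close()
}

# Verify: the thumbprint must now be present in Cert:\LocalMachine\Root.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $publicOnly.Thumbprint }
if (-not $installed) { throw 'Import failed: certificate not found in Cert:\LocalMachine\Root' }
"OK: {0} is now trusted machine-wide" -f $publicOnly.Thumbprint
```

Because the certificate is added to the Local Computer store rather than the Current User store, it is trusted by every user on the machine, which matches the mmc procedure above (Computer account > Local computer). Keep the exported .p12 out of any shared location used to distribute this script.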
Test the Result
1. Browse to http://www.facebook.com/ or https://www.facebook.com/. Instead of the site, the ZyWALL/USG content filter block message is displayed. For the HTTPS URL no certificate warning should appear if the certificate import succeeded.
2. Go to ZyWALL/USG Monitor > Log, where an [alert] log message is recorded for the blocked access.
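To confirm from a Windows client that SSL Inspection is really applied to the flow (and not just that a page is blocked), compare the issuer of the certificate the client receives with the ZyWALL/USG certificate: an intercepted site is re-signed by the USG, so the site's Issuer equals the Subject of the certificate imported above. The script below is an added example, not part of the original Zyxel article; the URL and the thumbprint of the imported USG certificate are assumptions (list Cert:\LocalMachine\Root to find the thumbprint).

```powershell
# Added example (not from the original Zyxel article): check whether an HTTPS
# connection from this Windows client is intercepted by the ZyWALL/USG.
# $Url and $UsgThumbprint are assumptions; find the thumbprint with:
#   Get-ChildItem Cert:\LocalMachine\Root

param(
    [string]$Url = 'https://www.facebook.com/',
    [string]$UsgThumbprint = ''   # assumed: thumbprint of the imported USG certificate
)

# Perform the request. A Content Filter block page, an HTTP error or a dropped
# connection is all fine here: only the completed TLS handshake matters.
$req = [Net.HttpWebRequest]::Create($Url)
$req.Timeout = 10000
try { $req.GetResponse().Close() } catch { }

$raw = $req.ServicePoint.Certificate
if (-not $raw) {
    throw "No certificate captured for $Url (host unreachable, connection dropped, or the USG certificate is not yet trusted)"
}
$site = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($raw)

"Subject : {0}" -f $site.Subject
"Issuer  : {0}" -f $site.Issuer

if ($UsgThumbprint) {
    $usg = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $UsgThumbprint }
    if (-not $usg) { throw "Thumbprint $UsgThumbprint not found in Cert:\LocalMachine\Root" }

    # An intercepted site carries a certificate issued by the USG, so the site's
    # Issuer DN must equal the USG certificate's Subject DN.
    if ($site.Issuer -eq $usg.Subject) {
        "Intercepted: $Url is re-signed by the ZyWALL/USG (SSL Inspection applies to this flow)"
    } else {
        "Not intercepted: issuer is not the USG certificate (the policy does not match this flow, or SSL Inspection is not applied)"
    }
}
```

If the script reports "Not intercepted" while the site is still blocked, the block came from another mechanism (for example a keyword match on the plain HTTP request) and the HTTPS path of the policy should be re-checked.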
What Can Go Wrong?
1. If you are not able to configure any Content Filter policies, or they do not work, there are two possible reasons:
a) You have not subscribed for the Content Filter service
b) You have subscribed for the Content Filter service but the license is expired.
You can click the link on the CONFIGURATION > Licensing > Registration screen of your ZyXEL device's Web Configurator, or click the myZyXEL.com 2.0 icon on the portal page (https://portal.myzyxel.com/), to register or extend your Content Filter license.