This guide is designed to help with the setup of the ZyWALL content filtering feature.
Content filtering lets you block certain web features, such as cookies, and block access to specific web sites. It can also block access to specific categories of web site content (a license is required for the category service). You can create different content filter policies for different addresses, schedules, users or groups.
For example: you can configure a policy that blocks a specific user from web pages related to art and entertainment during the workday and another policy that lets the user access them after work.
ZyWALL 110 – Firmware version 4.20(AAAA.0) and newer
ZyWALL 310 – Firmware version 4.20(AAAB.0) and newer
ZyWALL 1100 – Firmware version 4.20(AAAC.0) and newer
USG40* – Firmware version 4.20(AALA.0) and newer
USG40W* – Firmware version 4.20(AALB.0) and newer
USG60* – Firmware version 4.20(AAKY.0) and newer
USG60W* – Firmware version 4.20(AAKZ.0) and newer
USG110 – Firmware version 4.20(AAPH.0) and newer
USG210 – Firmware version 4.20(AAPI.0) and newer
USG310 – Firmware version 4.20(AAPJ.0) and newer
USG1100 – Firmware version 4.20(AAPK.0) and newer
USG1900 – Firmware version 4.20(AAPL.0) and newer
USG20-VPN* – Firmware version 4.20(ABAQ.0) and newer
USG20W-VPN* – Firmware version 4.20(ABAR.0) and newer
USG2200-VPN – Firmware version 4.20(ABAE.2) and newer
*does not support SSL Inspection (required for Safe Search feature)
Content Filter Profile
To create a content filter profile, log in to the Zyxel security appliance's web configurator and go to Configuration → UTM Profile → Content Filter. Check the box "Enable HTTPS Domain Filter for HTTPS traffic" so that the content filter engine can also filter/block HTTPS websites by category. The HTTPS domain filter works on the domain name of the HTTPS request, so it does not need SSL Inspection; SSL Inspection is only required for the SafeSearch feature described later in this guide.
Click the Add button under "Profile Management" to create a filter profile.
- Name – Provide a name for the filter profile
- Description – Provide a description for the filter profile [OPTIONAL]
- Check the box to "Enable Content Filter Category Service", this will activate the Commtouch content filter categories engine
- Choose what you want the filter engine to do with Unsafe Web Pages, Managed Web Pages, Unrated Web Pages, etc. (Options are Pass, Warn or Block)
- Select the categories you wish to block
- Click OK to save the settings
Policy Control Rule
From the web configurator go to Configuration → Security Policy → Policy Control and click the Add button to insert a rule that applies the content filter profile created in the previous step to matching traffic.
- Name – Provide a name for the rule
- From – Select the packet direction From: LAN1 (Internal Network)
- To – Select the packet direction To: WAN (Internet)
- UTM Profile – Scroll down to the UTM Profile section, check the box next to Content Filter, select the profile you created, and choose whether the ZyWALL should log an entry each time this Policy Control rule matches.
HTTPS Content Warning
By default no block/warn page is shown when the content filter engine blocks an HTTPS website.
To redirect blocked HTTPS requests to the block/warn page, enable "Enable Content Filter HTTPS Domain Filter Block/Warn Page" under Configuration → System → WWW: click the "Show Advanced Setting" button and scroll to the bottom of the screen.
Once this option is enabled, HTTPS domains blocked by the content filter are redirected to the block/warn page, as in the example below.
This feature has a limitation. To deliver the block/warn page on an HTTPS connection, the ZyWALL answers the request itself with its own certificate, which does not match the site the browser asked for. If the website uses HTTP Strict Transport Security (HSTS), the browser has been instructed never to accept a certificate error for that host, so it treats the redirect to the block/warn page as a possible attack and shows an HSTS error like the examples below instead of the page. This is browser behaviour that the user cannot click through and the ZyWALL cannot override.
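To make the HSTS limitation concrete, here is an added example (not part of the Zyxel guide) that models the browser's HSTS host list in Python and reports what the user sees when the appliance answers an HTTPS request with its block/warn page. It assumes only what the guide states: the page is delivered with a certificate that does not match the requested host. The host names and header values are constructed samples.

```python
"""HSTS bookkeeping, to show why the HTTPS block/warn page cannot be displayed for HSTS sites.

A browser that has seen a valid Strict-Transport-Security header for a host records
the policy and, until it expires, refuses to let the user click through any
certificate error for that host. The appliance's block/warn page is delivered
with the appliance's own certificate, which does not match the requested host,
so for HSTS hosts the browser shows the HSTS error instead of the page.
"""


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains) or None when the header is
    malformed (browsers ignore malformed policies).
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # other directives (e.g. preload) do not change enforcement here
    if max_age is None:
        return None  # max-age is mandatory
    return max_age, include_subdomains


class HstsStore:
    """Minimal model of a browser's HSTS host list."""

    def __init__(self):
        self.entries = {}  # host -> (expiry_timestamp, include_subdomains)

    def observe(self, host, header, now):
        """Record the policy carried by a response header seen for host at time now."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = (now + max_age, include_subdomains)

    def is_known(self, host, now):
        """True if host (or a parent domain with includeSubDomains) has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False


def block_page_outcome(store, host, now):
    """What the browser shows when the appliance answers an HTTPS request for host
    with its block/warn page using a certificate that does not match host."""
    if store.is_known(host, now):
        return "hsts-error"  # hard failure, no click-through: the page never appears
    return "block-page"      # the block/warn page is reachable (after a certificate warning
                             # if the appliance certificate is not trusted by the browser)


if __name__ == "__main__":
    # constructed sample: headers the browser would have cached on earlier visits
    store = HstsStore()
    now = 1_700_000_000
    store.observe("example.com", "max-age=31536000; includeSubDomains; preload", now)
    store.observe("short-lived.test", "max-age=60", now)
    for host in ("www.example.com", "example.net", "short-lived.test"):
        print(host, block_page_outcome(store, host, now + 120))
```

Two details matter in practice: a policy inherited from a parent domain only applies when that parent sent includeSubDomains, and a policy is honoured until its max-age expires, so a user who visited the site before the filter was enabled will keep getting the HSTS error for as long as the site's max-age (often a year) lasts.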
The SafeSearch feature of the Zyxel security appliance content filter engine lets network administrators force safe search on the most popular search engines. SafeSearch removes from the results any content the search engine has tagged as inappropriate. The feature is built into most search engines and can normally be turned on or off by the user; the content filter SafeSearch feature forces every search through the engine's safe search filter whether or not the user (the person browsing the internet) has enabled it. Enable SafeSearch on a content filter profile by checking the "Enable SafeSearch" checkbox.
SafeSearch requires SSL Inspection: the search query travels inside the encrypted HTTPS connection, so the appliance can only enforce the safe search setting after decrypting it. Enable SSL Inspection and create an SSL Inspection profile (next section) before turning this option on in the content filter profile. Models marked with * in the list above do not support SSL Inspection and therefore cannot use SafeSearch.
Supported search engines: Google, Bing, Yahoo, Yandex
Partially supported search engines: AltaVista, Ask, YouTube, Lycos
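The following Python example is added here to show the kind of rewriting a SafeSearch enforcer performs on a search request once SSL Inspection has decrypted it, and hence why the feature depends on SSL Inspection. It is an illustration, not Zyxel's implementation: the parameter names and values are the four supported engines' own public SafeSearch query parameters; restricting the rewrite to the /search endpoint is an assumption made here to avoid touching non-search URLs on the same domains. The sample URLs are constructed.

```python
"""URL rewriting that a SafeSearch enforcer performs on decrypted search requests.

Added illustration, not Zyxel's implementation. The parameter names and values
are the search engines' own public SafeSearch query parameters; matching on the
/search endpoint is an assumption made here to avoid touching non-search URLs.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SAFE_SEARCH_PARAMS = {
    "google": ("safe", "active"),
    "bing": ("adlt", "strict"),
    "yahoo": ("vm", "r"),
    "yandex": ("family", "yes"),
}


def engine_for_host(host):
    """Identify the engine from any label of the host (www.google.co.uk, search.yahoo.com, yandex.ru)."""
    for label in host.lower().rstrip(".").split("."):
        if label in SAFE_SEARCH_PARAMS:
            return label
    return None


def enforce_safe_search(url):
    """Return (url_to_forward, changed).

    Only http(s) requests to a supported engine's /search endpoint are rewritten;
    any value the user set for the SafeSearch parameter (e.g. safe=off) is
    replaced, all other parameters are preserved.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return url, False
    engine = engine_for_host(parts.hostname or "")
    if engine is None or not parts.path.startswith("/search"):
        return url, False
    name, value = SAFE_SEARCH_PARAMS[engine]
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != name]
    query.append((name, value))
    new_url = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))
    return new_url, new_url != url


if __name__ == "__main__":
    # constructed sample requests as they would look after SSL Inspection decrypted them
    for sample in (
        "https://www.google.com/search?q=kittens&safe=off",
        "https://www.bing.com/search?q=kittens",
        "https://search.yahoo.com/search?p=kittens",
        "https://yandex.ru/search/?text=kittens",
        "https://mail.google.com/mail/u/0/",                    # not a search: untouched
        "https://www.google.com/search?q=kittens&safe=active",  # already compliant
    ):
        print(enforce_safe_search(sample))
```

Without decryption the appliance sees only the TLS handshake (server name) and cannot read or change the query string, which is why the models that lack SSL Inspection cannot offer SafeSearch even though they can still category-filter HTTPS sites by domain.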
To set up the SSL Inspection profile that lets the Zyxel appliance decrypt SSL/TLS traffic, log in to the web configurator and go to Configuration → UTM Profile → SSL Inspection. Click the Add button to insert a profile.
- Name – Provide a name for the profile.
- Description – optional
- CA Certificate – Select the certificate you wish to use for the profile. Out of the box the Zyxel router has one certificate stored, the 'default' certificate. Additional certificates can be created and/or imported to the Zyxel router from the Configuration → Object → Certificate menu.
- Action for connection with * - Select the appropriate action: block, pass or inspect.
- Click OK to save the profile.
Enable the SSL-Inspection option in the Policy Control rule using the content filter profile with safe search enabled.
The certificate selected in the SSL Inspection profile must be imported as a trusted CA on each client computer or browser; otherwise every inspected site produces a certificate error and SafeSearch will not work. Export the certificate (the public certificate only, never the private key) from the Configuration → Object → Certificate menu. Use the steps below, depending on the operating system or browser, to import the CA certificate. Note that Firefox keeps its own certificate store, so importing into Windows or macOS alone is not enough for Firefox users.
To access the trusted certificates console and import the certificate, open the RUN dialog box. You can access this by pressing the Windows + R keys on the keyboard.
On the RUN box type "mmc" and click OK or hit the Enter/Return key.
In the mmc console, click on File → Add/Remove Snap-in…
Under "Available snap-ins:" select Certificates and Add > it to the "Selected snap-ins:" list.
Select "Computer account" and hit Next >.
Select "Local computer: (the computer this console is running on)" and hit Finish.
Click OK to save the settings.
Expand Certificates (Local Computer) → Trusted Root Certification Authorities, right-click Certificates and choose All Tasks → Import.
Run through the Certificate Import Wizard and select the certificate previously exported from the USG. Importing under the computer account makes the CA trusted for every user on the machine and for every browser that uses the Windows certificate store.
To import the certificate on macOS, open the Keychain Access app under Applications → Utilities. Double-click the certificate file, or drag it onto the Keychain Access window, to import it.
Once the certificate appears in the Certificates list, double-click it, expand the Trust section and set:
- Secure Sockets Layer (SSL) – Always Trust
- X.509 Basic Policy – Always Trust
To import the certificate into Mozilla Firefox, open the browser and go to the Preferences/Options menu (the layout differs between operating systems and Firefox versions; the menu can also be reached by typing 'about:preferences' in the address bar). In older versions click the "Advanced" option and select the Certificates tab; in current versions the setting is under Privacy & Security → Certificates. Click the View Certificates button to open the browser's Certificate Manager.
On the Certificate Manager window click the Authorities tab to upload/import the trusted CA.
- Click the Import… button to browse the computer for the certificate exported from the Zyxel router.
- Select the Zyxel certificate and open it.
- Select "Trust this CA to identify websites" when prompted.
- Click OK to accept and import the certificate.
Verify the certificate appears in the Authorities list and click OK to save. Restart the browser. From then on the browser accepts the per-site certificates the Zyxel appliance issues from this CA during SSL Inspection, and the content filter engine can apply its filter/category and SafeSearch settings to the decrypted HTTPS traffic.
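After the import, a quick way to confirm from a client that SSL Inspection is actually in effect and that the CA is trusted is to look at who issued the certificate the client receives for a well-known site. The Python script below is an added example, not from the Zyxel guide: it assumes a CA commonName of "ZyWALL-SSL-Inspection-CA" (replace it with the CN of the certificate chosen in your SSL Inspection profile, visible under Configuration → Object → Certificate) and uses Python's standard ssl module. The two sample certificate dictionaries are constructed in the shape getpeercert() returns, so the script also runs offline.

```python
"""Client-side check: is HTTPS to a host being inspected by the appliance, and is
its CA trusted by this machine?  Added example, not Zyxel code."""
import socket
import ssl
import sys

# Assumption: commonName of the CA certificate selected in the SSL Inspection
# profile (check it under Configuration -> Object -> Certificate).
INSPECTION_CA_CN = "ZyWALL-SSL-Inspection-CA"


def issuer_cn(peercert):
    """Return the issuer commonName from the dict ssl.SSLSocket.getpeercert() gives,
    or None if absent. The issuer is a tuple of RDNs, each a tuple of (attr, value)."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def classify(peercert, inspection_ca_cn=INSPECTION_CA_CN):
    """'inspected' when the leaf was issued by the appliance CA, else 'direct'."""
    return "inspected" if issuer_cn(peercert) == inspection_ca_cn else "direct"


def check_host(host, inspection_ca_cn=INSPECTION_CA_CN, cafile=None, timeout=5):
    """Connect to host:443 and return 'inspected', 'direct' or 'untrusted'.

    'untrusted' means the presented chain failed verification against the trust
    store in use; with inspection active that is exactly the symptom of a CA
    that has not been imported on this machine.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert(), inspection_ca_cn)
    except ssl.SSLCertVerificationError:
        return "untrusted"


# Constructed samples in the shape getpeercert() returns.
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("organizationName", "Zyxel"),), (("commonName", INSPECTION_CA_CN),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # live check, e.g.: python check_inspection.py www.google.com [exported_ca.pem]
        cafile = sys.argv[2] if len(sys.argv) > 2 else None
        print(sys.argv[1], check_host(sys.argv[1], cafile=cafile))
    else:
        print("constructed inspected sample:", classify(SAMPLE_INSPECTED))
        print("constructed direct sample:   ", classify(SAMPLE_DIRECT))
```

Python verifies against its own default trust store, which on Windows includes the system store but on macOS may not be the Keychain, so a result of 'untrusted' from this script does not by itself mean the browser import failed. Passing the exported appliance CA as the second argument makes the result unambiguous: with only that CA in the store, 'inspected' proves the chain was issued by the appliance, and 'untrusted' means the traffic to that host is not being inspected (the policy rule or profile does not match it).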