Why doesn't the enable website filter checklist work?

Created: Feb 22, 2020 05:58:30 | Latest reply: Feb 22, 2020 06:40:53 (problem resolved)

Hi, why doesn't the enable website filter checklist in parental control work?


Featured Answers
wissal MVE Created Feb 22, 2020 06:17:47

Hello,
The function (SSL-encrypted traffic detection) takes effect only after the content security group license is valid and the content security component package is loaded dynamically. If the license and component package are not loaded, this function is unavailable on the web UI and cannot be configured on the CLI.

Please check this:

Limitations and Precautions for SSL-encrypted traffic detection

This section describes limitations and precautions for SSL-encrypted traffic detection.

Restrictions

  • In bidirectional verification mode, a server needs to verify the client certificate. For example, when you access websites involving personal privacy such as banks or social security, generally, the server needs to verify the client certificate. The FW blocks or transparently transmits the traffic.
  • If a client accepts only trusted certificates, you need to import certificates or configure the SSL whitelist. Otherwise, services are abnormal.
  • When checking the content security of decrypted traffic, the FW does not support attack forensics on attack packets or virus packets.
  • The SSL-encrypted traffic detection function employs the proxy mode and does not apply to scenarios where interactive traffic information of the two ends cannot be obtained, such as scenarios of off-line deployment, one-way traffic, active/active deployment, and inconsistent forward and reverse paths.
  • If the same flow passes through the FW multiple times and matches the SSL-encrypted traffic detection policy, the SSL-encrypted traffic detection becomes abnormal. To avoid this situation, ensure that the flow passes through different VLANs or VSYSs on the firewall during deployment.
  • SSL-encrypted traffic detection does not support IPv6.
  • For clients running Android 7.0 or later, an insecurity alarm may be reported or services are interrupted, even if the SSL decryption certificate of the firewall is installed on the browser. Determine whether to enable SSL-encrypted traffic detection based on the site requirements.

Precautions

  • For the USG9500, application security service processing subcards must be in position to ensure the availability of the function. For details on application security service processing subcards, see Application Security Service Processing Card (SPC-APPSEC-FW), Application Security Service Processing Card (SPC-IPS-20), Enhanced Application Security Service Processing Card A (SPCA-APPSEC-FW) or Enhanced Application Security Service Processing Card B (SPCB-APPSEC-FW).
  • The function takes effect only after the content security group license is valid and the content security component package is loaded dynamically. If the license and component package are not loaded, this function is unavailable on the web UI and cannot be configured on the CLI.
  • Certain applications, such as Microsoft Windows Update, perform deep checks on certificates. However, certificates sent by the FW to the client are re-issued based on the server certificate instead of a true server certificate. This causes server certificate verification to fail, affecting normal use. For such websites, you can configure whitelisted SSL host names to avoid verification failures.
  • Because SSL-encrypted traffic detection needs to perform a large number of encryption and decryption operations on traffic, it affects the forwarding performance of the device to a certain extent. Therefore, refine matching conditions when configuring SSL-encrypted traffic detection policies, so that the system decrypts only SSL-encrypted traffic that really requires content security check.
  • In the server protection scenario, intranet servers that clients access are considered to be safe and reliable. Therefore, it is unnecessary to provide the URL classification function in this scenario. Therefore, if matching conditions of SSL-encrypted traffic detection policies are configured in this scenario, URL classification does not take effect.
More detail

All Answers
Ghazlan Created Feb 22, 2020 06:20:36

Already checked the link... Page doesn't exist

wissal Created Feb 22, 2020 06:24:10

Please try now, the page exists
Ghazlan Created Feb 22, 2020 06:26:52

Thank you for your answer...
I've tried the link,
but the page said... Page does not exist.

Ghazlan Created Feb 22, 2020 06:28:08

I use the HG8245H5 model

wissal MVE Created Feb 22, 2020 06:40:53

1. Is your user permission too low?
2. If your device is provided by the local carrier, only the carrier can perform the operation.
If you have high permissions but cannot change the configuration, please contact the carrier to obtain the support.
