How to block certain Keywords on SonicOSX 7.0?

Learn how to block specific keywords on SonicOSX 7.0 using App Control. Follow this guide to restrict access based on keyword filtering.

A URI List Object uses its URI List to match URIs when scanning web traffic. It uses a token-based match algorithm, which means torrent.com does not match seedtorrent.com. The Keyword List makes URI matching more flexible, allowing the URI List Object to match traffic by matching other portions of a URI.
If a web traffic URI string (host+path+queryString) has any sub-string in the keyword list, the URI List Object gets a match. For example, if "sports" and "news" are in the keywords list, the URI List Object can match www.extremsports.com, news.google.com/news/headlines?ned=us&hl=en, or www.yahoo.com/?q=sports.

Keyword and Keyword List requirements:

• Each keyword can contain up to 255 printable ASCII characters.
• The maximum combined length of keywords in one Keyword List is limited to 1024 * 2, including one character for each new line (carriage return) between the keywords.

We would need to create the following to block certain keywords through the firewall on SonicOSX 7.0.

1. Creating a decryption policy
2. Creating Security Policies

NOTE: Since the search is done on the URI and the keyword might not be present on the SNI, common name fields, etc while using HTTPS, it is essential to have a decryption policy that can look at the exact URI requested by the end machine and perform keyword matching and block if necessary.

Creating a decryption policy:

Decryption policy matches the traffic and the only two actions we can take are decrypt and bypass. With decryption, we get more visibility to the data helping us in performing better matches and applying the right security policy.

1. Make sure that Client DPI SSL is enabled globally based on the KB: How to create a Decryption Policy on SonicOSX 7.0?
2. Navigate to Policy | Rules and Policies | Decryption Policy tab and click on Top at the bottom of the screen. If you have multiple policies it is very important to choose the right priority to make sure that the decryption policy is getting applied to the necessary traffic.
   
   
   
   
3. Select the appropriate source/destination/service or you can leave it all on Any to decrypt all traffic. Make sure that the action is set to Decrypt and the policy is enabled. 
   
   
   
   
4. On the URL tab, you can perform this specific to a web category or the URI list group created earlier as well. In this example, they are left on Any. Click Save.
   
   
   
   

Creating a Security Policy

Security Policy ties together the Keyword list object, Security Rule Action so that we know what action needs to be taken for a specific match. Before an HTTP/HTTPS connection can be made, the end machine would need to perform DNS resolution of the URL. Since we have an implicit deny rule, DNS traffic needs to be allowed as well.

To create the DNS related Security Policy

1. Navigate to Policy | Rules and Policies | Security policy tab and click on Top at the bottom of the screen. This adds the new Policy at the top of the list. You might need to adjust its priority based on other rules you have.
   
   
   
   
2. Mention a relevant name and in the Source/Destination tab, you can select many fields like source/destination zones, address, services, and also user, geolocation settings. Select the destination Port/Services as 'DNS(Name Service)'.
   
   
   
   
3. Under App/URL/Custom Match tab leave everything on defaults.
4. Select the Default Profile as the Security rule action. Make sure that the Action is set to Allow and the policy is in enable state. Click Add.
   
   
   NOTE: This policy can also be created using the DNS protocol application signature, DNS service is used in this example.

To create the block keyword related Security Policy

1. Navigate to Policy | Rules and Policies | Security policy tab and click on Bottom at the bottom of the screen. This adds the new Policy at the bottom of the list. You might need to adjust its priority based on other rules you have.
   
   
   
   

2. 
   

   Mention a relevant name and in the Source/Destination tab, you can select many fields like source/destination zones, address, services and also user, geo-location settings.
   
   
   
   

3. 
   

   Under App/URL/Custom Match, use the radio button for 'Match Operation' as OR. Also, select the pencil icon to add a new URI List object.
   
   
   
4. Give a relevant name to the list and select the Type as Keyword. Click on Add to add the keywords manually. You can also choose to import a list of keywords from a TXT file using the Import button.
   
   
   
   

5. 
   

   Add all the keywords one by one that you wish to block and click OK.
   
   
   
6. Under Security rule action dropdown, select Default action.
7. On the Security Policy, make sure that the Action is set to Deny and the policy is in enable state. Click Add.
   

You would be now able to see the URLs containing those keywords getting blocked and the SonicWall block page shows up to indicate the same. A google or bing search for those keywords will also result in the block page.

1. While visiting news.google.com
   
   
   
2. While performing a google search for news.
   

NOTE: Note: Google Chrome browser uses a new protocol called QUIC (Quick UDP Internet Connection) that makes the searches faster but uses UDP 443 in the background. With QUIC enabled on the browser, the blocks might not work.

TIP: You can perform the following to tackle this:

1. Use another browser to test
2. Disable QUIC on the browser
3. Create a security policy to block Google QUIC either as an application or as a service on port UDP 443 on the firewall. Refer to the KB: How to block Google QUIC Protocol on SonicOSX 7.0? for more details on these security rules.