How to Configure CFS with App Rules

Description

How to Configure CFS with App Rules

Resolution

NOTE: CFS 4.0 does not allow usage of CFS via App Rules. This article applies only to CFS 3.0.

1.  Navigate to Security Services | Content Filter.

2.  Change CFS Policy Assignment to Via App Rules and click on Accept to save the change.
3.  Click on Configure under Content Filter Service


4.  Under the CFS tab, select the Enable HTTPS Content Filtering and Enable CFS Server Failover check boxes.

Note: If DPI-SSL Client Inspection is enabled with Content Filter, Enable HTTPS Content Filtering must be unchecked.

5.  Click on OK


6.  Navigate to Users | Settings.

This SonicWall has been set up for LDAP and SSO authentication. For a KB article on how to configure LDAP and SSO Authentication, read the sections on LDAP and SSO in Using Multiple Custom content Filter policies with LDAP and SSO to restrict Internet access (CFS + LDAP + SSO)


7.  Go to Users | Local Groups.

Shown here are two user groups imported from LDAP, Teachers Group and Students Group.

For this KB article, we use the following scenario:

  • Create two CFS rules: Teachers and Students.
  • The Teachers Policy must be the least restrictive with only a few categories blocked.
  • The Students Policy must have all categories blocked except Education and Email.

    Note:  The default action will be to provide all machines with the Students policy unless a teacher is logged in. 
    Technically, the Students group is not required to be imported to the firewall in this scenario.


8.  Create Students List Match Object
 

  • Click on Add New Match Object again
  • Let's call this Students List
  • Set Match Object Type as CFS Category List
  • Enable the check box Select All Categories and uncheck Education and Email
  • Click on OK to save

9.  Create Teachers List Match Object

  • Click on Add New Match Object again
  • Let's call this Teachers List
  • In the CFS Category List check categories 1 to 12 and then categories 48 and 58. 
  • Click on OK to save.

Let us now create Match Objects for the Allowed and Forbidden domains.

10.  Create Students Allowed Domains

  • Click on Add New Match Object
  • Under Name, enter Students - Allowed Domains.
  • Set Match Object Type to CFS Allow/Forbidden List.
  • Under Content, enter google.com and click on Add.
  • Click on OK to save.



11.  Create Teachers Allowed Domains

 

  • Click on Add New Match Object
  • Under Name, enter Teachers - Allowed Domains.
  • Under Match Object Type, select CFS Allow/Forbidden List.
  • Set Match Type to Partial Match
  • Under Content, enter youtube.com and click on Add.
  • Enter ytimg.com and click on Add.
  • Click on OK to save.

12. Create a Match Object to block a website for both user groups.

  • Click on Add New Match Object
  • Under Name, enter All - Blocked Domains.
  • Set Match Object Type to CFS Allow/Forbidden List.
  • Under Content, enter microsoft.com, ecomm.co.uk and wellsfargo.com, clicking on Add after each.
  • Click on OK to save.

Create App Rules policies

13.  Create Students Policy
 

  • Click on Add New Policy
  • Under Policy Name, enter Students Policy
  • Set Policy Type to CFS
  • Under Match Object, select Students List.
  • Set Action Object to CFS Block Page.
  • Under Users/Groups, select Any under Included.
  • Under Users/Groups select Teachers-Group under Excluded
  • Set the Zone field to Any.  Note: CFS using App Rules is not required to be enabled on the zones page because the zone can be selected here under the Zone field.
  • Under CFS Allow/Excluded List, select Students - Allowed Domains
  • Under CFS Forbidden/Included List, select All - Blocked Domains
  • Leave the remaining options as they are and click on OK to create this policy.


14.  Create Teachers Policy
 

  • Now let's create another Policy
  • Under Policy Name, enter Teachers Policy
  • Set Policy Type to CFS
  • Under Match Object, select Teachers List
  • Set Action Object as CFS Block Page
  • Under Users/Groups, select Teachers Group
  • Under CFS Allow/Excluded List, select Teachers - Allowed Domains
  • Under CFS Forbidden/Included List, select All - Blocked Domains

This concludes the configuration of CFS using App Rules.


Test the configuration

Log in to a host as a user in the Teachers group.

  • Try to access a website under a category allowed for this user, like com
  • Try to access a website in the Social Networking category, which is blocked for this user, like facebook.com.
  • Try to access the sites under the Forbidden List, microsoft.com, ecomm.co.uk, wellsfargo.com

Log in to a host as a user in the Students group.

  • Try to access a website under Education category which is allowed for this user, like stanford.edu.
  • Try to access a website in the Social Networking category, like facebook.com, which is blocked for this user.
  • Try to access the sites under the Forbidden List, microsoft.com, ecomm.co.uk, wellsfargo.com

When accessing a website over HTTPS, CFS will block it but will not display a block page, unless DPI-SSL Client Inspection is enabled.
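
The results to expect from the tests above can be worked out in advance. The following is an added example, not SonicWall code and not part of the original article: a simplified Python model of the Students and Teachers policies from steps 13 and 14. The order in which the lists are checked, the subdomain matching and the hand-supplied category labels are assumptions.

```python
# Simplified model of the two App Rules CFS policies from steps 13 and 14.
# Added illustration, not SonicOS code. Assumptions: the Forbidden list is
# checked before the Allowed list, and a list entry matches the domain itself
# and its subdomains.
EDU, EMAIL, SOCIAL = "Education", "Email", "Social Networking"
BLOCKED_FOR_ALL = {"microsoft.com", "ecomm.co.uk", "wellsfargo.com"}  # step 12

POLICIES = [
    {"name": "Students Policy",                      # Included: Any
     "applies": lambda groups: "Teachers Group" not in groups,  # Excluded
     # Students List: every category except Education and Email (step 8)
     "blocks": lambda category: category not in {EDU, EMAIL},
     "allowed": {"google.com"},                      # step 10
     "forbidden": BLOCKED_FOR_ALL},
    {"name": "Teachers Policy",
     "applies": lambda groups: "Teachers Group" in groups,
     # Teachers List is categories 1 to 12, 48 and 58 (step 9). The page names
     # only Social Networking as blocked, so only that one is modelled.
     "blocks": lambda category: category in {SOCIAL},
     "allowed": {"youtube.com", "ytimg.com"},        # step 11
     "forbidden": BLOCKED_FOR_ALL},
]

def in_list(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def verdict(groups, host, category=None):
    """Return (policy name, "allow" or "block") for one web request."""
    policy = next(p for p in POLICIES if p["applies"](set(groups)))
    if in_list(host, policy["forbidden"]):
        action = "block"
    elif in_list(host, policy["allowed"]):
        action = "allow"
    else:
        action = "block" if policy["blocks"](category) else "allow"
    return policy["name"], action

# Constructed requests mirroring the tests above; category labels are supplied
# by hand here, whereas on the firewall they come from the CFS ratings.
CASES = [
    (["Teachers Group"], "www.youtube.com", None),
    (["Teachers Group"], "facebook.com", SOCIAL),
    (["Students Group"], "stanford.edu", EDU),
    (["Students Group"], "facebook.com", SOCIAL),
    ([], "www.microsoft.com", None),   # nobody logged in: Students Policy
]

if __name__ == "__main__":
    for groups, host, category in CASES:
        print(groups or ["(no user)"], host, *verdict(groups, host, category))
```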

