Content Filtering Service (CFS) 4.0 Overview - SonicOS 6.2.6 and above

Description

Starting with SonicOS 6.2.6, SonicWall firewalls introduce Content Filtering Service (CFS) 4.0. In this version, CFS is optimized and enhanced with a redesigned framework and workflow, an easier-to-use UI, improved filtering options, handling of smaller packet sizes, and more.

This article describes all aspects of configuring Content Filtering Service 4.0.

Resolution

Content Filter page

On the Security Services | Content Filter page, users are given a choice to select the Content Filter type between SonicWall CFS and Websense Enterprise. By default the type is SonicWall CFS.

Global Settings

Unlike previous CFS versions, CFS 4.0 is implemented through CFS Policies. The options from the SonicWall Filter Properties window have therefore been moved to the Content Filter page and consolidated under the Global Settings section. The option Enable Content Filtering Service has been added to enable or disable CFS globally.

CFS Objects

To make the configurations reusable and easy to manage, three objects are introduced in CFS. They are URI List Objects, CFS Action Objects and CFS Profile Objects. You can navigate to Firewall | Content Filter Objects page to configure them.

URI List Objects

With this object, users can add domains and URIs to a list and set the list as custom Allowed or Forbidden. The lists have higher priority than the category: CFS checks the lists before checking the category of a URI. The wildcard character "*" is supported in the URI string, for instance *.google.com.

The URI List Object is used by a CFS Profile Object.

CFS Action Objects

This object defines how CFS will deal with the packet after it is filtered.

Wipe Cookies: The cookies inside the HTTP request will be removed to protect privacy.

Note: If Wipe Cookies is enabled, it may break the Safe Search Enforcement function for some search engines.

Enable Safe Search enforcement: When searching from these websites www.google.com, www.yahoo.com, www.bing.com, www.dogpile.com, www.lycos.com, www.ask.com, Safe Search will be turned on. 

Enable YouTube for Schools with ID: When accessing YouTube, students can only view the videos predefined by the school administrator. If this option is enabled, the user must provide a valid school ID.

Enable YouTube Safety Enforcement: YouTube provides a feature on its web site to screen out videos that may contain inappropriate content flagged by users and other signals. When this option is enabled, YouTube is always accessed in Safety mode.

Note: All these options are supported only for HTTP requests. For HTTPS requests, DPI-SSL must be used together with CFS.

There are four actions supported in CFS: 

Block: Users can define the blocking page to display if the connection is blocked.
Passphrase: Users can define the passphrase page to display and the password required before continuing.
Confirm: Users can define the confirm page to display.
BWM: Users can configure "Bandwidth Aggregation Method" as Per Policy or Per Action. Users can also configure the detailed BWM status and objects for "Egress Bandwidth Management" and "Ingress Bandwidth Management". 

The Action Objects will be used by CFS Policy.

CFS Profile Objects

A CFS Profile Object defines what kind of operation is triggered for each HTTP/HTTPS connection and is used by a CFS Policy.

URI List Searching Order: Determines which of the Allowed and Forbidden URI lists is searched first when looking up a URI.
Category Configuration: For each category, users can define the operation applied when a URI belongs to that category. By default, categories 1 ~ 12 are blocked and all other categories are allowed.

Enable Smart Filtering for Embedded URI: Google Translate (https://translate.google.com) can translate a site from one language to another. Because the website to be translated is embedded inside the Google Translate URI, a user can bypass CFS with it. When this option is enabled, CFS detects the embedded URI inside Google Translate and filters it.
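For reviewing web logs with the same idea in mind, the following added example (not SonicWall code) extracts the site embedded in a Google Translate URL and checks it against a forbidden list. It handles only the translate.google.com URL form that carries the target in the `u` query parameter; the log lines, list entries and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import parse_qs, urlsplit

# Constructed forbidden-list entries (assumption, not from the article).
FORBIDDEN = ["blocked.example", "*.blocked.example"]

# Constructed sample of requested URLs as they might appear in a web log.
SAMPLE_LOG = [
    "https://translate.google.com/translate?sl=auto&tl=en&u=http://games.blocked.example/play",
    "https://translate.google.com/translate?sl=fr&tl=en&u=https%3A%2F%2Fnews.example.com%2F",
    "https://translate.google.com/?sl=en&tl=de&text=hello",
    "https://www.example.org/index.html",
]


def embedded_host(url):
    """Return the host embedded in a Google Translate URL, or None."""
    parts = urlsplit(url)
    if parts.hostname != "translate.google.com":
        return None
    targets = parse_qs(parts.query).get("u")   # parse_qs also percent-decodes
    if not targets:
        return None                            # text translation, no embedded site
    target = targets[0]
    if "://" not in target:                    # 'u=example.com' carries no scheme
        target = "http://" + target
    return urlsplit(target).hostname


def flag_embedded(log, forbidden):
    """Return (url, host) pairs whose embedded host matches a forbidden entry."""
    hits = []
    for url in log:
        host = embedded_host(url)
        if host and any(fnmatchcase(host, pattern) for pattern in forbidden):
            hits.append((url, host))
    return hits


if __name__ == "__main__":
    for url, host in flag_embedded(SAMPLE_LOG, FORBIDDEN):
        print(f"embedded forbidden host {host}: {url}")
```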

CFS Policies

Users are able to define matching conditions to hit a CFS Policy: Enabled, Source Zone, Destination Zone, Address Object, Users/Groups, Schedule, CFS Profile, and CFS Action. 

If a packet is detected and all of these conditions match, it is filtered by the corresponding CFS Profile. The CFS Action is then invoked after filtering.
Each CFS Policy has a priority. A matching CFS Policy with higher priority is always checked earlier.

CFS Custom Category

Users can customize the ratings for specific URIs. When CFS checks the ratings for a URI, it checks the user ratings first, then the ratings from the backend. To add or edit a custom category, users must enter a valid URI and select up to 4 categories for it.
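The lookup order described in the sections above (URI lists before categories, custom ratings before backend ratings, then the per-category default) can be modelled as follows. This is an added illustrative sketch, not SonicWall code: the function names, sample lists, category numbers assigned to hosts, shell-style "*" matching and the treatment of unrated hosts as allowed are all assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample data; every name and value here is an illustrative assumption.
ALLOWED = ["*.example.edu*"]
FORBIDDEN = ["*.example.edu/games*", "ads.example.net"]
CUSTOM_RATINGS = {"intranet.example.org": [30]}            # admin-defined ratings
BACKEND_RATINGS = {"intranet.example.org": [5],
                   "casino.example.com": [7],
                   "news.example.com": [40]}
BLOCKED_CATEGORIES = set(range(1, 13))   # article: categories 1 ~ 12 blocked by default


def in_list(uri, patterns):
    """True if the URI matches any list entry; '*' matches any run of characters."""
    return any(fnmatchcase(uri, pattern) for pattern in patterns)


def rate(host):
    """Custom (user) ratings are consulted before backend ratings."""
    if host in CUSTOM_RATINGS:
        return CUSTOM_RATINGS[host]
    return BACKEND_RATINGS.get(host, [])  # unrated hosts get no category (assumption)


def decide(uri, search_allowed_first=True):
    """Return (verdict, reason) following the order the article describes."""
    uri = uri.split("://", 1)[-1].lower()
    lists = [("allow", ALLOWED), ("block", FORBIDDEN)]
    if not search_allowed_first:          # models 'URI List Searching Order'
        lists.reverse()
    for verdict, patterns in lists:       # 1. URI lists outrank categories
        if in_list(uri, patterns):
            return verdict, "uri-list"
    host = uri.split("/", 1)[0]
    categories = rate(host)               # 2. custom rating, then backend rating
    if any(c in BLOCKED_CATEGORIES for c in categories):
        return "block", "category"
    return "allow", "category"            # 3. other categories allowed by default


if __name__ == "__main__":
    for sample in ("http://www.example.edu/games/x", "https://intranet.example.org/",
                   "http://casino.example.com/", "http://ads.example.net"):
        print(sample, decide(sample), decide(sample, search_allowed_first=False))
```

The first sample URL matches both lists, so its verdict flips with the searching order; the intranet host shows a custom rating overriding a backend rating that would otherwise block it.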


Websense Enterprise

Compared with the previous version, CFS 4.0 separates the Websense configuration from SonicWall CFS. This is to avoid confusion between the two Content Filter Types.

Enhancements

  • An option added to enable/disable CFS globally.
  • Define URI List object, Profile object and Action object, which can be reused in multiple policies.
  • Merge via Zones mode and via App Rules mode into one.
  • Support wildcard "*" matching for URI List.
  • Introduce Passphrase and Confirm operations in CFS action object. 
  • Support more commands in HTML page editing, including GET, HEAD, POST, PUT, CONNECT, OPTIONS, DELETE, REPORT, COPY and MOVE.
  • Support BWM.
  • Consent feature is per policy.

Resolution for SonicOS 6.5 and Later

SonicOS 6.5 was released September 2017. This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 and later firmware.

Content Filter page

On the Manage > Security Configuration > Security Services > Content Filter page, users are given a choice to select the Content Filter type between SonicWall CFS and Websense Enterprise. By default the type is SonicWall CFS.

Global Settings

Unlike previous CFS versions, CFS 4.0 is implemented through CFS Policies. The options from the SonicWall Filter Properties window have therefore been moved to the Content Filter page and consolidated under the Global Settings section. The option Enable Content Filtering Service has been added to enable or disable CFS globally.

CFS Objects

To make the configurations reusable and easy to manage, three objects are introduced in CFS. They are URI List Objects, CFS Action Objects and CFS Profile Objects. You can navigate to Manage > Policies > Objects > Content Filter Objects page to configure them.

URI List Objects

With this object, users can add domains and URIs to a list and set the list as custom Allowed or Forbidden. The lists have higher priority than the category: CFS checks the lists before checking the category of a URI. The wildcard character "*" is supported in the URI string, for instance *.google.com.

The URI List Object is used by a CFS Profile Object.

CFS Action Objects

This object defines how CFS will deal with the packet after it is filtered.

Wipe Cookies: The cookies inside the HTTP request will be removed to protect privacy.

Note: If Wipe Cookies is enabled, it may break the Safe Search Enforcement function for some search engines.

There are five actions supported in CFS: 

Block: Users can define the blocking page to display if the connection is blocked.
Passphrase: Users can define the passphrase page to display and the password required before continuing.
Confirm: Users can define the confirm page to display.
BWM: Users can configure "Bandwidth Aggregation Method" as Per Policy or Per Action. Users can also configure the detailed BWM status and objects for "Egress Bandwidth Management" and "Ingress Bandwidth Management".

Threat API: Shows Threat API Block page message.

The Action Objects will be used by CFS Policy.

CFS Profile Objects

A CFS Profile Object defines what kind of operation is triggered for each HTTP/HTTPS connection and is used by a CFS Policy.

URI List Searching Order: Determines which of the Allowed and Forbidden URI lists is searched first when looking up a URI.
Category Configuration: For each category, users can define the operation applied when a URI belongs to that category. By default, categories 1 ~ 12 are blocked and all other categories are allowed.

Enable Smart Filtering for Embedded URI: Google Translate (https://translate.google.com) can translate a site from one language to another. Because the website to be translated is embedded inside the Google Translate URI, a user can bypass CFS with it. When this option is enabled, CFS detects the embedded URI inside Google Translate and filters it.

Enable Safe Search enforcement: When searching from these websites www.google.com, www.yahoo.com, www.bing.com, www.dogpile.com, www.lycos.com, www.ask.com, Safe Search will be turned on.

Enable YouTube Restrict Mode: When accessing YouTube, students can only view the videos predefined by the school administrator. If this option is enabled, the user must provide a valid school ID.

Note: All these options are supported only for HTTP requests. For HTTPS requests, DPI-SSL must be used together with CFS.

CFS Policies

Users are able to define matching conditions to hit a CFS Policy: Enabled, Source Zone, Destination Zone, Address Object, Users/Groups, Schedule, CFS Profile, and CFS Action. 

If a packet is detected and all of these conditions match, it is filtered by the corresponding CFS Profile. The CFS Action is then invoked after filtering.
Each CFS Policy has a priority. A matching CFS Policy with higher priority is always checked earlier.

CFS Custom Category

Users can customize the ratings for specific URIs. When CFS checks the ratings for a URI, it checks the user ratings first, then the ratings from the backend. To add or edit a custom category, users must enter a valid URI and select up to 4 categories for it.


Websense Enterprise

Compared with the previous version, CFS 4.0 separates the Websense configuration from SonicWall CFS. This is to avoid confusion between the two Content Filter Types.

Enhancements

  • An option added to enable/disable CFS globally.
  • Define URI List object, Profile object and Action object, which can be reused in multiple policies.
  • Merge via Zones mode and via App Rules mode into one.
  • Support wildcard "*" matching for URI List.
  • Introduce Passphrase and Confirm operations in CFS action object. 
  • Support more commands in HTML page editing, including GET, HEAD, POST, PUT, CONNECT, OPTIONS, DELETE, REPORT, COPY and MOVE.
  • Support BWM.
  • Consent feature is per policy.