How to block Google Play using CFS 3.0 (SonicOS 5.8.0 and above)

Description

How to block Google Play using CFS 3.0 (SonicOS 5.8.0 and above)

Resolution

Feature/Application:


This KB article describes how to block play.google.com using SonicWall Content Filtering Service (CFS) 3.0. SonicWall CFS 3.0, which was introduced in SonicOS 5.8.0.0, uses HTTPS Content Filtering to block HTTPS sites. HTTPS Content Filtering looks up the host name from the Server Name extension in the SSL Client Hello message if the browser supports the SSL Server Name extension; otherwise it uses the Certificate Common Name (CN) in the Server Hello message.

However, this method will not work if 1) the browser does not support the Server Name extension in the Client Hello message, or 2) the Common Name (CN) in the Certificate message does not correspond to the host name being accessed. You could work around this problem by blocking the SSL / TLS versions that do not support the Server Name extension. To block SSL versions, refer to the KB article UTM: How to Block SSL / TLS versions using Application Control Advanced (5.8 onwards). Alternatively, you could use DPI-SSL.
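The Server Name lookup described above, and the case where it returns nothing, as an added example (not SonicWall code). The function names are hypothetical and the Client Hello records are constructed in the script rather than captured from a browser.

```python
import struct

FORBIDDEN = {"play.google.com"}  # Forbidden Domains entry; exact match is a simplification

def build_client_hello(host=None):
    """Build a minimal ClientHello record (constructed sample, not a capture)."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        exts = struct.pack("!HH", 0, len(sni)) + sni            # extension 0 = server_name
    # client_version, random, empty session_id, one cipher suite, null compression
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record):
    """Return the host name from the Server Name extension, or None if absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None  # not a handshake record carrying a ClientHello
    end = min(len(record), 5 + int.from_bytes(record[3:5], "big"))
    pos = 9 + 2 + 32  # skip record/handshake headers, client_version, random
    try:
        pos += 1 + record[pos]                                 # session_id
        pos += 2 + int.from_bytes(record[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + record[pos]                                 # compression_methods
    except IndexError:
        return None
    if pos + 2 > end:
        return None  # hello without an extensions block
    ext_end = min(end, pos + 2 + int.from_bytes(record[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        if etype == 0 and elen >= 5:
            nlen = int.from_bytes(record[pos + 7:pos + 9], "big")
            return record[pos + 9:pos + 9 + nlen].decode("ascii", "replace").lower()
        pos += 4 + elen
    return None

def verdict(record):
    host = extract_sni(record)
    if host is None:
        return "no-sni"  # the filter has only the certificate CN to go on
    return "block" if host in FORBIDDEN else "allow"
```

A "no-sni" result corresponds to case 1) above: the host name check then depends entirely on the certificate CN matching the site being accessed.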

Procedure:

  • Log in to the SonicWall management GUI.
  • Navigate to Security Services > Content Filter.
  • Click the Configure button under Content Filter Service to open the SonicWall Filter Properties window.
  • Select the Enable HTTPS Content Filtering check box.
  • Add play.google.com under Forbidden Domains in the Custom List tab. Depending on the CFS deployment, the host name can also be entered in a policy-based Custom List.

Enabling CFS on zones

  • Navigate to Network > Zones.
  • Click the Configure button for the zone on which you want to enforce CFS.
  • Check the box under Enforce Content Filtering Service.

Testing:

From a host behind the SonicWall, try to access play.google.com and you will get the following error in the web browser:
 

The following message will be logged in the SonicWall under Log > View
 

 
