
SonicOS 5.9 Admin Guide

Security Services

Managing SonicWall Security Services

SonicWall Security Services

SonicWall, Inc. offers a variety of subscription-based security services to provide layered security for your network. SonicWall security services are designed to integrate seamlessly into your network to provide complete protection.

The following subscription-based security services are listed in Security Services on the SonicWall security appliance’s management interface:

SonicWall Content Filtering Service
SonicWall Client Anti-Virus Enforcement
SonicWall Client CF Enforcement
SonicWall Gateway Anti-Virus*
SonicWall Intrusion Prevention Service*
SonicWall Anti-Spyware*
SonicWall Geo-IP Filter
SonicWall Botnet Filter
NOTE: *Included as part of the SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service unified threat management solution. Also included with SonicWall Client Anti-Virus.

TIP: After you register your SonicWall security appliance, you can try FREE TRIAL versions of SonicWall Content Filtering Service, SonicWall Client Anti-Virus, SonicWall Gateway Anti-Virus, SonicWall Intrusion Prevention Service, and SonicWall Anti-Spyware.

You can activate and manage SonicWall security services directly from the SonicOS management interface or from https://www.MySonicWall.com.

NOTE: For more information on SonicWall security services, please visit http://www.SonicWall.com.

Complete product documentation for SonicWall security services is available on the SonicWall documentation Web site http://www.SonicWall.com/us/Support.html.

Topics:

Security Services > Summary

The Security Services > Summary page consists of several sections:

A brief overview of services available for your SonicWall security appliance.

Synchronize Licenses — see Synchronize Licenses
Security Services Settings — see Security Services Settings
Signature Downloads Through a Proxy Server — see Signature Downloads and Registration Through a Proxy Server
Security Services Information — see Security Services Information
Update signatures manually — see Update Signature Manually

Synchronize Licenses

In the Synchronize Licenses area, you can click the Synchronize button to synchronize licenses on the appliance with MySonicWall.com. Licenses are automatically synchronized at regular intervals, but you may want to do this if you have just purchased a license. This area also provides a direct link to the login page of MySonicWall.com.

At the top of the services overview, you can click the link to the System > Licenses page to view license status and the available SonicWall security services and upgrades for your SonicWall security appliance and access MySonicWall.com for activating services using Activation Keys.


On the System > Licenses page, a list of currently available services is displayed in the Security Services Summary table; see Security Services Summary. Subscribed services are displayed with Licensed in the Status column. The service expiration date is displayed in the Expiration column. If the service is limited to a number of users, the number is displayed in the Count column. If the service is not licensed, Not Licensed is displayed in the Status column. If the service license has expired, Expired is displayed in the Status column.

The Manage Security Services Online area is also on the System > Licenses page, below the Security Services Summary table; see Manage Security Services Online. This section of the page allows you to synchronize licenses with MySonicWall.com, and activate or renew security services licenses using Activation Keys. You can manually upgrade your licenses by entering the “keyset” for them, obtained on MySonicWall.com. It also provides a link to the login page of MySonicWall.com.

If your SonicWall security appliance is not registered, the System > Licenses page does not include the Services Summary table. Your SonicWall security appliance must be registered to display the Services Summary table.

Using MySonicWall

To activate SonicWall Security Services, you need to have a MySonicWall.com account and your SonicWall security appliance must be registered. Creating a MySonicWall.com account is easy and free. MySonicWall.com delivers a convenient, one-stop resource for registration, activation, and management of your SonicWall products and services. Your MySonicWall.com account provides a single profile to do the following:

Register your SonicWall security appliance
Try free trials of SonicWall security services
Purchase/Activate SonicWall security service licenses
Receive SonicWall firmware and security service updates and alerts
Manage your SonicWall security services
Access SonicWall Technical Support

For more information about creating a MySonicWall.com account and registering your SonicWall security appliance, see the Getting Started Guide for your appliance. For more information about licensing security services, see Manage Security Services Online and Manually Activating, Upgrading, or Renewing for Closed Environments.

Managing Security Services Online

Clicking the link to MySonicWall.com displays the MySonicWall.com Login page for accessing your MySonicWall.com account licensing information. For information about managing Security Services online, see Manage Security Services Online.

Configuring Security Services

The following sections describe global configurations that are performed on the Security Services > Summary page:

Security Services Settings

The Security Services Settings section provides the following options for fine-tuning SonicWall security services:

Security Services Settings - This drop-down menu specifies whether SonicWall security services are applied to maximize security or to maximize performance:
Maximum Security (Recommended) - Inspect all content with any threat probability (high/medium/low). For additional performance capacity in this maximum security setting, utilize SonicOS Clustering.
Performance Optimized - Inspect all content with a high or medium threat probability. Consider this performance optimized security setting for bandwidth or CPU intensive gateway deployments or utilize SonicOS DPI Clustering.

The Maximum Security setting provides maximum protection. The Performance Optimized setting utilizes knowledge of the currently known threats to provide high protection against active threats in the threat landscape.

Reduce Anti-Virus traffic for ISDN connections - Select this feature to enable the SonicWall Anti-Virus to check only once a day (every 24 hours) for updates and reduce the frequency of outbound traffic for users who do not have an “always on” Internet connection.
Drop all packets while IPS, GAV and Anti-Spyware database is reloading - Select this option to instruct the SonicWall security appliance to drop all packets whenever the IPS, GAV, and Anti-Spyware database is updating.
HTTP Clientless Notification Timeout for Gateway AntiVirus and AntiSpyware - Set the timeout duration, in seconds, after which the SonicWall security appliance notifies users when GAV or Anti-Spyware detects an incoming threat from an HTTP server. The default timeout is one day (86400 seconds), the minimum time is 10 seconds, and the maximum time is 2147483647 seconds.

Signature Downloads and Registration Through a Proxy Server

This section provides the ability for SonicWall security appliances that operate in networks where they must access the Internet through a proxy server to download signatures. This feature also allows for registration of SonicWall security appliances through a proxy server without compromising privacy.

CAUTION: By design, the SonicWall License Manager cannot be configured to use a third party proxy server. Networks that direct all HTTP and HTTPS traffic through a third party proxy server may experience License Manager issues.

To enable signature download or appliance registration through a proxy server:

1. Select the Download Signatures through a Proxy Server check box.
2. In the Proxy Server Name or IP Address field, enter the hostname or IP address of the proxy server.
3. In the Proxy Server Port field, enter the port number used to connect to the proxy server.
4. Select the This Proxy Server requires Authentication check box if the proxy server requires a username and password.
5. If the appliance has not been registered with MySonicWall.com, two additional fields are displayed:
   Username - Enter the username for the MySonicWall.com account that the appliance is to be registered to.
   Password - Enter the MySonicWall.com account password.
6. Click Accept at the top of the page.

Security Services Information

This section previously displayed the brief overview of services available for your SonicWall security appliance, which is now displayed at the top of the page.

Update Signature Manually

The Manual Signature Update feature is intended for networks where reliable, broadband Internet connectivity is either not possible or not desirable (for security reasons). The Manual Signature Update feature provides a method to update the latest signatures at the network administrator’s discretion. You first download the signatures from http://www.MySonicWall.com to a separate computer, a USB drive, or other media. Then, you upload the signatures to the SonicWall security appliance. The same signature update file can be used for all SonicWall security appliances that meet the following requirements:

Devices that are registered to the same MySonicWall.com account
Devices that belong to the same class of SonicWall security appliances.
To manually update signature files:

1. On the Security Services > Summary page, scroll to the Update signatures manually heading at the bottom of the page. Note the Signature File ID for the device.
2. Click the link to http://www.MySonicWall.com to log on using the MySonicWall.com account that was used to register the SonicWall security appliance.
   NOTE: The signature file can only be used on SonicWall security appliances that are registered to the MySonicWall.com account that downloaded the signature file.
3. Click on Download Signatures under the Downloads heading.
4. In the drop-down menu next to Signature ID:, select the appropriate SFID for your SonicWall security appliance.
5. Download the signature update file by clicking on Click here to download the Signature file.
   NOTE: The remaining steps can be performed while disconnected from the Internet.
6. Return to the Security Services > Summary page on the SonicWall security appliance GUI.
7. Click on the Import Signatures button. The Import Signatures dialog displays.
8. Click the Browse button, and navigate to the location of the signature update file.
9. Click Import. The signatures are uploaded for the security services that are enabled on the SonicWall security appliance.

Update Geo-IP Database Manually

The Geo-IP Filter feature allows administrators to block connections to or from a geographic location. The SonicWall network security appliance uses the IP address to determine the location of the connection. To use this feature, you must download the Geo-IP database to the appliance.

To update the Geo-IP database manually:

1. Go to the Security Services > Summary page.
2. Scroll down to the Update Geo-IP Database Manually section.
3. Click the Import Geo-IP Database button. The Import Geo-IP Database dialog displays.
4. Browse and select the Geo-IP database that you want.
5. Click Import.

Update Botnet Database Manually

The Botnet Filtering feature allows administrators to block connections to or from Botnet command and control servers. To use this feature, you must download the Botnet database to the appliance.

To update the Botnet database manually:

1. Go to the Security Services > Summary page.
2. Scroll down to the Update Botnet Database Manually section.
3. Click the Import Botnet Database button. The Import Botnet Database dialog displays.
4. Browse and select the Botnet database that you want.
5. Click Import.

DPI Clustering

Deep Packet Inspection (DPI) Clustering consists of two SonicWall NSA series appliances set up in series so that traffic passes through both units. The first appliance is configured in NAT mode and handles GAV and inbound Anti-Spyware. The second appliance is configured as an L2 Bridge and runs IPS and outbound Anti-Spyware. Splitting the security services between the two appliances improves performance. The appliances are configured as follows:

SonicWall Appliance 1:
IPS: Global enabled
GAV: Global Disabled
Anti-Spyware: Global enabled, Outbound Anti-Spyware enabled, All of HTTP/POP3/SMTP/FTP/IMAP is Disabled
SonicWall Appliance 2:
IPS: Global Disabled
GAV: Global enabled (all protocols can be enabled or just the default ones)
Anti-Spyware: Global enabled, Outbound Anti-Spyware is Disabled, Some or all of HTTP/POP3/SMTP/FTP/IMAP is Enabled

Activating Security Services

To activate a SonicWall Security Service, refer to the specific Security Service chapter.

Configuring SonicWall Content Filtering Service

Security Services > Content Filter

The Security Services > Content Filter page allows you to configure the Restrict Web Features and Trusted Domains settings, which are included with SonicOS. You can activate and configure SonicWall Content Filtering Service (SonicWall CFS) as well as a third-party Content Filtering product from the Security Services > Content Filter page.

NOTE: SonicWall Content Filtering Service is a subscription service upgrade. You can try a FREE TRIAL of SonicWall CFS directly from your SonicOS management interface. See Activating a SonicWall CFS FREE TRIAL.
Topics:

Restrictions and Limitations

NOTE: Content Filtering Service (CFS) consent is not supported in Wire Mode.

Size limitations and maximums for CFS are as follows:

A maximum of 64 CFS policies are allowed.
Each policy can have a custom allowed/forbidden/keyword list that is either global (with max of 1024 entries) or local to the policy (with max of 100 entries). The effective maximum for each policy is 1024.

Each of these allowed/forbidden lists is stored as a tree, and domain names are searched against the tree.

Each domain is searched through these trees in order: the allowed list, the forbidden list, the keyword list, then the three lists are searched in order again if there are user/group specific policies configured.

A maximum of 500 domains/entries across all custom categories are allowed.
Each URL can have a maximum of 80 characters.
A maximum of 100 keywords are allowed for each allowed/forbidden list.
Each keyword can have a maximum of 16 characters.

SonicWall CFS Implementation with Application Control

The latest iteration of the CFS feature allows you to use the power of SonicWall’s Application Control feature to create a more powerful and flexible solution.

NOTE: While the new Application Control method of CFS management offers more control and flexibility, you can still choose the previous user/zone management method to perform content filtering.

Features for CFS Management Using Application Control

The CFS feature allows you to use the power of SonicWall’s App Rules feature to create a more powerful and flexible solution.

NOTE: While the App Rules method of CFS management offers more control and flexibility, you can still choose the previous user/zone management method to perform content filtering.
Application Control - App Rules is included as part of the CFS rule creation process to implement more granular, flexible and powerful content filter policy control, by creating CFS Allowed/Forbidden domain lists within Match Objects in the App Rules framework. An App Rules policy can be enforced according to a schedule.
Application Objects - users/groups, address objects and zones can be assigned for individual CFS policies.
Bandwidth Management - CFS specifications can be included in bandwidth management policies based on CFS website categories. This also allows use of ‘Bandwidth Aggregation’ by adding a per-action bandwidth aggregation method.

Features Applicable to All CFS Management Methods

SSL Certificate Common Name - HTTPS Content Filtering is significantly improved by the ability to use an SSL certificate common name, in addition to server IP addresses.
New CFS Categories - Multimedia, Social Networking, Malware, and Internet Watch Foundation CAIC are included in the CFS list.

SonicWall Legacy Content Filtering Service

SonicWall Content Filtering Service (CFS) enforces protection and productivity policies for businesses, schools and libraries to reduce legal and privacy risks while minimizing administration overhead. SonicWall CFS utilizes a dynamic database of millions of URLs, IP addresses and domains to block objectionable, inappropriate or unproductive Web content. At the core of SonicWall CFS is an innovative rating architecture that cross references all Web sites against the database at worldwide SonicWall co-location facilities. A rating is returned to the SonicWall security appliance and then compared to the content filtering policy established by you. Almost instantaneously, the Web site request is either allowed through or a Web page is generated by the SonicWall security appliance informing the user that the site has been blocked according to policy.

With SonicWall CFS, you have a flexible tool to provide comprehensive filtering based on keywords, time of day, trusted and forbidden domain designations, and file types such as Cookies, Java™ and ActiveX® for privacy. SonicWall CFS automatically updates the filters, making maintenance substantially simpler and less time consuming.

SonicWall CFS can also be customized to add or remove specific URLs from the blocked list and to block specific keywords. When a user attempts to access a site that is blocked by the SonicWall security appliance, a customized message is displayed on the user’s screen. SonicWall security appliance can also be configured to log attempts to access sites on the SonicWall Content Filtering Service database, on a custom URL list, and on a keyword list to monitor Internet usage before putting new usage restrictions in place.

SonicWall CFS Premium blocks 56 categories of objectionable, inappropriate or unproductive Web content. SonicWall CFS Premium provides you with greater control by automatically and transparently enforcing acceptable use policies. It gives you the flexibility to enforce custom content filtering policies for groups of users on the network. For example, a school can create one policy for teachers and another for students.

YouTube for Schools and SonicWall Content Filtering Service

YouTube for Schools is a service that allows for customized YouTube access for students, teachers, and administrators. YouTube Education (YouTube EDU) provides schools access to hundreds of thousands of free educational videos. These videos come from a number of respected organizations.

School administrators and teachers can log in and watch any video, but students cannot log in and can only watch YouTube EDU videos or videos their school has added. All comments and related videos are disabled and search is limited to YouTube EDU videos.

You can customize the content available in your school. All schools get access to all of the YouTube EDU content, but teachers and administrators can also create playlists of videos that are viewable only within their school's network.

YouTube.com/Teachers has hundreds of playlists of videos that align with common educational standards, organized by subject and grade. These playlists were created by teachers for teachers so you can spend more time teaching and less time searching.

Configuring YouTube for Schools

To configure YouTube for Schools:

1. Before configuring your SonicWall security appliance for YouTube for Schools, you must first sign up at www.youtube.com/schools. You will need a YouTube account to manage YouTube for your school.
2. Once you have registered, click on the Manage my account button or go to www.youtube.com/account_school.
3. Scroll down to Step 1 to locate your YouTube for Schools ID. It is the string at the end of the X-YouTube-Edu-Filter: line. Copy this School ID to your clipboard.
4. Now go to the management interface for your SonicWall security appliance. The configuration process varies depending on whether you are using CFS 3.0 or Legacy CFS. For configuration information, see the appropriate example:
5. Configure access to videos and video playlists at www.youtube.com/account_school.

CFS Policy Management Overview

When a CFS policy assignment is implemented using the Application Control method, it is controlled by Application Control CFS policies in the Firewall > App Rules page instead of by Users and Zones.

While the new Application Control method of CFS management offers more control and flexibility, the administrator can still choose the previous user/zone management method to perform content filtering.

Topics:

The CFS App Control Policy Settings Dialog

There are multiple changes/additions to the CFS policy creation dialog when used in conjunction with Application Control. The table and image in this section provide information on Application Control interface for CFS.

To access the App Control Policy Settings dialog:

1. Go to Firewall > App Rules.
2. Click the Add New Policy button. The Edit App Control Policy dialog displays.
   NOTE: The maximum number of policy entries is 64.
3. Populate the fields in the App Control Policy Settings dialog as indicated in the following table.
 

App Control Policy Settings

Feature - Function

Policy Name - A friendly name for the policy. If applying a single policy to multiple groups, it is often a good idea to include the group name in this field. The minimum length is 0 characters and the maximum is 96 characters.
Policy Type - Select CFS from the drop-down menu to show the content filtering options. The CFS policy type allows creation of policies for content filtering.
Address - Address or address group to which this policy is applied. The default value is Any, which is also the most common selection for CFS policies.
Exclusion Address - Address or address group to exclude from this policy. The default value is None, which is also the most common selection for CFS policies.
Match Object - Select the relevant application object; this object dictates the type of content that will trigger the policy to be enforced. You create these objects in the Firewall > Match Objects page.
Action Object - Select the action to perform. These can be pre-defined actions such as CFS block page, or custom actions which you may define in the Firewall > Action Objects window. The default is No Action.
Users/Groups - Choose individual users or groups from the Included (default: All) or Excluded (default: None) drop-down menu for this policy.
Schedule - Select a specific schedule to dictate when this policy is to be enforced. The default value is Always on.
Enable flow reporting - Select to enable reporting for local internal flow reporting, AppFlow Server external flow reporting, and the IPFIX collector. This option is not selected by default.
Enable Logging - Select to enable logging of any actions taken on behalf of this policy. This option is selected by default.
Log Using CFS Message Format - Select to use the legacy CFS logging format. This option is not selected by default.
Log Redundancy Filter (seconds) - Dictates the sensitivity of the log-redundancy filter. Select to use the Global Log Redundancy Filter setting from the Firewall > App Rules page; the Use Global Settings field becomes dimmed. This option is selected by default. To enter your own per-policy setting, uncheck the Log Redundancy Filter checkbox and enter the duration, in seconds, in the field. The default is 1.
Zone - Select a specific zone on which this policy is to be enforced. The default value is Any.
CFS Allow/Excluded List - Select a custom allow list to allow selected resources. The default value is None.
CFS Forbidden/Included List - Select a custom forbidden list to deny selected resources. The default value is None.
Enable Safe Search Environment - Select this option to require the strictest filtering on all searches on search engines like Google and Yahoo that offer some form of safe-search filtering for preventing adult or potentially offensive content from appearing in search results. This option is not selected by default.
Enable YouTube for Schools - Select this option to enable YouTube for Schools filtering. This option is not selected by default.
School ID - If you checked the Enable YouTube for Schools checkbox, enter your YouTube for Schools ID.

4. Click OK.

Choosing CFS Policy Management Type

The choice of which policy management method to use – Via User and Zone Screens or Via Application Control – is made in the Security Services > Content Filter page.

NOTE: While the new Application Control method of CFS management offers more control and flexibility, you can still choose the previous user/zone management method to perform content filtering.

If you schedule through Application Control (Firewall > App Rules), but the Application Control is blocked in Firewall > App Control Advanced, the Application Control schedule is ignored because App Control Advanced is evaluated first.

Enabling Application Control and CFS

Before the services begin to filter content, you must enable them:

1. Navigate to the Security Services > Content Filter page.
2. Select Via App Rules from the CFS Policy Assignment drop-down menu.
3. Click the Accept button to apply the change.
4. Navigate to the Firewall > App Rules page.
5. Select the Enable App Rules checkbox.

Bandwidth Management Methods

The Bandwidth Management feature can be implemented in two separate ways:

Per Policy Method
The bandwidth limit specified in a policy is applied individually to each policy.
Example: two policies each have an independent limit of 500kb/s, so the total possible bandwidth between those two rules is 1000kb/s.

Per Action Aggregate Method
The bandwidth limit action is applied (shared) across all policies to which it is applied.
Example: two policies share a BWM limit of 500kb/s, limiting the total bandwidth between the two policies to 500kb/s.

Bandwidth Aggregation Method is selected from the Firewall > Action Objects page, as described in Configuring BWM in an Action Object, and the Bandwidth Management Type is set to Advanced on the Firewall Settings > BWM page. For more information about the Bandwidth Management Type settings, see the Bandwidth Management Overview.
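As an added model (not SonicWall code) of the difference between the two methods, the Python below gives each of two policies its own token bucket under the per-policy method and one shared bucket under the per-action aggregate method, then offers more traffic than either limit allows. With a 500kb/s limit it passes 1000kb/s in total under the first method and 500kb/s under the second, the figures in the examples above. The bucket size (one second of burst), the policy names and the round-robin offering of packets are assumptions of the example, not appliance behaviour.

```python
# Added example (not SonicWall code): token-bucket model of the two BWM methods.


class TokenBucket:
    """Tokens are kilobits; the bucket refills at `rate_kbps` per second."""

    def __init__(self, rate_kbps):
        self.rate = rate_kbps
        self.capacity = rate_kbps   # assumption: burst of at most one second's worth
        self.tokens = rate_kbps

    def refill(self, seconds=1):
        self.tokens = min(self.capacity, self.tokens + self.rate * seconds)

    def try_send(self, kbits):
        if kbits <= self.tokens:
            self.tokens -= kbits
            return True
        return False


def build_buckets(policy_names, limit_kbps, method):
    """Per policy: one bucket each. Per action aggregate: one shared bucket."""
    if method == "per_policy":
        return {name: TokenBucket(limit_kbps) for name in policy_names}
    if method == "per_action_aggregate":
        shared = TokenBucket(limit_kbps)
        return {name: shared for name in policy_names}
    raise ValueError(f"unknown method: {method}")


def simulate(method, seconds=10, limit_kbps=500, packet_kbits=10, demand_packets=100):
    """Two policies each try to push `demand_packets` packets per second
    (more than the limit allows) in round-robin order. Returns the kilobits
    each policy actually got through and the combined throughput in kb/s."""
    names = ["policy_A", "policy_B"]          # constructed policy names
    buckets = build_buckets(names, limit_kbps, method)
    sent = {name: 0 for name in names}
    # A shared bucket must be refilled once per tick, not once per policy.
    distinct = {id(b): b for b in buckets.values()}.values()
    for _ in range(seconds):
        for bucket in distinct:
            bucket.refill(1)
        for _ in range(demand_packets):
            for name in names:
                if buckets[name].try_send(packet_kbits):
                    sent[name] += packet_kbits
    total_kbps = sum(sent.values()) / seconds
    return sent, total_kbps


if __name__ == "__main__":
    for method in ("per_policy", "per_action_aggregate"):
        sent, total = simulate(method)
        print(f"{method:22} {sent}  total {total:.0f} kb/s")
```

Under the aggregate method the two policies split the single 500kb/s budget between them, which is the behaviour to expect when several App Rules reference the same BWM action object.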

Policies and Precedence: How Policies are Enforced

This section provides an overview of the policy enforcement mechanism in CFS 3.0 to help you create a streamlined set of rules without unnecessary redundancy or conflicting rule logic.

Each allowed/forbidden list is stored as a tree, and domain names are searched against the tree. Each domain is searched through these trees in order: the allowed list, the forbidden list, the keyword list, then the three lists again if there are user-/group-specific policies configured.
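As an added illustration (not SonicWall code) of the lookup order described above and in Restrictions and Limitations, the following Python keeps each list as a tree keyed by DNS labels, checks a requested domain against the allowed list, then the forbidden list, then the keyword list, and repeats the same three checks against a user/group-specific policy's lists when one applies. The tree shape, the `CustomLists` and `evaluate` names, the reading that the second pass covers the user/group policy's lists, and the `"rate"` result (no custom entry matched, so the CFS category rating decides) are assumptions of this example; the size limits are the ones quoted in Restrictions and Limitations.

```python
# Added example (not SonicWall code): models the CFS custom-list lookup order.
from dataclasses import dataclass, field
from typing import List

# Limits quoted in the guide's "Restrictions and Limitations" section.
MAX_URL_LEN = 80
MAX_KEYWORDS = 100
MAX_KEYWORD_LEN = 16


class DomainTree:
    """Tree keyed by DNS labels, right to left, so an entry for
    'example.com' also matches 'www.example.com' but not 'notexample.com'."""

    def __init__(self):
        self.root = {}

    @staticmethod
    def _labels(domain):
        return reversed(domain.lower().strip(".").split("."))

    def add(self, domain):
        if len(domain) > MAX_URL_LEN:
            raise ValueError(f"entry longer than {MAX_URL_LEN} characters: {domain}")
        node = self.root
        for label in self._labels(domain):
            node = node.setdefault(label, {})
        node["$"] = True  # "$" marks the end of a stored entry

    def matches(self, domain):
        node = self.root
        for label in self._labels(domain):
            node = node.get(label)
            if node is None:
                return False
            if "$" in node:  # a stored entry is a suffix of the request
                return True
        return False


@dataclass
class CustomLists:
    """The allowed, forbidden and keyword lists attached to one CFS policy."""
    allowed: DomainTree = field(default_factory=DomainTree)
    forbidden: DomainTree = field(default_factory=DomainTree)
    keywords: List[str] = field(default_factory=list)

    def add_keyword(self, word):
        if len(self.keywords) >= MAX_KEYWORDS:
            raise ValueError(f"keyword list already holds {MAX_KEYWORDS} entries")
        if len(word) > MAX_KEYWORD_LEN:
            raise ValueError(f"keyword longer than {MAX_KEYWORD_LEN} characters: {word}")
        self.keywords.append(word.lower())

    def lookup(self, domain):
        """Search in the documented order; None means no custom entry matched."""
        if self.allowed.matches(domain):
            return "allow"
        if self.forbidden.matches(domain):
            return "block"
        if any(word in domain.lower() for word in self.keywords):
            return "block"
        return None


def evaluate(domain, default_lists, group_lists=None):
    """First pass over the default policy's lists, second pass (same order)
    over the user/group-specific policy's lists if one is configured.
    "rate" = no custom entry matched, so the CFS category rating decides."""
    verdict = default_lists.lookup(domain)
    if verdict is None and group_lists is not None:
        verdict = group_lists.lookup(domain)
    return verdict or "rate"


def demo():
    """Constructed sample lists; returns the verdict for a few requests."""
    default = CustomLists()
    default.allowed.add("example.com")
    default.forbidden.add("mail.example.com")   # allowed list wins: it is checked first
    default.forbidden.add("badsite.example")
    default.add_keyword("casino")
    engineering = CustomLists()
    engineering.forbidden.add("social.example")
    return {
        "www.example.com": evaluate("www.example.com", default, engineering),
        "mail.example.com": evaluate("mail.example.com", default, engineering),
        "badsite.example": evaluate("badsite.example", default),
        "play-casino.example": evaluate("play-casino.example", default),
        "social.example (default only)": evaluate("social.example", default),
        "social.example (engineering)": evaluate("social.example", default, engineering),
        "news.example": evaluate("news.example", default, engineering),
    }


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request:32} -> {verdict}")
```

The `mail.example.com` case is the one worth checking on a real policy set: because the allowed list is consulted first, an allowed parent domain makes a forbidden entry for one of its hosts unreachable, so host-level exceptions belong on the forbidden side only when the parent is not also allowed.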

Topics:

Policy Enforcement Across Different Groups

The basic default behavior for CFS policies assigned to different groups is to follow standard most specific / least restrictive logic, meaning:

The most specific rule is always given the highest priority.

Example

A rule applying to the “Engineering” group (a specific group) is given precedence over a rule applying to the “All” group (the least specific group).

Policy Enforcement Within The Same Group

The basic default behavior for CFS policies within the same group is to follow an additive logic, meaning:

Rules are enforced additively

Example
CFS policy 1 disallows porn, gambling, and social networking.
CFS policy 2 applies bandwidth management of 1Mbps to sports and adult content.

The end result of these policies is that sports and adult content are bandwidth managed, even though the first policy implies that they are allowed.

Policy Enforcement with a Schedule

An App Rule with a schedule is in effect only during the schedule.

Example

An App Rule blocks traffic to social networking during working hours (8:00 am to 5:00 pm). Between 5:00 pm and 8:00 am, social networking can be accessed.

NOTE: If an application is blocked in App Control Advanced, the App Rules schedule for it does not matter because App Control Advanced is evaluated first.
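As an added illustration (not SonicWall code), the following Python models the three rules of this section together: across groups, only the policies of the most specific matching group apply (the example treats any named group as more specific than All); within that group, policies add up, so a bandwidth limit still applies to content another policy leaves allowed; and a scheduled policy applies only inside its window, with an App Control Advanced block checked before any of that, as the NOTE says. The `Policy` class, the specificity ranking and the constructed policy set are assumptions of the example, and the 1Mbps limit from the example above appears as 1000 kbps.

```python
# Added example (not SonicWall code): models group precedence, additive
# enforcement within a group, schedules, and App Control Advanced priority.
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class Policy:
    name: str
    group: str                              # "All" is the least specific group
    blocked: FrozenSet[str] = frozenset()   # categories this policy blocks
    bwm_kbps: Dict[str, int] = field(default_factory=dict)  # category -> limit
    schedule: Optional[Tuple[time, time]] = None  # (start, end); None = Always on

    def active(self, now):
        """A scheduled rule is in effect only inside its window."""
        if self.schedule is None:
            return True
        start, end = self.schedule
        return start <= now < end


def specificity(group):
    """Assumed ranking: any named group is more specific than 'All'."""
    return 0 if group == "All" else 1


def enforce(policies, user_groups, category, now, app_control_advanced_blocked=frozenset()):
    """Combined verdict for one request from a user who belongs to `user_groups`."""
    # App Control Advanced is evaluated first, so its block ignores any schedule.
    if category in app_control_advanced_blocked:
        return {"action": "block", "bwm_kbps": None, "by": ["App Control Advanced"]}
    applicable = [p for p in policies if p.group in user_groups and p.active(now)]
    if not applicable:
        return {"action": "allow", "bwm_kbps": None, "by": []}
    # Across groups: only the policies of the most specific matching group apply.
    best = max(specificity(p.group) for p in applicable)
    chosen = [p for p in applicable if specificity(p.group) == best]
    verdict = {"action": "allow", "bwm_kbps": None, "by": []}
    # Within that group: additive, every policy contributes its restriction.
    for p in chosen:
        if category in p.blocked:
            verdict["action"] = "block"
            verdict["by"].append(p.name)
        if category in p.bwm_kbps:
            limit = p.bwm_kbps[category]
            current = verdict["bwm_kbps"]
            verdict["bwm_kbps"] = limit if current is None else min(current, limit)
            verdict["by"].append(p.name)
    return verdict


# Constructed policy set mirroring the examples above (1Mbps = 1000 kbps).
POLICIES = [
    Policy("Block objectionable", "All", blocked=frozenset({"porn", "gambling"})),
    Policy("Throttle leisure", "All", bwm_kbps={"sports": 1000, "adult": 1000}),
    Policy("No social at work", "All", blocked=frozenset({"social"}),
           schedule=(time(8, 0), time(17, 0))),
    Policy("Engineering", "Engineering", blocked=frozenset({"gambling"})),
]


def demo():
    """Verdicts for a member of All only and for an Engineering member."""
    staff = {"All"}
    engineers = {"All", "Engineering"}
    return {
        "sports@10": enforce(POLICIES, staff, "sports", time(10, 0)),
        "social@10": enforce(POLICIES, staff, "social", time(10, 0)),
        "social@18": enforce(POLICIES, staff, "social", time(18, 0)),
        "eng social@10": enforce(POLICIES, engineers, "social", time(10, 0)),
        "eng gambling@10": enforce(POLICIES, engineers, "gambling", time(10, 0)),
        "social@18 adv": enforce(POLICIES, staff, "social", time(18, 0),
                                 app_control_advanced_blocked={"social"}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} -> {verdict}")
```

The Engineering cases show the side effect of most-specific precedence that is easy to miss when reviewing a rule set: once a group-specific policy matches, the All-group block list no longer applies to that user, so anything the All policies were relied on to block must be repeated in the more specific policy.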

Blocking Forbidden Content

To create a CFS Policy for blocking forbidden content:

Create an Application Object

To create an application object containing forbidden content:
1. Navigate to the Firewall > Match Objects page in the SonicOS management interface.
2. Click the Add New Match Object button; the Add/Edit Match Object dialog displays.
3. Enter a descriptive Object Name, such as ‘Forbidden Content’. The minimum length is 0 characters, and the maximum is 96.
4. Select CFS Category List from the Match Object Type drop-down menu. The window changes to display a list of categories.
5. Use the checkboxes to select the categories you wish to add to the forbidden content list. To select all categories, check the Select all Categories checkbox.
6. Click the OK button to add the object to the Application Objects list. If more than 10 objects have been selected, the list shows only the first 10 and an ellipsis (…).

Create an Application Control Policy to Block Forbidden Content

To create an Application Control policy to block content defined in the Application Object:
1. Navigate to the Firewall > App Rules page in the SonicOS management interface.
2. Click the Add New Policy button; the Edit App Control Policy dialog displays.
3. Enter a descriptive name for this action in the Policy Name field, such as Block Forbidden Content. The name can be up to 96 characters.
4. Select CFS from the Policy Type drop-down list. The available options change.
5. From the Match Object drop-down menu, select the object you created in the previous section. In the case of our example, this object is named Forbidden Content.
6. From the Action Object drop-down menu, select CFS block page to display a pre-formatted blocked-content page when users attempt to access forbidden content.
7. Optionally, choose individual users or groups from the Users/Groups Included (default: All) or Excluded (default: None) drop-down menus for this policy.
8. Optionally, select a Schedule of days and times when this rule is to be enforced from the drop-down menu. The default schedule is Always On.
9. Optionally, select the check box for Log using CFS message format if you wish for the logs to use this format instead of the standard Application Control format.
10. Optionally, select the appropriate Zone where the policy is to be enforced. The default is Any.
11. Optionally, select a CFS Allow/Excluded List to enforce on this particular policy.
12. Optionally, select the appropriate CFS Forbidden/Included List to enforce on the particular policy.
13. Click the OK button to create this policy. The App Rules Policies table is updated.

Bandwidth Managing Content

To create a CFS Policy for applying BWM to non-productive content:

Create an Application Object for Non-Productive Content

To create an application object containing non-productive content:
1. Navigate to the Firewall > Match Objects page in the SonicOS management interface.
2. Click the Add New Match Object button; the Add/Edit Match Object dialog displays.
3. Enter a descriptive Object Name, such as Non-Productive Content.
4. Select CFS Category List from the Match Object Type drop-down menu.
5. Use the checkboxes to select the categories you wish to add to the content list.
6. Click the OK button to add the object to the Application Objects list. If more than 10 objects have been selected, the list shows only the first 10 and an ellipsis (…).

Create a Bandwidth Management Action Object

Although Application Control contains pre-configured action objects for bandwidth management, a custom action object provides more control, including the ability to manage bandwidth per policy or per action.

For information on configuring bandwidth management, see Configuring BWM in an Action Object.

Create an Application Control Policy to Manage Non-Productive Content

To create an Application Control policy to block content defined in the Application Object:
1
Navigate to the Firewall > App Rules page in the SonicOS management interface.
2
Click the Add New Policy button; the Edit App Content Policy dialog displays.
3
Enter a descriptive name for this action in the Policy Name field. The name can be up to 96 characters.
4
Select CFS from the Policy Type drop-down menu. The available options change.
5
From the Match Object drop-down menu, select the object you created in the previous section. In the case of our example, this object is named Non-Productive Content.
6
From the Action Object drop-down menu, select the BWM action object, Bandwidth Management - 100k, that you created to apply this custom BWM rule when users attempt to access non-productive content.
* 
NOTE: If you chose not to create a custom BWM object, you may use one of the pre-defined BWM objects (Advanced BWM High, Advanced BWM Medium, or Advanced BWM Low).
7
Optionally, select the Users/Groups to be Included in or Excluded from this policy from the drop-down lists. Our example uses the defaults of including All and excluding None.
8
Optionally, select a Schedule of days and times when this rule is to be enforced from the drop-down list. Our example uses the pre-defined Work Hours selection to enforce this policy only during weekday work hours. The default is Always on.
9
Optionally, select the checkbox for Log using CFS message format if you wish for the logs to use this format instead of the standard Application Control format.
10
Optionally, select the appropriate Zone where the policy is to be enforced. Our example uses LAN to enforce the policy on all traffic traversing the local network. The default is Any.

11
Click the OK button to create this policy. The App Rules Policy table is updated.

Applying Policies to Multiple Groups

This section details applying a single policy to multiple user groups. CFS allows you to apply one policy to different groups, allowing for variation (in time restrictions, exclusions, etc.) in the way it is applied to users.

To apply a policy to multiple groups:

Creating a Group-Specific Application Control Policy

To create an Application Control policy to block content defined in the Application Object:
1
Navigate to the Firewall > App Rules page in the SonicOS management interface.
2
Click the Add New Policy button; the Edit App Control Policy dialog displays.
3
Enter a descriptive name for this action in the Policy Name field. For easy identification, this name can include the user group to which you are applying the policy.
4
Select CFS from the Policy Type drop-down list.
5
Select a Match Object from the drop-down list. Our example uses Non-Productive Content.
6
Select an Action Object from the drop-down list. Our example uses the pre-defined BWM Medium action to manage bandwidth of the applicable content.
7
Select the Users/Groups to be Included in or Excluded from this policy from the drop-down lists. Our example uses the Trusted Users group, although you may choose a different or custom group depending on your needs.
8
Select a Schedule appropriate for this group. Our example uses the pre-defined Work Hours schedule.

With the selections in this example, Non-Productive Content is bandwidth managed for Trusted Users only during Work Hours.

9
Click the OK button to create this policy. The new policy displays in the Application Firewall Policies list.

10
Repeat Step 2 through Step 9 with variations required by your implementation to create a policy for each required group.

Creating a Custom CFS Category

This section details creating a custom CFS category entry. CFS allows you not only to create custom Policies, but also allows for custom domain name entries to the existing CFS rating categories. This allows for insertion of custom CFS-managed content into the existing and very flexible category structure.

Enabling CFS Custom Categories

1
Navigate to the Security Services > Content Filter page in the SonicOS management interface.
2
Scroll down to the CFS Custom Category section and select the Enable CFS Custom Category checkbox.

3
Click the Accept button to save your changes and enable the Custom Category feature.

Adding a New CFS Custom Category Entry

1
After enabling the CFS Custom Category in the Security Services > Content Filter page, CFS Custom Category section, click the Add… button. The Edit CFS Local Rating dialog displays.

2
Enter a descriptive Name for the custom entry.
3
Choose the pre-defined Category to which this entry will be added.
4
Enter a domain name into the Content field.
* 
NOTE: All subdomains of the domain entered are affected. For example, entering “yahoo.com” applies to “mail.yahoo.com” and “my.yahoo.com”, hence it is not necessary to enter all FQDN entries for subdomains of a parent domain.
5
Add the domain name to the List by clicking the Add button.
6
Repeat the previous two steps for each domain to be included in this CFS Custom Category.

7
When you have finished adding domain names, click the OK button to add this custom category. The CFS Custom Category table is updated; multiple domains are separated by a caret (^).

Configuring YouTube for Schools as an App Policy

This section describes how to configure YouTube for Schools when using CFS 3.0. For more information on signing up for and configuring YouTube for Schools, see SonicWall Legacy Content Filtering Service.

1
On the Security Services > Content Filter page, ensure that the CFS Policy Assignment drop-down menu is set for Via App Rules.

2
Click the Accept button.
3
Navigate to the Firewall > App Rules page.
4
Click Add New Policy.

5
For the Policy Type, select CFS.
6
Select the appropriate Match Object from the drop-down menu.
7
For Action Object, select No Action.
8
Select the Enable YouTube for Schools checkbox.
9
Paste in your School ID, which is obtained from www.youtube.com/schools.
10
Click OK. The policy is added to the App Rules Policies table.

* 
TIP: Ensure that there are no rules configured on the appliance that would block youtube.com.

Access to YouTube will now be governed by YouTube for Schools. Students will only be able to access YouTube EDU videos, while allowed teachers and administrators will have full access.

Legacy Content Filtering Examples

The following sections describe how to configure the settings on the Security Services > Content Filter page using legacy Content Filtering methods.

* 
NOTE: It is not possible to create advanced rules which utilize bandwidth management and application filter policy control when using the ‘legacy’ method of Content Filtering. For advanced rule creation, see the CFS Policy Management Overview.

Content Filter Status

If SonicWall CFS is activated, the Content Filter Status section displays the status of the Content Filter Server, as well as the date and time that your subscription expires. The expiration date and time is displayed in Universal Time Code (UTC) format.

You can also access the SonicWall CFS URL Rating Review Request form by clicking the here link in the sentence "If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click here."

If SonicWall CFS is not activated, you must purchase a license subscription for full content filtering functionality, including custom CFS Policies. If you do not have an Activation Key, you must purchase SonicWall CFS from a SonicWall reseller or from your MySonicWall.com account (limited to customers in the USA and Canada).

Activating SonicWall CFS

If you have an Activation Key for your SonicWall CFS subscription, follow these steps to activate SonicWall CFS:

* 
NOTE: You must have a MySonicWall.com account and your SonicWall security appliance must be registered to activate SonicWall Client Anti-Virus.
1
Click the SonicWall Content Filtering Subscription link on the Security Services > Content Filtering page. The MySonicWall.com Login page is displayed.
2
Enter your MySonicWall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed.
* 
NOTE: If your SonicWall security appliance is already connected to your MySonicWall.com account, the System > Licenses page appears after you click the SonicWall Content Filtering Subscription link.
3
Click Activate or Renew in the Manage Service column in the Manage Services Online table.
4
Type in the Activation Key in the New License Key field and click Submit. Your SonicWall CFS subscription is activated on your SonicWall.
5
When you activate SonicWall CFS at MySonicWall.com, the SonicWall CFS activation is automatically enabled on your SonicWall within 24 hours, or you can click the Synchronize button on the Security Services > Summary page to update your SonicWall immediately.
Activating a SonicWall CFS FREE TRIAL

You can try a FREE TRIAL of SonicWall CFS by following the steps described in Obtaining Free Trial Subscriptions.

Content Filter Type

Select one of the content filtering options available on the SonicWall security appliance from the Content Filter Type menu:

Content Filter Service - Selecting SonicWall CFS as the Content Filter Type allows you to access SonicWall CFS functionality that is included with SonicOS Enhanced, and also to configure custom CFS Policies that are available only with a valid subscription. You can obtain more information about SonicWall Content Filtering Service at http://www.SonicWall.com/products/cfs.html.
Websense Enterprise - Websense Enterprise is also a third party content filter list supported by SonicWall security appliances.

The note "Enforce the Content Filtering per zone from the Network > Zone page" contains a Network > Zones link. Clicking it displays the Network > Zones page, where you can enable SonicWall Content Filtering Service on network zones.

* 
NOTE: For this link to appear, you must select Via User and Zone Screens from the CFS Policy Assignment drop-down menu.

Restrict Web Features

Restrict Web Features enhances your network security by blocking potentially harmful Web applications from entering your network.

Restrict Web Features are included with SonicOS. Select any of the following applications to block:

ActiveX - A programming language that embeds scripts in Web pages. Malicious programmers can use ActiveX to delete files or compromise security. Select the ActiveX check box to block ActiveX controls.
Java - Used to download and run small programs, called applets, on Web sites. It is safer than ActiveX as it has built-in security mechanisms. Select the Java check box to block Java applets from the network.
Cookies - Used by Web servers to track Web usage and remember user identity. Cookies can also compromise users' privacy by tracking Web activities. Select the Cookies check box to disable Cookies.
Access to HTTP Proxy Servers - When a proxy server is located on the WAN, LAN users can circumvent content filtering by pointing their computer to the proxy server. Check this box to prevent LAN users from accessing proxy servers on the WAN.

Trusted Domains

Trusted Domains can be added to enable content from specific domains to be exempt from Restrict Web Features.

If you trust content on specific domains and want them to be exempt from Restrict Web Features, follow these steps to add them:

1
Select the Do not block Java/ActiveX/Cookies to Trusted Domains checkbox.
2
Click Add…. The Add Trusted Domain Entry dialog displays.

3
Enter the trusted domain name in the Domain Name field.
4
Click OK. The trusted domain entry is added to the Trusted Domains table.

To keep the trusted domain entries but enable Restrict Web Features, uncheck Do not block Java/ActiveX/Cookies to Trusted Domains. To delete an individual trusted domain, click on the Delete icon for the entry. To delete all trusted domains, click Delete All. To edit a trusted domain entry, click the Edit icon.

CFS Exclusion List for the Administrator

The Do not bypass CFS blocking for the Administrator check box controls content filtering for administrators. By default, when the administrator (“admin” user) is logged into the SonicOS management interface from a system, CFS blocking is suspended for that system’s IP address for the duration of the authenticated session. If you prefer to provide content filtering and apply CFS policies to the IP address of the administrator’s system, select the Do not bypass CFS blocking for the administrator check box.

CFS Exclusion List

Address objects can be manually added to or deleted from the CFS Exclusion List. For traffic from the address objects in the CFS Exclusion List, content filtering is disabled and the traffic is allowed access through any firewall access rules that are set to allow only certain users without requiring the user to be authenticated. If Single Sign On is enabled, that traffic will not initiate SSO. These address objects are treated as trusted domains. Select Enable CFS Exclusion List to enable this feature.

Adding Address Objects to the CFS Exclusion List
To add an address object to the CFS Exclusion List:
1
Scroll down to the CFS Exclusion List section of the Security Services > Content Filter page.
2
Select the Enable CFS Exclusion List check box.

3
Select the type of exclusion:
CFS only
CFS and user authentication in access rules (default)
4
Select an address object from the drop-down menu or create a new one.
5
Click Accept on the Security Services > Content Filter page.
Disabling the CFS Exclusion List

To disable the CFS Exclusion List, uncheck the Enable CFS Exclusion List check box.

CFS Policy per IP Address Range

To configure a custom CFS policy for a range of IP addresses:
1
On the Security Services > Content Filter page, scroll down to the CFS Policy per IP Address Range section and select the Enable Policy per IP Address Range check box.

2
Click Add…. The Add CFS Policy per IP range dialog displays.

3
Enter the first IP address in the range in the IP Address From: field and the last address in the IP Address To: field.
4
Select the CFS policy to apply to this IP address range in the CFS Policy: drop-down menu.
5
Optionally add a comment about this IP address range in the Comment: field.
6
Click OK. The policy is added to the CFS Policy per IP Address Range table.
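The CFS Exclusion List and the CFS Policy per IP Address Range table both select treatment by client address. The following Python is an added illustration of that lookup, not SonicOS code: an excluded address object bypasses content filtering, otherwise the first matching range decides the policy, otherwise the default policy applies. The evaluation order, the function names, the overlap check and the sample addresses are assumptions made for this example; the "CFS only" versus "CFS and user authentication" exclusion types are not modelled.

```python
"""Resolve which legacy CFS treatment applies to a client IP address.

Added example (not SonicOS code). Models two controls from the
Security Services > Content Filter page: the CFS Exclusion List and
CFS Policy per IP Address Range. Names and sample data are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class PolicyRange:
    """One row of the CFS Policy per IP Address Range table."""
    ip_from: ipaddress.IPv4Address   # "IP Address From:" field
    ip_to: ipaddress.IPv4Address     # "IP Address To:" field
    policy: str                      # "CFS Policy:" selection
    comment: str = ""                # optional "Comment:" field

    def __post_init__(self) -> None:
        # Reject a reversed range before it silently matches nothing.
        if self.ip_from > self.ip_to:
            raise ValueError("IP Address From must not be greater than IP Address To")

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.ip_from <= ip <= self.ip_to


def parse_policy_range(ip_from: str, ip_to: str, policy: str, comment: str = "") -> PolicyRange:
    """Build a table row from the dotted-quad strings typed into the dialog."""
    return PolicyRange(ipaddress.IPv4Address(ip_from), ipaddress.IPv4Address(ip_to), policy, comment)


def resolve_cfs_policy(client_ip: str,
                       exclusion_networks: Iterable[ipaddress.IPv4Network],
                       ranges: Iterable[PolicyRange],
                       default_policy: str = "Default CFS Policy",
                       exclusion_enabled: bool = True) -> Optional[str]:
    """Return the policy name that applies, or None when CFS is bypassed.

    Assumed order for this illustration: an address in the (enabled)
    exclusion list is not content filtered at all; otherwise the first
    matching per-IP range wins; otherwise the default policy applies.
    """
    ip = ipaddress.IPv4Address(client_ip)
    if exclusion_enabled and any(ip in net for net in exclusion_networks):
        return None
    for row in ranges:
        if row.contains(ip):
            return row.policy
    return default_policy


def find_overlaps(ranges: List[PolicyRange]) -> List[Tuple[PolicyRange, PolicyRange]]:
    """Report pairs of rows whose ranges overlap (ambiguous policy assignment)."""
    overlaps = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.ip_from <= b.ip_to and b.ip_from <= a.ip_to:
                overlaps.append((a, b))
    return overlaps


# Constructed sample configuration (hypothetical addresses).
EXCLUSIONS = [ipaddress.ip_network("10.0.0.0/29")]  # e.g. a server address object
RANGES = [
    parse_policy_range("10.0.1.10", "10.0.1.99", "Students", "lab desks"),
    parse_policy_range("10.0.1.100", "10.0.1.150", "Staff", "faculty desks"),
]

if __name__ == "__main__":
    for addr in ("10.0.0.3", "10.0.1.50", "10.0.1.150", "10.0.1.200"):
        print(addr, "->", resolve_cfs_policy(addr, EXCLUSIONS, RANGES))
    print("overlapping rows:", find_overlaps(RANGES))
```

Running `find_overlaps` over the table before clicking Accept is the check worth keeping: two rows that cover the same address leave the effective policy dependent on table order.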

Web Page to Display when Blocking

You can fully customize the web page that is displayed to the user when access to a blocked site is attempted. To see a preview of the display, click the Preview button. To revert to the default page, click the Default Blocked Page button.

* 
NOTE: Due to potential vulnerability issues, scripting code (JavaScript) and HTML inline event attributes that invoke scripting code are not evaluated and/or might be disabled. Some of your preview pages may not render properly because of this limitation.
Default Blocked Page

The Default Blocked Page displays the Block policy, Client IP address, and the reason for the Block, as shown in this preview:

Configuring YouTube for Schools for Legacy CFS

This section describes how to configure YouTube for Schools when using Legacy CFS. For information on signing up for and configuring YouTube for Schools, see SonicWall Legacy Content Filtering Service.

1
Navigate to the Security Services > Content Filter page.
2
Ensure that the CFS Policy Assignment drop-down menu is set for Via User and Zone Screens.
3
From the Content Filter Type drop-down menu, select Content Filter Service.
4
Click Configure. The SonicWall Filter Properties dialog displays.

5
On the Policy tab, click the configure icon for the CFS policy on which you want to enable YouTube for Schools, or click Add to configure a new CFS policy.

If you selected a policy to edit, the Edit CFS Policy dialog displays.

6
Click on the Settings tab.

7
Select the Enable YouTube for Schools check box.
8
Paste in your School ID, which is obtained from www.youtube.com/schools.
9
Click OK. The SonicWall Filter Properties window redisplays.
* 
TIP: Ensure that there are no rules configured on the appliance that would block youtube.com.
10
Click OK.

Access to YouTube for this policy will now be governed by YouTube for Schools. Students will only be able to access YouTube EDU videos, while allowed teachers and administrators will have full access.

For information on setting up Content Filter Properties, see Configuring Legacy SonicWall Filter Properties.

Configuring Legacy SonicWall Filter Properties

For general information on Content Filter Service, see Security Services > Content Filter.

You can customize SonicWall content filtering features included with SonicOS from the SonicWall Filter Properties dialog. A valid subscription to SonicWall CFS Premium on a SonicWall security appliance running SonicOS Enhanced allows you to create custom policies to apply to specified user groups. The Default CFS Premium policy is used as the content filtering basis for all users not assigned to a specific custom policy.

* 
NOTE: SonicWall recommends that you make the Default CFS Premium policy the most restrictive policy. Custom CFS policies are subject to content filter inheritance. This means that all custom CFS policies inherit the filters from the Default CFS policy. To ensure proper content filtering, the Default CFS policy should be configured to be the most restrictive policy, then each custom policy should be configured to grant privileges that are otherwise restricted by the Default policy.
To display the SonicWall Filter Properties dialog:
1
Navigate to the Security Services > Content Filter page.
2
Select Content Filter Service from the Content Filter Type drop-down menu.
3
Click Configure. The SonicWall Filter Properties dialog displays.

For configuration information about the filter properties settings, see the following sections that describe the tabs on the SonicWall Filter Properties dialog:

CFS

The CFS tab allows you to:

Enable IP-based HTTPS Content Filtering.
Block or allow traffic to sites when the server is unavailable.
Set preferences for your URL cache.

The CFS tab has these sections:

Settings

The Settings section allows you to enable HTTPS content filtering, select what you want the firewall to do if the server is unavailable, and what it should do when access is attempted to a forbidden Web site.

Enable IP based HTTPS Content Filtering - Select this check box to enable HTTPS content filtering. HTTPS content filtering is IP- and host name-based, and will not inspect the URL. While HTTP content filtering can perform redirects to enforce authentication or provide a block page, HTTPS filtered pages will be silently blocked. You must provide the IP address for any HTTPS Web sites to be filtered.
Enable CFS Server Failover - Select this check box to enable CFS Server Failover.
Enable CFS Wire Mode - Select this check box to enable CFS Wire Mode.
If Server is unavailable for (seconds) - Set the amount of time after the content filter server is unavailable before the SonicWall security appliance takes action to either block access to all Web sites or allow traffic to continue to all Web sites. Then, select one of the following options:
* 
NOTE: If the server is unavailable, the firewall can allow access to Web sites in the cache memory. This means that by selecting the Block traffic to all Web sites check box, the firewall will only block Web sites that are not in the cache memory.
Block traffic to all Web sites - Select this feature if you want the SonicWall security appliance to block access to all Web sites until the content filter server is available.
Allow traffic to all Web sites - Select this feature if you want to allow access to all Web sites when the content filter server is unavailable. However, Forbidden Domains and Keywords, if enabled, are still blocked. This is the default setting.
If URL marked as Forbidden - If you have enabled blocking by Categories and the URL is blocked by the server, there are two options available, both of which are selected by default.
Block Access to URL - Selecting this option prevents the browser from displaying the requested URL to the user.
Log Access to URL - Selecting this option automatically logs access to forbidden URLs in the log file.
URL Cache

The URL Cache section allows you to configure the URL cache size on the SonicWall security appliance. Enter the size, in KB, in the Cache Size field.

* 
TIP: A larger URL cache size can provide noticeable improvements in Internet browsing response times.
URL Rating Review

If you believe that a Web site is rated incorrectly or you wish to submit a new URL to be rated, you can click the here link to display the SonicWall CFS URL Rating Review Request form for submitting the request. This can also be used to view the rating of a URL.

In the SonicWall CFS URL Rating Review Request form, enter a URL and verification text and then click Submit. A description of the URL is displayed. You can then select Rating Request to request that a URL be rated or that the rating be changed.

Policy

The Policy tab is only visible if the SonicWall appliance has a current subscription to SonicWall CFS Premium. The Policy tab allows you to modify the Default CFS policy and create custom CFS policies, which you can then apply to specific user groups in the Users > Local Groups page. The Default CFS policy is always inherited by every user. A custom CFS policy allows you to modify the default CFS configuration to tailor content filtering policies for particular user groups on your network.

* 
NOTE: To ensure proper content filtering, the Default CFS policy should be configured to be the most restrictive policy, and then each custom policy should be configured to grant privileges that are otherwise restricted by the Default policy.
Creating a Custom CFS Policy

Custom CFS policies can only be created when the appliance has a valid subscription for SonicWall CFS Premium.

To create new policy:
1
On the Policy tab of the SonicWall Filter Properties dialog, click Add to display the Add CFS Policy dialog.

2
Enter a name for the policy in the Name field.
3
Click the URL List tab.

4
In the Select Forbidden Categories list, by default, the Select all Categories check box is checked. Uncheck any category to which you want to allow access. Select the Select all categories check box if you want to block all categories, or uncheck the check box to deselect all categories and select individual categories.
5
Click the Settings tab.

6
Under Custom List Settings, from the following drop-down menus, select any of these settings: Global (default), None, or Per Policy:
Source of Allowed Domains - Select the source of allowed domains/URLs that are listed on the Custom List tab:
Source of Forbidden Domains - Select the source of forbidden domains/URLs that are listed on the Custom List tab.
Source of Keyword - Select the source to enable keyword blocking for the keywords that are listed in the Forbidden Keyword field on the Custom List tab.
* 
NOTE: The source for the Per Policy allowed domains, forbidden domains, and keywords are on the Custom List tab; see Step 10.
7
Under Safe Search Enforcement Settings, select Enable Safe Search Enforcement to enable the safe browsing options for certain search engines like Google and Yahoo.
* 
NOTE: Google Safe Search helps prevent adult content or other potentially offensive content from appearing in search results.
8
To configure YouTube for Schools:
a
Select Enable YouTube for Schools.
b
Enter your School ID.

For more information, see SonicWall Legacy Content Filtering Service.

9
To configure the schedule for Content Filtering enforcement, select one of the following from the drop-down menu under Filter Forbidden URLs by time of day:
* 
TIP: Time of Day restrictions only apply to the Content Filter List, Customized blocking, and Keyword blocking. Consent and Restrict Web Features are not affected.
Always on (default) - When selected, Content Filtering is enforced at all times.
Specific times, such as Work Hours or M-T-W-Th-F 08:00 to 17:00 - When selected, Content Filtering is enforced only during the time and days specified.
10
Click the Custom List tab.
* 
NOTE: The URLs and keywords entered in this tab are the source of the allowed domains, forbidden domains, and keywords in Step 6.
* 
CAUTION: Do not include the prefix “http://” in either the Allowed Domains or Forbidden Domains fields. All subdomains are affected. For example, entering “yahoo.com” applies to “mail.yahoo.com” and “my.yahoo.com”.

11
Enter an allowed URL in the Content field in the Allowed Domains section. A URL can be up to 80 characters.
12
Click Add. The URL is added to the Allowed Domains List.
13
Add multiple allowed domains by repeating Step 11 and Step 12 for each allowed domain. You can add up to 100 domains.

To delete a list entry, select it and click Remove. To remove all entries, click Remove All.

14
Enter a forbidden URL in the Content field in the Forbidden Domains section.
15
Click Add. The URL is added to the Forbidden Domains List.
16
Add multiple forbidden domains by repeating Step 14 and Step 15 for each forbidden domain. You can add up to 100 domains.

To delete a list entry, select it and click Remove. To remove all entries, click Remove All.

17
Enter a keyword to be blocked in the Content field in the Keyword section.
18
Click Add. The keyword is added to the Keyword List.
19
Add multiple keywords by repeating Step 17 and Step 18 for each keyword. You can add up to 100 keywords.

To delete a list entry, select it and click Remove. To remove all entries, click Remove All.

20
Click OK.
Configuring the Default CFS Policy
To configure the Default policy to be the most restrictive:
1
On the Security Services > Content Filter page, ensure the Content Filter Type is Content Filter Service.
2
Click Configure. The SonicWall Filter Properties dialog displays.
3
Click the Policy tab.

4
Click the Edit icon in the Configure column. The Edit CFS Policy dialog displays.

* 
NOTE: The Name field is dimmed because the Default policy name cannot be changed.
5
Click the URL List tab.
7
Click OK.

Custom List

You can customize your URL list to include allowed domains, forbidden domains, and blocked keywords. By customizing your URL list, you can include specific domains to be accessed, blocked, and include specific keywords to block sites. The settings available on the Custom List page are different for an appliance with a valid SonicWall CFS Premium subscription than they are for an appliance with no CFS Premium license. The image below shows the Custom List tab for an appliance with an active CFS Premium subscription:

For an appliance with a CFS Premium subscription, these features are controlled by each Policy on a global or per-policy basis.

By default, the Allowed Domains list is disabled, and the Forbidden Domains list and Keyword Blocking list are enabled. When SonicWall CFS Premium is licensed on the appliance, these settings are controlled on a per-policy basis. Without a current SonicWall CFS Premium subscription, these settings are available on the Custom List tab at the bottom of the page.

Adding Allowed Domains
To allow access to a Web site that is blocked by the Content Filter List:
1
Click Add in the Allowed Domains section of the Custom List tab. The Add Allowed Domain Entry dialog displays.

2
Enter the host name, such as www.ok-site.com, into the Domain Entry field.
* 
CAUTION: Do not include the prefix http:// in either the Allowed Domains or Forbidden Domains fields. All subdomains are affected. For example, entering yahoo.com applies to mail.yahoo.com and my.yahoo.com.
3
Click OK. You can add up to 1,024 entries to the Allowed Domains list by repeating Step 1 through Step 3 for each entry.
4
To block a Web site that is not blocked by the Content Filter Service, click Add in the Forbidden Domains section. The Add Forbidden Domain Entry dialog displays.

5
Enter the host name, such as www.bad-site.com, into the Forbidden Domains field.
6
Click OK. You can add up to 1,024 entries to the Forbidden Domains list by repeating Step 4 through Step 6 for each entry.
7
To enable blocking using Keywords, click Add under Keyword Blocking. The Add Keyword Entry dialog displays.

8
Enter the keyword to block in the Add Keyword field.
9
Click OK. You can add up to 100 entries to the Keyword Blocking list by repeating Step 7 through Step 9 for each entry.
10
When you have finished making all your entries, click OK.
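The same three rules govern every domain list in this chapter: the CFS Custom Category entries (where the table separates several domains with a caret), the Allowed and Forbidden Domains on a custom CFS policy's Custom List tab, and the Allowed Domains procedure just above. An entry must not carry the "http://" prefix, and an entry covers the domain itself and all of its subdomains, so "yahoo.com" covers "mail.yahoo.com" and "my.yahoo.com". The following Python is an added example that is not SonicOS code; it validates entries as the guide describes and shows the matching. The function names, the order in which allowed, forbidden and keyword lists are consulted, the treatment of keywords as substrings of the requested URL, and the sample lists are assumptions made for the example.

```python
"""Domain-list semantics for CFS custom lists and custom categories.

Added example (not SonicOS code). Implements the entry rules stated in
the guide: no scheme prefix, subdomain matching, 80-character entries,
caret-separated Custom Category content. List precedence is assumed.
"""
from typing import Iterable, List
from urllib.parse import urlsplit

MAX_DOMAIN_LEN = 80  # per-entry limit stated for the Custom List tab


def normalize_entry(entry: str) -> str:
    """Validate and canonicalize one Allowed/Forbidden Domain entry."""
    e = entry.strip().lower().rstrip(".")
    if "://" in e:
        # The guide's CAUTION: never include "http://" in a domain entry.
        raise ValueError(f"do not include a scheme prefix such as http:// in {entry!r}")
    if not e or "/" in e or " " in e:
        raise ValueError(f"not a bare host name: {entry!r}")
    if len(e) > MAX_DOMAIN_LEN:
        raise ValueError(f"entry longer than {MAX_DOMAIN_LEN} characters: {entry!r}")
    return e


def entry_is_valid(entry: str) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        normalize_entry(entry)
        return True
    except ValueError:
        return False


def domain_matches(entry: str, host: str) -> bool:
    """True if host is the entry itself or any subdomain of it.

    Matching is label-based, so "yahoo.com" does not cover "notyahoo.com".
    """
    host = host.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def parse_custom_category_content(content: str) -> List[str]:
    """Split a caret-separated Content cell from the CFS Custom Category table."""
    return [normalize_entry(part) for part in content.split("^") if part.strip()]


def classify_url(url: str, allowed: Iterable[str], forbidden: Iterable[str],
                 keywords: Iterable[str]) -> str:
    """Report which list a requested URL hits: allowed, forbidden, keyword or unlisted.

    Precedence (allowed, then forbidden, then keyword) is an assumption made
    for this example; the guide does not state an evaluation order.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if any(domain_matches(a, host) for a in allowed):
        return "allowed"
    if any(domain_matches(f, host) for f in forbidden):
        return "forbidden"
    lowered = url.lower()
    if any(k.lower() in lowered for k in keywords):
        return "keyword"
    return "unlisted"


# Constructed sample lists (hypothetical names).
ALLOWED = [normalize_entry("www.ok-site.com"), normalize_entry("yahoo.com")]
FORBIDDEN = [normalize_entry("www.bad-site.com")]
KEYWORDS = ["casino"]

if __name__ == "__main__":
    for u in ("https://mail.yahoo.com/inbox", "www.bad-site.com/page",
              "http://example.com/casino-night", "http://example.com/"):
        print(u, "->", classify_url(u, ALLOWED, FORBIDDEN, KEYWORDS))
    print(parse_custom_category_content("example.org^news.example.net"))
```

Note that `normalize_entry` rejects "http://yahoo.com" outright rather than stripping the prefix; silently fixing an entry would hide the mistake the CAUTION warns about.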
Removing Domains or Keywords

To remove a trusted or forbidden domain, select it from the appropriate list, and click Delete. Once the domain has been deleted, the Status bar displays Ready.

To remove a keyword:
1
Select the keyword from the list.
2
Click Delete. After the keyword has been removed, the Status bar displays Ready.
3
Click OK when finished.
Enabling or Disabling on Appliances With a CFS Premium Subscription

To enable or disable the Allowed/Forbidden Domains or Keyword Blocking features when the SonicWall appliance has a current subscription to SonicWall CFS Premium:

1
On the Security Services > Content Filter page, select SonicWall CFS under Content Filter Type and click Configure.
2
On the SonicWall Filter Properties dialog, click the Policy tab.
3
Click the Edit icon in the Configure column of the Policy for which to enable or disable these features. The Edit CFS Policy dialog displays.
4
Click the Settings tab.
6
Click OK.
Enabling or Disabling on Appliances Without a CFS Premium Subscription

To enable or disable the Allowed/Forbidden Domains or Keyword Blocking features when the SonicWall appliance is not licensed for SonicWall CFS Premium:

1
On the Custom List tab, at the bottom of the page, select any of these settings:
Disable Allowed Domains - select this setting to disable the allowed domains that are listed on the Custom List tab. The domains in the Allowed Domains list will not be exempt from content filtering.
Enable Forbidden Domains - select this setting to enable filtering (blocking) of forbidden domains that are listed on the Custom List tab.
Enable Keyword Blocking - select this setting to enable keyword blocking for the URLs that are listed in the Keyword Blocking section on the Custom List tab.

2
Click OK.
Disable all Web traffic except for Allowed Domains

Selecting the Disable Web traffic except for Allowed Domains check box causes the SonicWall security appliance to allow Web access only to sites on the Allowed Domains list. With careful screening, this can be nearly 100% effective at blocking pornography and other objectionable material.

The Disable Web traffic except for Allowed Domains check box is not available when the SonicWall appliance has a valid SonicWall CFS subscription. In this case, you can configure a CFS Policy to block undesirable Web sites.

Consent

The Consent tab allows you to enforce content filtering on designated computers and provide optional filtering on other computers. Consent can be configured to require the user to agree to the terms outlined in an Acceptable Use Policy dialog before Web browsing is allowed.

Enabling Consent Properties

To enable the Consent properties, select Require Consent.

Maximum Web Usage (minutes) - In an environment where there are more users than computers, such as a classroom or library, time limits are often imposed. The SonicWall security appliance can be used to remind users when their time has expired by displaying the page defined in the Consent page URL field. Enter the time limit, in minutes, in the Maximum Web usage field. When the default value of zero (0) is entered, this feature is disabled.
User Idle Timeout (minutes) - After a period of Web browser inactivity, the SonicWall security appliance requires the user to agree to the terms outlined in the Consent page before accessing the Internet again. To configure the value, follow the link to the Users window and enter the desired value in the User Idle Timeout section.
Consent Page URL (optional filtering) - When a user opens a Web browser on a computer requiring consent, they are shown a consent page and given the option to access the Internet with or without content filtering. This page must reside on a Web server and be accessible as a URL by users on the network. It can contain the text of, or links to, an Acceptable Use Policy (AUP). This page must contain links to two pages contained in the SonicWall security appliance, which, when selected, tell the SonicWall security appliance whether the user wishes to have filtered or unfiltered access. The link for unfiltered access must be <192.168.168.168/iAccept.html> and the link for filtered access must be <192.168.168.168/iAcceptFilter.html>, where the SonicWall LAN IP address is used instead of 192.168.168.168.
Consent Accepted URL (filtering off) - When a user accepts the terms outlined in the Consent page and chooses to access the Internet without the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the Consent Accepted (filtering off) field. This page must reside on a Web server and be accessible as a URL by users on the network.
Consent Accepted URL (filtering on) - When a user accepts the terms outlined in the Consent page and chooses to access the Internet with the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the Consent Accepted (filtering on) field. This page must reside on a Web server and be accessible as a URL by users on the network.
Mandatory Filtered IP Addresses

When a user opens a Web browser on a computer using mandatory content filtering, a consent page is displayed. You must create the Web page that appears when the Web browser is opened. It can contain text from an Acceptable Use Policy, and notification that violations are logged or blocked.

This Web page must reside on a Web server and be accessible as a URL by users on the LAN. This page must also contain a link to a page contained in the SonicWall security appliance that tells the device that the user agrees to have filtering enabled. The link must be <192.168.168.168/iAcceptFilter.html>, where the SonicWall LAN IP address is used instead of 192.168.168.168.

Enter the URL of this page in the Consent Page URL (mandatory filtering) field and click OK. Once the SonicWall security appliance has been updated, a message confirming the update is displayed at the bottom of the Web browser window.
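The consent pages for optional filtering and for mandatory filtering only work if they link to the iAccept.html / iAcceptFilter.html endpoints on the firewall's own LAN IP address; links to any other host are simply ignored by the appliance. The following is an added example, not SonicOS code, of a check that parses a consent page and reports which required links are missing. The sample page is constructed for the example and uses the guide's placeholder LAN address.

```python
"""Check that a consent page carries the links the SonicWall expects.  Added
example, not SonicOS code; the sample HTML below is constructed for the test.
Optional-filtering pages must link to both /iAccept.html and /iAcceptFilter.html
on the firewall's LAN IP; mandatory-filtering pages need only /iAcceptFilter.html."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

CONSENT_ENDPOINTS = ("/iAccept.html", "/iAcceptFilter.html")


class LinkCollector(HTMLParser):
    """Collects the href of every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def consent_links(html: str, lan_ip: str) -> set:
    """Return the set of SonicWall consent endpoints the page links to on lan_ip."""
    parser = LinkCollector()
    parser.feed(html)
    found = set()
    for href in parser.hrefs:
        parts = urlsplit(href if "://" in href else "http://" + href)
        # Only links that target the firewall's LAN IP count; the appliance ignores the rest.
        if parts.hostname == lan_ip and parts.path in CONSENT_ENDPOINTS:
            found.add(parts.path)
    return found


def check_consent_page(html: str, lan_ip: str, mandatory: bool) -> list:
    """Return a list of problems; an empty list means the page satisfies the requirements."""
    required = {"/iAcceptFilter.html"} if mandatory else set(CONSENT_ENDPOINTS)
    missing = required - consent_links(html, lan_ip)
    return [f"missing link to http://{lan_ip}{path}" for path in sorted(missing)]


# Constructed sample optional-filtering consent page (not from the guide).
SAMPLE_OPTIONAL_PAGE = """<html><body>
<h1>Acceptable Use Policy</h1>
<p>Constructed sample AUP text.</p>
<a href="http://192.168.168.168/iAcceptFilter.html">I agree - filtered access</a>
<a href="http://192.168.168.168/iAccept.html">I agree - unfiltered access</a>
</body></html>"""
```

Run the check after every change to the consent page and whenever the firewall's LAN IP changes; a page that still points at the old address silently stops granting access.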

Adding a New Address

The SonicWall security appliance can be configured to enforce content filtering for certain computers on the LAN. Click Add to display the Add Filtered IP Address Entry window. Enter the IP addresses of these computers in the Add New Address field and then click the Submit button. Up to 128 IP addresses can be entered.

To remove a computer from the list of computers to be filtered, highlight the IP address in the Mandatory Filtered IP Addresses list and click Delete.

Configuring Websense Enterprise Content Filtering

Websense Enterprise is a third-party Internet filtering package that the SonicWall can use to make content filtering decisions.

1
Select Websense Enterprise from the Content Filter Type drop-down menu.
2
Click Configure to display the Websense Properties dialog.

* 
NOTE: You specify enforcement of content filtering on the Network > Zones page.

The General page in the Websense Properties window includes the following settings:

Server Host Name or IP Address - Enter the Server Host Name or the IP address of the Websense Enterprise server used for the Content Filter List.
Server Port - Enter the UDP port number the SonicWall uses for Websense Enterprise traffic. The default port number is 15868.
User Name - To enable reporting of users and groups defined on the Websense Enterprise server, leave this field blank. To enable reporting by a specific user or group behind the SonicWall, enter the User Name configured on the Websense Enterprise Server for the user or group. If using NT-based directories on the Websense Enterprise Server, the User Name is in this format, for example: NTLM:\\domainname\username. If using LDAP-based directories on the Websense Enterprise server, the User Name is in this format, for example: LDAP://o-domain/ou=sales/username.
* 
CAUTION: If you are not sure about entering a user name in this section, leave the field blank and consult your Websense documentation for more information.
Enable HTTPS Content Filtering - With this option enabled, the firewall’s Content Filter service checks HTTPS connections. This is done by sending a request (carrying the URL of the HTTPS connection) from the firewall to the Websense Manager. The Websense Manager checks the URL category and decides whether to allow or deny the HTTPS connection according to its policy configuration.
Enable Websense probe monitoring - Enables the firewall to probe for the presence of a Websense server. Use the following options to configure the Websense probe settings:
Check Server every - Enter the interval, in seconds, at which the firewall sends a probe to the Websense server.
Deactivate Websense after - Enter the number of missed probes before the firewall deactivates the Websense feature.
Reactivate Websense after - Enter the number of successful probes needed before the firewall will reactivate the Websense feature.
If Server is unavailable for (seconds) - Defines what action is taken if the Websense Enterprise server is unavailable. The default value for timeout of the server is 5 seconds, but you can enter a value between 1 and 10 seconds.
Block traffic to all Web sites - Selecting this option blocks traffic to all Web sites except Allowed Domains until the Websense Enterprise server is available again (fail closed).
Allow traffic to all Web sites - Selecting this option allows traffic to all Web sites without Websense Enterprise server filtering until the server is available again (fail open). Forbidden Domains and Keywords, if enabled, are still blocked, but no category-based filtering takes place while the server is down.
Cache Size (KB) - Configure the size of the URL Cache in KB.
* 
TIP: A larger URL Cache size can result in noticeable improvements in Internet browsing response times.
3
After configuring Websense content filtering in the Websense Properties window, click OK.
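The probe settings above form a small state machine with hysteresis: the service is deactivated after a number of missed probes and only reactivated after a number of successful ones, and while it is deactivated the configured server-unavailable action decides whether traffic fails closed or open. The following is an added example, not SonicOS code, that models that behaviour so the effect of a given combination of interval and thresholds can be seen; that the thresholds count consecutive probes, and the names used, are assumptions.

```python
"""Websense probe monitoring modelled as a small state machine.  Added example;
it is not SonicOS code.  The probe interval, the miss/success thresholds and
the two 'server unavailable' actions follow the settings described above; that
the thresholds count consecutive probes is an assumption."""
from dataclasses import dataclass

BLOCK_ALL = "block all sites except Allowed Domains"                   # fail-closed
ALLOW_ALL = "allow all sites; Forbidden Domains/Keywords still apply"  # fail-open


@dataclass
class WebsenseProbe:
    check_every_s: int = 10           # "Check Server every" (seconds)
    deactivate_after: int = 3         # "Deactivate Websense after" N missed probes
    reactivate_after: int = 2         # "Reactivate Websense after" N successful probes
    unavailable_action: str = BLOCK_ALL
    active: bool = True
    missed: int = 0
    succeeded: int = 0

    def record(self, probe_ok: bool) -> bool:
        """Feed one probe outcome; return whether Websense filtering is active afterwards."""
        if probe_ok:
            self.missed = 0
            if not self.active:
                self.succeeded += 1
                if self.succeeded >= self.reactivate_after:
                    self.active, self.succeeded = True, 0
        else:
            self.succeeded = 0
            if self.active:
                self.missed += 1
                if self.missed >= self.deactivate_after:
                    self.active, self.missed = False, 0
        return self.active

    def mode(self) -> str:
        """Which filtering path HTTP requests take right now."""
        return "websense" if self.active else self.unavailable_action

    def detection_delay_s(self) -> int:
        """Worst-case seconds between the server dying and the probe noticing."""
        return self.check_every_s * self.deactivate_after


def run_probe_sequence(results, **settings):
    """Replay a list of probe outcomes (True = answered) and return the mode after each."""
    probe = WebsenseProbe(**settings)
    modes = []
    for ok in results:
        probe.record(ok)
        modes.append(probe.mode())
    return modes
```

The detection delay (interval times the deactivation threshold) is the window in which requests are still sent to a dead server and fall back on the per-request timeout in If Server is unavailable for (seconds); keep it short if you rely on fail-closed behaviour, and note that Allow traffic to all Web sites means category filtering is off for the whole outage.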

Websense Server Status

This displays the status of the Websense Enterprise server used for content filtering.

Enforcing Client Anti-Virus

Security Services > Client AV Enforcement

By their nature, anti-virus products typically require regular, active maintenance on every PC. When a new virus is discovered, all anti-virus software deployed within an organization must be updated with the latest virus definition files. Failure to do so severely limits the effectiveness of anti-virus software and disrupts productive work time. With more than 50,000 known viruses and new virus outbreaks occurring regularly, the task of maintaining and updating virus protection can become unwieldy. Unfortunately, many small to medium businesses do not have adequate IT staff to maintain their anti-virus software. The resulting gaps in virus defenses may lead to data loss and decreased employee productivity.

The widespread outbreaks of viruses, such as NIMDA and Code Red, illustrate the problematic nature of virus defense for small and medium businesses. Users without the most current virus definition files allow these viruses to multiply and infect many other users and networks. SonicWall Client Anti-Virus addresses this with a different approach to virus protection. The SonicWall security appliance constantly monitors the version of the virus definition file and automatically triggers download and installation of new virus definition files to each user’s computer. In addition, the SonicWall security appliance restricts each user’s access to the Internet until they are protected, therefore acting as an enforcer of the company’s virus protection policy. This approach ensures the most current version of the virus definition file is installed and active on each PC on the network, preventing a rogue user from disabling the virus protection and potentially exposing the entire organization to an outbreak.

* 
NOTE: You must purchase an Anti-Virus subscription to enforce Anti-Virus through the SonicOS management interface. Enforced Client Anti-Virus can also be purchased and used without requiring a firewall. Policies are configured by logging into the SonicWall Enforced Client Policy & Reporting Server (EPRS) in the cloud.

SonicOS supports both McAfee and Kaspersky client anti-virus for client AV enforcement. These services are licensed separately, allowing you to purchase the desired number of each license for your deployment.

Topics:

Activating SonicWall Client Anti-Virus

If SonicWall Client Anti-Virus is not licensed on your firewall, you must activate the license or sign up for a free trial.

* 
NOTE: You must have a MySonicWall account and your firewall must be registered to activate SonicWall Client Anti-Virus in SonicOS.

If you do not have an activation key, you can purchase SonicWall Client Anti-Virus from a SonicWall reseller or directly from your MySonicWall account (limited to customers in the USA and Canada).

To activate SonicWall Client Anti-Virus on your firewall:
1
In SonicOS, navigate to the System > Licenses page.
2
Under Manage Security Services Online, click the click here link in the To Activate, Upgrade, or Renew services, click here line. The MySonicWall login page is displayed.
3
Enter your MySonicWall account credentials in the User Name/Email and Password fields, then click Submit. The Service Management page in MySonicWall is displayed.
4
Click the Try, Activate, Upgrade, or Renew link for the desired Anti-Virus in the Manage Service column in the Manage Services Online table. When using Activate, type in the activation key in the Activation Key field and click Submit. When using Try, click Continue in the next screen to get a 30-day free trial.
5
When you activate SonicWall Client Anti-Virus on MySonicWall, the Client Anti-Virus license is automatically enabled on your firewall within 24-hours, or you can click the Synchronize button on the Security Services > Summary page or the System > Licenses page to update your SonicWall security appliance.
6
In SonicOS, navigate to Security Services > Client AV Enforcement to configure your Client Anti-Virus settings.
7
When policies and settings are configured, Client Anti-Virus must be enabled on one or more zones to start using it. Navigate to Network > Zones and click the Configure button for the desired zone, then select the Enable Client AV Enforcement Service check box and click OK.

Status and License Management

The Status section of the Security Services > Client AV Enforcement page contains both the status of your anti-virus license as well as a way to manage that license.

<AV Vendor> Client AV Status — Specifies the third-party anti-virus vendor, such as McAfee or Kaspersky.
Status — Specifies whether the anti-virus software is licensed or if the license has expired.
License Count — Specifies the number of licensed seats.
Expiration Date — Specifies the date the license expires.
Click here to Manage <AV Vendor> AV Settings, Create Reports and/or Custom Policies. — Clicking on here displays the Licenses > License Management login page. To continue, enter your MySonicWall username or email address, password, and firewall Authentication Code. This logs you into the SonicWall Enforced Client Policy & Reporting Server (EPRS) in the cloud, where you can configure user and group policies and view reports.
Manage Licenses. — Clicking on Licenses displays the Licenses > License Management login page. To continue, enter your MySonicWall credentials.
Note: Enforce the Client Anti-Virus Service per zone from the Network > Zones page. — Clicking on Network > Zones displays the Network Zones page. On that page you can enable the Client AV Enforcement Service for any zone you create or modify. For further information, see Enforcing Client Anti-Virus on Network Zones.

Enforcing Client Anti-Virus on Network Zones

To enforce Client Anti-Virus on a per-zone basis:
1
On the Security Services > Client AV Enforcement page, click the Network > Zones link in Note: Enforce the Client Anti-Virus Service per zone from the Network > Zone page under the Status section, or simply navigate to the Network > Zones page.

2
Click the Configure button for the zone on which you want to enforce Client Anti-Virus or Add to create a new zone.
3
In the Edit Zone or Add Zone window, select the Enable Client AV Enforcement Service checkbox.

4
Click OK.

Configuring Client Anti-Virus Service

Topics:

For information on activating the Client Anti-Virus service, see Activating SonicWall Client Anti-Virus.

Client Anti-Virus Policies

The following features are available in the Client Anti-Virus Policies section:

Disable policing from Trusted to Public - When this option is cleared, anti-virus policies are enforced on computers located on Trusted zones, including when they access Public zones. Selecting it allows computers on a trusted zone (such as the LAN) to access computers on public zones (such as the DMZ) even if anti-virus software is not installed on the LAN computers.
Enable strict enforcement of AV Vendor to Policy -
Days before forcing update - This feature defines the maximum number of days, 0 – 5, users may access the Internet before the SonicWall requires the latest virus data files to be downloaded. The default is 5 days.
Force update on alert - SonicWall, Inc. broadcasts virus alerts to all SonicWall appliances with an Anti-Virus subscription. Three levels of alerts are available, and you may select more than one. When an alert is received with this option selected, users are upgraded to the latest version of VirusScan ASaP before they can access the Internet. This option overrides the maximum number of days allowed before forcing update selection. In addition, every virus alert is logged, and an alert message is sent to you.
Low Risk - A virus that is not reported in the field and is considered unlikely to be found in the field in the future has a low risk. Even if such a virus includes a very serious or unforeseeable damage payload, its risk is still low.
Medium Risk - If a virus is found in the field, and if it uses a less common infection mechanism, it is considered to be medium risk. If its prevalence stays low and its payload is not serious, it can be downgraded to a low risk. Similarly it can be upgraded to high risk if the virus becomes more and more widespread.
High Risk - To be assigned a high risk rating, it is necessary that a virus is reported frequently in the field. Additionally, the payload must have the ability to cause at least some serious damage. If it causes very serious or unforeseeable damage, high risk may be assigned even with a lower level of prevalence.

Client Anti-Virus Enforcement

SonicWall Client Anti-Virus currently supports Windows platforms. To access the Internet, computers with other operating systems must be exempt from Anti-Virus policies. To ensure full network protection from virus attacks, it is recommended that only servers and unsupported machines are excluded from protection, and that third party Anti-Virus software is installed on each machine before excluding that machine from Anti-Virus enforcement.

Under Client Anti-Virus Enforcement, you can specify which clients use McAfee, which use Kaspersky, and which are excluded from client AV enforcement.

Topics:
AV Vendor Enforcement
* 
NOTE: If you use both McAfee and Kaspersky, the Client Anti-Virus Enforcement table will show an entry for both. If you use only one of the two vendors, only the entry for that vendor appears. The following procedure uses just McAfee.

To configure these enforcement lists, perform the following steps, where <AV Vendor> can be either McAfee or Kaspersky:

1
For enforcement, click the Edit icon in the Configure column for <AV Vendor> Client AV Enforcement List.
2
In the Edit Address Object Group window, select the address groups for which <AV Vendor> should be enforced in the left box and click the right arrow to move them into the box on the right.

3
Click OK.
4
To create another address group for <AV Vendor> enforcement, click the Add Entry icon. The Add Address Object dialog displays.

5
Enter a friendly name in the Name field, select a zone from the Zone Assignment drop-down menu, and select either Host or Range from the Type drop-down menu.
If you selected Host for the Type, enter an IP address in the IP Address field.
If you selected Range for Type, the options change:

Enter addresses in the Starting IP Address and Ending IP Address fields for the range of addresses.

6
Click OK.
7
Click Accept at the top of the page to apply your settings.
Exclude from Enforcement
1
To exclude certain clients from enforcement, click the Configure button for Excluded from Client AV Enforcement List. The Edit Address Object Group dialog displays.

2
Select the address groups which should be excluded from enforcement in the left box and click the right arrow to move them into the box on the right.
3
Click OK.
4
To create another address group for enforcement exclusion, click the Add Entry icon. The Add Address Object dialog displays.

5
Enter a friendly name in the Name field, select a zone from the Zone Assignment drop-down menu, and select either Host or Range from the Type drop-down menu.
If you selected Host for Type, enter an IP address in the IP Address field.
If you selected Range for Type, the options change:

Enter addresses in the Starting IP Address and Ending IP Address fields for the range of addresses.

6
Click OK.
7
Click Accept at the top of the page to apply your settings.
Default Enforcement
1
For computers whose addresses do not fall in any of the above lists, select the default enforcement setting from the drop-down list below the Client Anti-Virus Enforcement section. You can select None, McAfee, or Kaspersky.
* 
NOTE: If you use only one of the AV vendors, the choices will be None and that vendor.
2
Click Accept at the top of the page to apply your settings.

Configuring Client CFS Enforcement

Security Services > Client CF Enforcement

SonicWall Client CFS Enforcement provides protection and productivity policy enforcement for businesses, schools, libraries and government agencies. SonicWall's content filtering architecture uses a scalable, dynamic database of site ratings to block objectionable and unproductive Web content.

Client CFS Enforcement provides the ideal combination of control and flexibility to ensure the highest levels of protection and productivity. Client CFS Enforcement prevents individual users from accessing inappropriate content while reducing organizational liability and increasing productivity. Web sites are rated according to the type of content they contain. The Content Filtering Service (CFS) blocks or allows access to these web sites based on their ratings and the policy settings for a user or group.

Businesses can typically control web surfing behavior and content when the browsing is initiated within the perimeter of the security appliance by setting filter policies on the appliance. But when the same device exits the perimeter, the control is lost. Client CFS Enforcement kicks into action to address this gap, by blocking objectionable and unproductive Web content outside the security appliance perimeter.

SonicWall security appliances working in conjunction with Client CFS Enforcement automatically and consistently ensure all endpoints have the latest software updates. The client is designed to work with both Windows and Mac PCs.

Client CF Enforcement consists of the following three main components:

A Network Security Appliance running SonicOS, whose role is to facilitate and verify licensing of CFS, to enable or disable enforcement, and to configure exclusions and other settings.
Automatic triggering of the Client CF Enforcement installation: any client that attempts to access the Internet without the client software installed is blocked from accessing Web sites until it is installed.
Administration of client policies and client groups using the cloud-based EPRS server accessed from MySonicWall or from SonicOS running on the appliance.
Topics:

Enabling and Configuring Client CF Enforcement

This section describes how to enable and configure settings for Client CFS Enforcement in SonicOS.

Client CF Enforcement must be enabled on the SonicWall appliance before users will be presented with a Website block page, which prompts the user to install the Client CF Enforcement.

* 
NOTE: If the Content Filtering Service (CFS) is not activated on MySonicWall, you must activate it to enforce client content filtering policies on client systems.

Configuring Client CF Enforcement in Security Services

To configure settings for Client CF Enforcement, perform the following steps on your SonicWall appliance:
1
Navigate to the Security Services > Client CF Enforcement page.

2
Under the Client CFS Enforcement Policies section, select the number of days, 0 – 5, from the drop-down list for the Grace Period during which CFS enforcement policies remain valid. The default is 5 days.
3
The Client CFS Enforcement Lists section contains a table that displays the Client CFS Enforcement List and the Excluded from Client CFS Enforcement List. To configure either of these lists, click the Edit icon in the Configure column for the list you wish to configure. The Edit Address Object Group dialog displays.

4
Select from the available list the values to include/not include for the group, use the arrow buttons to move the entries between columns, and then click OK.
5
The Client CFS Enforcement List and Excluded from Client CFS Enforcement List rows each have an arrow next to the list title. If you have made any entries in a list, click its arrow to display them.

6
To add entries to either list, click the Plus icon in that row. The Add Address Object dialog displays.

7
Enter a name in the Name field, select a zone from the Zone Assignment drop-down list, the address object type from the Type drop-down list, and specify an IP address, or address range, in the IP Address field.
8
Click OK.
9
Below the Client CFS Enforcement Lists section is a field labeled For computers whose addresses do not fall in any of the above lists, the default enforcement is. Select Client CFS Enforcement from the drop-down list. Selecting this will prompt all other computers connecting to the Internet through the appliance to install the Enforced Client. You can select None from the drop-down list if you only want to enforce the service on computers that you have configured. The default is None.
10
Click Accept.
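The Client AV Enforcement lists (Configuring Client Anti-Virus Service) and the Client CFS Enforcement lists above share the same shape: Host and Range address objects in one or more enforcement lists, an exclusion list, and a default for addresses that fall in none of them. The following is an added example, not SonicOS code, that resolves which enforcement a given client address receives and audits the lists for overlapping address objects. Because the guide does not say which list wins when an address appears in more than one, the example reports that as a conflict rather than guessing; the list names and address objects are constructed for the example.

```python
"""Resolve which enforcement applies to a client address, given the Host/Range
address objects in each enforcement list, the exclusion list and the default
setting.  Added example; it is not SonicOS code, and it applies equally to the
Client AV Enforcement lists and the Client CFS Enforcement lists.  The guide
does not say which list wins when an address appears in more than one, so the
resolver reports that as a conflict rather than guess."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AddressObject:
    name: str
    kind: str                   # "Host" or "Range", as in the Add Address Object dialog
    start: str                  # IP Address, or Starting IP Address for a Range
    end: Optional[str] = None   # Ending IP Address for a Range

    def bounds(self) -> Tuple[int, int]:
        lo = int(ipaddress.ip_address(self.start))
        hi = int(ipaddress.ip_address(self.end)) if self.kind == "Range" else lo
        if hi < lo:
            raise ValueError(f"{self.name}: Ending IP Address precedes Starting IP Address")
        return lo, hi

    def contains(self, ip: str) -> bool:
        lo, hi = self.bounds()
        return lo <= int(ipaddress.ip_address(ip)) <= hi


def resolve_enforcement(ip: str, enforce_lists: Dict[str, List[AddressObject]],
                        excluded: List[AddressObject], default: str) -> str:
    """Return the enforcement list the address falls in, 'None' if excluded,
    the default if it is in no list, or 'CONFLICT:...' if lists overlap for it."""
    hits = [name for name, objs in enforce_lists.items() if any(o.contains(ip) for o in objs)]
    is_excluded = any(o.contains(ip) for o in excluded)
    if len(hits) > 1 or (hits and is_excluded):
        return "CONFLICT:" + ",".join(hits + (["Excluded"] if is_excluded else []))
    if is_excluded:
        return "None"
    return hits[0] if hits else default


def audit_overlaps(lists: Dict[str, List[AddressObject]]) -> List[str]:
    """Report address objects in different lists whose address ranges overlap."""
    problems = []
    names = list(lists)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for oa in lists[a]:
                lo_a, hi_a = oa.bounds()
                for ob in lists[b]:
                    lo_b, hi_b = ob.bounds()
                    if lo_a <= hi_b and lo_b <= hi_a:
                        problems.append(f"{a}:{oa.name} overlaps {b}:{ob.name}")
    return problems
```

Run the overlap audit before clicking Accept: an exclusion range that overlaps an enforcement range is the typical way a machine that should be policed ends up unpoliced, and the resolver's default argument is the value of the "default enforcement" drop-down, so leaving it at None means any address you forgot to list is not enforced at all.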

Enabling Client CFS in Network Zones

Client Content Filtering is enforced on a per-zone basis by performing the following steps:

1
On the Security Services > Client CF Enforcement page, click the Network > Zones link in the Note.

The Network > Zones page displays.

2
Click the Edit icon for the zone on which you want to enforce the Client Content Filtering Service. The Edit Zone window appears.

3
Select the Enforce Content Filtering Service check box.
4
Optionally, select the CFS policy from the CFS Policy drop-down list. The default is Default.
5
Select the Enable Client CF Service check box.
6
Click OK.

Managing SonicWall Gateway Anti-Virus Service

Security Services > Gateway Anti-Virus

SonicWall GAV delivers real-time virus protection directly on the SonicWall security appliance by using SonicWall’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the SonicWall gateway. Building on SonicWall’s reassembly-free architecture, SonicWall GAV inspects multiple application protocols, as well as generic TCP streams, and compressed traffic. Because SonicWall GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis.

SonicWall GAV delivers threat protection directly on the SonicWall security appliance by matching downloaded or emailed files against an extensive and dynamically updated database of threat virus signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are created and added to the database by a combination of SonicWall’s SonicAlert Team, third-party virus analysts, open source developers and other sources.

SonicWall GAV can be configured to protect against internal threats as well as those originating outside the network. It operates over a multitude of protocols including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols, to provide administrators with comprehensive network threat prevention and control. Because files containing malicious code and viruses can also be compressed and therefore inaccessible to conventional anti-virus solutions, SonicWall GAV integrates advanced decompression technology that automatically decompresses and scans files on a per packet basis.

Topics:

SonicWall GAV Multi-Layered Approach

SonicWall GAV delivers comprehensive, multi-layered anti-virus protection for networks at the desktop, the network, and at remote sites. SonicWall GAV enforces anti-virus policies at the gateway to ensure all users have the latest updates and monitors files as they come into the network.

SonicWall GAV Multi-Layered Approach

Topics:

Remote Site Protection

1
Users send typical e-mail and files between remote sites and the corporate office.
2
SonicWall GAV scans and analyzes files and email messages on the SonicWall security appliance.
3
Viruses are found and blocked before infecting remote desktop.
4
Virus is logged and alert is sent to administrator.

Remote Site Protection

Internal Network Protection

1
Internal user contracts a virus and releases it internally.
2
All files are scanned at the gateway before being received by other network users.
3
If virus is found, file is discarded.
4
Virus is logged and alert is sent to the administrator.

Internal Network Protection

HTTP File Downloads

1
Client makes a request to download a file from the Web.
2
File is downloaded through the Internet.
3
File is analyzed by the SonicWall GAV engine for malicious code and viruses.
4
If virus found, file discarded.
5
Virus is logged and alert sent to the administrator.

HTTP File Download Protection

Server Protection

1
Outside user sends an incoming e-mail.
2
E-mail is analyzed by the SonicWall GAV engine for malicious code and viruses before it is received by the e-mail server.
3
If virus found, threat prevented.
4
E-mail is returned to sender, virus is logged, and alert sent to the administrator.

Server Protection

SonicWall GAV Architecture

SonicWall GAV is based on SonicWall's high performance DPIv2.0 (Deep Packet Inspection version 2.0) engine, which performs all scanning directly on the SonicWall security appliance. SonicWall GAV includes advanced decompression technology that can automatically decompress and scan files on a per packet basis to search for viruses and malware. The SonicWall GAV engine can perform base64 decoding without ever reassembling the entire base64 encoded mail stream. Because SonicWall GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding and ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis. The reassembly-free virus scanning functionality of the SonicWall GAV engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without ever buffering any of the bytes within the stream.

SonicWall GAV Architecture

Building on SonicWall's reassembly-free architecture, GAV has the ability to inspect multiple application protocols, as well as generic TCP streams, and compressed traffic. SonicWall GAV protocol inspection is based on high performance state machines which are specific to each supported protocol. SonicWall GAV delivers protection by inspecting the most common protocols used in today's networked environments, including SMTP, POP3, IMAP, HTTP, FTP, NetBIOS, instant messaging and peer-to-peer applications and dozens of other stream-based protocols. This closes potential backdoors that can be used to compromise the network while also improving employee productivity and conserving Internet bandwidth.
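The architectural claim made above and in the introduction to this section, that base64 decoding and signature matching happen per packet with no reassembly and therefore no file-size limit, comes down to carrying a few bytes of state between packets: at most three undecoded base64 characters, and the last (signature length minus one) decoded bytes so that a signature split across two packets is still caught. The following is an added example in miniature, not the SonicWall DPI engine; the signature and payload are constructed for the example, and the memory held is independent of how large the stream is.

```python
"""Reassembly-free scanning in miniature: decode a base64 stream and match a
signature across arbitrary packet boundaries while keeping only a few bytes of
state.  Added example illustrating the architecture described above; it is not
the SonicWall DPI engine, and the signature and payload are constructed."""
import base64

_B64_WHITESPACE = b"\r\n \t"


class StreamingBase64:
    """Decodes base64 chunk by chunk, carrying any incomplete 4-character group forward."""

    def __init__(self):
        self.pending = b""

    def feed(self, chunk: bytes) -> bytes:
        data = self.pending + bytes(c for c in chunk if c not in _B64_WHITESPACE)
        usable = len(data) - len(data) % 4          # only whole quads decode cleanly
        self.pending, data = data[usable:], data[:usable]
        return base64.b64decode(data) if data else b""

    def finish(self) -> None:
        if self.pending:
            raise ValueError("truncated base64 stream")


class StreamMatcher:
    """Finds fixed byte signatures in a stream, retaining only len(longest)-1 bytes of tail."""

    def __init__(self, signatures):
        self.signatures = [bytes(s) for s in signatures]
        self.keep = max(len(s) for s in self.signatures) - 1
        self.tail = b""
        self.offset = 0                       # absolute stream offset of self.tail[0]

    def scan(self, decoded: bytes):
        old_tail = len(self.tail)
        window = self.tail + decoded
        hits = []
        for sig in self.signatures:
            i = window.find(sig)
            while i >= 0:
                # Matches ending inside the old tail were already reported last time.
                if i + len(sig) > old_tail:
                    hits.append((sig, self.offset + i))
                i = window.find(sig, i + 1)
        drop = max(len(window) - self.keep, 0)   # slide the window, keep only the tail
        self.offset += drop
        self.tail = window[drop:]
        return hits


def scan_packets(packets, signatures):
    """Run decoder and matcher over packet payloads in order; return (signature, offset) hits."""
    decoder, matcher = StreamingBase64(), StreamMatcher(signatures)
    hits = []
    for payload in packets:
        hits.extend(matcher.scan(decoder.feed(payload)))
    decoder.finish()
    return hits


def split_into_packets(data: bytes, size: int):
    """Chop a byte string into fixed-size 'packets' (a stand-in for TCP segmentation)."""
    return [data[i:i + size] for i in range(0, len(data), size)]
```

The same pattern generalises to the decompression step: a streaming inflater emits decoded bytes as each packet arrives, and the matcher consumes them with the same bounded tail. Note that the matcher's limit is the signature length, not the file size, which is why the engine can report "no file-size limitations".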

Activating the Gateway Anti-Virus, Anti-Spyware, and IPS License

* 
TIP: If your SonicWall security appliance is connected to the Internet and registered at MySonicWall.com, you can activate a 30-day FREE TRIAL of SonicWall Gateway Anti-Virus, SonicWall Anti-Spyware, and SonicWall Intrusion Prevention Service separately from the System > Licenses page in the management interface.
* 
NOTE: To activate the Gateway Anti-Virus, Anti-Spyware, and IPS license, you must have a MySonicWall.com account, and the appliances on which it is applied must be registered. To obtain a free MySonicWall.com account and register your appliance, see the Getting Started Guide for your appliance.

Because SonicWall Anti-Spyware is part of SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, the Activation Key you receive is for all three services on your SonicWall security appliance.

If you do not have a SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service license activated on your SonicWall security appliance, you must purchase it from a SonicWall reseller or through your MySonicWall.com account (limited to customers in the USA and Canada).

If you have an Activation Key for SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, perform the steps described in Activating, Upgrading, or Renewing Services to activate the combined services.

Activating FREE TRIALs

You can try FREE TRIAL versions of SonicWall Gateway Anti-Virus, SonicWall Anti-Spyware, and SonicWall Intrusion Prevention Service.

To try a FREE TRIAL of SonicWall Gateway Anti-Virus, SonicWall Anti-Spyware, or SonicWall Intrusion Prevention Service, perform the steps described in Obtaining Free Trial Subscriptions.

Setting Up SonicWall Gateway Anti-Virus Protection

Activating the SonicWall Gateway Anti-Virus license on your SonicWall security appliance does not automatically enable the protection. To configure SonicWall Gateway Anti-Virus to begin protecting your network, you need to enable it globally and then on each zone, as described in the following sections.

The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWall GAV on your SonicWall security appliance.

Security Services > Gateway Anti-Virus Page

Enabling SonicWall GAV

To enable Gateway Anti-Virus on your SonicWall security appliance:
1
On the Security Services > Gateway Anti-Virus page in SonicOS, select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings section.
2
Click Accept at the top of the page.

This enables the service globally, but you still have to enable it on each specific zone. See Applying SonicWall GAV Protection on Zones.

Applying SonicWall GAV Protection on Zones

You can enforce SonicWall GAV not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWall GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing LAN traffic.

To apply SonicWall GAV protection to a zone:
1. In the SonicWall security appliance management interface, do one of these:
- Navigate to the Network > Zones page.
- On the Security Services > Gateway Anti-Virus page, in the Gateway Anti-Virus Status section, click the Network > Zones link in the note "Enable the Gateway Anti-Virus per zone from the Network > Zones page."

The Network > Zones page is displayed.

2. In the Configure column of the Zone Settings table, click the Edit icon for the zone to be configured. The Edit Zone dialog displays.
3. Select the Enable Gateway Anti-Virus Service check box. A check mark appears. To disable the Gateway Anti-Virus Service, clear the check box.
4. Click OK.
5. Repeat this procedure for each other zone on which you want to enable Gateway Anti-Virus.

NOTE: You also enable SonicWall GAV protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone dialog, which includes the same settings as the Edit Zone dialog.

Viewing SonicWall GAV Status Information

The Gateway Anti-Virus Status section shows the state of the anti-virus signature database, including the database's timestamp, and the time the SonicWall signature servers were last checked for the most current database version. The SonicWall security appliance automatically attempts to synchronize the database on startup, and once every hour.

The Gateway Anti-Virus Status section displays the following information:

Signature Database indicates whether the signature database needs to be downloaded or has been downloaded.
Signature Database Timestamp displays the last update to the SonicWall GAV signature database, not the last update to your SonicWall security appliance.
Update button updates the database manually.
Last Checked indicates the last time the SonicWall security appliance checked the signature database for updates. The SonicWall security appliance attempts to synchronize the database automatically on startup and once every hour.
Gateway Anti-Virus Expiration Date indicates the date when the SonicWall GAV service expires. If your SonicWall GAV subscription expires, the SonicWall IPS inspection is stopped and the SonicWall GAV configuration settings are removed from the SonicWall security appliance. These settings are restored automatically to their previously configured state after you renew your SonicWall GAV license.

The Gateway Anti-Virus Status section displays the note "Enable the Gateway Anti-Virus per zone from the Network > Zones page." Clicking the Network > Zones link displays the Network > Zones page for applying SonicWall GAV on zones.

NOTE: Refer to Applying SonicWall GAV Protection on Zones for instructions on applying SonicWall GAV protection to zones.

Updating SonicWall GAV Signatures

By default, a SonicWall security appliance running SonicWall GAV automatically checks the SonicWall signature servers once an hour, so an administrator does not need to check for new signature updates constantly. You can also manually update your SonicWall GAV database at any time by clicking the Update button in the Gateway Anti-Virus Status section.

SonicWall GAV signature updates are secured. The SonicWall security appliance must first authenticate itself with a pre-shared secret, created during the SonicWall Distributed Enforcement Architecture licensing registration. The signature request is transported through HTTPS, along with full server certificate verification.

Specifying GAV Protocol Filtering

Application-level awareness of the protocol that is transporting the violation allows SonicWall GAV to perform specific actions within the context of that application, so that the rejection of the payload is handled gracefully.

By default, SonicWall GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic. Generic TCP Stream can optionally be enabled to inspect all other TCP-based traffic, such as SMTP and POP3 on non-standard ports, and IM and P2P protocols.

Enabling Inbound Inspection

Within the context of SonicWall GAV, the Enable Inbound Inspection protocol traffic handling refers to the following:

Non-SMTP traffic initiating from a Trusted, Wireless, or Encrypted zone destined to any zone.
Non-SMTP traffic from a Public zone destined to an Untrusted zone.
SMTP traffic initiating from a non-Trusted zone destined to a Trusted, Wireless, Encrypted, or Public zone.
SMTP traffic initiating from a Trusted, Wireless, or Encrypted zone destined to a Trusted, Wireless, or Encrypted zone.

The Enable Inbound Inspection protocol traffic handling represented as a table. Rows are the zone type the traffic comes from, columns the zone type it is destined to; X marks a zone pair covered by inbound inspection, - marks one that is not:

Enable Inbound Inspection Protocol Traffic Handling: SMTP Traffic

From \ To   Trusted  Encrypted  Wireless  Public  Untrusted
Trusted     X        X          X         -       -
Encrypted   X        X          X         -       -
Wireless    X        X          X         -       -
Public      X        X          X         X       X
Untrusted   X        X          X         X       X

Enable Inbound Inspection Protocol Traffic Handling: All Other Traffic

From \ To   Trusted  Encrypted  Wireless  Public  Untrusted
Trusted     X        X          X         X       X
Encrypted   X        X          X         X       X
Wireless    X        X          X         X       X
Public      -        -          -         -       X
Untrusted   -        -          -         -       -

The Enable Inbound Inspection feature is available for the following traffic:

HTTP
FTP
IMAP
SMTP
POP3
CIFS/Netbios
TCP
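
The four zone rules and the two tables above as an executable model, added here as an example and not SonicWall code: it encodes the bullet rules and the tables as printed, lets you look up any zone pair, and lists the cells where the two descriptions differ, which is worth confirming on the appliance before relying on either. Reading "non-Trusted" as any zone type other than Trusted is an assumption, as the page does not define the term.

```python
"""Zone-pair model of the 'Enable Inbound Inspection' tables.

Constructed example, not SonicWall code. ZONE_TYPES and the two tables
are transcribed from the page; rules_say() encodes the four bullet
rules. 'non-Trusted' is read as any zone type other than Trusted (an
assumption; the page does not define the term).
"""

ZONE_TYPES = ("Trusted", "Encrypted", "Wireless", "Public", "Untrusted")
TRUSTED_LIKE = {"Trusted", "Wireless", "Encrypted"}

# Rows = From, columns = To (in ZONE_TYPES order); 1 = X in the printed table.
TABLE = {
    "SMTP": {
        "Trusted":   (1, 1, 1, 0, 0),
        "Encrypted": (1, 1, 1, 0, 0),
        "Wireless":  (1, 1, 1, 0, 0),
        "Public":    (1, 1, 1, 1, 1),
        "Untrusted": (1, 1, 1, 1, 1),
    },
    "Other": {
        "Trusted":   (1, 1, 1, 1, 1),
        "Encrypted": (1, 1, 1, 1, 1),
        "Wireless":  (1, 1, 1, 1, 1),
        "Public":    (0, 0, 0, 0, 1),
        "Untrusted": (0, 0, 0, 0, 0),
    },
}


def table_says(traffic, src, dst):
    """True if the printed table marks (src -> dst) with an X."""
    return bool(TABLE[traffic][src][ZONE_TYPES.index(dst)])


def rules_say(traffic, src, dst):
    """True if one of the four bullet rules covers (src -> dst)."""
    if traffic == "SMTP":
        # SMTP from a non-Trusted zone to Trusted, Wireless, Encrypted or Public.
        from_non_trusted = src != "Trusted" and dst in TRUSTED_LIKE | {"Public"}
        # SMTP from Trusted, Wireless or Encrypted to Trusted, Wireless or Encrypted.
        internal = src in TRUSTED_LIKE and dst in TRUSTED_LIKE
        return from_non_trusted or internal
    # Non-SMTP from Trusted, Wireless or Encrypted to any zone.
    if src in TRUSTED_LIKE:
        return True
    # Non-SMTP from Public to Untrusted.
    return src == "Public" and dst == "Untrusted"


def discrepancies():
    """Cells where the printed table and the bullet rules disagree."""
    out = []
    for traffic in TABLE:
        for src in ZONE_TYPES:
            for dst in ZONE_TYPES:
                if table_says(traffic, src, dst) != rules_say(traffic, src, dst):
                    out.append((traffic, src, dst))
    return out


if __name__ == "__main__":
    for cell in discrepancies():
        print("table and rules differ for", cell)
```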

Enabling Outbound Inspection

The Enable Outbound Inspection feature is available for the following traffic:

HTTP
FTP
SMTP
TCP

Restricting File Transfers

For each protocol you can restrict the transfer of files with specific attributes by clicking on the Settings buttons in the Protocol Settings entry in the Gateway Anti-Virus Global Settings table. The Gateway AV Config View dialog displays.

The restrict-transfer settings are:

Restrict Transfer of password-protected ZIP files - Disables the transfer of password-protected ZIP files over any enabled protocol. This option only functions on protocols (for example, HTTP, FTP, SMTP) that are enabled for inspection.
Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the transfer of any MS Office 97 and above files that contain VBA macros.
Restrict Transfer of packed executable files (UPX, FSG, etc.) - Disables the transfer of packed executable files. Packers are utilities that compress and sometimes encrypt executables. Although there are legitimate applications for these, they are also sometimes used with the intent of obfuscation, so as to make the executables less detectable by anti-virus applications. The packer adds a header that expands the file in memory and then executes that file. SonicWall Gateway Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and ASPack. Additional formats are added dynamically along with SonicWall GAV signature updates.

Configuring Gateway AV Settings

Clicking the Configure Gateway AV Settings button at the bottom of the Gateway Anti-Virus Global Settings table displays the Gateway AV Config View window, which allows you to configure clientless notification alerts and create a SonicWall GAV exclusion list.

Configuring Gateway Anti-Virus Settings

You can enable or disable these AV settings:

Disable SMTP Responses - If you want to suppress the sending of email messages (SMTP) to clients from SonicWall GAV when a virus is detected in an email or attachment, select the Disable SMTP Responses check box. By default, the setting is disabled.

CAUTION: The following options should not be changed without a recommendation from SonicWall technical support.

Disable detection of EICAR test virus - Disables detection of the EICAR test virus (disabling detection of this test virus helps reduce false positives when other vendors’ client AV definitions are downloaded). By default, the setting is enabled.
Enable HTTP Byte-Range requests with Gateway AV - Allows the use of HTTP byte-range requests when GAV is enabled. By default, the setting is enabled.
Enable FTP ‘REST’ requests with Gateway AV - Allows use of the FTP REST command when GAV is enabled. By default, the setting is enabled.
Do not scan parts of files with high compression ratios - Disables the scanning of files with high compression ratios. By default, the setting is enabled, which disables scanning of these types of files.
Block files with multiple levels of zip/gzip compression - Suppresses the receiving of multi-level zip/gzip files in an email attachment. By default, the setting is disabled.

Configuring HTTP Clientless Notification

The HTTP Clientless Notification feature notifies users when GAV detects an incoming threat from an HTTP server. If this option is disabled, when GAV detects an incoming threat from an HTTP server, GAV blocks the threat and the user receives a blank HTTP page. Typically, users then attempt to reload the page because they are not aware of the threat. The HTTP Clientless Notification feature informs the user that GAV detected a threat from the HTTP server.

To configure this feature, check the Enable HTTP Clientless Notification Alerts check box and enter a message in the Message to Display when Blocking field, as shown below.

TIP: The HTTP Clientless Notification feature is also available for SonicWall Anti-Spyware.

Optionally, you can configure the timeout for the HTTP Clientless Notification on the Security Services > Summary page under the Security Services Summary heading.

Configuring a SonicWall GAV Exclusion List

Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV Exclusion List section provides the ability to define a range of IP addresses whose traffic is excluded from SonicWall GAV scanning.

CAUTION: Use caution when specifying exclusions to SonicWall GAV protection.

To add an IP address range for exclusion:
1. In the Gateway AV Config View window, scroll to the Gateway AV Exclusion List section.
2. Select the Enable Gateway AV Exclusion List check box to enable the exclusion list feature. The radio button and Add… button for Use Address Range become active. You can do any or all of the following:
- Add multiple ranges to the Gateway AV Exclusion List table, as described in Adding a range to be excluded.
- Modify excluded ranges in the Gateway AV Exclusion List table, as described in Modifying a Gateway AV Exclusion List table entry.
- Delete excluded ranges in the Gateway AV Exclusion List table, as described in Deleting entries in the Gateway AV Exclusion List table.
- Select an address object to be excluded, as described in Selecting an address object to be excluded.

Adding a range to be excluded
3. Click the Add… button. The Add GAV Range Entry dialog displays.
4. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP address range is added to the Gateway AV Exclusion List table and the window closes. The message "The configuration has been updated." displays in the status line.
5. To add other ranges to the Gateway AV Exclusion List table, repeat Step 1 through Step 4 for each range to be excluded.

Modifying a Gateway AV Exclusion List table entry
1. To change an entry, in the Configure column, click the Edit icon for that entry. The Edit GAV Range Entry dialog displays.
2. Modify either or both of the IP addresses.
3. Click OK. The modifications are made to the Gateway AV Exclusion List table and the dialog closes. The message "The configuration has been updated." displays in the status line.
4. To modify multiple entries, repeat Step 1 through Step 3.

Deleting entries in the Gateway AV Exclusion List table
1. To delete an entry from the Gateway AV Exclusion List table, click its Delete icon. To delete all the excluded ranges, click the Delete All button. A warning message displays, asking for confirmation of the deletion.
2. Click OK. The entry is removed from the Gateway AV Exclusion List table and the window closes.

Selecting an address object to be excluded
1. In the Gateway AV Exclusion List section, click the Use Address Object radio button. The drop-down menu becomes available.
2. Select an address object to be excluded or create a new one.

NOTE: You can select only one address object at a time to be excluded.

3. Click OK to select the address object and exit the Gateway AV Config View dialog.

Resetting Gateway Anti-Virus Settings

You can reset all your Gateway Anti-Virus Settings to factory default values by clicking the Reset Gateway AV Settings button. A warning message displays.

To completely remove your Gateway Anti-Virus Settings and restore the factory default values, click OK. Otherwise, click Cancel.

Using Cloud Anti-Virus

The Cloud Anti-Virus feature introduces an advanced malware scanning solution that complements and extends the existing Gateway Anti-Virus scanning mechanisms present on SonicWall firewalls, to counter the continued growth in the number of malware samples in the wild.

Cloud Anti-Virus expands the capabilities of the Reassembly-Free Deep Packet Inspection (RFDPI) engine by consulting the datacenter-based malware analysis servers. This approach keeps RFDPI-based malware detection as its foundation while providing a low-latency, real-time solution that can scan an unlimited number of files of unlimited size on all presently supported protocols, without adding significant incremental processing overhead to the appliances themselves. With this additional layer of security, SonicWall’s Next Generation Firewalls extend their current protection to cover many millions of pieces of malware.

Enabling Cloud Anti-Virus Database

To enable the Cloud Anti-Virus feature, select the Enable Cloud Anti-Virus Database checkbox in the Gateway Anti-Virus Global Settings section of the Security Services > Gateway Anti-Virus page.

Configuring Cloud AV Exclusions

Specific Cloud AV signatures can be excluded from enforcement, either to resolve false positives or to allow a particular file that matches a signature to be downloaded when necessary.

To configure the exclusion list:
1. In Security Services > Gateway Anti-Virus, scroll to the Gateway Anti-Virus Global Settings section.
2. Click the Cloud AV DB Exclusion Settings button. The Add Cloud AV Exclusions dialog displays.
3. Enter the Cloud AV Signature ID in the Cloud AV Signature ID field. The ID must be a decimal value.
4. Click the Add button. The signature ID is added to the list.
5. To view the latest information on a signature, select the signature ID in the list and click the Sig Info button. The information for the signature is displayed on the SonicALERT website:

https://www.MySonicWall.com/sonicalert/sonicalert.aspx

6. Click OK when you have finished configuring the Cloud AV exclusion list.

Viewing SonicWall GAV Signatures

The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWall GAV signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the SonicWall GAV signature database downloaded to your SonicWall security appliance.

NOTE: Signature entries in the database change over time in response to new threats.

Displaying Signatures

You can display the signatures in a variety of views using the View Style menu. Signatures are displayed 50 to a page. The sentence after the First Letter drop-down menu states how many signatures match the search criterion; for example, 23003 malware family signatures (All Signatures) or 323 of 23003 signatures match “bi” (Use Search String, 0-9, or A-Z).

Use Search String - Allows you to display signatures containing a specified string entered in the Lookup Signatures Containing String field.
All Signatures - Displays all the signatures in the table.
0 - 9 - Displays signature names beginning with the number you select from the menu.
A - Z - Displays signature names beginning with the letter you select from the menu.

Searching the Gateway Anti-Virus Signature Database

You can search the signature database by entering a search string in the Lookup Signatures Containing String field, then clicking the Search icon.

The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.

TIP: Making the search string too generic (for example, bi instead of bit) may return an overly large result.

Enabling/Disabling Signatures

By default, all anti-virus signatures are enabled. You can disable a particular anti-virus signature by clearing the Enable check box for it and then clicking Accept.

Activating Intrusion Prevention Service

Security Services > Intrusion Prevention Service

SonicWall Intrusion Prevention Service (SonicWall IPS) delivers a configurable, high-performance Deep Packet Inspection engine for extended protection of key network services such as Web, email, file transfer, Windows services and DNS. SonicWall IPS is designed to protect against application vulnerabilities as well as worms, Trojans, and peer-to-peer, spyware and backdoor exploits. The extensible signature language used in SonicWall’s Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities. SonicWall IPS offloads the costly and time-consuming burden of maintaining and updating signatures for new hacker attacks through SonicWall’s industry-leading Distributed Enforcement Architecture (DEA). Signature granularity allows SonicWall IPS to detect and prevent attacks on a global, attack-group, or per-signature basis, providing maximum flexibility and control over false positives.

SonicWall Deep Packet Inspection

Deep Packet Inspection looks at the data portion of the packet. The Deep Packet Inspection technology includes intrusion detection and intrusion prevention. Intrusion detection finds anomalies in the traffic and alerts the administrator. Intrusion prevention finds the anomalies in the traffic and reacts to them, preventing the traffic from passing through.

Deep Packet Inspection is a technology that allows a SonicWall Security Appliance to classify passing traffic based on rules. These rules include information about the layer 3 and layer 4 content of the packet as well as information that describes the contents of the packet’s payload, including the application data (for example, an FTP session, an HTTP Web browser session, or even a middleware database connection). This technology allows the administrator to detect and log intrusions that pass through the SonicWall Security Appliance, as well as prevent them (that is, drop the packet or reset the TCP connection). SonicWall’s Deep Packet Inspection technology also correctly handles inspection of a TCP byte stream split across fragments as if no TCP fragmentation had occurred.

How SonicWall’s Deep Packet Inspection Works

Deep Packet Inspection technology enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities. This is the technology behind SonicWall Intrusion Prevention Service. SonicWall’s Deep Packet Inspection technology enables dynamic signature updates pushed from the SonicWall Distributed Enforcement Architecture.

The following steps describe how the SonicWall Deep Packet Inspection Architecture works:

SonicWall Deep Packet Inspection Architecture

1. The Pattern Definition Language Interpreter uses signatures that can be written to detect and prevent against known and unknown protocols, applications and exploits.
2. TCP packets arriving out of order are reassembled by the Deep Packet Inspection framework.
3. Deep Packet Inspection engine preprocessing normalizes the packet’s payload. For example, an HTTP request may be URL-encoded, so the request is URL-decoded in order to perform correct pattern matching on the payload.
4. Deep Packet Inspection engine postprocessors perform the resulting action: pass the packet without modification, drop the packet, or reset the TCP connection.
5. SonicWall’s Deep Packet Inspection framework supports complete signature matching across TCP fragments without performing any reassembly (unless the packets are out of order). This results in more efficient use of processor and memory for greater performance.
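
Steps 3 and 5 as a small working model, added here as an example (it is not SonicWall's engine): each segment's payload is percent-decoded and matched against a signature while carrying only the decoder's and matcher's state between segments, so an escape sequence or the signature itself split across a segment boundary is still handled without buffering the stream. The pattern, request and segment split below are constructed for the example.

```python
"""Signature matching across TCP segments without stream reassembly.

Added example, not SonicWall's engine. Each in-order segment is
normalized (percent-decoded) and fed to a matcher; only the decoder's
pending escape bytes and the matcher's position in the pattern survive
between segments, so no copy of the stream is kept.
"""
from urllib.parse import unquote_to_bytes


class PercentDecoder:
    """Streaming %XX decoder that carries an incomplete escape to the next segment."""

    def __init__(self):
        self.pending = b""

    def feed(self, chunk):
        data = self.pending + chunk
        cut = len(data)
        # Hold back a trailing "%" or "%X": the next segment completes the escape.
        if data.endswith(b"%"):
            cut -= 1
        elif len(data) >= 2 and data[-2:-1] == b"%":
            cut -= 2
        self.pending = data[cut:]
        return unquote_to_bytes(data[:cut])

    def flush(self):
        """End of stream: a pending partial escape cannot complete, emit it as-is."""
        data, self.pending = self.pending, b""
        return unquote_to_bytes(data)


def _prefix_table(pattern):
    """KMP failure table: for each prefix, the longest proper border length."""
    table = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = table[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        table[i] = k
    return table


class StreamMatcher:
    """Matches one byte pattern against a sequence of in-order segments."""

    def __init__(self, pattern):
        self.pattern = pattern
        self.table = _prefix_table(pattern)
        self.state = 0    # bytes of the pattern matched so far
        self.offset = 0   # bytes of the normalized stream consumed
        self.hits = []    # 1-based stream offsets at which a match ended

    def feed(self, payload):
        for byte in payload:
            while self.state and byte != self.pattern[self.state]:
                self.state = self.table[self.state - 1]
            if byte == self.pattern[self.state]:
                self.state += 1
            self.offset += 1
            if self.state == len(self.pattern):
                self.hits.append(self.offset)
                self.state = self.table[self.state - 1]
        return len(self.hits)


def inspect_segments(pattern, segments):
    """Return the normalized-stream offsets at which `pattern` ends."""
    decoder, matcher = PercentDecoder(), StreamMatcher(pattern)
    for seg in segments:
        matcher.feed(decoder.feed(seg))
    matcher.feed(decoder.flush())
    return matcher.hits


# Constructed sample: a form upload naming the EICAR test file, with a
# percent-encoded hyphen ("%2D") and the signature itself both split
# across segment boundaries.
PATTERN = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
SEGMENTS = [
    b"POST /upload HTTP/1.1\r\n\r\nfile=EICAR%2",
    b"DSTANDARD%2DANTI",
    b"VIRUS-TEST-FILE\r\n",
]

if __name__ == "__main__":
    print(inspect_segments(PATTERN, SEGMENTS))  # [64]
```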

SonicWall IPS Terminology

Stateful Packet Inspection - looking at the header of the packet to control access based on port, protocol, and IP address.
Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities.
Intrusion Detection - a process of identifying and flagging malicious activity aimed at information technology.
False Positive - a falsely identified attack traffic pattern.
Intrusion Prevention - finding anomalies and malicious activity in traffic and reacting to it.
Signature - code written to detect and prevent intrusions, worms, application exploits, and Peer-to-Peer and Instant Messaging traffic.

SonicWall Gateway Anti-Virus, Anti-Spyware, and IPS Activation

If you do not have SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service installed on your SonicWall security appliance, the System > Licenses page indicates the service is Not Licensed.

Because SonicWall Intrusion Prevention Service is part of the unified SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, you will have a single License Key to activate all three services on your SonicWall security appliance.

The procedure for obtaining a license and activating it can be found in Activating the Gateway Anti-Virus, Anti-Spyware, and IPS License.

TIP: If your SonicWall security appliance is connected to the Internet and registered at MySonicWall.com, you can activate a 30-day FREE TRIAL of SonicWall Gateway Anti-Virus, SonicWall Anti-Spyware, and SonicWall Intrusion Prevention Service separately. See Activating FREE TRIALs.

Setting Up SonicWall Intrusion Prevention Service Protection

Activating the SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service license on your SonicWall security appliance does not automatically enable the protection.

The Security Services > Intrusion Prevention page displays the configuration settings for SonicWall IPS service on your SonicWall security appliance.

The Security Services > Intrusion Prevention Service page is divided into three sections:

IPS Status - displays status information on the state of the signature database and your SonicWall IPS license.
IPS Global Settings - provides the key settings for enabling SonicWall IPS protection on your SonicWall security appliance, specifying global SonicWall IPS protection based on three classes of attacks, and other configuration options.
IPS Policies - allows you to view SonicWall IPS signatures and configure the handling of signatures by category groups or on a signature-by-signature basis. Categories are signatures grouped together based on the type of attack.

After activating your Intrusion Prevention Service license, you must enable and configure SonicWall IPS on the Security Services > Intrusion Prevention page before intrusion prevention policies are applied to your network traffic.

IPS Status

Signature Database indicates whether the signature database needs to be downloaded or has been downloaded.
Signature Database Timestamp displays the last update to the SonicWall IPS signature database, not the last update to your SonicWall security appliance.
Update button updates the database manually.
Last Checked indicates the last time the SonicWall security appliance checked the signature database for updates. The SonicWall security appliance attempts to synchronize the database automatically on startup, and once every hour.
IPS Server Expiration Date indicates the date when the SonicWall GAV service, and therefore your Intrusion Prevention Service, expires. If your SonicWall GAV subscription expires, the SonicWall IPS inspection is stopped and the SonicWall IPS configuration settings are removed from the SonicWall security appliance. These settings are restored automatically to their previously configured state after you renew your SonicWall GAV license.

The IPS Status section displays the note "Enable the Intrusion Prevention Service per zone from the Network > Zones page." Clicking the Network > Zones link displays the Network > Zones page for applying SonicWall IPS on zones.

NOTE: Refer to Applying SonicWall IPS Protection on Zones for instructions on applying SonicWall IPS protection to zones.

Configuring Intrusion Prevention Service Overview

To configure SonicWall Intrusion Prevention Service to begin protecting your network, you need to perform the following steps:

1. Enable SonicWall Intrusion Prevention Service as described in Enabling SonicWall IPS.
2. Specify the priority attack groups as described in Specifying Global Attack Level Protection.
3. Apply SonicWall Intrusion Prevention Service protection to zones as described in Applying SonicWall IPS Protection on Zones.

Enabling SonicWall IPS

SonicWall IPS must be globally enabled on your SonicWall security appliance by checking the Enable IPS check box in the IPS Global Settings section. A check mark in the Enable IPS check box turns on the service on your SonicWall security appliance.

NOTE: Checking the Enable IPS check box does not automatically start SonicWall IPS protection. You must specify an action in the Signature Groups table to activate intrusion prevention on the SonicWall security appliance, and specify the interfaces or zones you want to protect.

Specifying Global Attack Level Protection

SonicWall IPS allows you to globally manage your network protection against attacks.

Setting Global Attack Level Protection

To set global attack level protection:
1. Go to the IPS Global Settings section of the Security Services > Intrusion Prevention page.
2. For each class of attack in the Signature Groups table (High Priority Attacks, Medium Priority Attacks, and Low Priority Attacks), select the Prevent All check box. Attacks belonging to an enabled group are prevented.

CAUTION: Leaving the High Priority Attacks, Medium Priority Attacks, and Low Priority Attacks signature groups with no Prevent All action checked means no intrusion prevention occurs on the SonicWall security appliance.

3. For each class of attack in the Signature Groups table, select the Detect All check box. Attacks belonging to an enabled group are logged.
4. Optionally, specify the number of seconds to delay between log entries for the same detected attack in the group's Log Redundancy Filter (seconds) field. The default for High Priority Attacks and Medium Priority Attacks is 0 seconds (every attack is logged), and for Low Priority Attacks it is 60 seconds.

TIP: Specifying a delay time reduces the number of log entries, especially for Low Priority Attacks.

5. Click Apply at the top of the page to protect your network against the most dangerous and disruptive attacks.

Configuring a SonicWall IPS Exclusion List

Any IP addresses listed in the exclusion list bypass IPS scanning on their traffic. The IPS Exclusion List section provides the ability to define a range of IP addresses whose traffic is excluded from SonicWall IPS scanning.

CAUTION: Use caution when specifying exclusions to SonicWall IPS protection.

To add an IP address range for exclusion:
1. In the IPS Global Settings section, click the Configure IPS Settings button. The IPS Config View dialog displays.
2. Select the Enable IPS Exclusion List check box to enable the exclusion list feature. The radio button and Add… button for Use Address Range become active. You can do any or all of the following:
- Add multiple ranges to the IPS Exclusion List table, as described in Adding a range to be excluded.
- Modify excluded ranges in the IPS Exclusion List table, as described in Modifying an IPS Exclusion List table entry.
- Delete excluded ranges in the IPS Exclusion List table, as described in Deleting entries in the IPS Exclusion List table.
- Select an address object to be excluded, as described in Selecting an address object to be excluded.

Adding a range to be excluded
3. Click the Add… button. The Add IPS Range Entry dialog displays.
4. Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP address range is added to the IPS Exclusion List table and the window closes. The message "The configuration has been updated." displays in the status line.
5. To add other ranges to the IPS Exclusion List table, repeat Step 1 through Step 4 for each range to be excluded.

Modifying an IPS Exclusion List table entry
1. To change an entry, in the Configure column, click the Edit icon for that entry. The Edit IPS Range Entry dialog displays.
2. Modify either or both of the IP addresses.
3. Click OK. The modifications are made to the IPS Exclusion List table and the window closes. The message "The configuration has been updated." displays in the status line.
4. To modify multiple entries, repeat Step 1 through Step 3.

Deleting entries in the IPS Exclusion List table
1. To delete an entry from the IPS Exclusion List table, click its Delete icon. To delete all the excluded ranges, click the Delete All button. A warning message displays, asking for confirmation of the deletion.
2. Click OK. The entry is removed from the IPS Exclusion List table and the window closes.

Selecting an address object to be excluded
1. In the IPS Exclusion List section, click the Use Address Object radio button. The drop-down menu becomes available.
2. Select an address object to be excluded or create a new one.

NOTE: You can select only one address object at a time to be excluded.

3. Click OK to select the address object and exit the IPS Config View window. The message "The configuration has been updated." displays in the status line.

Resetting IPS Settings and Policies

You can reset all your IPS Settings to factory default values by clicking the Reset IPS Settings & Policies button. A warning message displays.

To completely remove your IPS Settings and Policies and restore the factory default values, click OK. Otherwise, click Cancel.

Applying SonicWall IPS Protection on Zones

You apply SonicWall IPS protection to zones on the Network > Zones page to enforce SonicWall IPS not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWall IPS on the LAN zone enforces SonicWall IPS on all incoming and outgoing LAN traffic.

To enable SonicWall IPS protection on a zone, follow the procedure for applying SonicWall GAV protection described in Applying SonicWall GAV Protection on Zones, only in Step 3, click the Enable IPS check box.

NOTE: You also enable SonicWall IPS protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone dialog, which includes the same settings as the Edit Zone dialog.

Viewing and Configuring SonicWall IPS Policies

The IPS Policies section allows you to view SonicWall IPS signatures and configure the handling of signatures by category groups or on a signature-by-signature basis. Categories are signatures grouped together based on the type of attack, such as ACTIVEX or WEB-ATTACKS. All the entries displayed in the IPS Policies table are from the SonicWall GAV signature database downloaded to your SonicWall security appliance.

NOTE: Signature entries in the database change over time in response to new threats.

Displaying Signatures

You can display the signatures in a variety of views using the View Style Category drop-down menu and Priority filter drop-down menu or the Lookup Signature ID field. The information the IPS Policies table displays changes according to how you view the signatures:

All Categories — Lists all the signature categories in the SonicWall GAV signature database.

Category — Lists the categories in ascending alphabetic order. Reorder the categories in descending order by clicking the column heading.
Prevent — Displays whether IPS prevention of the entire category is enabled (), disabled (blank), or uses Global Settings (Global; set in the Signature Groups table in the Anti-Spyware Global Settings section). You can sort the table by prevention.
Detect — Displays whether IPS detection and logging of the entire category is enabled, disabled, or uses Global Settings. You can sort the table by detection.
Comments — Displays icons whenever changes have been made to:
User Settings (): inclusions and exclusions
Address Objects (): inclusions and exclusions
Schedule Settings ()
Configure — Contains a configure icon that displays the Edit IPS Category window when clicked.
All Signatures — Displays all the signatures in the table in alphanumeric order by name, in each category:

Displays all the information displayed by All Categories, plus this information:

# — Lists the sequential number of the signatures, which can be used in the Items field. This number changes if the ordering of the signatures is changed.
Name — Displays the name of the signature. Clicking on the signature name displays the SonicAlert page for that signature. The table is sorted automatically in ascending alphanumeric order within Category order. By clicking on Name, you can sort the table in descending order by Name only.

ID — Displays the Lookup Signature ID of the signature, which can be entered into the Lookup Signature ID field. You can sort the table in ascending or descending ID number.
Priority — Displays whether the signature is considered a High, Medium, or Low attack risk. You can sort the table by ascending or descending priority.
Direction — Displays the direction, Incoming or Outgoing, and if its target is general or the Client, the Server, or both.
Individual category — Displays only those signatures belonging to the category selected from the drop-down menu. The information is the same as for All Signatures except for the Category column.
Filters — You can filter the display by using one or more of these:
Priority — Displays signature names or categories containing signatures with the priority you select from the drop-down menu: All (default), High, Medium, Low.
Items — Moves the display to the sequential signature number you enter in the Items field.
Lookup Signature ID — Displays the Edit IPS Signature window for the specified signature.
Configuring Categories

By default, Categories are enabled or disabled according to the IPS Global Settings table.

To configure an individual category:
1
In the IPS Policies section, select All Categories from the Category drop-down menu.
2
Click the Configure icon in the Configure column for the Category to be configured. The Edit IPS Category dialog displays.

3
From the Prevention drop-down menu, select Use Global Setting (default), Enable, or Disable.
* 
NOTE: For both the Prevention and Detection options, if the Global Settings have not been set in the IPS Global Settings section, the Use Global Setting choice will indicate it is (Disabled). If they have been set, the choice will indicate it is (Enabled).
4
From the Detection drop-down menu, select Use Global Setting (default), Enable, or Disable.
5
Optionally, select a user or group category to be included in IPS protection from the Included Users/Groups drop-down menu. The default is All.

6
Optionally, select a user or group category to be excluded from IPS protection from the Excluded Users/Groups drop-down menu. The default is None.
7
Optionally, select an IP category to be included in IPS protection from the Included IP Address Range drop-down menu. The default is All.

8
Optionally, select an IP category to be excluded from IPS protection from the Excluded IP Address Range drop-down menu. The default is None.
9
Optionally, select the time and days IPS protection is in force from the Schedule drop-down menu. The default is Always on.
10
Optionally, specify the duration between logging attacks with the Log Redundancy Filter (seconds) option. By default, the Use Global Settings checkbox is selected. To specify a different duration, deselect the Use Global Settings checkbox and enter the time, in seconds, in the following field.
* 
NOTE: Specifying a time reduces the number of log entries, especially for Low Priority Attacks.
11
Click OK. Changes will be displayed in the IPS Policies table.
Configuring Signatures

By default, all IPS signatures are enabled or disabled according to the IPS Global Settings table and the settings of the signature’s Category. You can configure a particular IPS signature by clicking the Configure icon in the Configure column for that signature. The Edit IPS Signature dialog displays.

The options are the same as those for configuring a Category; follow the steps in Configuring Categories, except in Step 1, select either All Signatures or a specific category, such as ACTIVEX; do not select All Categories.

Activating Anti-Spyware Service

Security Services > Anti-Spyware Service

SonicWall Anti-Spyware is part of the SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service solution that provides comprehensive, real-time protection against viruses, worms, Trojans, spyware, and software vulnerabilities.

The SonicWall Anti-Spyware Service protects networks from intrusive spyware by cutting off spyware installations and delivery at the gateway and denying previously installed spyware from communicating collected information outbound. SonicWall Anti-Spyware works with other anti-spyware programs, such as programs that remove existing spyware applications from hosts. You are encouraged to use or install host-based anti-spyware software as an added measure of defense against spyware.

SonicWall Anti-Spyware analyzes inbound connections for the most common method of spyware delivery, ActiveX-based component installations. It also examines inbound setup executables and cabinet files crossing the gateway, and resets the connections that are streaming spyware setup files to the LAN. These file packages may be freeware bundled with adware, keyloggers, or other spyware. If spyware has been installed on a LAN workstation prior to the SonicWall Anti-Spyware solution install, the service will examine outbound traffic for streams originating at spyware infected clients and reset those connections. For example, when spyware has been profiling a user's browsing habits and attempts to send the profile information home, the SonicWall security appliance identifies that traffic and resets the connection.

The SonicWall Anti-Spyware Service provides the following protection:

Blocks spyware delivered through auto-installed ActiveX components, the most common vehicle for distributing malicious spyware programs.
Scans and logs spyware threats that are transmitted through the network and alerts you when new spyware is detected and/or blocked.
Stops existing spyware programs from communicating in the background with hackers and servers on the Internet, preventing the transfer of confidential information.
Provides granular control over networked applications by enabling you to selectively permit or deny the installation of spyware programs.
Prevents emailed spyware threats by scanning and then blocking infected emails transmitted either through SMTP, IMAP or Web-based email.
Topics:

SonicWall Gateway Anti-Virus, Anti-Spyware, and IPS Activation

If you do not have SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service installed on your SonicWall security appliance, the System > Licenses page indicates the service is Not Licensed.

Because SonicWall Anti-Spyware Service is part of the unified SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, you will have a single License Key to activate all three services on your SonicWall security appliance.

The procedure for obtaining a license and activating it can be found in Activating the Gateway Anti-Virus, Anti-Spyware, and IPS License.

* 
TIP: If your SonicWall security appliance is connected to the Internet and registered at MySonicWall.com, you can activate a 30-day FREE TRIAL of SonicWall Gateway Anti-Virus, SonicWall Anti-Spyware, and SonicWall Intrusion Prevention Service separately. See Activating FREE TRIALs.

Setting Up SonicWall Anti-Spyware Service Protection

After activating your SonicWall Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service license, the Security Services > Anti-Spyware page displays the configuration settings for managing the Anti-Spyware service on your SonicWall security appliance.

The Security Services > Anti-Spyware page is divided into three sections:

Anti-Spyware Status - displays status information on the state of the signature database and your SonicWall Anti-Spyware license.
Anti-Spyware Global Settings - provides the key settings for enabling SonicWall Anti-Spyware protection on your SonicWall security appliance, specifying global SonicWall Anti-Spyware protection based on three classes of attacks, and other configuration options.
Anti-Spyware Policies - allows you to view SonicWall Anti-Spyware signatures and configure the handling of signatures by product category groups or on a signature-by-signature basis. Product categories are signatures grouped together based on the type of attack.

After activating your Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service license, you must enable and configure SonicWall Anti-Spyware on the Security Services > Anti-Spyware page before anti-spyware prevention policies are applied to your network traffic.

Topics:

Anti-Spyware Status

Signature Database indicates whether the signature database needs to be downloaded or has been downloaded.
Signature Database Timestamp displays the last update to the SonicWall Anti-Spyware signature database, not the last update to your SonicWall security appliance.
Update button updates the database manually.
Last Checked indicates the last time the SonicWall security appliance checked the signature database for updates. The SonicWall security appliance attempts to synchronize the database automatically on startup and once every hour.
Anti-Spyware Server Expiration Date indicates the date when the SonicWall GAV service expires and, therefore, your Anti-Spyware service. If your SonicWall GAV subscription expires, the SonicWall Anti-Spyware inspection is stopped and the SonicWall Anti-Spyware configuration settings are removed from the SonicWall security appliance. These settings are restored automatically after renewing your SonicWall GAV license to the previously configured state.

The Anti-Spyware Status section displays Note: Enable the Anti-Spyware per zone from the Network > Zones page. Clicking on the Network > Zones link displays the Network > Zones page for applying SonicWall Anti-Spyware on zones.

* 
NOTE: Refer to Applying SonicWall Anti-Spyware Protection on Zones for instructions on applying SonicWall Anti-Spyware protection to zones.

Configuring Anti-Spyware Overview

To configure SonicWall Anti-Spyware to begin protecting your network, you need to perform the following steps:

1
Enable SonicWall Anti-Spyware as described in Enabling SonicWall Anti-Spyware.
2
Specify the Priority attack Groups as described in Specifying Global Attack Level Protection.
3
Apply SonicWall Anti-Spyware Protection to zones as described in Applying SonicWall Anti-Spyware Protection on Zones.

Enabling SonicWall Anti-Spyware

SonicWall Anti-Spyware must be globally enabled on your SonicWall security appliance by checking the Enable Anti-Spyware check box in the Anti-Spyware Global Settings section. A check mark in the Enable Anti-Spyware check box turns on the service on your SonicWall security appliance.

* 
NOTE: Checking the Enable Anti-Spyware check box does not automatically start SonicWall Anti-Spyware protection. You must specify an action in the Signature Groups table to activate Anti-Spyware prevention on the SonicWall security appliance, and specify the interface or zones you want to protect.

Specifying Global Attack Level Protection

SonicWall Anti-Spyware allows you to globally manage your network protection against attacks.

Topics:

Setting Global Attack Level Protection

To set global attack level protection:
1
Go to the Anti-Spyware Global Settings section of the Security Services > Anti-Spyware page.

2
For each class of spyware in the Signature Groups table, High Priority Spyware, Medium Priority Spyware, and Low Priority Spyware, select the Prevent All check boxes. Spyware belonging to the enabled group will be blocked.
* 
CAUTION: Leaving the High Priority Spyware, Medium Priority Spyware, and Low Priority Spyware signature groups with no Prevent All action checked means no Anti-Spyware blocking will occur on the SonicWall security appliance.
3
For each class of attack in the Signature Groups table, select the Detect All check boxes. Spyware belonging to the enabled group will be logged.
4
Optionally, specify the number of seconds to delay between log entries for the same detected spyware in its Log Redundancy Filter (seconds) field. The default for all classes of spyware is 0 seconds (every detected spyware is logged).
* 
TIP: Specifying a delay time reduces the number of log entries, especially for Low Priority Spyware.
5
In the Protocols table, Inbound Inspection is enabled for all protocols by default. To disable Anti-Spyware inspection of any protocol, deselect its check box.
* 
CAUTION: Disabling the Inbound Inspection of any protocol means no Anti-Spyware inspection of inbound traffic will occur for that protocol on the SonicWall security appliance.
6
If spyware has been installed on a LAN workstation prior to the SonicWall Anti-Spyware installation, the service will examine outbound traffic for streams originating at spyware-infected clients and reset those connections. The Enable Inspection of Outbound Spyware Communication option is enabled by default. To disable the option, clear its check box.
7
Click Apply at the top of the page to protect your network against the most dangerous and disruptive spyware.
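
The Log Redundancy Filter (seconds) setting in Step 4 above, and its per-category form in Configuring Categories and Configuring Products, is easy to misjudge: 0 logs every hit, while a delay collapses repeats of the same signature into one entry per window. The following is an added example, not SonicOS code; the detection events and signature IDs are constructed for the demonstration.

```python
"""Added example (not SonicOS code): a Log Redundancy Filter applied to
constructed detection events, one delay value per priority group as in the
Signature Groups table."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Detection:
    ts: float            # seconds since an arbitrary start
    signature_id: int    # constructed IDs, not real SonicWall signature IDs
    priority: str        # "High", "Medium" or "Low"
    src_ip: str


class LogRedundancyFilter:
    """Emit at most one log entry per signature within `delay` seconds.

    The delay comes from the priority group's Log Redundancy Filter (seconds)
    field; 0 (the manual's default) means every detection is logged.
    The window is keyed on the signature only, matching the manual's
    "the same detected spyware", so a second host hitting the same
    signature inside the window is also suppressed.
    """

    def __init__(self, delay_by_priority: Dict[str, float]):
        self.delay_by_priority = delay_by_priority
        self._last_logged: Dict[int, float] = {}   # signature_id -> ts of last entry

    def should_log(self, d: Detection) -> bool:
        delay = self.delay_by_priority.get(d.priority, 0)
        last = self._last_logged.get(d.signature_id)
        if last is not None and delay > 0 and d.ts - last < delay:
            return False                      # inside the redundancy window
        self._last_logged[d.signature_id] = d.ts
        return True


def run_filter(events: List[Detection], delay_by_priority: Dict[str, float]) -> List[Detection]:
    """Return the events that would reach the log, in arrival order."""
    f = LogRedundancyFilter(delay_by_priority)
    return [e for e in events if f.should_log(e)]


# Constructed sample, in timestamp order: a noisy Low priority signature (1001)
# from two hosts and a High priority signature (2001) firing twice.
SAMPLE_EVENTS = [
    Detection(0.0, 1001, "Low", "10.0.0.5"),
    Detection(10.0, 1001, "Low", "10.0.0.5"),
    Detection(15.0, 1001, "Low", "10.0.0.9"),
    Detection(20.0, 1001, "Low", "10.0.0.5"),
    Detection(20.0, 2001, "High", "10.0.0.7"),
    Detection(21.0, 2001, "High", "10.0.0.7"),
    Detection(30.0, 1001, "Low", "10.0.0.5"),
    Detection(40.0, 1001, "Low", "10.0.0.5"),
    Detection(50.0, 1001, "Low", "10.0.0.5"),
]


if __name__ == "__main__":
    for delays in ({"Low": 0, "High": 0}, {"Low": 25, "High": 0}, {"Low": 60, "High": 0}):
        logged = run_filter(SAMPLE_EVENTS, delays)
        print(delays, "->", len(logged), "log entries:", [(e.ts, e.signature_id) for e in logged])
```

With the default of 0 seconds all nine detections are logged; a 25-second Low priority delay cuts the Low signature to two entries and a 60-second delay to one, while the High priority entries are unaffected.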
Configuring SonicWall Anti-Spyware Settings

Through Anti-Spyware Settings, you can:

Set SMTP responses
Set HTTP clientless notification alerts
Specify a message to display when blocking
Create an anti-spyware exclusion list
To configure Anti-Spyware Settings:
1
In the Anti-Spyware Global Settings section, click the Configure Anti-Spyware Settings button. The Anti-Spyware Config View dialog displays.

2
SMTP allows for Address Objects to be used to construct a white-list (explicit allow) or black-list (explicit deny) of SMTP servers. Entries in this list will bypass the RBL querying procedure. When enabled, the Disable SMTP Responses setting suppresses the SMTP spam-filtering technique. By default, this setting is disabled. To suppress SMTP spam filtering, select the check box. For more information about the SMTP response, see Anti-Spam > RBL Filter.
3
The Enable HTTP Clientless Notification Alerts setting is enabled by default. When this option is enabled, requests that are blocked by the Anti-Spyware Service will be redirected to an HTTP alert for notification. To disable this setting, deselect the check box; alerts will not be generated.
4
Optionally, enter a message in the Message to Display when Blocking field. The default message is This request is blocked by the SonicWall Anti-Spyware Service.
5
If you are:
Going to enable an Anti-Spyware Exclusion list, go to Step 6.
Not going to add an Anti-Spyware Exclusion list, click the OK button. The modifications are made to the Anti-Spyware Exclusion List table and the window closes. The message, The configuration has been updated., displays in the status line.
* 
CAUTION: Any IP addresses listed in the exclusion list bypass Anti-Spyware scanning on their traffic. The Anti-Spyware Exclusion List provides the ability to define a range of IP addresses whose traffic will be excluded from SonicWall Anti-Spyware scanning. Use caution when specifying exclusions to SonicWall Anti-Spyware protection.
6
Click the Enable Anti-Spyware Exclusion List check box to enable the exclusion list feature. The radio button and Add… button for Use Address Range become active. You can do any or all of the following:
Add multiple ranges to the Anti-Spyware Exclusion List table as described in Adding a range to be excluded.
Configure or delete excluded ranges in the Anti-Spyware Exclusion List table, as described in Modifying an Anti-Spyware Exclusion List table entry
Delete excluded ranges in the Anti-Spyware Exclusion List table, as described in Deleting entries in the Anti-Spyware Exclusion List table
Select an address object to be excluded, as described in Selecting an address object to be excluded
Adding a range to be excluded
1
Click the Add… button. The Add Anti-Spyware Range Entry dialog displays.

2
Enter the IP address range in the IP Address From and IP Address To fields, then click OK. Your IP address range is added to the Anti-Spyware Exclusion List table and the window closes. The message, The configuration has been updated., displays in the status line.
3
To add other ranges to the Anti-Spyware Exclusion List table, for each range to be excluded, click the Configure Anti-Spyware Settings button and then repeat Step 1 through Step 2.
Modifying an Anti-Spyware Exclusion List table entry
1
To change an entry, in the Configure column, click the Edit icon for that entry. The Edit Anti-Spyware Range Entry dialog displays.
2
Modify either or both of the IP addresses.
3
Click OK. The modifications are made to the Anti-Spyware Exclusion List table and the dialog closes. The message, The configuration has been updated., displays in the status line.
4
To modify multiple entries, repeat Step 1 through Step 3.
Deleting entries in the Anti-Spyware Exclusion List table
1
To delete an entry from the Anti-Spyware Exclusion List table, click the Delete icon. To delete all the excluded ranges, click the Delete All button. A warning message displays, asking for confirmation of the deletion.

2
Click OK. The entry is removed from the Anti-Spyware Exclusion List table and the dialog closes.
Selecting an address object to be excluded
1
In the Anti-Spyware Exclusion List section, click the Use Address Object radio button. The drop-down menu becomes available.
2
Select an address object to be excluded or create a new one.

* 
NOTE: You can select only one address object at a time to be excluded.
3
Click OK to select the address object and exit the Anti-Spyware Config View dialog. The message, The configuration has been updated., displays in the status line.
Resetting Anti-Spyware Settings

You can reset all your Anti-Spyware Settings to factory default values by clicking the Reset Anti-Spyware Settings & Policies button. A warning message displays.

To completely remove your Anti-Spyware Settings and Policies and restore the factory default values, click OK. Otherwise, click Cancel.

Applying SonicWall Anti-Spyware Protection on Zones

You apply SonicWall Anti-Spyware protection to zones on the Network > Zones page to enforce SonicWall Anti-Spyware not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWall Anti-Spyware on the LAN zone enforces SonicWall Anti-Spyware on all incoming and outgoing LAN traffic.

To enable SonicWall Anti-Spyware protection on a zone, follow the procedure for applying SonicWall GAV protection described in Applying SonicWall GAV Protection on Zones, only in Step 3, click the Enable Anti-Spyware checkbox.

* 
NOTE: You also enable SonicWall Anti-Spyware protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone dialog, which includes the same settings as the Edit Zone dialog.

Viewing and Configuring SonicWall Anti-Spyware Policies

The Anti-Spyware Policies section allows you to view SonicWall Anti-Spyware signatures and configure the handling of signatures by category groups or on a signature-by-signature basis. Categories are signatures grouped together based on the type of attack, such as ACTIVEX or WEB-ATTACKS. All the entries displayed in the Anti-Spyware Policies table are from the SonicWall GAV signature database downloaded to your SonicWall security appliance.

* 
NOTE: Signature entries in the database change over time in response to new threats.

Topics:

Displaying Signatures

You can display the signatures in a variety of views using the View Style First Letter drop-down menu or the Lookup Signatures Containing String field:

All Signatures — Displays all the signatures in the database, in alphanumeric order, by signatures within each signature product.
Use Search String — Allows you to display signatures containing a specified string entered in the Lookup Signatures Containing String field.
0 - 9 — Displays signature names beginning with the number you select from the menu.
A - Z — Displays signature names beginning with the letter you select from the menu.

The Anti-Spyware Policies table displays this information:

# — Lists the sequential number of the signatures in this particular display.
Product — Lists the product categories in ascending alphabetic order. Reorder the categories in descending order by clicking the column heading.
Name — Displays the name of a particular Anti-Spyware signature policy. Click on the policy name to display its SonicALERT page.
ID — Displays the Signature ID of the signature.
Prevent — Displays whether Anti-Spyware prevention of the signature or signature product is enabled (), disabled (blank), or uses Global Settings (Global; set in the Signature Groups table in Anti-Spyware Global Settings section).
Detect — Displays whether Anti-Spyware detection and logging of the signature or signature product is enabled, disabled, or uses Global Settings. You can sort the table by detection.
Comments — Displays icons whenever changes have been made to:
User Settings (): inclusions and exclusions
Address Objects (): inclusions and exclusions
Schedule Settings ()
Configure — Contains a configure icon that displays the Edit Anti-Spyware Category window when clicked.
Configuring Products

By default, Products are enabled or disabled according to the Anti-Spyware Global Settings table.

To configure an individual product category:
1
Click the Configure icon in the Configure column for the Product to be configured. The Edit Anti-Spyware Category dialog displays.

2
From the Prevention drop-down menu, select Use Global Setting (default), Enable, or Disable.
* 
NOTE: For both the Prevention and Detection options, if the Global Settings have not been set in the Anti-Spyware Global Settings section, the Use Global Setting choice indicates it is (Disabled). If they have been set, the choice indicates it is (Enabled).
3
From the Detection drop-down menu, select Use Global Setting (default), Enable, or Disable.
4
Optionally, select a user or group category to be included in Anti-Spyware protection from the Included Users/Groups drop-down menu. The default is All.

5
Optionally, select a user or group category to be excluded from Anti-Spyware protection from the Excluded Users/Groups drop-down menu. The default is None.
6
Optionally, select an IP category to be included in Anti-Spyware protection from the Included IP Address Range drop-down menu. The default is All.

7
Optionally, select an IP category to be excluded from Anti-Spyware protection from the Excluded IP Address Range drop-down menu. The default is None.
8
Optionally, select the time and days Anti-Spyware protection is in force from the Schedule drop-down menu. The default is Always on.
9
Optionally, specify the duration between logging attacks with the Log Redundancy Filter (seconds) option. By default, the Use Global Settings check box is selected. To specify a different duration, deselect the Use Global Settings check box and enter the time, in seconds, in the following field.
* 
NOTE: Specifying a time reduces the number of log entries, especially for Low Priority Attacks.
10
Click OK. Changes are displayed in the Anti-Spyware Policies table.
Configuring Signatures

By default, all anti-spyware signatures are enabled or disabled according to the Anti-Spyware Global Settings table and the settings of the signature’s Product category. You can configure a particular anti-spyware signature by clicking the Configure icon in the Configure column for that anti-spyware signature. The Edit Anti-Spyware Signature dialog displays.

The options are the same as those for configuring a Product Category; follow the steps, beginning with Step 2, in Configuring Products.
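
The category and signature dialogs described in Configuring Categories and Configuring Signatures (IPS) and in Configuring Products and Configuring Signatures (Anti-Spyware) layer on top of the Signature Groups table, and the NOTE in each explains how the Use Global Setting choice is labelled. The following added example, not SonicOS code, resolves the effective Prevent/Detect outcome for one matching flow; it assumes that Use Global Setting on a signature defers to its category and on a category to the priority group, and it models the Included/Excluded IP Address Range choices as CIDR strings.

```python
"""Added example, not SonicOS code: combine the Signature Groups table, an
Edit Category dialog and an Edit Signature dialog into one effective action.
Assumption: "Use Global Setting" on a signature defers to its category, and on
a category to the group's Prevent All / Detect All boxes."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Setting(Enum):
    USE_GLOBAL = "Use Global Setting"   # the dialog default
    ENABLE = "Enable"
    DISABLE = "Disable"


@dataclass
class SignatureGroup:
    """One row of the Signature Groups table (High, Medium or Low priority)."""
    prevent_all: bool = False
    detect_all: bool = False


@dataclass
class CategoryOrSignature:
    """The part of the Edit Category / Edit Signature dialog modelled here."""
    prevention: Setting = Setting.USE_GLOBAL
    detection: Setting = Setting.USE_GLOBAL
    included_range: Optional[str] = None   # CIDR; None stands for the default "All"
    excluded_range: Optional[str] = None   # CIDR; None stands for the default "None"


def use_global_label(group: SignatureGroup, for_prevention: bool) -> str:
    """Text the dialog shows beside Use Global Setting, per the manual's NOTE."""
    on = group.prevent_all if for_prevention else group.detect_all
    return "Use Global Setting (Enabled)" if on else "Use Global Setting (Disabled)"


def _resolve(signature: Setting, category: Setting, group_on: bool) -> bool:
    # The most specific explicit choice wins; USE_GLOBAL at both levels
    # falls back to the group's check box.
    for choice in (signature, category):
        if choice is not Setting.USE_GLOBAL:
            return choice is Setting.ENABLE
    return group_on


def _in_scope(ip: ipaddress.IPv4Address, item: CategoryOrSignature) -> bool:
    # Included IP Address Range must match (All when unset); Excluded must not.
    if item.included_range and ip not in ipaddress.ip_network(item.included_range):
        return False
    if item.excluded_range and ip in ipaddress.ip_network(item.excluded_range):
        return False
    return True


def effective_action(src_ip: str, group: SignatureGroup,
                     category: CategoryOrSignature,
                     signature: CategoryOrSignature) -> Tuple[bool, bool]:
    """Return (prevent, detect) for traffic from src_ip matching the signature.
    Traffic outside both scopes is neither blocked nor logged by this signature."""
    ip = ipaddress.ip_address(src_ip)
    if not (_in_scope(ip, category) and _in_scope(ip, signature)):
        return False, False
    return (_resolve(signature.prevention, category.prevention, group.prevent_all),
            _resolve(signature.detection, category.detection, group.detect_all))


if __name__ == "__main__":
    low = SignatureGroup(prevent_all=False, detect_all=True)   # Detect All only
    cat = CategoryOrSignature(prevention=Setting.ENABLE, excluded_range="10.1.1.0/24")
    sig = CategoryOrSignature()                                  # all defaults
    print(use_global_label(low, for_prevention=True))            # (Disabled)
    print(effective_action("10.1.1.5", low, cat, sig))           # excluded -> (False, False)
    print(effective_action("10.2.0.9", low, cat, sig))           # (True, True)
```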

Configuring SonicWall Real-Time Blacklist

Security Services > RBL Filter

* 
NOTE: The Security Services > RBL Filter page has been moved to Anti-Spam > RBL Filter. Clicking Security Services > RBL Filter in the left navigation pane opens the Anti-Spam > RBL Filter page. For more information, see Anti-Spam > RBL Filter.


Configuring Geo-IP and Botnet Filters

* 
NOTE: Geo-IP and Botnet filters are supported on E-Class NSA series, NSA series, TZ 215 series, and TZ 210 series appliances.

Security Services > Geo-IP Filter

The Geo-IP Filter feature allows you to block connections to or from a geographic location. The SonicWall network security appliance uses the IP address to determine the location of the connection.

Topics:

Configuring Geo-IP Filtering

To configure Geo-IP Filtering:
1
Navigate to Security Services > Geo-IP Filter page.

2
To block connections to and from specific countries, select the Block connections to/from countries listed in the table below option. If this option is enabled, all connections to/from the selected list of countries will be blocked. You can specify an exclusion list to exclude this behavior for selected IPs, as described below in Step 8.
3
Select one of the following two modes for Geo-IP Filtering:
All Connections: All connections to and from the firewall are filtered. This option is enabled by default.
Firewall Rule-based Connections: Only connections that match an access rule configured on the firewall are filtered for blocking.
4
If you want to block all connections to public IPs when the Geo-IP database is not downloaded, select the Block all connections to public IPs if Geo-IP DB is not downloaded option.
5
To log Geo-IP Filter-related events, select Enable logging.
6
Under Countries, in the Blocked Country table, select the countries to be blocked. Clicking the checkbox at the top of the table selects all countries, and then you can select countries to be excluded from blocking by deselecting them.
7
If you want to block any countries that are not listed, select the Block ALL UNKNOWN countries option. All connections to unknown public IPs will be blocked.
8
Optionally, you can configure an exclusion list of all connections to approved IP addresses by doing one of these:
Select an existing address object or address group from the Geo-IP Exclusion Object drop-down menu.
Create a new address object or address group by selecting Create new address object… or Create new address group… from the Geo-IP Exclusion Object drop-down menu.

The Geo-IP Exclusion Object is a network address object group that specifies a group or a range of IP addresses to be excluded from the Geo-IP filter blocking. All IP addresses in the address object or group will be allowed, even if they are from a blocked country.

For example, if all IP addresses coming from Country A are set to be blocked and an IP address from Country A is detected, but it is in the Geo-IP Exclusion Object list, then traffic to and from this IP address will be allowed to pass.

For this feature to work correctly, the country database must be downloaded to the appliance. The Status indicator at the top right of the page turns yellow if this download fails. Green status indicates that the database has been successfully downloaded. Click the Status button to display more information.

For the country database to be downloaded, the appliance must be able to resolve the address, geodnsd.global.sonicwall.com.

When a user attempts to access a web page that is from a blocked country, a block page is displayed on the user’s web browser.

* 
NOTE: If a connection to a blocked country is short-lived, and the firewall does not have a cache for the IP address, then the connection may not be blocked immediately. As a result, connections to blocked countries may occasionally appear in the App Flow Monitor. However, additional connections to the same IP address will be blocked immediately.
9
Click the Accept button at the top of the page to enable your changes.
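
The steps above interact: the Blocked Country table, Block ALL UNKNOWN countries, the Block all connections to public IPs if Geo-IP DB is not downloaded option and the Geo-IP Exclusion Object each change the verdict for a connection, and the exclusion object wins over a blocked country. The following added example, not SonicOS code, plays the decision through for the All Connections mode; the country table, its RFC 5737 test prefixes and the country codes are constructed, and the order in which the options are evaluated (exclusion object first, also when the database is missing) is an assumption of the example.

```python
"""Added example, not SonicOS code: the Geo-IP Filter verdict for one connection,
following the options of Configuring Geo-IP Filtering in All Connections mode.
The country table and its two-letter codes are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Stand-in for the downloaded country database (constructed; RFC 5737 test prefixes).
SAMPLE_GEO_DB: Dict[str, str] = {
    "203.0.113.0/24": "AA",
    "198.51.100.0/24": "BB",
}

# Simplification for the example: RFC 1918, loopback and link-local count as non-public,
# because the Geo-IP options speak only of public IPs.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class GeoIPConfig:
    block_countries: bool = True            # Block connections to/from countries listed in the table
    blocked: Set[str] = field(default_factory=set)   # ticked rows of the Blocked Country table
    block_all_unknown: bool = False         # Block ALL UNKNOWN countries
    block_if_db_missing: bool = False       # Block all connections to public IPs if Geo-IP DB is not downloaded
    db_downloaded: bool = True              # the Status indicator is green
    exclusion_object: Optional[str] = None  # Geo-IP Exclusion Object, a single CIDR here


def lookup_country(ip: ipaddress.IPv4Address, db: Dict[str, str] = SAMPLE_GEO_DB) -> Optional[str]:
    for prefix, country in db.items():
        if ip in ipaddress.ip_network(prefix):
            return country
    return None   # not in the database: an "unknown" country


def geoip_verdict(ip_str: str, cfg: GeoIPConfig,
                  db: Dict[str, str] = SAMPLE_GEO_DB) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for a connection to or from ip_str."""
    ip = ipaddress.ip_address(ip_str)
    if not cfg.block_countries:
        return "allow", "country blocking is off"
    if any(ip in n for n in _NON_PUBLIC):
        return "allow", "not a public IP"
    # Assumption: the exclusion object overrides every block decision below,
    # including a blocked country, as the manual's Country A example describes.
    if cfg.exclusion_object and ip in ipaddress.ip_network(cfg.exclusion_object):
        return "allow", "in Geo-IP Exclusion Object"
    if not cfg.db_downloaded:
        if cfg.block_if_db_missing:
            return "block", "Geo-IP DB not downloaded"
        return "allow", "Geo-IP DB not downloaded, blocking not enforced"
    country = lookup_country(ip, db)
    if country is None:
        return ("block", "unknown country") if cfg.block_all_unknown else ("allow", "unknown country")
    if country in cfg.blocked:
        return "block", f"country {country} is blocked"
    return "allow", f"country {country} is not blocked"


if __name__ == "__main__":
    cfg = GeoIPConfig(blocked={"AA"}, exclusion_object="203.0.113.0/28")
    for ip in ("203.0.113.50", "203.0.113.5", "198.51.100.7", "192.0.2.1", "10.1.2.3"):
        print(ip, geoip_verdict(ip, cfg))
```

The Botnet Filter options in Configuring Botnet Filtering have the same shape (block list, exclusion object, behaviour when the database is missing), so the same decision order applies there with a server list in place of the country table.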

Customizing Web Block Page Settings

The Geo-IP Filter has a default message that is displayed when a page is blocked. You can have the message display detailed information, such as the reason why this IP address is blocked as well as the IP address and the country from which it was detected. You also can create a custom message and include a custom logo by following these steps:

1
Scroll to the Customize Web Block Page Settings section of the Security Services > Geo-IP Filter page.

2
Ensure the Include Geo-IP Filter Block Details option is selected. When enabled, this option shows block details such as reason for the block, IP address, and country. When disabled, no information is displayed.
3
Do one of the following:
To use the default message, This site has been blocked by the network administrator., click the Default Blocked Page button and then go to Step 5.
Specify a custom message to be displayed in the Geo-IP Filter Block page in the Alert text field. Your message can be up to 100 characters long.
4
Optionally, in the Base64-encoded Logo Icon field, you can specify a Base 64-encoded GIF icon to be displayed; the default is the SonicWall logo.
* 
NOTE: Ensure the icon is valid and make the size as small as possible. The recommended size is 400 x 65.
5
To see a preview of your customized message and logo (or the default message), click the Preview button. The Web Site Blocked dialog displays.

6
Close the Web Site Blocked window.
7
Click the Accept button.

Using Geo-IP Filter Diagnostics

The Security Services > Geo-IP Filter page has a Diagnostics section containing:

Show Resolved Locations

When you click on the Show Resolved Locations button, a pop-up table of resolved IP addresses displays with this information:

Index
IP Address
Country
Domain

Geo-IP Cache Statistics

The Geo-IP Cache Statistics table contains this information:

Location Server IP
Resolved Entries
Unresolved Entries
Total Entries
Location Map Count

Check GEO Location Server Lookup

The Geo-IP Filter also provides the ability to look up IP addresses to determine:

Domain name or IP address
DNS server used
The country of origin and whether it is classified as a Botnet server
* 
NOTE: The similar Botnet Location Server Lookup tool can also be accessed from the Security Services > Botnet Filter page.
To look up a GEO server:
1
Scroll to the Check GEO Location Server Lookup section at the bottom of the Security Services > Geo-IP Filter page.

2
Enter the IP address in the Lookup IP field.
3
Click Go. Details on the IP address are displayed below the Result heading.

Security Services > Botnet Filter

The Security Services > Botnet Filter feature allows you to block connections to or from Botnet command and control servers.

Topics:

Configuring Botnet Filtering

To configure Botnet Filtering:
1
Navigate to the Security Services > Botnet Filter page.

2
To block all servers that are designated as Botnet command and control servers, select the Block connections to/from Botnet Command and Control Servers option. All connection attempts to/from Botnet command and control servers will be blocked. To exclude selected IPs from this blocking behavior, use exclusion lists as described in the following steps.
3
Select one of the following two modes for Botnet Filtering:
All Connections: All connections to and from the firewall are filtered. This is the default Botnet block mode.
Firewall Rule-based Connections: Only connections that match an access rule configured on the firewall are filtered for blocking.
4
If you want to block all connections to public IPs when the Botnet database is not downloaded, select the Block all connections to public IPs if BOTNET DB is not downloaded.
5
Select Enable logging to log Botnet Filter-related events.
6
Optionally, you can configure an exclusion list of all IPs belonging to the configured address object/address group. All IPs belonging to the list will be excluded from being blocked. To enable an exclusion list, select an address object or address group from the Botnet Exclusion Object drop-down menu.

7
Click the Accept button at the top of the page to enable your changes.

Customizing Web Block Page Settings

The Botnet Filter has a default message that is displayed when a page is blocked. You can create a custom message and include a custom logo by following these steps:

1. Scroll to the Customize Web Block Page Settings section of the Security Services > Botnet Filter page.

2. Ensure the Include Botnet Filter Block Details option is selected. When enabled, this option shows block details such as the reason for the block, the IP address, and the country. When disabled, this option hides all of that information.

3. Specify a custom message to be displayed in the Botnet Filter Block page in the Alert text field. Your message can be up to 100 characters long. The default message is This site has been blocked by the network administrator.

4. Optionally, in the Base64-encoded Logo Icon field, you can specify a Base64-encoded GIF icon to be displayed as well.

NOTE: Ensure the icon is valid and make the size as small as possible. The recommended size is 400 x 65.

5. To see a preview of your customized message and logo, click the Preview button. The Web Site Blocked dialog displays.

NOTE: To use the default message, click the Default Blocked Page button.

6. Close the Web Site Blocked window.

7. Click the Accept button.
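Before pasting a logo into the Base64-encoded Logo Icon field (on either the Geo-IP Filter or the Botnet Filter block page), it is worth checking offline that the value really is valid Base64, that it decodes to a GIF, that it is at the recommended 400 x 65, and that the Alert text fits the 100-character limit. The Python below is an added example, not SonicOS or SonicWall code; the GIF it constructs is test data, not a real logo.

```python
import base64
import binascii
import struct

MAX_ALERT_LEN = 100           # the guide: alert text may be up to 100 characters
RECOMMENDED_SIZE = (400, 65)  # the guide: recommended logo size in pixels (width x height)


def gif_dimensions(data: bytes):
    """Return (width, height) from the GIF logical screen descriptor, or None if not a GIF."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])  # little-endian 16-bit width, then height


def check_logo(field_value: str):
    """Decode what would be pasted into the Base64-encoded Logo Icon field; return a list of problems."""
    try:
        data = base64.b64decode(field_value, validate=True)
    except (binascii.Error, ValueError):
        return ["field is not valid Base64"]
    dims = gif_dimensions(data)
    if dims is None:
        return ["decoded data is not a GIF (expected GIF87a/GIF89a header)"]
    width, height = dims
    if (width, height) != RECOMMENDED_SIZE:
        return [f"logo is {width}x{height}; recommended size is 400x65"]
    return []


def check_alert_text(text: str):
    """Enforce the 100-character limit on the Alert text field."""
    if len(text) > MAX_ALERT_LEN:
        return [f"alert text is {len(text)} characters; maximum is {MAX_ALERT_LEN}"]
    return []


def encode_logo(data: bytes) -> str:
    """Produce the Base64 string to paste into the field."""
    return base64.b64encode(data).decode("ascii")


def minimal_gif(width: int, height: int) -> bytes:
    """Constructed sample: a black 1-pixel GIF89a whose logical screen is width x height (test data only)."""
    header = b"GIF89a" + struct.pack("<HH", width, height) + bytes([0x80, 0x00, 0x00])  # 2-colour global table
    palette = bytes([0, 0, 0, 255, 255, 255])
    descriptor = b"," + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"  # one 1x1 image at (0,0)
    pixels = bytes([0x02, 0x02, 0x44, 0x01, 0x00])  # LZW min code size 2: clear, colour 0, end-of-information
    return header + palette + descriptor + pixels + b";"
```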

Using Botnet Filter Diagnostics

The Security Services > Botnet Filter page has a Diagnostics section containing:

Show Resolved Locations

When you click on the Show Resolved Locations button, a table of resolved IP addresses displays with this information:

Index
IP Address
Is Botnet? (whether the location is a Botnet command and control server)
Domain

Botnet Cache Statistics

The Botnet Cache Statistics table contains this information:

Location Server IP
Resolved Entries
Unresolved Entries
Total Entries
Location Map Count

Check BOTNET Server Lookup

The Botnet Filter also provides the ability to look up IP addresses to determine:

Domain name or IP address
DNS Server used
Country of origin and whether the server is classified as a Botnet server
NOTE: The Botnet Server Lookup tool can also be accessed from the System > Diagnostics page.

To look up a Botnet server:

1. Scroll to the Check BOTNET Server Lookup section at the bottom of the Security Services > Botnet Filter page.

2. Enter the IP address in the Lookup IP field.

3. Click Go. Details on the IP address are displayed below the Result heading.

NOTE: If you believe that a certain address is marked as a Botnet server incorrectly, or if you believe an address should be marked as a Botnet server, report this issue at the SonicWall Botnet IP Status Lookup tool by either clicking on the link in the Note at the bottom of the Security Services > Botnet Filter page or going to: http://botnet.global.sonicwall.com/.