Steps taken by CFS engine for web traffic

Description


The SonicWall Content Filtering Service (CFS) delivers content filtering enforcement for educational institutions, businesses, libraries, and government agencies. With Content Filter policies and objects, you can control the websites students and employees can access using their IT-issued computers while behind the organization’s firewall.

To be able to configure it right and understand the best way to set it up, the flow of events taking place within CFS engine is essential.

Resolution

CFS must be licensed and enabled before you can use it.

An outline of how CFS works is as follows:

  1. A packet arrives and is examined by CFS.
  2. CFS checks it against the CFS Exclusion addresses configured on the MANAGE | Security Services | Content Filter page and allows it through if a match is found, meaning that the source/destination address is excluded from content filtering.Image
  3. CFS checks its policies to find the first policy that matches these conditions in the packet:

    Source zone
    Destination zone
     Included Source Address object/group, but not matching the Excluded Source Address object/group
    Included User/Group, but not matching the Excluded User/Group
    Schedule
    Enabled state

    The CFS policies are arranged based on priority. Once a policy matches, all subsequent policies are not checked.Image

  4. Once the matching policy is found, it checks if the URL requested is already in the allowed or forbidden URL list/group for that policy and takes the necessary action. The order in which the lists are checked is also configurable on the CFS profile itself.ImageImageImage

  5. It checks if the URL is added to any custom category on the firewall and takes action for that category based on the profile.Image

  6. If it is in neither of them, it determines the category of the website by contacting the CFS web server and takes the action listed for that specific category. Also, if a URL belongs to multiple categories and even one of them is allowed, the website will be allowed.Image

    NOTE: If no policy is matched, the packet is passed through without any action by CFS.


  7. CFS uses the CFS Profile defined in the matching policy to do the filtering and returns the corresponding action for this packet.
  8. CFS performs the action defined in the CFS Action Object for the matching policy.

Related Articles

  • How to block ICMP (Ping ) using Application control
    Read More
  • SonicWall GEN8 TZ and NSa Firewalls FAQ
    Read More
  • How to configure Link Aggregation
    Read More

Categories

Firewalls
NSa Series
Firewalls
SonicWall NSA Series
Firewalls
TZ Series
not finding your answers?
Ask the Community