Content Filtering Service (CFS) 4.0 Overview
12/06/2018 1995 25128
Starting with Sonic OS 6.2.6 SonicWall firewalls introduce Content Filtering Service 4.0. In this new version CFS is optimized and enhanced by including framework and workflow redesign, UI ease of use, improved filtering options, handling smaller packet sizes, etc.
This article describes all aspects of configuring Content Filtering Service 4.0.
Content Filter page
On the Manage > Security Configuration > Security Services > Content Filter page, users are given a choice to select the Content Filter type between SonicWall CFS and Websense Enterprise. By default the type is SonicWall CFS.
Unlike previous CFS versions CFS4.0 is implemented by CFS Policies. Hence the options in SonicWall Filter Properties window are moved to Content Filter page and optimized under Global Settings section. The option Enable Content Filtering Service is added to enable/disable CFS globally.
To make the configurations reusable and easy to manage, three objects are introduced in CFS. They are URI List Objects, CFS Action Objects and CFS Profile Objects. You can navigate to Manage > Policies > Objects > Content Filter Objects page to configure them.
URI List Objects
With this object, users can add the domains, URIs into the list, and set this list as custom Allowed or Forbidden. The lists will have higher priority than the category. CFS will check the lists before checking for the category for an URI. And wildcard character "*" is supported in the URI string, for instance *.google.com.
The URL List Object will be used by a CFS Profile Object.
CFS Action Objects
This object defines how CFS will deal with the packet after it is filtered.
Wipe Cookies: The cookies inside the HTTP request will the removed to protect privacy.
Note: If Wipe Cookies is enabled, it may break the Safe Search Enforcement function for some search engines.
There are five actions supported in CFS:
Block: Users can define the blocking page to display if the connection is blocked.
Passphrase: Users can define the passphrase page to display and the password needed before continue.
Confirm: Users can define the confirm page to display.
BWM: Users can configure "Bandwidth Aggregation Method" as Per Policy or Per Action. Users can also configure the detailed BWM status and objects for "Egress Bandwidth Management" and "Ingress Bandwidth Management".
Threat API: Shows Threat API Block page message.
The Action Objects will be used by CFS Policy.
CFS Profile Objects
CFS Profile Object defines what kind of operation will be triggered for each HTTP/HTTPS connections and will be used by CFS Policy.
URI List Searching Order: When searching the URL inside Allowed/Forbidden URL lists, we will start the searching from which one.
Category Configuration: For each category, users can define the operation for it if the URI is belonged to the category. By default, the operation for category 1 ~ 12 is blocked, the operation for other categories is allowed.
Enable Smart Filtering for Embedded URI: Google Translate https://translate.google.com provides the capability to translate one site from one language to another. Because the website to be translated is embedded inside Google Translate URI, user can bypass CFS with it. With this new feature, if users want CFS to detect the embedded URI inside Google Translate, users can enable this option and then the embedded URI will be filtered.
Enable Safe Search enforcement: When searching from these websites www.google.com, www.yahoo.com, www.bing.com, www.dogpile.com, www.lycos.com, www.ask.com, Safe Search will be turned on.
Enable YouTube Restrict Mode: When accessing to YouTube, student can only view the video predefined by the school administrator. If enabling this option, user will need to provide a valid school ID.
Note: All these options only support for the HTTP request. For the HTTPS request, DPI-SSL needs to be used cooperatively.
Users are able to define matching conditions to hit a CFS Policy: Enabled, Source Zone, Destination Zone, Address Object, Users/Groups, Schedule, CFS Profile, and CFS Action.
If a packet is detected and all these conditions are matched, it will be filtered by the corresponding CFS Profile. Then the CFS Action will be invoked after filtering.
There is priority for each CFS Policy. The matched CFS Policy with higher priority will always be checked earlier.
CFS Customer Category
Users can customize the ratings for certain URI. When CFS checks the ratings for one URI, it will check the user ratings first, then check for the ratings from backend. When users try to add/edit a custom category, they will need to input a valid URI, and select up to 4 kinds of categories for this URI.
Comparing with the previous version, CFS 4.0 separates the websense configuration from SonicWall CFS. This is to avoid confusion between the two Content Filter Types.
- An option added to enable/disable CFS globally.
- Define URI List object, Profile object and Action object, which can be reused in multiple policies.
- Merge via Zones mode and via App Rules mode into one.
- Support wildcard "*" matching for URI List.
- Introduce Passphrase and Confirm operations in CFS action object.
- Support more commands in html page editing, which including GET, HEAD, POST, PUT, CONNECT, OPTIONS, DELETE, REPORT, COPY and MOVE.
- Support BWM.
- Consent feature is per policy.