This article answers and explains how CFS works and why it cannot block connections already established.
Scenario: You apply a CFS policy based on a schedule to allow access to Facebook during lunch time but you cannot block the already established connection to Facebook after the scheduled time has ended.
CFS blocks only new connections being established. Therefore it cannot block already established connections. When your user has a connection to Facebook established already it will not time out on it's own because Facebook refreshes itself every few seconds to keep the page alive. So the connections does not end unless the end user closes the web page or you manually delete the connection under the connections Monitor:
You could also apply App Control through an App Rule with a Schedule that blocks Facebook starting at the same time that the restrictive CFS policy starts being applied. This will work for Facebook as there is a Signature for Facebook inside App Control. But will not work for all other pages that refresh themselves and that does not have a signature on App Control.