How to configure CFS (content filtering service) on NSSP 13700?
07/12/2021
SonicWall CFS compares requested websites against a massive database in the cloud containing millions of rated URLs, IP addresses, and websites. It provides administrators with the tools to create and apply policies that allow or deny access to sites based on individual or group identity, or by the time of day, for over 50 pre-defined categories.
NOTE: During the initial release, NSSP 13700 only supports Global mode and not Policy mode.
Let us discuss the various components of CFS:
Content Filtering type:
Navigate to Policy|Security Services|Content Filter, where users can select the content filter type: SonicWall CFS or Websense Enterprise.
By default, the type is SonicWall CFS.
Websense configuration can be done under the Policy|Security Services|Content Filter with content filter type as Websense Enterprise.
You need to specify the IP address or domain name of the Websense server, along with the port number, to connect to it.
Here we have the option to enable or disable Content Filtering Services globally.
Under CFS exclusion, we can exclude the administrator from the Content Filtering Policies, and we can use address objects of the IP addresses for the exclusion.
With the Administrator excluded, if a machine is accessing the firewall UI using a SonicWall administrator account, that machine will be bypassed completely from CFS.
CFS custom Category:
Navigate to Policy|Security Services|Content Filter page and you can Enable CFS custom Category.
In this section, users can add custom categories and customize the ratings for a certain URI. When CFS checks the ratings for a URI, it checks the user ratings first, then the ratings from the backend. When users add or edit a custom category, they need to enter a valid URI and select up to 4 categories for it.
CFS URI Lists:
Navigate to Objects|Match objects|URI Lists to configure CFS URI list objects. Domains and URLs can be added to a list, and the list can then be set as a custom Allowed or Forbidden list.
URI lists can also be grouped together. A URI list has higher priority than the CFS category: CFS checks the list before checking the category for a URI.
The wildcard character “*” is supported in the URI string, for instance *.yahoo.com.
The URI list object will be used in the CFS Profile objects under Content Filter.
You can add a domain, URI or keyword type of list. After adding the entries, click Save to save the list.
Navigate to Object|Profile Objects|Content Filter for the CFS default profile.
CFS Profile object defines the type of operation which will be triggered for each HTTP/HTTPS connection and this same profile will be used in the CFS policy.
URI list Configuration:
Allowed URI List and Forbidden URI List can be selected according to the URI list objects created. You can also set which of the two lists is searched first when a URL is looked up in the Allowed/Forbidden URL lists.
For each category, users can define the operation to apply if the URI belongs to that category. By default, the operation for categories 1 ~ 12 is blocked, and the operation for other categories is allowed.
The CFS profile object has multiple advanced options, which include:
Enable HTTPS Content Filtering: Please make sure that this option is enabled so that the necessary action can be taken even for HTTPS websites. This option is disabled by default.
Enable Smart Filtering for Embedded URI: Google Translate (https://translate.google.com) can translate a site from one language to another. Because the website to be translated is embedded inside the Google Translate URI, a user can bypass CFS with it. If you want CFS to detect the embedded URI inside Google Translate, enable this option and the embedded URI will be filtered.
Enable Safe Search enforcement: When searching from these websites, Safe Search will be turned on: www.google.com, www.yahoo.com, www.bing.com, www.dogpile.com, www.lycos.com, www.ask.com.
Enable YouTube Restrict Mode: When accessing YouTube, students can only view the videos predefined by the school administrator. To enable this option, the user needs to provide a valid school ID.
NOTE: The last three options are only supported for HTTP requests. For HTTPS requests, DPI-SSL needs to be used alongside them.
We can also define the Web usage content under Consent in CFS profile Objects.
CFS Action Objects:
Navigate to Object|Action objects|Content Filter Actions to define how CFS deals with the packet after it is filtered.
There are four actions supported in CFS:
Block: Users can define the blocking page to display if the connection is blocked.
Passphrase: Users can define the passphrase page to display and the password needed before continuing.
Confirm: Users can define the confirm page to display.
BWM: Users can configure Bandwidth Aggregation Method as Per Policy or Per Action. Users can also configure the detailed BWM status and objects for Egress Bandwidth Management and Ingress Bandwidth Management.
TIP: The Action Objects will be used by the CFS Policy.
Content Filter Policies:
Navigate to Policy|Rules and Policies|Content Filter Rules and add the CFS policies with the specific URI list objects and action objects.
By default, a CFS default policy exists with the CFS default profile and CFS default action. Users can either edit the existing policy or add a new policy.
Users can define matching conditions to hit a CFS Policy: Enabled, Source Zone, Destination Zone, Address Object, Users/Groups, Schedule, CFS Profile, and CFS Action.
If a packet is detected and all these conditions are matched, it will be filtered by the corresponding CFS Profile. Then the CFS Action will be invoked after filtering.
There is a priority for each CFS Policy. The matched CFS Policy with higher priority will always be applied first.
Any new policy created is added here with the least priority. The arrows on the CFS policy can be used to alter the priority. The lower the number, the higher the priority.
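To reason about why a given site ends up allowed or blocked, the lookup order described above (policy priority, then URI lists, then custom ratings before backend ratings, then the per-category operation) can be modelled as follows. This is an added example, not SonicWall code: the dictionary keys, sample hosts and category numbers are constructed, and the wildcard matching and "any blocked category blocks" rule are assumptions.

```python
from fnmatch import fnmatch

# Constructed model of the lookup order the article describes; not SonicWall code.
BLOCKED_BY_DEFAULT = set(range(1, 13))  # article: categories 1 ~ 12 are blocked by default
MAX_CUSTOM_CATEGORIES = 4               # article: up to 4 categories per custom URI

def in_list(host, patterns):
    # Assumption: "*" behaves like a shell-style wildcard, e.g. *.yahoo.com
    return any(fnmatch(host.lower(), p.lower()) for p in patterns)

def rate(host, custom_ratings, backend_ratings):
    """User (custom) ratings are checked first, then the backend ratings."""
    cats = custom_ratings.get(host)
    if cats is None:
        return backend_ratings.get(host, [])
    if len(cats) > MAX_CUSTOM_CATEGORIES:
        raise ValueError("a custom URI can carry at most 4 categories")
    return cats

def filter_host(host, profile, custom_ratings, backend_ratings):
    """Return (verdict, reason) for one request under one CFS profile."""
    lists = [("allowed", profile["allowed"]), ("forbidden", profile["forbidden"])]
    if profile.get("search_first") == "forbidden":
        lists.reverse()
    for name, patterns in lists:  # URI lists outrank category ratings
        if in_list(host, patterns):
            return ("allow" if name == "allowed" else "block", f"{name} URI list")
    blocked = profile.get("blocked_categories", BLOCKED_BY_DEFAULT)
    # Assumption: one blocked category is enough to block the request.
    for cat in rate(host, custom_ratings, backend_ratings):
        if cat in blocked:
            return ("block", f"category {cat}")
    return ("allow", "no blocked category")

def pick_policy(policies, request):
    """Lowest priority number wins among enabled policies whose conditions match."""
    for pol in sorted(policies, key=lambda p: p["priority"]):
        if pol["enabled"] and all(request.get(k) == v for k, v in pol["match"].items()):
            return pol
    return None

# Constructed sample data (hypothetical hosts, category numbers and policy names)
PROFILE = {"allowed": ["*.yahoo.com"], "forbidden": ["*.example.net"], "search_first": "allowed"}
CUSTOM = {"intranet.example.org": [5]}
BACKEND = {"intranet.example.org": [30], "news.example.com": [30], "mail.yahoo.com": [3]}
POLICIES = [
    {"name": "students", "priority": 2, "enabled": True, "match": {"source_zone": "LAN"}},
    {"name": "staff", "priority": 1, "enabled": True, "match": {"source_zone": "LAN", "user_group": "staff"}},
]
```

In the sample data, mail.yahoo.com is allowed by the URI list even though its backend rating falls in a blocked category, which is the practical consequence of lists being checked before categories: an overly broad wildcard in an Allowed list silently overrides category blocking.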