How to Configure CFS with App Rules
03/26/2020
DESCRIPTION:
How to Configure CFS with App Rules
RESOLUTION:
NOTE: CFS 4.0 does not allow usage of CFS Via App rules. This article applies only to CFS 3.0
1. Navigate to Security Services | Content Filter.
2. Change CFS Policy Assignment to Via App Rules and click on Accept to save the change.
3. Click on Configure under Content Filter Service.

4. Under the CFS tab, enable the check boxes under Enable HTTPS Content Filtering and Enable CFS Server Failover.
Note: If DPI-SSL Client Inspection is enabled with Content Filter, Enable HTTPS Content Filtering must be unchecked.
5. Click on OK

6. Navigate to Users | Settings.
This SonicWall has been set up for LDAP and SSO authentication. For a KB article on how to configure LDAP and SSO Authentication, read the sections on LDAP and SSO in Using Multiple Custom content Filter policies with LDAP and SSO to restrict Internet access (CFS + LDAP + SSO)

7. Go to Users | Local Groups.
Shown here are two user groups imported from LDAP, Teachers Group and Students Group.

For this KB article, we use the following scenario:
- Create two CFS rules - Teachers and Students.
- The Teachers Policy must be the least restrictive with only a few categories blocked.
- The Students Policy must have all categories blocked except Education and Email.
Note: The default action will be to provide all machines with the Students policy unless a teacher is logged in.
Technically, the Students group is not required to be imported to the firewall in this scenario.
8. Create Student List Match Object
- Click on Add New Match Object again
- Let's call this Students List
- Set Match Object Type as CFS Category List
- Enable the check box Select All Categories and uncheck Education and Email
- Click on OK to save
9. Create Teachers List Match Object
- Click on Add New Match Object again
- Let's call this Teachers List
- In the CFS Category List check categories 1 to 12 and then categories 48 and 58.
- Click on OK to save.
Let us now create Match Objects for the Allowed and Forbidden domains.
10. Create Students Allowed Domains
- Click on Add New Match Object
- Under Name, enter Students - Allowed Domains.
- Set Match Object Type to CFS Allow/Forbidden List.
- Under Content, enter google.com and click on Add.
- Click on OK to save.
11. Create Teachers Allowed Domains
- Click on Add New Match Object
- Under Name, enter Teachers - Allowed Domains.
- Under Match Object Type, select CFS Allow/Forbidden List.
- Set Match Type to Partial Match
- Under Content, enter youtube.com and click on Add.
- Enter ytimg.com and click on Add.
- Click on OK to save.
12. Create a Match Object to block a website for both user groups.
- Click on Add New Match Object
- Under Name, enter All - Blocked Domains.
- Set Match Object Type to CFS Allow/Forbidden List.
- Under Content, enter microsoft.com, ecomm.co.uk and wellsfargo.com, and click on Add after each.
- Click on OK to save.
Create App Rules policies
13. Create Students Policy
- Click on Add New Policy
- Under Policy Name, enter Students Policy
- Set Policy Type to CFS
- Under Match Object, select Students List.
- Set Action Object to CFS Block Page.
- Under Users/Groups, select Any under Included.
- Under Users/Groups select Teachers-Group under Excluded
- Set the Zone field to Any. Note: CFS using App Rules is not required to be enabled on the zones page because the zone can be selected here under the Zone field.
- Under CFS Allow/Excluded List, select Students - Allowed Domains
- Under CFS Forbidden/Included List, select All - Blocked Domains
Leave the remaining options as they are and click on OK to create this policy.
14. Create Teachers Policy
- Now let's create another Policy
- Under Policy Name, enter Teachers Policy
- Set Policy Type to CFS
- Under Match Object, select Teachers List
- Set Action Object as CFS Block Page
- Under Users/Groups, select Teachers Group
- Under CFS Allow/Excluded List, select Teachers - Allowed Domains
- Under CFS Forbidden/Included List, select All - Blocked Domains
This concludes the configuration of CFS using App Rules.
Test the configuration
Log in to a host as a user in the Teachers group.
- Try to access a website under a category allowed for this user, like com
- Try to access a website in the Social Networking category, which is blocked for this user, like facebook.com.
- Try to access the sites under the Forbidden List, microsoft.com, ecomm.co.uk, wellsfargo.com
Log in to a host as a user in the Students group.
- Try to access a website under Education category which is allowed for this user, like stanford.edu.
- Try to access a website in the Social Networking category, like facebook.com, which is blocked for this user.
- Try to access the sites under the Forbidden List, microsoft.com, ecomm.co.uk, wellsfargo.com
When accessing a website over HTTPS, CFS will block it but will not display a block page, unless DPI-SSL Client Inspection is enabled.
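The expected outcome of each test step above can be written down before testing and compared with what the firewall actually does. The following is an added example, not SonicWall code or part of the original article: a simplified Python model of the two policies. It assumes list entries match as substrings of the host name, that the Forbidden list is checked before the Allow list, and that the `Sample-*` category labels are constructed; the Teachers List is reduced to Social Networking, the only blocked category the article names.

```python
# Simplified model of the Students and Teachers App Rules policies (added example).
# Assumptions: substring matching for list entries, Forbidden list evaluated
# before the Allow list, and constructed "Sample-*" category labels.

FORBIDDEN = ("microsoft.com", "ecomm.co.uk", "wellsfargo.com")  # All - Blocked Domains

POLICIES = {
    "Students Policy": {
        "allowed": ("google.com",),               # Students - Allowed Domains
        "forbidden": FORBIDDEN,
        # Students List: every category blocked except Education and Email
        "blocks": lambda cat: cat not in {"Education", "Email"},
    },
    "Teachers Policy": {
        "allowed": ("youtube.com", "ytimg.com"),  # Teachers - Allowed Domains
        "forbidden": FORBIDDEN,
        # The article gives the Teachers List by number (1 to 12, 48, 58);
        # only the category it names as blocked for teachers is modelled.
        "blocks": lambda cat: cat in {"Social Networking"},
    },
}

def select_policy(groups):
    """Students Policy includes Any and excludes the teachers group, so it is
    the default for every user, logged in or not, who is not a teacher."""
    return "Teachers Policy" if "Teachers Group" in groups else "Students Policy"

def verdict(groups, host, category):
    """Return 'allow' or 'block' for one request under the modelled policies."""
    policy = POLICIES[select_policy(groups)]
    host = host.lower().rstrip(".")
    if any(entry in host for entry in policy["forbidden"]):
        return "block"
    if any(entry in host for entry in policy["allowed"]):
        return "allow"
    return "block" if policy["blocks"](category) else "allow"

# Constructed test matrix: (user groups, host, category label assumed for the host)
CASES = [
    ({"Teachers Group"}, "www.facebook.com", "Social Networking"),
    ({"Teachers Group"}, "i.ytimg.com", "Sample-Video"),
    ({"Teachers Group"}, "www.microsoft.com", "Sample-Business"),
    ({"Students Group"}, "www.stanford.edu", "Education"),
    ({"Students Group"}, "www.google.com", "Sample-Search"),
    (set(), "www.youtube.com", "Sample-Video"),  # no user logged in
]

def expected_results():
    return [(sorted(g), h, verdict(g, h, c)) for g, h, c in CASES]
```

The last case shows the default described in the scenario: a machine with no teacher logged in receives the Students policy, so the Teachers allowed domains do not apply to it.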