How to Configure CFS with App Rules

03/26/2020 47 14952

DESCRIPTION:
How to Configure CFS with App Rules

RESOLUTION:

NOTE:  CFS 4.0 does not allow usage of CFS Via App rules. This article applies only to CFS 3.0

1.  Navigate to the Security Services | Content Filter.

2.  Change CFS Policy Assignment to Via App Rules and click on Accept to save the change.
3.  Click on Configure under Content Filter Service



4.  Under the CFS tab, enable the check boxes under Enable HTTPS Content Filtering and Enable CFS Server Failover.
 Note: If DPI-SSL Client Inspection is enabled with Content Filter, Enable HTTPS Content Filtering must be unchecked.
5.  Click on OK



6.  Navigate to the Users | Settings 

This SonicWall has been set up for LDAP and SSO authentication. For a KB article on how to configure LDAP and SSO Authentication, read the sections on LDAP and SSO in Using Multiple Custom content Filter policies with LDAP and SSO to restrict Internet access (CFS + LDAP + SSO)

7.  Go to the Users | Local Groups

Shown here are two user groups imported from LDAP, Teachers Group and Students Group. 


For this KB article, we use the following scenario:

• Create Two CFS Rules - Teachers and Students .
  
• The Teachers Policy must be the least restrictive with only a few categories blocked.
• The Students Policy must have all categories blocked except Education and Email.
  
  Note:  The default action will be to provide all machines with the Students policy unless a teacher is logged in. 
  Technically, the Students group is not required to be imported to the firewall in this scenario.

8.  Create Student List Match Object
 

Click on Add New Match Object again Let's call this Students List Set Match Object Type as CFS Category List Enable the check box Select All Categories and uncheck Education and Email Click on OK to save

9.  Create Teachers List Match Object

Click on Add New Match Object again Let's call this Teachers List In the CFS Category List check categories 1 to 12 and then categories 48 and 58.  Click on OK to save.

Let us now create Match Objects for the Allowed and Forbidden domains.

10.  Create Students Allowed Domains

Click on Add New Match Object Under Name, enter Students - Allowed Domains. Set Match Object Type to CFS Allow/Forbidden List. Under  Content, enter google.com and click on Add. Click on OK to save.

11.  Create Students Allowed Domains
 

Click on Add New Match Object Under Name, enter Teachers - Allowed Domains. Under Match Object Type, select CFS Allow/Forbidden List. Set Match Type to Partial Match Under Content, enter youtube.com and click on Add. Enter ytimg.com and click on Add. Click on OK to save.

12. Create a Match Object to block a website for both user groups.

Click on Add New Match Object Under Name, enter All - Blocked Domains. Set Match Object Type to CFS Allow/Forbidden List. Under Content, enter microsoft.com,ecomm.co.uk and wellsfargo.com and click on Add after each Click on OK to save.

Create App Rules policies

13.  Create Students Policy
 

Click on Add New Policy Under Policy Name, enter Students Policy Set Policy Type to CFS Under Match Object, select Students List. Set Action Object to CFS Block Page. Under Users/Groups, select Any under Included. Under Users/Groups select Teachers-Group under Excluded Set the Zone field to Any.  Note: CFS using App Rules is not required to be enabled on the zones page because the zone can be selected here under the Zone field. Under CFS Allow/Excluded List, select Students - Allowed Domains Under CFS Forbidden/Included List, select All - Blocked Domains Leave the remaining options as it is and click on OK to create this policy

14.  Create Teachers Policy
 

Now let's create another Policy Under Policy Name, enter Teachers Policy Set Policy Type to CFS Under Match Object, select Teachers List Set Action Object as CFS Block Page Under Users/Groups, select Teachers Group Under CFS Allow/Excluded List, select Teachers - Allowed Domains Under CFS Forbidden/Included List, select All - Blocked Domains

This concludes the configuration of CFS using App Rules.

Test the configuration

Login to a host as a user in the Teachers group.

• Try to access a website under a category allowed for this user, like com
• Try to access a website in the Social Networking category, which is blocked for this user, like facebook.com.
  
• Try to access the sites under the Forbidden List, microsoft.com, ecomm.co.uk, wellsfargo.com

Login to a host as a user in the Students group.

• Try to access a website under Education category which is allowed for this user, like stanford.edu.
• Try to access a website in the Social Networking category, like facebook.com, which is blocked for this user,
  
• Try to access the sites under the Forbidden List, microsoft.com, ecomm.co.uk, wellsfargo.com

When accessing a website over HTTPS, CFS will block it but will not display a block page, unless DPI-SSL Client Inspection is enabled.