How to Configure CFS with App Rules

03/26/2020 61 People found this article helpful 487,001 Views

Description

Resolution

NOTE: CFS 4.0 does not allow usage of CFS Via App rules. This article applies only to CFS 3.0

1. Navigate to the Security Services | Content Filter.

2. Change CFS Policy Assignment to Via App Rules and click on Accept to save the change.
3. Click on Configure under Content Filter Service

4. Under the CFS tab, enable the check boxes under Enable HTTPS Content Filtering and Enable CFS Server Failover.
Note: If DPI-SSL Client Inspection is enabled with Content Filter, Enable HTTPS Content Filtering must be unchecked.
5. Click on OK

6. Navigate to the Users | Settings

This SonicWall has been set up for LDAP and SSO authentication. For a KB article on how to configure LDAP and SSO Authentication, read the sections on LDAP and SSO in Using Multiple Custom content Filter policies with LDAP and SSO to restrict Internet access (CFS + LDAP + SSO)

imported from LDAP, Teachers Group and Students Group.
For this KB article, we use the following scenario:

Create Two CFS Rules - Teachers and Students .
The Teachers Policy must be the least restrictive with only a few categories blocked.
The Students Policy must have all categories blocked except Education and Email.

Note: The default action will be to provide all machines with the Students policy unless a teacher is logged in.
Technically, the Students group is not required to be imported to the firewall in this scenario.

8. Create Student List Match Object

Click on Add New Match Object again
Let's call this Students List
Set Match Object Type as CFS Category List
Enable the check box Select All Categories and uncheck Education and Email
Click on OK to save

Click on Add New Match Object again
Let's call this Teachers List
In the CFS Category List check categories 1 to 12 and then categories 48 and 58.
Click on OK to save.

Let us now create Match Objects for the Allowed and Forbidden domains.

10. Create Students Allowed Domains

Click on Add New Match Object
Under Name, enter Students - Allowed Domains.
Set Match Object Type to CFS Allow/Forbidden List.
Under Content, enter google.com and click on Add.
Click on OK to save.

11. Create Students Allowed Domains

Click on Add New Match Object
Under Name, enter Teachers - Allowed Domains.
Under Match Object Type, select CFS Allow/Forbidden List.
Set Match Type to Partial Match
Under Content, enter youtube.com and click on Add.
Enter ytimg.com and click on Add.
Click on OK to save.

Match Object to block a website for both user groups.

Click on Add New Match Object
Under Name, enter All - Blocked Domains.
Set Match Object Type to CFS Allow/Forbidden List.
Under Content, enter microsoft.com,ecomm.co.uk and wellsfargo.com and click on Add after each
Click on OK to save.

Create App Rules policies

13. Create Students Policy

Click on Add New Policy
Under Policy Name, enter Students Policy
Set Policy Type to CFS
Under Match Object, select Students List.
Set Action Object to CFS Block Page.
Under Users/Groups, select Any under Included.
Under Users/Groups select Teachers-Group under Excluded
Set the Zone field to Any. Note: CFS using App Rules is not required to be enabled on the zones page because the zone can be selected here under the Zone field.
Under CFS Allow/Excluded List, select Students - Allowed Domains
Under CFS Forbidden/Included List, select All - Blocked Domains

Leave the remaining options as it is and click on OK to create this policy

14. Create Teachers Policy

Now let's create another Policy
Under Policy Name, enter Teachers Policy
Set Policy Type to CFS
Under Match Object, select Teachers List
Set Action Object as CFS Block Page
Under Users/Groups, select Teachers Group
Under CFS Allow/Excluded List, select Teachers - Allowed Domains
Under CFS Forbidden/Included List, select All - Blocked Domains

This concludes the configuration of CFS using App Rules.

Test the configuration

Login to a host as a user in the Teachers group.

Try to access a website under a category allowed for this user, like com
Try to access a website in the Social Networking category, which is blocked for this user, like facebook.com.
Try to access the sites under the Forbidden List, microsoft.com, ecomm.co.uk, wellsfargo.com

Login to a host as a user in the Students group.

Try to access a website under Education category which is allowed for this user, like stanford.edu.
Try to access a website in the Social Networking category, like facebook.com, which is blocked for this user,
Try to access the sites under the Forbidden List, microsoft.com, ecomm.co.uk, wellsfargo.com