- Products
- Network Security
- Threat Protection
- Secure Access Service Edge (SASE)
- Cloud Security
- Endpoint Security
- Email Security
- Secure Access
-
Wi-Fi 6 Access Points
SonicWall SonicWave 600 series access points provide always-on, always-secure connectivity for complex, multi-device environments.
Read More
- Solutions
- Industries
- Use Cases
- Solutions Widgets
- Solutions Content Widgets
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
- Solutions Image Widgets
-
- Partners
- SonicWall Partners
- Partner Resources
- Partner Widgets
- Custom HTML : Partners Content WIdgets
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
- Partners Image Widgets
-
- Support
- Support
- Resources
- Capture Labs
- Support Widget
- Custom HTML : Support Content WIdgets
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
- Support Image Widgets
-
- COMPANY
- PROMOTIONS
- MANAGED SERVICES
- Contact Sales
-
- Menu
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
Steps taken by CFS engine for web traffic
05/28/2020 
3 People found this article helpful
188,095 Views
Description
The SonicWall Content Filtering Service (CFS) delivers content filtering enforcement for educational institutions, businesses, libraries, and government agencies. With Content Filter policies and objects, you can control the websites students and employees can access using their IT-issued computers while behind the organization’s firewall.
To be able to configure it right and understand the best way to set it up, the flow of events taking place within CFS engine is essential.
Resolution
CFS must be licensed and enabled before you can use it.
An outline of how CFS works is as follows:
- A packet arrives and is examined by CFS.
- CFS checks it against the CFS Exclusion addresses configured on the MANAGE | Security Services | Content Filter page and allows it through if a match is found, meaning that the source/destination address is excluded from content filtering.
- CFS checks its policies to find the first policy that matches these conditions in the packet:
Source zone
Destination zone
Included Source Address object/group, but not matching the Excluded Source Address object/group
Included User/Group, but not matching the Excluded User/Group
Schedule
Enabled state
The CFS policies are arranged based on priority. Once a policy matches, all subsequent policies are not checked.
- Once the matching policy is found, it checks if the URL requested is already in the allowed or forbidden URL list/group for that policy and takes the necessary action. The order in which the lists are checked is also configurable on the CFS profile itself.
- It checks if the URL is added to any custom category on the firewall and takes action for that category based on the profile.
- If it is in neither of them, it determines the category of the website by contacting the CFS web server and takes the action listed for that specific category. Also, if a URL belongs to multiple categories and even one of them is allowed, the website will be allowed.
NOTE: If no policy is matched, the packet is passed through without any action by CFS.
CFS uses the CFS Profile defined in the matching policy to do the filtering and returns the corresponding action for this packet.- CFS performs the action defined in the CFS Action Object for the matching policy.
Related Articles
- How to force an update of the Security Services Signatures from the Firewall GUI
- Configure Guest VLAN in the TZ firewall, for guest users to access Internet only.
- How to Setup the SonicWave 600 series
YES
NO