Tips on configuring custom CFS allow/forbidden lists
12/20/2019 1496 26005
Custom List of the SonicWall CFS allows an administrator to enter specific domain names to be allowed or blocked. Custom list also allows you to enter keywords which are useful to block access to any web site whose URL contains any listed keyword. Keyword blocking will also prevent the uploading of any form requests that contain a listed keyword, such as a web site search.
Listed here are some tips when configuring the ccustom list tab of the Content Filtering window.
SonicWall CFS matches the suffix of a domain with what is entered under Allowed or Forbidden Domains. For example, if google.com is entered under Forbidden Domains, then access to mail.google.com or docs.google.com is blocked. Conversely, entering mail.google.com in the Custom List will not match google.com.
Keeping with the above criteria, it is not required to enter wildcard characters, such as *, before a domain.
EXAMPLE:*.google.com is not required to be entered to block sites ending with google.com. Entering google.com will suffice.
Adding Http or Https before a domain name is not required and may not result in a match.
Check for redundancy. If you already have an entry to block access to "yahoo.com", you do not need a second entry to block access to mail.yahoo.com.
SonicWall CFS inspects packets which have HTTP headers and matches what is in the Host field of such a HTTP header. Generally, HTTP Host field contains the domain name ending with a top-level domain (TLD). For example, example.com, example.org etc. In cases where the HTTP server is being accessed on a non-standard port - standard being TCP port 80 - the HTTP host field will have the port number along with the domain name.
EXAMPLE: website.com:8080. As earlier mentioned, the SonicWall CFS matches content by suffix due to which entering website.com in the Allowed/Forbidden Domains will not match with the HTTP Host field of website.com:8080. In such cases, website.com:8080 must be entered in the Allowed/Forbidden Domains.
Keyword Blocking functions slightly different from Allowed/Forbidden domains in that it inspects both the HTTP host field as well as the HTTP URI field of the HTTP header.
EXAMPLE: the keyword "resource" will block access to http://en.wikipedia.org/wiki/Resource.
Keyword Blocking can be used to block specific contents within a website (HTTP). A more practical example would be to block composing mail from within Webmail by adding "compose" in Keyword Blocking. The maximum characters allowed within Keyword Blocking is 15. Another limitation would be that HTTPS Content Filtering is not applicable to Keyword Blocking. Therefore, the methods listed above are applicable to HTTP traffic only.
Speaking of blocking HTTPS content, SonicWall CFS endeavours to block HTTPS websites using HTTPS Content Filtering. This feature of CFS inspects what is visible in the SSL handshake process. Specifically, the server name extension in the client hello or server hello messages and the certificate name in the certificate message during the handshake process. HTTPS content filtering was introduced in SonicOS Enhanced 188.8.131.52.
HTTPS Content Filtering may block HTTPS content (inspecting only what is visible in the handshake process) but sometimes it doesn't work because most of the website details are encrypted. To achieve this goal, you may need the DPI-SSL: 170505782716496