Main Menu
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
SonicWall
  • Products
    • Network Security
      • Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
      • Security ServicesComprehensive security for your network security solution
      • Network Security ManagerModern Security Management for today’s security landscape
    • Advanced Threat Protection
      • Capture ATPMulti-engine advanced threat detection
      • Capture Security applianceAdvanced Threat Protection for modern threat landscape
    • Access Security
      • Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
      • Secure Mobile AccessRemote, best-in-class, secure access
      • Wireless Access PointsEasy to manage, fast and secure Wi-FI
      • SwitchesHigh-speed network switching for business connectivity
    • Email Security
      • Email SecurityProtect against today’s advanced email threats
    • Cloud Security
      • Cloud App SecurityVisibility and security for Cloud Apps
      • Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
    • Endpoint Security
      • Capture ClientStop advanced threats and rollback the damage caused by malware
      • Content Filtering ClientControl access to unwanted and unsecure web content
    • Product Widgets
      • Product Menu Right Image
      • Capture Cloud Platform
        Capture Cloud Platform

        A security ecosystem to harness the power of the cloud

    • Button Widgets
      • Products A-Z
        all products A–Z FREE TRIALS
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure WiFi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • English English English en
  • BLOG
  • CONTACT SALES
  • FREE TRIALS
  • English English English en
SonicWall
  • Products
    • Network Security
      • Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
      • Security ServicesComprehensive security for your network security solution
      • Network Security ManagerModern Security Management for today’s security landscape
    • Advanced Threat Protection
      • Capture ATPMulti-engine advanced threat detection
      • Capture Security applianceAdvanced Threat Protection for modern threat landscape
    • Access Security
      • Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
      • Secure Mobile AccessRemote, best-in-class, secure access
      • Wireless Access PointsEasy to manage, fast and secure Wi-FI
      • SwitchesHigh-speed network switching for business connectivity
    • Email Security
      • Email SecurityProtect against today’s advanced email threats
    • Cloud Security
      • Cloud App SecurityVisibility and security for Cloud Apps
      • Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
    • Endpoint Security
      • Capture ClientStop advanced threats and rollback the damage caused by malware
      • Content Filtering ClientControl access to unwanted and unsecure web content
    • Product Widgets
      • Product Menu Right Image
      • Capture Cloud Platform
        Capture Cloud Platform

        A security ecosystem to harness the power of the cloud

    • Button Widgets
      • Products A-Z
        all products A–Z FREE TRIALS
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure WiFi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • Menu

Upgrade from CFS 3.0 App Rules Mode to CFS 4.0

03/26/2020 1,322 People found this article helpful 97,881 Views

    Download
    Print
    Share
    • LinkedIn
    • Twitter
    • Facebook
    • Email
    • Copy URL The link has been copied to clipboard

    Description

    This article will provide an example to discuss the differences in policy settings between CFS 3.0 and CFS 4.0 and describe upgrading from CFS 3.0 App Rules mode to CFS 4.0.

    Note: there are no significant changes for Websense between CFS4.0 and the previous releases, the upgrading process for Websense will not be discussed.

    Cause

    As there are big changes between the new 4.0 and the old 3.0 CFS (e.g. Users and Zones mode and App Rules mode are handled by CFS policies in CFS4.0), although the firmware will do its best to automatically migrate almost all the polices, the resulting policies may not exactly match the original policies when upgrading from CFS 3.0 to CFS 4.0.  

    • The complete objects are configured differently than when they were configured in CFS 3.0
    • CFS 3.0 employed some settings that are no longer used and are discarded when migrating to CFS 4.0.

     

    Resolution

    Upgrading CFS 3.0 to 4.0 for App Rules mode

    There are two sections which will be discussed here:

    • Merging Process for CFS 3.0 (App Rules Mode) to CFS 4.0
    • Upgrading Steps for CFS 3.0 (App Rules Mode) to CFS 4.0

    For CFS upgrading demonstration, here uses the following example (6 users in 3 groups and configured with 4 different CFS App Rules):

    Image

    The Result can be tested as below when before and after upgrading.

    Image

    1. Merging Process for CFS 3.0 (App Rules Mode) to CFS 4.0

    For each App Rule whose Policy Type is CFS and Action is CFS Block Page, HTTP Block page or BWM, CFS 4.0, SonicOS executes the following steps to automatically complete the policy merging process. To migrate from App Rules mode:

    a. CFS URI List Objects generated from Allow/Excluded and Forbidden/Included lists of current App Rules are assigned to the Profile Object as Allowed URL List and to Forbidden URL List, respectively.

    In CFS 3.0, the Allow/Excluded and Forbidden/Included lists are configured at Firewall | Match Objects page.

    Image

    In CFS 4.0, after Upgrading, the lists will be merged to URI List Objects area at Firewall | Content Filter Objects page.

    Image

    b. The CFS Action Object is generated according to the following criteria:

    • If the action of a current App Rule is a CFS Block Page, the old global CFS blocking page content of CFS 3.0  is the block page content of this Action Object.

    In CFS 3.0, the CFS Block page is defined at Security Services | Content Filter page.

    Image

    In CFS 4.0, after Upgrading the CFS Block Page will be merged to CFS Action Objects area at Firewall | Content Filter Objects page. Click the relevant action in CFS Action Objects area, and select tab Block.

    Image

    • If the action of a current App Rule is HTTP Block Page, the block page of current App Rule of CFS 3,0 is the block content of this Action Object.

    In CFS 3.0, the HTTP Block page is defined at Firewall | Action Objects page.

    Image

     In CFS 4.0, after Upgrading the HTTP Block Page will be merged to CFS Action Objects area at Firewall | ContentFilter Objects page but the color setting will be abandoned.  Click the relevant action in CFS Action Objects area, and select tab Block.

    Image

    • If the action of a current App Rule is BWM, the BWM values are used for this Action Object.

    In CFS 3.0, the BWM is defined at Firewall | Action Objects page.

    Image

     In CFS 4.0, after Upgrading the BWM action will be merged to CFS Action Objects area at Firewall | ContentFilter Objects page. Click the relevant action in CFS Action Objects area, and select tab BWM.

    Image

    c. The CFS Profile Object is generated from the CFS Match Objects and  the action defined in CFS App Rule of CFS 3.0 and the above CFS URI List Objects of CFS 4.0 :

    In CFS 3.0, the CFS Category List  is defined at Firewall | Match Objects page.  

    Image

    In CFS 4.0, the CFS Category is merged to CFS Profile Objects at  Firewall | Content Filter Objects page.

    Image

    NOTES:    Depending on the selected categories in the App Rule’s Match Object, they are set as either Block or BWM in the Profile Object according to the relevant App Rules.

    For CFS Forbidden/Included list, if the action using BWM in CFS 3.0, then the Forbidden URI List will be set to None after upgrading.

    d. The App Rule name is used as the Policy name. To generate a CFS Policy, the following should take place:

    Image

    NOTE: After all App Rules have been migrated to CFS Policies, CFS attempts to keep the same priorities, generating a Default CFS Policy at the end of the list.

    2. Upgrading Steps for CFS 3.0 (App Rules Mode) to CFS 4.0

    When going to upgrade from CFS 3.0 (App Rules Mode) to CFS 4.0, please follow the below steps.

    1. Navigate to System | Setting page | Export the original settings for backup. 

    Image

    2. Upgrade the firmware to CFS 4.0.

    3. After upgrading, as some of the generated CFS objects and policies might be duplicated and the priority order of some new policies might be wrong. Administrators should clean and adjust the priorities. When go to Security Services | Content Filter page, automatically generated CFS policies are listed as below.

    Image


    In this case, after upgrading the policy CFS_Paul_BW is not triggered as policy CFS_Group_2A has higher priority. So administrator should adjust the priority of CFS_Paul_BW higher to ensure the CFS behaviors are the same as before upgrading. Click the priority icon for policy CFS_Paul_BW, and input 2 to make the priority higher than policy CFS_Group_2A.

    Image

    Notes: 1. Before upgrading, please check your original firmware version, if you are using SonicOS 6.2.5, we recommend you to upgrade to 6.2.5.1 firstly then upgrade to the firmware with CFS 4.0.

                 2. If there are amount of CFS policies generated, to adjust the priority of these auto generated policies may take time. We also recommend that you can follow the below steps after upgrading.

    • Keep the automatically generated CFS URI List Objects and CFS Action Objects.
    • Remove the generated CFS Policies and CFS Profile Objects.
    • Create the CFS Profile Objects and CFS Polices from scratch, providing descriptive names for each object. 

                 3.  SonicOS does not support downgrade from CFS 4.0 to CFS 3.0 so far.

    Related Articles

    • Client VPN hanging at acquiring IP using SonicWall DHCP
    • GVC stuck on acquiring IP for some users
    • App Control fails by schema error when editing VPN category

    Categories

    • Firewalls > SonicWall SuperMassive 9000 Series > Content Filtering Service
    • Firewalls > SonicWall NSA Series > Content Filtering Service
    • Firewalls > TZ Series > Content Filtering Service

    Not Finding Your Answers?

    ASK THE COMMUNITY

    Was This Article Helpful?

    YESNO

    Article Helpful Form

    Article Not Helpful Form

    Company
    • Careers
    • News
    • Leadership
    • Awards
    • Press Kit
    • Contact Us
    Popular resources
    • Communities
    • Blog
    • SonicWall Capture Labs

    Stay In Touch

    • By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. You can unsubscribe at any time from the Preference Center.
    • This field is for validation purposes and should be left unchanged.
    • Facebook
    • Twitter
    • Linkedin
    • Youtube
    • Instagram

    © 2022 SonicWall. All Rights Reserved.

    • Legal
    • Privacy
    • English
      Scroll to top
      Trace:a39913c6a0ef126b3331d1fb2ef6d8e7-77