• SonicOS 7 Profile Objects
• Endpoint Security
• Bandwidth
• Quality of Service (QoS) Marking
  • Classification
  • Marking
  • Conditioning
    • Site to Site VPN over QoS Capable Networks
    • Site to Site VPN over Public Networks
  • 802.1p and DSCP QoS
    • Enabling 802.1p
    • DSCP Marking
      • DSCP Marking and Mixed VPN Traffic
      • Configure for 802.1p CoS 4 – Controlled load
      • QoS Mapping
      • Managing QoS Marking
  • Glossary
• Content Filter
  • Managing CFS Profile Objects
    • About CFS Profile Objects
    • About UUIDs for CFS Profile Objects
    • Configuring CFS Profile Objects
      • Advanced Screen
      • Consent Screen
      • Custom Header Screen
    • Editing a CFS Profile Object
    • Deleting CFS Profile Objects
  • Applying Content Filter Objects
• DHCP Option
  • Configuring DHCP Option Objects
    • RFC-Defined DHCPV4 Option Numbers
    • RFC-Defined DHCPV6 Option Numbers
  • Editing DHCP Option Objects
  • Deleting DHCP Option Objects
• AWS
  • AWS Objects
    • About Address Object Mapping with AWS
    • Viewing Instance Properties in SonicOS
    • Creating a New Address Object Mapping
    • Enable Mapping
    • Configuring Synchronization
    • Configuring Regions to Monitor
    • Verifying AWS Address Objects and Groups
• SonicWall Support
  • About This Document

Advanced Screen

This screen is one of the four screens in Add CFS Profile Object dialog. To open the dialog, navigate to Object > Profile Objects > Content Filterpage and click the Add button at the top of the page. Then click Advanced tab.

By default, none of the options are selected.

1. To enable content filtering for HTTPS sites, select the Enable HTTPS Content Filtering option. This policy-based HTTPS content filtering option is available in SonicOS 6.5.3 or higher. It replaces the global HTTPS content filtering option in previous versions on the Policy > Security Services > Content Filter page.

   When DPI-SSL client inspection is enabled and Content Filter is selected for inspection, then that inspection takes precedence and the policy-based HTTPS content filtering setting is ignored. Specifically, when the Enable SSL Client Inspection and Content Filter options are enabled on the Policy > DPI-SSL page, then the Enable HTTPS Content Filtering option in the CFS policy is ignored. In this case, DPI-SSL will decrypt the connection and send it as plain text to CFS later for filtering.

   HTTPS content filtering is IP based and does not inspect the URL, but uses other methods to obtain the URL rating. When this option is enabled, CFS performs URL rating lookup in this order:

   1. Searches the client hello for the Server Name, which CFS uses to obtain the URL rating.
   2. If the Server Name is not available, searches the SSL certificate for the Common Name, which CFS uses to obtain the URL rating.
   3. If neither Server Name nor Common Name is available, CFS uses the IP address to obtain the URL rating.

   While HTTP content filtering can perform redirects to enforce authentication or provide a block page, HTTPS filtered pages will be silently blocked.

2. To detect the embedded URL inside Google Translate (https://translate.google.com) and filter the embedded URI, select the Enable Smart Filtering for Embedded URI option.

   This feature requires enabling Client DPI-SSL with content filter.

   This feature takes effect only on Google Translate, which works on currently rated embedded web sites.

3. To enforce Safe Search when searching on any of the following websites, select the Enable Safe Search Enforcement option:

   • www.yahoo.com
   • www.ask.com
   • www.dogpile.com
   • www.lycos.com

   This enforcement cannot be configured at the policy level as the function employs DNS redirection to HTTPS sites. For HTTPS sites, client DPI-SSL with content filter must be enabled.

4. To enable Threat API, select the Enable Threat API Enforcement option.

   After SonicOS receives the initial threat list and creates a Threat URI List Object, the Threat URI List Object is referenced by Enable Threat API Enforcement.

5. To override the Safe Search option for Google inside each CFS Policy and its corresponding CFS Action, select the Enable Google Force Safe Search option.

   Typically, Safe Search happens automatically and is powered by Google, but when this option is enabled, SonicOS rewrites the Google domain in the DNS response to the Google Safe Search virtual IP address.

   This feature takes effect only after the DNS cache of the client host is refreshed.

6. To access YouTube in Restrict (Safe Search) mode, select the Enable YouTube Restrict Mode option.

   YouTube provides a new feature to screen videos that may contain inappropriate content flagged by users and other signals. When this feature is enabled, SonicOS rewrites the DNS response for the YouTube domain to its Safe Search virtual IP address.

   This feature takes effect only after the DNS cache of the client host is refreshed.

7. To override the Safe Search option for Bing inside each CFS Policy and its corresponding CFS Action, select the Enable Bing Force Safe Search option.

   When this feature is enabled, SonicOS rewrites the DNS response for the Bing domain to its Safe Search virtual IP address.

   This feature takes effect only after the DNS cache of the client host is refreshed.

8. Click Save.