How CFS Works

CFS must be licensed and enabled before you can use it. For more information about global CFS settings, exclusions, and custom categories, see the SonicOS Security Services Administration documentation.

An outline of how CFS works is as follows:

1. A packet arrives and is examined by CFS.
2. CFS checks it against the CFS Exclusion addresses configured on the POLICY | Security Services > Content Filter page and allows it through if a match is found, meaning that the source address is excluded from content filtering.

3. CFS checks its policies to find the first policy that matches these conditions in the packet:

   • Source zone
   • Destination zone
   • Included Source Address object/group, but not matching the Excluded Source Address object/group
   • Included User/Group, but not matching the Excluded User/Group
   • Schedule

   • Enabled state

4. CFS uses the CFS Profile defined in the matching policy to do the filtering and returns the corresponding action for this packet.

   If no policy is matched, the packet is passed through without any action by CFS.

5. CFS performs the action defined in the CFS Action Object for the matching policy.