Configuring Legacy SonicWALL Filter Properties

For general information on Content Filter Service, see Security Services > Content Filter.

You can customize SonicWALL content filtering features included with SonicOS from the SonicWALL Filter Properties dialog. A valid subscription to SonicWALL CFS Premium on a firewall running SonicOS allows you to create custom policies to apply to specified user groups. The Default CFS Premium policy is used as the content filtering basis for all users not assigned to a specific custom policy.

NOTE: SonicWALL recommends that you make the Default CFS Premium policy the most restrictive policy. CFS custom policies are subject to content filter inheritance. This means that all CFS custom policies inherit the filters from the Default CFS policy. To ensure proper content filtering, the Default CFS policy should be configured to be the most restrictive policy, then each custom policy should be configured to grant privileges that are otherwise restricted by the Default policy.
To display the SonicWALL Filter Properties dialog:
1. Select Content Filter Service from the Content Filter Type drop-down menu on the Security Services > Content Filter page.
2. Click Configure. The Filter Properties dialog displays.

For configuration information about the filter properties settings, see the following sections:

CFS Tab

The CFS tab allows you to enable IP-based HTTPS Content Filtering, block or allow traffic to sites when the server is unavailable, and set preferences for your URL cache.

Settings

The Settings section allows you to enable HTTPS content filtering, select what you want the firewall to do if the server is unavailable, and what it should do when access is attempted to a forbidden Web site.

Enable HTTPS Content Filtering - Select this checkbox to enable HTTPS content filtering. HTTPS content filtering is IP- and hostname-based, and does not inspect the URL. While HTTP content filtering can perform redirects to enforce authentication or provide a block page, HTTPS filtered pages are blocked silently. You must provide the IP address for any HTTPS web sites to be filtered.
Enable CFS Server Failover - Select this checkbox to provide CFS server redundancy and high availability.
Enable CFS Wire Mode - Select this checkbox to enable CFS for Wire Mode deployments.
If Server is unavailable for (seconds) - Sets the amount of time after the content filter server is unavailable before the firewall takes action to either block access to all Web sites or allow traffic to continue to all Web sites. The default is 5 seconds.
NOTE: If the server is unavailable, the firewall can allow access to Web sites in the cache memory. This means that by selecting the Block traffic to all Web sites checkbox, the firewall will only block Web sites that are not in the cache memory.
Block traffic to all Web sites - Select this feature if you want the firewall to block access to all Web sites until the content filter server is available.
Allow traffic to all Web sites - Select this feature if you want to allow access to all Web sites when the content filter server is unavailable. If Forbidden URI (Universal Resource Identifier) and Forbidden Keywords are enabled, however, they are still blocked. This option is selected by default.
If URL marked as Forbidden - If you have enabled blocking by Categories and the URL is blocked by the server, there are two options available, both of which are selected by default:
Block Access to URL - Selecting this option prevents the browser from displaying the requested URL to the user.
Log Access to URL - Selecting this option records the requested URL in the log file.
Custom list searching order — you can specify which list is searched first:
URL Cache

The URL Cache section allows you to configure the URL cache size on the firewall. The default size is 768 KB.

URL Rating Review

If you believe that a Web site is rated incorrectly or you wish to submit a new URL to be rated, you can click the here link to display the SonicWALL CFS URL Rating Review Request form for submitting the request. This can also be used to view the rating of a URL.

In the SonicWALL CFS URL Rating Review Request form, enter a URL and then click the Submit button. A description of the URL is displayed. You can then select Rating Request to request that a URL be rated or that the rating be changed.

Policy Tab

The Policy tab is only visible if the firewall has a current subscription to SonicWALL CFS Premium. The Policy tab allows you to modify the Default CFS policy and create CFS custom policies, which you can then apply to specific user groups in the Users > Local Groups page. The Default CFS policy is always inherited by every user. A CFS custom policy allows you to modify the default CFS configuration to tailor content filtering policies for particular user groups on your network.

 
NOTE: To ensure proper content filtering, the Default CFS policy should be configured to be the most restrictive policy, and then each custom policy should be configured to grant privileges that are otherwise restricted by the Default policy.

The following sections describe how to configure policies from the Policy tab:

Creating a CFS Custom Policy

CFS custom policies can only be created when the appliance has a valid subscription for SonicWALL CFS Premium.

To create a new policy:
1. Click Add to display the Add CFS Policy dialog.
2
3. Click the URL List tab. By default, all non-N/A categories are selected.
4. In the Select Forbidden Categories list, clear any category to which you want to allow access. Select the Select all categories check box if you want to block all categories, or clear the box to deselect all categories and then selectively check only those you want to designate forbidden.
5. Click the Settings tab.
6. Under Custom List Settings, select any of the following settings:
   Source Of Allowed Domains - from this drop-down menu, select the source of allowed domains/URLs that are listed on the Custom List tab:
      Global (default)
   Source Of Forbidden Domains - from this drop-down menu, select the source of forbidden domains/URLs that are listed on the Custom List tab:
      Global (default)
   Source Of Keyword - from this drop-down menu, select the source to enable keyword blocking for the keywords that are listed in the Forbidden Keyword field on the Custom List tab.
      Global (default)
7. Under Safe Search Enforcement Settings, select Enable Safe Search Enforcement to enable the safe search function for all search engines. This setting is disabled by default.
8. To configure the schedule for Content Filtering enforcement, select a schedule from the drop-down menu under Filter Forbidden URLs by time of day. The default is Always on; when selected, Content Filtering is enforced at all times.
9. Click the Custom List tab.
10. Enter a URI in the Allowed URI field. A URI can be up to 80 characters.
11. Click the Add button.
12. Repeat Step 10 and Step 11 for each allowed URI. You can add up to 100 URIs.
13. Enter a URL in the Forbidden URI field. A URI can be up to 80 characters.
14. Click the Add button.
15. Repeat Step 13 and Step 14 for each forbidden URI. You can add up to 100 URIs.
16. Enter a keyword in the Forbidden Keyword field. Each keyword can be up to 16 characters, and you can add up to 100 keywords.
17. Click the Add button.
18. Repeat Step 16 and Step 17 for each forbidden keyword.
19
Configuring the Default CFS Policy

The Default policy is displayed in the Policies table of the Policies tab.

To configure the Default policy to be the most restrictive:
1. Navigate to the Security Services > Content Filter page.
2. In the Content Filter Type section, click the Configure button. The Filter Properties dialog displays.
3. Click the Policy tab.
4. Click the Edit icon in the Configure column for the Default policy. The Edit CFS Policy dialog is displayed.
   NOTE: The Name field is dimmed because the Default policy name cannot be changed.
5. Click the URL List tab.
6
7. Click the Settings tab.
8. Under Custom List Settings, select the desired option for the following settings:

   The available options for each of the above settings are:

   Global - For this policy, the global Custom List policy will be used to determine Allowed Domains, Forbidden Domains, or Keywords. This is the default setting.
   Per Policy - For this policy, the Allowed URIs, Forbidden URIs, or Forbidden Keywords defined in the local Custom List tab will be used to determine Allowed Domains, Forbidden Domains, or Keywords.
   None - For this policy, no Allowed URIs, Forbidden URIs, or Forbidden Keywords defined on the local Custom List tab or in the global Custom List will be used.
9. Under Safe Search Enforcement Settings, optionally select the Enable Safe Search Enforcement checkbox. For search engines providing this feature, safe searches will be enforced, preventing search results from including websites rated as violent, racist, pornographic and other objectionable ratings.
10. Under You Tube for Schools, select the Enable You Tube for Schools checkbox and type in the ID in the School ID field. For more information about configuring You Tube for Schools, see YouTube for Schools Content Filtering Support.
11. Under Filter Forbidden URLs by time of day, the drop-down menu is set to Always on and dimmed so it cannot be changed.
12. Click the Custom List tab.
13. Enter a URI in the Allowed URI field. A URI can be up to 80 characters.
14. Click the Add button.
15
16. Enter a URL in the Forbidden URI field. A URI can be up to 80 characters.
17. Click the Add button.
18
19. Enter a keyword in the Forbidden Keyword field. Each keyword can be up to 16 characters, and you can add up to 100 keywords.
20. Click the Add button.
21
22

Custom List Tab for Global Custom Lists

You can customize your URL list to include Allowed URI and Forbidden URI. By customizing your URL list, you can include specific URLs to be accessed, blocked, and include specific keywords to block sites. The settings available on the Custom List tab are different for an appliance with a valid SonicWALL CFS Premium subscription than they are for an appliance with no CFS Premium license. The image below shows the Custom List tab for an appliance with an active CFS Premium subscription.

For an appliance with or without a CFS Premium subscription, the use of these globally defined custom lists is controlled by each Policy. To enable or disable any of the custom lists on this page, see Enabling or Disabling Allowed/Forbidden URI or Forbidden Keyword Blocking.

In either the Allowed URI list or the Forbidden URI list, you can specify paths, but not pages. For example:

CAUTION: Do not include the prefix http:// in either the Allowed URI or Forbidden URI fields. All subdomains are affected. For example, entering yahoo.com applies to mail.yahoo.com and my.yahoo.com.
To create custom global allowed/forbidden lists:
1. To allow access to a Web site that is blocked by the Content Filter Service, in the Allowed URI field, enter the host name, such as www.ok-site.com. You can add up to 1,024 entries, and each entry can be up to 80 characters long.
2. Click Add.
3. To block a Web site that is not blocked by the Content Filter Service, enter the host name, such as www.bad-site.com into the Forbidden URI field. You can add up to 1,024 entries, and each entry can be up to 80 characters long.
4. Click Add.
5. To enable blocking using keywords, in the Forbidden Keyword field, enter the keyword to block. A keyword can contain up to 16 characters, and you can add up to 100 keywords.
6. Click Add.
7
To remove entries from allowed/forbidden lists:
1
2. Click Remove.
3. Repeat Step 1 and Step 2 for each entry to remove.
4. Click OK. The Edit CFS Policy dialog closes.
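
A pre-flight check for the global custom lists described above, as an added example that is not SonicWALL code: it applies the stated limits (80 characters per entry, 1,024 URI entries, 16-character keywords, 100 keywords), flags entries carrying a scheme prefix, and reports Allowed/Forbidden entries that overlap through the subdomain rule. The function names and sample lists are hypothetical.

```python
import re

# Limits for the global custom lists, as stated on this page.
MAX_URI_LEN, MAX_URI_ENTRIES = 80, 1024
MAX_KEYWORD_LEN, MAX_KEYWORDS = 16, 100

# The page names http://; flagging any other scheme too is an assumption here.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def host_of(entry):
    """Lower-cased host part of an entry such as 'example.com/docs'."""
    return SCHEME_RE.sub("", entry).split("/", 1)[0].lower()

def covers(parent, child):
    """True if an entry for host `parent` also applies to host `child`
    (all subdomains are affected: yahoo.com covers mail.yahoo.com)."""
    return child == parent or child.endswith("." + parent)

def lint_uri_list(name, entries):
    """Return a list of problems for one Allowed URI or Forbidden URI list."""
    problems = []
    if len(entries) > MAX_URI_ENTRIES:
        problems.append(f"{name}: {len(entries)} entries, limit is {MAX_URI_ENTRIES}")
    for entry in entries:
        if SCHEME_RE.match(entry):
            problems.append(f"{name}: '{entry}' includes a scheme prefix")
        if len(entry) > MAX_URI_LEN:
            problems.append(f"{name}: '{entry[:20]}...' exceeds {MAX_URI_LEN} characters")
    return problems

def lint_keywords(keywords):
    """Return a list of problems for the Forbidden Keyword list."""
    problems = []
    if len(keywords) > MAX_KEYWORDS:
        problems.append(f"Forbidden Keyword: {len(keywords)} keywords, limit is {MAX_KEYWORDS}")
    problems += [f"Forbidden Keyword: '{k}' exceeds {MAX_KEYWORD_LEN} characters"
                 for k in keywords if len(k) > MAX_KEYWORD_LEN]
    return problems

def find_overlaps(allowed, forbidden):
    """Pairs (allowed, forbidden) where one entry's host falls under the other's.
    The Custom list searching order setting decides which list is searched
    first, so each pair should be a deliberate choice, not an accident."""
    return [(a, f) for a in allowed for f in forbidden
            if covers(host_of(f), host_of(a)) or covers(host_of(a), host_of(f))]

# Constructed sample lists: hosts from the page's examples plus a made-up intranet host.
SAMPLE_ALLOWED = ["www.ok-site.com", "mail.yahoo.com", "http://intranet.example.com"]
SAMPLE_FORBIDDEN = ["yahoo.com", "www.bad-site.com"]
SAMPLE_KEYWORDS = ["casino", "averyveryverylongkeyword"]

if __name__ == "__main__":
    report = (lint_uri_list("Allowed URI", SAMPLE_ALLOWED)
              + lint_uri_list("Forbidden URI", SAMPLE_FORBIDDEN)
              + lint_keywords(SAMPLE_KEYWORDS))
    print(*report, *find_overlaps(SAMPLE_ALLOWED, SAMPLE_FORBIDDEN), sep="\n")
```
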
Enabling or Disabling Allowed/Forbidden URI or Forbidden Keyword Blocking

You can define an Allowed URI list, a Forbidden URI list, and a Forbidden Keyword list globally and within a policy. The use of globally defined custom lists or custom lists defined within the policy is controlled on a per-policy basis. Without a current SonicWALL CFS Premium subscription, these settings are available on the Custom List tab at the bottom of the page.

On Appliances With a CFS Premium Subscription
To enable or disable the Allowed/Forbidden Domains or Keyword Blocking features when the firewall has a current subscription to SonicWALL CFS Premium:
1. On the Security Services > Content Filter page, select Content Filter Service under Content Filter Type.
2. Click Configure. The Filter Properties dialog appears.
3. Click the Policy tab.
4. Click the Edit icon in the Configure column of the Policy on which to enable or disable these features. The Edit CFS Policy dialog displays.
5. Click the Settings tab.
6. Under Custom List Settings, select any of the following settings:
   Source Of Allowed Domains - Select Global for this setting to disable the allowed domains/URLs that are listed on the local Custom List tab for the policy. The domains in the policy Allowed URI list will not be exempt from content filtering. Select Per Policy for this setting to allow access to the domains/URLs that are listed in the Allowed URI field on the local Custom List tab for the policy.
   Source Of Forbidden Domains - Select Per Policy for this setting to enable filtering (blocking) of forbidden domains/URLs that are listed on the local Custom List tab for the policy, or select Global to ignore the locally defined Forbidden URI list and use the globally defined one instead.
   Source Of Keyword - Select Per Policy for this setting to enable keyword blocking for the keywords that are listed in the Forbidden Keyword field on the local Custom List tab for the policy, or select Global to ignore the locally defined Forbidden Keyword list and use the globally defined one instead.
7
On Appliances Without a CFS Premium Subscription
To enable or disable the Allowed/Forbidden Domains or Keyword Blocking features when the firewall is not licensed for SonicWALL CFS Premium:
1. On the Custom List tab, at the bottom of the page, select any of the following settings:
   Source Of Allowed Domains - Select Global for this setting to disable the allowed domains/URLs that are listed on the local Custom List tab for the policy. The domains in the policy Allowed URI list will not be exempt from content filtering. Select Per Policy for this setting to allow access to the domains/URLs that are listed in the Allowed URI field on the local Custom List tab for the policy.
   Source Of Forbidden Domains - Select Per Policy for this setting to enable filtering (blocking) of forbidden domains/URLs that are listed on the local Custom List tab for the policy, or select Global to ignore the locally defined Forbidden URI list and use the globally defined one instead.
   Source Of Keyword - Select Per Policy for this setting to enable keyword blocking for the keywords that are listed in the Forbidden Keyword field on the local Custom List tab for the policy, or select Global to ignore the locally defined Forbidden Keyword list and use the globally defined one instead.
2
Disable All Web Traffic Except for Allowed Domains

Selecting the Disable Web traffic except for Allowed Domains check box causes the firewall to allow Web access only to sites on the Allowed Domains list. With careful screening, this can be nearly 100% effective at blocking pornography and other objectionable material.

The Disable Web traffic except for Allowed Domains check box is not available when the firewall has a valid SonicWALL CFS subscription. In this case, you can configure a CFS Policy to block undesirable Web sites.

Consent Tab

The Consent tab allows you to enforce content filtering on designated computers and provide optional filtering on other computers. Consent can be configured to require the user to agree to the terms outlined in an Acceptable Use Policy dialog before Web browsing is allowed.

To enable the Consent properties, select Require Consent.

Maximum Web Usage (minutes) - In an environment where there are more users than computers, such as a classroom or library, time limits are often imposed. The firewall can be used to remind users when their time has expired by displaying the page defined in the Consent page URL field. Enter the time limit, in minutes, in the Maximum Web usage field. The minimum time is 1 minute, the maximum is 9999, and the default is 15. Entering a value of 0 (zero) disables this feature.
Consent Page URL (optional filtering) - When a user opens a Web browser on a computer requiring consent, they are shown a consent page and given the option to access the Internet with or without content filtering. This page must reside on a Web server and be accessible as a URL by users on the network. It can contain the text from or links to an Acceptable Use Policy (AUP). This page must contain links to two pages contained in the firewall, which, when selected, tell the firewall if the user wishes to have filtered or unfiltered access:
Unfiltered access link must be 192.168.168.168/iAccept.html
Filtered access link must be 192.168.168.168/iAcceptFilter.html
Consent Accepted URL (filtering off) - When a user accepts the terms outlined in the Consent page and chooses to access the Internet without the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the Consent Accepted (filtering off) field.
Consent Accepted URL (filtering on) - When a user accepts the terms outlined in the Consent page and chooses to access the Internet with the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the Consent Accepted (filtering on) field.
Consent Accepted Redirect Page URL (filtering off) - optional: If a URL is entered in this field, when a user accepts the terms in the Consent page and chooses to have unfiltered access, they are redirected to this URL.
Consent Accepted Redirect Page URL (filtering on) - optional: If a URL is entered in this field, when a user accepts the terms in the Consent page and chooses to have filtered access, they are redirected to this URL.
Mandatory Filtered IP Addresses

When a user opens a Web browser on a computer using mandatory content filtering, a consent page is displayed. You must create the Web page that appears when the Web browser is opened. The page can contain text from an Acceptable Use Policy and notification that violations are logged or blocked.

This Web page must reside on a Web server and be accessible as a URL by users on the LAN. This page must also contain a link to a page contained in the firewall that tells the device that the user agrees to have filtering enabled. The link must be 192.168.168.168/iAcceptFilter.html, where the SonicWALL LAN IP address is used instead of 192.168.168.168.

Enter the URL of this page in the Consent Page URL (mandatory filtering) field and click OK. When the firewall is updated, a message confirming the update is displayed at the bottom of the Web browser dialog.
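
A check for the consent pages described in the Consent Page URL (optional filtering) item and in this section, as an added example that is not SonicWALL code: it parses a page you have written and confirms that the required accept links are present and point at the firewall's LAN IP rather than at the documentation's 192.168.168.168. The function names, the sample page, the 10.0.0.1 LAN IP and the http:// scheme on the links are assumptions.

```python
import re
from html.parser import HTMLParser

ACCEPT_PAGES = ("iAccept.html", "iAcceptFilter.html")  # page names given in this document


class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v.strip() for k, v in attrs if k == "href" and v]


def accept_links(html):
    """Return (host, page) pairs for every link to one of the accept pages."""
    parser = LinkCollector()
    parser.feed(html)
    pairs = []
    for href in parser.hrefs:
        host, _, path = re.sub(r"^https?://", "", href, flags=re.I).partition("/")
        if path in ACCEPT_PAGES:
            pairs.append((host, path))
    return pairs


def check_consent_page(html, lan_ip, mandatory=False):
    """Return a list of problems; an empty list means the required links exist.

    mandatory=False: page for optional filtering, needs both accept links.
    mandatory=True:  page for Mandatory Filtered IP Addresses, needs the
                     filtered-access link.
    """
    links = accept_links(html)
    required = ["iAcceptFilter.html"] if mandatory else list(ACCEPT_PAGES)
    problems = [f"missing link to {lan_ip}/{page}"
                for page in required if (lan_ip, page) not in links]
    # A link copied from the documentation without substituting the LAN IP.
    problems += [f"{page} link targets '{host}', not the LAN IP {lan_ip}"
                 for host, page in links if host != lan_ip]
    return problems


# Constructed sample: the LAN IP 10.0.0.1 is made up, and the second link
# still carries the documentation's 192.168.168.168 address.
SAMPLE_LAN_IP = "10.0.0.1"
SAMPLE_PAGE = """<html><body><h1>Acceptable Use Policy</h1>
<a href="http://10.0.0.1/iAcceptFilter.html">Continue with filtering</a>
<a href="http://192.168.168.168/iAccept.html">Continue without filtering</a>
</body></html>"""

if __name__ == "__main__":
    for problem in check_consent_page(SAMPLE_PAGE, SAMPLE_LAN_IP):
        print(problem)
```
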

Adding a New Address

The firewall can be configured to enforce content filtering for certain computers on the LAN.

1. In the Filtered IP Address table, click Add to display the Add Filtered IP Address Entry dialog.
2
3. Click the OK button.
4. To add more IP addresses to the list, repeat Step 1 through Step 3 for each address. You can enter up to 128 IP addresses.
Removing an Address

To delete all of the IP addresses, click Delete All.

To remove a computer from the list of computers to be filtered:
1. Highlight the IP address in the Filtered IP Address table.
2. Click Delete.
Editing an Address
To edit a computer’s IP address:
1. Highlight the IP address in the Filtered IP Address table.
2. Click Edit. The Edit Filtered IP Address Entry dialog displays.

3
4