CFS Policy Management Overview

When a CFS policy assignment is implemented using the App Rules method, it is controlled by App Rules CFS policies in the App Rules > Policies page instead of by Users and Zones.

While the App Rules method of CFS management offers more control and flexibility, you can still choose the previous user/zone management method to perform content filtering.

Choosing CFS Policy Management Type

The choice of which policy management method to use — User and Zone Screens or App Rules — is made on the Security Services > Content Filter page.

Enabling App Rules and CFS

Before the services begin to filter content, you must enable them:
1. Navigate to the Security Services > Content Filter page.
2. Ensure Content Filter Service is selected from the Content Filter Type drop-down menu.
3. On SonicOS 6.2.3 and higher, by default, Google Safe Search is not enabled. To enable Google Safe Search globally even if the Enable Safe Search Enforcement setting is disabled in a policy, select the Enforce Google Safe Search checkbox.
4. Select Via App Rules from the CFS Policy Assignment drop-down menu.
5. Click the Accept button to apply the change.
6. Navigate to the Firewall > App Rules page.
7. Select the Enable App Rules checkbox.

Policies and Precedence: How Policies are Enforced

This section provides an overview of the policy enforcement mechanism in CFS to help you create a streamlined set of rules without unnecessary redundancy or conflicting rule logic.

Each allowed/forbidden list is stored as a tree, and domain names are searched against the tree. Each domain is searched through these trees in order: the allowed list, the forbidden list, the keyword list, then the three lists again if there are user-/group-specific policies configured.
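
The lookup order described above, as an added sketch for auditing rule overlap (not SonicOS code and not part of the original page). The names DomainTree, ListSet and evaluate are hypothetical, and the sketch assumes that labels are stored right to left, that an entry also covers its subdomains, that the first list to match decides, and that keywords are substring matches.

```python
# Added illustration, not SonicOS code. Assumptions: labels are stored
# right to left, an entry also covers its subdomains, the first list that
# matches decides, and keywords are substring matches.
_END = object()  # sentinel key marking a complete list entry

class DomainTree:
    """Trie keyed by domain labels, right to left (com -> example -> www)."""

    def __init__(self, domains=()):
        self.root = {}
        for name in domains:
            node = self.root
            for label in reversed(name.lower().strip(".").split(".")):
                node = node.setdefault(label, {})
            node[_END] = True

    def matches(self, domain):
        node = self.root
        for label in reversed(domain.lower().strip(".").split(".")):
            node = node.get(label)
            if node is None:
                return False
            if _END in node:  # reached an entry: the domain or a subdomain
                return True
        return False

class ListSet:
    def __init__(self, allowed=(), forbidden=(), keywords=()):
        self.allowed = DomainTree(allowed)
        self.forbidden = DomainTree(forbidden)
        self.keywords = [k.lower() for k in keywords]

    def check(self, domain):
        # Order from the text: allowed list, forbidden list, keyword list.
        if self.allowed.matches(domain):
            return "allow"
        if self.forbidden.matches(domain):
            return "block"
        if any(k in domain.lower() for k in self.keywords):
            return "block"
        return None

def evaluate(domain, default_lists, group_lists=None):
    """Search the three lists, then the user/group-specific three if set."""
    for source, lists in (("default", default_lists), ("group", group_lists)):
        verdict = lists.check(domain) if lists is not None else None
        if verdict:
            return verdict, source
    return "no-match", None
```

Under these assumptions, an allowed entry for a parent domain shadows a forbidden entry for one of its subdomains, which is the kind of conflicting rule logic this section is meant to help you avoid.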

Policy Enforcement Across Different Groups

The basic default behavior for CFS policies assigned to different groups is to follow standard most-specific/least-restrictive logic, meaning:

The most specific rule is always given the highest priority.

Example

A rule applying to the Engineering group (a specific group) is given precedence over a rule applying to the All group (the least specific group).

Policy Enforcement Within The Same Group

The basic default behavior for CFS policies within the same group is to follow an additive logic, meaning:

Rules are enforced additively.

Example

The end result of these policies is that sports and adult content are bandwidth managed, even though the first policy implies that they are not allowed.