Security Services > Content Filter

The Security Services > Content Filter page allows you to configure the Restrict Web Features and Trusted Domains settings, which are included with SonicOS. You can activate and configure SonicWALL Content Filtering Service (SonicWALL CFS) as well as a third-party Content Filtering product from the Security Services > Content Filter page.

Note         SonicWALL Content Filtering Service is a subscription service upgrade. You can try a FREE TRIAL of SonicWALL directly from your SonicWALL management interface. See Activating a SonicWALL CFS FREE TRIAL.

For complete SonicWALL Content Filtering Service documentation, see the SonicWALL Content Filtering Service Administrator’s Guide available at
http://www.sonicwall.com/us/Support.html.

This chapter contains the following sections:

             SonicWALL CFS Implementation with App Rules

             Legacy Content Filtering Examples

             Configuring Legacy SonicWALL Filter Properties

             Configuring Websense Enterprise Content Filtering

SonicWALL CFS Implementation with App Rules

The latest iteration of the CFS feature allows the administrator to use SonicWALL’s App Rules feature to create a more powerful and flexible content filtering solution.

Note         While the new App Rules method of CFS management offers more control and flexibility, the administrator can still choose the previous user/zone management method to perform content filtering. Information on implementing the CFS feature using the previous method can be found in the SonicOS Administrator’s Guide.

New Features for CFS 3.0 Management Using App Rules

             App Rules - is now included as part of the CFS rule creation process to implement more granular, flexible and powerful content filter policy control, creating CFS policy allow lists using the App Rules framework.

             Application Objects - Users/groups, address objects and zones can be assigned for individual CFS policies.

             Bandwidth Management - CFS specifications can be included in bandwidth management policies based on CFS website categories. This also allows use of ‘Bandwidth Aggregation’ by adding a per-action bandwidth aggregation method.

New Features Applicable to All CFS 3.0 Management Methods

             SSL Certificate Common Name - HTTPS Content Filtering is significantly improved by adding the ability to use an SSL certificate common name, in addition to server IP addresses.

             New CFS Categories - Multimedia, Social Networking, Malware, and Internet Watch Foundation CAIC are now included in the CFS list.

SonicWALL Legacy Content Filtering Service

SonicWALL Content Filtering Service (CFS) enforces protection and productivity policies for businesses, schools and libraries to reduce legal and privacy risks while minimizing administration overhead. SonicWALL CFS utilizes a dynamic database of millions of URLs, IP addresses and domains to block objectionable, inappropriate or unproductive Web content. At the core of SonicWALL CFS is an innovative rating architecture that cross references all Web sites against the database at worldwide SonicWALL co-location facilities. A rating is returned to the SonicWALL SuperMassive and then compared to the content filtering policy established by the administrator. Almost instantaneously, the Web site request is either allowed through or a Web page is generated by the SonicWALL SuperMassive informing the user that the site has been blocked according to policy.

With SonicWALL CFS, network administrators have a flexible tool to provide comprehensive filtering based on keywords, time of day, trusted and forbidden domain designations, and file types such as Cookies, Java™ and ActiveX® for privacy. SonicWALL CFS automatically updates the filters, making maintenance substantially simpler and less time consuming.

SonicWALL CFS can also be customized to add or remove specific URLs from the blocked list and to block specific keywords. When a user attempts to access a site that is blocked by the SonicWALL SuperMassive, a customized message is displayed on the user’s screen. SonicWALL SuperMassive can also be configured to log attempts to access sites on the SonicWALL Content Filtering Service database, on a custom URL list, and on a keyword list to monitor Internet usage before putting new usage restrictions in place.

SonicWALL CFS Premium blocks 56 categories of objectionable, inappropriate or unproductive Web content. SonicWALL CFS Premium provides network administrators with greater control by automatically and transparently enforcing acceptable use policies. It gives administrators the flexibility to enforce custom content filtering policies for groups of users on the network. For example, a school can create one policy for teachers and another for students.

Note         For complete SonicWALL Content Filtering Service documentation, see the SonicWALL Content Filtering Service Administrator’s Guide available at http://www.sonicwall.com/us/Support.html

CFS 3.0 Policy Management Overview

When a CFS policy assignment is implemented using the App Rules method, it is controlled by App Rules CFS policies in the App Rules > Policies page instead of by Users and Zones.

While the new App Rules method of CFS management offers more control and flexibility, the administrator can still choose the previous user/zone management method to perform content filtering.

This section includes the following sub-sections:

             Choosing CFS Policy Management Type

             Enabling App Rules and CFS

             Bandwidth Management Methods

             Policies and Precedence: How Policies are Enforced

 

Choosing CFS Policy Management Type

The choice of which policy management method to use – Via User and Zone Screens or Via App Rules – is made in the Security Services > Content Filter page.

Enabling App Rules and CFS

Before the services begin to filter content, you must enable them:

Step 1        Navigate to the Security Services > Content Filter page in the SonicOS management interface.

Step 2        Select ‘Via App Rules’ from the CFS Policy Assignment drop-down list.

 

Step 3        Click the Accept button to apply the change.

Step 4        Navigate to the Firewall > App Rules page.

Step 5        Check the box to Enable App Rules.

 

Bandwidth Management Methods

The Bandwidth Management feature can be implemented in two separate ways:

             Per Policy Method

           The bandwidth limit specified in a policy is applied individually to each policy

           Example: two policies each have an independent limit of 500kb/s, the total possible bandwidth between those two rules is 1000kb/s

             Per Action Aggregate Method

           The bandwidth limit action is applied (shared) across all policies to which it is applied

           Example: two policies share a BWM limit of 500kb/s, limiting the total bandwidth between the two policies to 500kb/s

The Bandwidth Aggregation Method is selected in the App Rules Action Settings screen when the Action type is set to Bandwidth Management.

Policies and Precedence: How Policies are Enforced

This section provides an overview of the policy enforcement mechanism in CFS 3.0 to help the policy administrator create a streamlined set of rules without unnecessary redundancy or conflicting rule logic.

Policy Enforcement Across Different Groups

The basic default behavior for CFS policies assigned to different groups is to follow standard most specific / least restrictive logic, meaning:

The most specific rule is always given the highest priority

             Example
A rule applying to the “Engineering” group (a specific group) is given precedence over a rule applying to the “All” group (the least specific group.)

Policy Enforcement Within The Same Group

The basic default behavior for CFS policies within the same group is to follow an additive logic, meaning:

Rules are enforced additively

             Example
CFS policy 1 disallows porn, gambling, and social networking
CFS policy 2 applies bandwidth management to sports and adult content, limiting it to 1Mbps
The end result of these policies is that sports and adult content are bandwidth managed, even though the first policy implies that they are allowed.
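
The two bandwidth aggregation methods and the two precedence rules described above can be checked against a planned rule set with a small model. This is an added example, not SonicOS code or anything supplied by SonicWALL; the class and field names, the numeric specificity ranks and the sample policies are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BwmAction:
    name: str
    limit_kbps: int
    aggregation: str          # "per-policy" or "per-action"

@dataclass(frozen=True)
class Policy:
    name: str
    group: str
    categories: frozenset
    action: object            # the string "block" or a BwmAction

# Assumed ranking for this model: a higher number means a more specific group.
SPECIFICITY = {"All": 0, "Engineering": 1}

def effective_policies(policies, user_groups, category):
    """Return the policies enforced for one request under the two rules above."""
    hits = [p for p in policies
            if p.group in user_groups and category in p.categories]
    if not hits:
        return []
    # Across groups: the most specific matching group takes precedence.
    top = max(SPECIFICITY[p.group] for p in hits)
    # Within that group: all matching policies are enforced together.
    return [p for p in hits if SPECIFICITY[p.group] == top]

def bandwidth_ceiling_kbps(policies):
    """Combined bandwidth the given BWM policies can consume at most."""
    buckets = {}
    for p in policies:
        if not isinstance(p.action, BwmAction):
            continue
        if p.action.aggregation == "per-action":
            key = ("action", p.action.name)       # one limit shared by all users
        else:
            key = ("policy", p.name)              # one limit per policy
        buckets[key] = p.action.limit_kbps
    return sum(buckets.values())

# Constructed sample objects mirroring the examples on this page.
SHARED = BwmAction("BWM-500-shared", 500, "per-action")
SPLIT = BwmAction("BWM-500-each", 500, "per-policy")
ONE_MBPS = BwmAction("BWM-1Mbps", 1000, "per-policy")
POLICIES = [
    Policy("policy 1", "All", frozenset({"Gambling", "Social Networking"}), "block"),
    Policy("policy 2", "All", frozenset({"Sports"}), ONE_MBPS),
    Policy("eng sports", "Engineering", frozenset({"Sports"}), "block"),
]

if __name__ == "__main__":
    for groups in ({"All"}, {"All", "Engineering"}):
        names = [p.name for p in effective_policies(POLICIES, groups, "Sports")]
        print(sorted(groups), "Sports ->", names)
```

The model returns every policy that applies within the winning group; how the firewall combines two different actions on the same category is not stated on this page and is not modelled.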

CFS 3.0 Configuration Examples

This section provides configuration examples using the App Rules feature to create and manage CFS policies:

             Blocking Forbidden Content

             Bandwidth Managing Content

             Applying Policies to Multiple Groups

             Creating a Custom CFS Category

Blocking Forbidden Content

To create a CFS Policy for blocking forbidden content:

             Create an Application Object

             Create an App Rules Policy to Block Forbidden Content

Create an Application Object

Create an application object containing forbidden content:

Step 1        Navigate to the Firewall > Match Objects page in the SonicOS management interface.

Step 2        Click the Add New Match Object button. The Add/Edit Match Object window displays.

Step 3        Enter a descriptive Object Name, such as ‘Forbidden Content’.

Step 4        Select ‘CFS Category List’ from the Match Object Type drop-down list.

Step 5        Use the checkboxes to select the categories you wish to add to the forbidden content list.

Step 6        Click the OK button to add the object to the Application Objects list.

Create an App Rules Policy to Block Forbidden Content

Create an App Rules policy to block content defined in the Application Object:

Step 1        Navigate to the Firewall > App Rules page in the SonicOS management interface.

Step 2        Click the Add Policy button. The Add/Edit App Rules Policy window displays.

Step 3        Enter a descriptive name for this action in the Policy Name field, such as ‘Block Forbidden Content’.

Step 4        Select ‘CFS’ from the Policy Type drop-down list.

Step 5        From the Application Object drop-down list, select the object you created in the previous section. In the case of our example, this object is named ‘Forbidden Content’.

Step 6        From the Action drop-down list, select ‘CFS block page’ to display a pre-formatted ‘blocked content’ page when users attempt to access forbidden content.

Step 7        Optionally, use the drop-down lists to select the Users/Groups to be Included in or Excluded from this policy. Our example uses the defaults of including ‘all’ and excluding ‘none’.

Step 8        Optionally, select a Schedule of days and times when this rule is to be enforced from the drop-down list. Our example uses ‘Always On’ to always enforce this policy.

Step 9        Optionally, select the checkbox for Log using CFS message format if you wish for the logs to use this format instead of the standard App Rules format.

Step 10     Optionally, select the appropriate Zone where the policy is to be enforced. Our example uses ‘LAN’ to enforce the policy on all traffic traversing the local network.

Step 11     Optionally, select a CFS Allow List to enforce on this particular policy.

Step 12     Optionally, select the appropriate CFS Forbidden List to enforce on the particular policy.

Step 13     Click the OK button to create this policy.

Bandwidth Managing Content

To create a CFS Policy for applying BWM to non-productive content:

             Create an Application Object for Non-Productive Content

             Create a Bandwidth Management Action Object

             Create an App Rules Policy to Manage Non-Productive Content

Create an Application Object for Non-Productive Content

Create an application object containing non-productive content:

Step 1        Navigate to the Firewall > Match Objects page in the SonicOS management interface.

Step 2        Click the Add New Match Object button. The Add/Edit Match Object window displays.

Step 3        Enter a descriptive Object Name, such as ‘Non-Productive Content’.

Step 4        Select ‘CFS Category List’ from the Match Object Type drop-down list.

Step 5        Use the checkboxes to select the categories you wish to add to the content list.

Step 6        Click the OK button to add the object to the Application Objects list.

Create a Bandwidth Management Action Object

This section details creating a custom Action Object for bandwidth management.

Note         Although App Rules contains pre-configured action objects for bandwidth management, a custom action object provides more control, including the ability to manage bandwidth per policy or per action.

To create a new BWM action:

Step 1        Navigate to the Firewall > Action Objects page in the SonicOS management interface.

Step 2        Click the Add New Action Object button. The Add/Edit Action Object window displays.

Step 3        Enter a descriptive Action Name for this action.

Step 4        Select ‘Bandwidth Management’ from the Action drop-down list.

Step 5        Select from the Bandwidth Aggregation Method drop-down list:

a. Per Policy - to apply this limit to each individual policy.

b. Per Action - to share this action limit across all policies to which it is applied.

Step 6        Create the desired settings for Inbound Bandwidth Management and Outbound Bandwidth Management.

Step 7        Click the OK button to create this object.

Create an App Rules Policy to Manage Non-Productive Content

Create an App Rules policy to apply bandwidth management to content defined in the Application Object:

Step 1        Navigate to the Firewall > App Rules page in the SonicOS management interface.

Step 2        Click the Add Policy button. The Add/Edit App Rules Policy window displays.

Step 3        Enter a descriptive name for this action in the Policy Name field.

Step 4        Select ‘CFS’ from the Policy Type drop-down list.

Step 5        From the Application Object drop-down list, select the object you created in the previous section. In the case of our example, this object is named ‘Non-Productive Content’.

Step 6        From the Action drop-down list, select ‘Bandwidth Management - 100k’ to apply this custom BWM rule when users attempt to access non-productive content.

Note         If you chose not to create a custom BWM object, you may use one of the pre-defined BWM objects (BWM high, BWM medium, or BWM low).

Step 7        Optionally, use the drop-down lists to select the Users/Groups to be Included in or Excluded from this policy. Our example uses the defaults of including ‘all’ and excluding ‘none’.

Step 8        Optionally, select a Schedule of days and times when this rule is to be enforced from the drop-down list. Our example uses the pre-defined ‘Work Hours’ selection to enforce this policy only during weekday work hours.

Step 9        Optionally, select the checkbox for Log using CFS message format if you wish for the logs to use this format instead of the standard App Rules format.

Step 10     Optionally, select the appropriate Zone where the policy is to be enforced. Our example uses ‘LAN’ to enforce the policy on all traffic traversing the local network.

Step 11     Click the OK button to create this policy.

Applying Policies to Multiple Groups

This section details applying a single policy to multiple user groups. CFS allows the administrator to apply one policy to different groups, allowing for variation (in time restrictions, exclusions, etc.) in the way it is applied to users.

To apply a policy to multiple groups:

             Enable CFS Custom Categories

             Add a New CFS Custom Category Entry

Create a Group-Specific App Rules Policy

Create an App Rules policy that applies to a specific user group:

Step 1        Navigate to the Firewall > App Rules page in the SonicOS management interface.

Step 2        Click the Add Policy button. The Add/Edit App Rules Policy window displays.

Step 3        Enter a descriptive name for this action in the Policy Name field. For easy identification, this name can include the user group to which you are applying the policy.

Step 4        Select ‘CFS’ from the Policy Type drop-down list.

Step 5        Select an Application Object from the drop-down list. Our example uses ‘Non-Productive Content’.

Step 6        Select an Action from the drop-down list. Our example uses the pre-defined ‘BWM Medium’ action to manage bandwidth of the applicable content.

Step 7        Use the drop-down lists to select the Users/Groups to be Included in or Excluded from this policy. Our example uses the ‘Trusted Users’ group, although you may choose a different or custom group depending on your needs.

Step 8        Select a Schedule appropriate for this group. Our example uses the pre-defined ‘Work Hours’ schedule.

With the selections in this example, Non-Productive Content will be Bandwidth Managed for Trusted Users only during Work Hours.

Step 9        Click the OK button to create this policy. The new policy displays in the App Rules Policies list.

Step 10     Repeat steps 2-9 with variations required by your implementation in order to create a policy for each required group.