For general information on Content Filter Service, see Security Services > Content Filter.
You can customize SonicWALL content filtering features included with SonicOS from the SonicWALL Filter Properties window. A valid subscription to SonicWALL CFS Premium on a SonicWALL security appliance running SonicOS Enhanced allows you to create custom policies to apply to specified user groups. The Default CFS Premium policy is used as the content filtering basis for all users not assigned to a specific custom policy.
Note: SonicWALL recommends that you make the Default CFS Premium policy the most restrictive policy. Custom CFS policies are subject to content filter inheritance. This means that all custom CFS policies inherit the filters from the Default CFS policy. To ensure proper content filtering, the Default CFS policy should be configured to be the most restrictive policy, then each custom policy should be configured to grant privileges that are otherwise restricted by the Default policy.
To display the SonicWALL Filter Properties window, select SonicWALL CFS from the Content Filter Type drop-down list on the Security Services > Content Filter page, and then click Configure. The SonicWALL Filter Properties window is displayed. For configuration information about the filter properties settings, see the following sections:
The CFS tab allows you to enable IP-based HTTPS Content Filtering, block or allow traffic to sites when the server is unavailable, and set preferences for your URL cache.
The Settings section allows you to enable HTTPS content filtering, select what you want the firewall to do if the server is unavailable, and what it should do when access is attempted to a forbidden Web site.
• Enable IP based HTTPS Content Filtering - Select this checkbox to enable HTTPS content filtering. HTTPS content filtering is IP-based, and will not inspect the URL. While HTTP content filtering can perform redirects to enforce authentication or provide a block page, HTTPS filtered pages will be silently blocked. You must provide the IP address for any HTTPS Web sites to be filtered.
• If Server is unavailable for (seconds) - Sets the amount of time after the content filter server is unavailable before the SonicWALL security appliance takes action to either block access to all Web sites or allow traffic to continue to all Web sites.
  Note: If the server is unavailable, the firewall can allow access to Web sites in the cache memory. This means that by selecting the Block traffic to all Web sites checkbox, the firewall will only block Web sites that are not in the cache memory.
  – Block traffic to all Web sites - Select this feature if you want the SonicWALL security appliance to block access to all Web sites until the content filter server is available.
  – Allow traffic to all Web sites - Select this feature if you want to allow access to all Web sites when the content filter server is unavailable. However, Forbidden Domains and Keywords, if enabled, are still blocked.
• If URL marked as Forbidden - If you have enabled blocking by Categories and the URL is blocked by the server, there are two options available.
  – Block Access to URL - Selecting this option prevents the browser from displaying the requested URL to the user.
  – Log Access to URL - Selecting this option records the requested URL in the log file.
The URL Cache section allows you to configure the URL cache size on the SonicWALL security appliance.
Tip: A larger URL cache size can provide noticeable improvements in Internet browsing response times.
If you believe that a Web site is rated incorrectly or you wish to submit a new URL to be rated, you can click the here link to display the SonicWALL CFS URL Rating Review Request form for submitting the request. This can also be used to view the rating of a URL.
In the SonicWALL CFS URL Rating Review Request form, enter a URL and then click Submit. A description of the URL is displayed. You can then select Rating Request to request that a URL be rated or that the rating be changed.
The Policy tab is only visible if the SonicWALL appliance has a current subscription to SonicWALL CFS Premium. The Policy tab allows you to modify the Default CFS policy and create custom CFS policies, which you can then apply to specific user groups in the Users > Local Groups page. The Default CFS policy is always inherited by every user. A custom CFS policy allows you to modify the default CFS configuration to tailor content filtering policies for particular user groups on your network.
Note: To ensure proper content filtering, the Default CFS policy should be configured to be the most restrictive policy, and then each custom policy should be configured to grant privileges that are otherwise restricted by the Default policy.
Custom CFS policies can only be created when the appliance has a valid subscription for SonicWALL CFS Premium.
To create a new policy:
Step 1  Click Add to display the Add CFS Policy window.
Step 2  In the Add CFS Policy window, on the Policy tab, enter a name for the policy in the Name field.
Step 4  In the Select Forbidden Categories list, uncheck any category to which you want to allow access. Move your mouse pointer over the Down or Up arrows to automatically scroll through the list of CFS categories. Select the Select all categories check box if you want to block all categories, or uncheck the box to deselect all categories.
Step 6  Under Custom List Settings, select any of the following settings:
  – Disable Allowed Domains - select this setting to disable the allowed domains that are listed on the Custom List tab in the SonicWALL Filter Properties window.
  – Enable Forbidden Domains - select this setting to enable forbidden domains that are listed on the Custom List tab in the SonicWALL Filter Properties window.
  – Enable Keyword Blocking - select this setting to enable keyword blocking for the URLs that are listed in the Keyword Blocking section on the Custom List tab in the SonicWALL Filter Properties window.
Step 7  Under Safe Search Enforcement Settings, select Enable Safe Search Enforcement to enable the safe browsing options for certain search engines like Google and Yahoo.
Step 8  To configure the schedule for Content Filtering enforcement, select one of the following from the drop-down list under Filter Forbidden URLs by time of day:
  – Always on - When selected, Content Filtering is enforced at all times.
  – From/To - When selected, Content Filtering is enforced during the time and days specified. Enter the time period in 24-hour format, and select the starting and ending day of the week that Content Filtering is enforced.
  The choices also include work hours and weekend hours.
The Default policy is displayed in the Policies table.
To configure the Default policy to be the most restrictive:
Tip: Time of Day restrictions only apply to the Content Filter List, Customized blocking and Keyword blocking. Consent and Restrict Web Features are not affected.
You can customize your URL list to include Allowed Domains and Forbidden Domains. By customizing your URL list, you can include specific domains to be accessed, blocked, and include specific keywords to block sites. The settings available on the Custom List page are different for an appliance with a valid SonicWALL CFS Premium subscription than they are for an appliance with no CFS Premium license. The image below shows the Custom List page for an appliance with an active CFS Premium subscription.
For an appliance with a CFS Premium subscription, these features are controlled by each Policy. To enable or disable any of the features on this page, see “Enabling or Disabling on Appliances With a CFS Premium Subscription”.
For an appliance without a CFS Premium subscription, see “Enabling or Disabling on Appliances Without a CFS Premium Subscription”.
To allow access to a Web site that is blocked by the Content Filter List, click Add, and enter the host name, such as “www.ok-site.com”, into the Allowed Domains fields. 1,024 entries can be added to the Allowed Domains list.
To block a Web site that is not blocked by the Content Filter Service, click Add, and enter the host name, such as “www.bad-site.com” into the Forbidden Domains field. 1,024 entries can be added to the Forbidden Domains list.
Warning: Do not include the prefix “http://” in either the Allowed Domains or Forbidden Domains fields. All subdomains are affected. For example, entering “yahoo.com” applies to “mail.yahoo.com” and “my.yahoo.com”.
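
The following is an added example, not SonicWALL code: a pre-entry check for Allowed Domains and Forbidden Domains lists that applies the rules stated above (no "http://" prefix, entries apply to all subdomains, 1,024 entries per list). The sample lists are constructed, and the overlap check is an assumption about what an administrator would want to review, since this page does not say how the appliance treats an entry on one list that covers an entry on the other.

```python
# Added example (not SonicWALL code): lint Custom List entries before entry.
MAX_ENTRIES = 1024  # per-list limit stated on this page

# Constructed sample lists; host names are the page's own plus a placeholder.
SAMPLE_ALLOWED = ["www.ok-site.com", "http://intranet.example.com", "mail.yahoo.com"]
SAMPLE_FORBIDDEN = ["www.bad-site.com", "yahoo.com", "my.yahoo.com"]

def normalize(entry):
    """Return (host, problem); exactly one of the two is None."""
    e = entry.strip().lower().rstrip(".")
    if "://" in e:
        return None, "remove the scheme prefix (for example http://)"
    if not e or "/" in e or " " in e:
        return None, "enter a host name only"
    return e, None

def covers(parent, host):
    """Subdomain rule from the Warning: 'yahoo.com' applies to 'mail.yahoo.com'."""
    return host == parent or host.endswith("." + parent)

def lint(allowed, forbidden):
    """Return (clean lists by name, findings as (list, entry, message))."""
    findings, clean = [], {}
    for name, entries in (("allowed", allowed), ("forbidden", forbidden)):
        hosts = []
        for raw in entries:
            host, problem = normalize(raw)
            if problem:
                findings.append((name, raw, problem))
            elif host not in hosts:
                hosts.append(host)
        for h in hosts:
            if any(p != h and covers(p, h) for p in hosts):
                findings.append((name, h, "redundant: a parent entry covers it"))
        if len(hosts) > MAX_ENTRIES:
            findings.append((name, str(len(hosts)), "more than 1,024 entries"))
        clean[name] = hosts
    # An entry on one list that covers an entry on the other needs a human
    # decision; how the appliance resolves such overlaps is not stated here.
    for a in clean["allowed"]:
        for f in clean["forbidden"]:
            if covers(a, f) or covers(f, a):
                findings.append(("overlap", f"{a} / {f}", "review both entries"))
    return clean, findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_ALLOWED, SAMPLE_FORBIDDEN)[1]:
        print(finding)
```
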
To enable blocking using Keywords, click Add under Keyword Blocking and enter the keyword to block in the Add Keyword field.
To remove a trusted or forbidden domain, select it from the appropriate list, and click Delete. Once the domain has been deleted, the Status bar displays Ready.
To remove a keyword, select it from the list and click Delete. Once the keyword has been removed, the Status bar displays Ready.
Click OK when finished.
By default, the Allowed Domains list is disabled, and the Forbidden Domains list and Keyword Blocking list are enabled. When SonicWALL CFS Premium is licensed on the appliance, these settings are controlled on a per-policy basis. Without a current SonicWALL CFS Premium subscription, these settings are available on the Custom List tab at the bottom of the page.
To enable or disable the Allowed/Forbidden Domains or Keyword Blocking features when the SonicWALL appliance has a current subscription to SonicWALL CFS Premium:
Step 1  On the Security Services > Content Filter page, select SonicWALL CFS under Content Filter Type and click Configure.
Step 2  On the SonicWALL Filter Properties page, click the Policy tab.
Step 4  In the Edit CFS Policy window, click the Settings tab.
Step 5  Under Custom List Settings, select any of the following settings:
  – Disable Allowed Domains - select this setting to disable the allowed domains that are listed on the Custom List tab. The domains in the Allowed Domains list will not be exempt from content filtering.
  – Enable Forbidden Domains - select this setting to enable filtering (blocking) of forbidden domains that are listed on the Custom List tab.
  – Enable Keyword Blocking - select this setting to enable keyword blocking for the URLs that are listed in the Keyword Blocking section on the Custom List tab.
To enable or disable the Allowed/Forbidden Domains or Keyword Blocking features when the SonicWALL appliance is not licensed for SonicWALL CFS Premium:
Step 1  On the Custom List tab, at the bottom of the page, select any of the following settings:
  – Disable Allowed Domains - select this setting to disable the allowed domains that are listed on the Custom List tab. The domains in the Allowed Domains list will not be exempt from content filtering.
  – Enable Forbidden Domains - select this setting to enable filtering (blocking) of forbidden domains that are listed on the Custom List tab.
  – Enable Keyword Blocking - select this setting to enable keyword blocking for the URLs that are listed in the Keyword Blocking section on the Custom List tab.
Selecting the Disable Web traffic except for Allowed Domains check box causes the SonicWALL security appliance to allow Web access only to sites on the Allowed Domains list. With careful screening, this can be nearly 100% effective at blocking pornography and other objectionable material.
The Disable Web traffic except for Allowed Domains check box is not available when the SonicWALL appliance has a valid SonicWALL CFS subscription. In this case, you can configure a CFS Policy to block undesirable Web sites.
The Consent tab allows you to enforce content filtering on designated computers and provide optional filtering on other computers. Consent can be configured to require the user to agree to the terms outlined in an Acceptable Use Policy window before Web browsing is allowed.
To enable the Consent properties, select Require Consent.
• Maximum Web Usage (minutes) - In an environment where there are more users than computers, such as a classroom or library, time limits are often imposed. The SonicWALL security appliance can be used to remind users when their time has expired by displaying the page defined in the Consent page URL field. Enter the time limit, in minutes, in the Maximum Web usage field. When the default value of zero (0) is entered, this feature is disabled.
• User Idle Timeout (minutes) - After a period of Web browser inactivity, the SonicWALL security appliance requires the user to agree to the terms outlined in the Consent page before accessing the Internet again. To configure the value, follow the link to the Users window and enter the desired value in the User Idle Timeout section.
• Consent Page URL (optional filtering) - When a user opens a Web browser on a computer requiring consent, they are shown a consent page and given the option to access the Internet with or without content filtering. This page must reside on a Web server and be accessible as a URL by users on the network. It can contain the text from, or links to, an Acceptable Use Policy (AUP). This page must contain links to two pages contained in the SonicWALL security appliance, which, when selected, tell the SonicWALL security appliance if the user wishes to have filtered or unfiltered access. The link for unfiltered access must be <192.168.168.168/iAccept.html> and the link for filtered access must be <192.168.168.168/iAcceptFilter.html>, where the SonicWALL LAN IP address is used instead of 192.168.168.168.
• Consent Accepted URL (filtering off) - When a user accepts the terms outlined in the Consent page and chooses to access the Internet without the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the Consent Accepted (filtering off) field. This page must reside on a Web server and be accessible as a URL by users on the network.
• Consent Accepted URL (filtering on) - When a user accepts the terms outlined in the Consent page and chooses to access the Internet with the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the Consent Accepted (filtering on) field. This page must reside on a Web server and be accessible as a URL by users on the network.
When a user opens a Web browser on a computer using mandatory content filtering, a consent page is displayed. You must create the Web page that appears when the Web browser is opened. It can contain text from an Acceptable Use Policy, and notification that violations are logged or blocked.
This Web page must reside on a Web server and be accessible as a URL by users on the LAN. This page must also contain a link to a page contained in the SonicWALL security appliance that tells the device that the user agrees to have filtering enabled. The link must be <192.168.168.168/iAcceptFilter.html>, where the SonicWALL LAN IP address is used instead of 192.168.168.168.
Enter the URL of this page in the Consent Page URL (mandatory filtering) field and click OK. Once the SonicWALL security appliance has been updated, a message confirming the update is displayed at the bottom of the Web browser window.
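
The following is an added example, not SonicWALL code: a check that a consent page you have written carries the links described above for the optional and mandatory filtering cases. The LAN IP 10.0.0.1, the sample pages and the "http://" scheme on the links are constructed assumptions, and flagging an unfiltered link on a mandatory page is a review rule added here rather than something the page requires.

```python
# Added example (not SonicWALL code): verify consent-page links before use.
from html.parser import HTMLParser

# Constructed sample pages; 10.0.0.1 stands in for the appliance LAN IP.
OPTIONAL_PAGE = ('<p>Acceptable Use Policy</p>'
                 '<a href="http://10.0.0.1/iAccept.html">Unfiltered</a> '
                 '<a href="http://10.0.0.1/iAcceptFilter.html">Filtered</a>')
MANDATORY_PAGE = '<a href="http://192.168.168.168/iAcceptFilter.html">I agree</a>'

class LinkCollector(HTMLParser):
    """Collect the href of every <a> element."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _target(href):
    """Drop an optional scheme so links compare as 'ip/page.html'."""
    return href.split("://", 1)[-1].strip()

def check_consent_page(html, lan_ip, mandatory):
    """Return a list of problems; an empty list means the links are present."""
    parser = LinkCollector()
    parser.feed(html)
    targets = {_target(h) for h in parser.hrefs}
    accept = f"{lan_ip}/iAccept.html"               # unfiltered access
    accept_filter = f"{lan_ip}/iAcceptFilter.html"  # filtered access
    problems = []
    if accept_filter not in targets:
        problems.append("missing filtered-access link " + accept_filter)
    if not mandatory and accept not in targets:
        problems.append("missing unfiltered-access link " + accept)
    if mandatory and accept in targets:  # added review rule, see lead-in
        problems.append("mandatory page offers unfiltered link " + accept)
    # The right page name on another host usually means the documentation
    # address 192.168.168.168 was not replaced with the real LAN IP.
    for t in sorted(targets - {accept, accept_filter}):
        if t.endswith(("/iAccept.html", "/iAcceptFilter.html")):
            problems.append("link points at a different host: " + t)
    return problems

if __name__ == "__main__":
    print(check_consent_page(MANDATORY_PAGE, "10.0.0.1", mandatory=True))
```
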
The SonicWALL security appliance can be configured to enforce content filtering for certain computers on the LAN. Click Add to display the Add Filtered IP Address Entry window. Enter the IP addresses of these computers in the Add New Address field and then click the Submit button. Up to 128 IP addresses can be entered.
To remove a computer from the list of computers to be filtered, highlight the IP address in the Mandatory Filtered IP Addresses list and click Delete.