Security_Services_securityServicesCFView

Security Services > Content Filter

The Security Services > Content Filter page allows you to configure the Restrict Web Features and Trusted Domains settings, which are included with SonicOS Enhanced. You can activate and configure SonicWALL Content Filtering Service (SonicWALL CFS) as well as a third-party Content Filtering product from the Security Services > Content Filter page.

 
Note
SonicWALL Content Filtering Service is a subscription service upgrade. You can try a FREE TRIAL of SonicWALL directly from your SonicWALL management interface. See Activating a SonicWALL CFS FREE TRIAL .

For complete SonicWALL Content Filtering Service documentation, see the SonicWALL Content Filtering Service Administrator’s Guide available at
http://www.sonicwall.com/us/Support.html .

This chapter contains the following sections:

 
“SonicWALL CFS Implementation with Application Control”
 
“Legacy Content Filtering Examples”
 
“Configuring Legacy SonicWALL Filter Properties”
 
“Configuring Websense Enterprise Content Filtering”

SonicWALL CFS Implementation with Application Control

The latest iteration of the CFS feature allows the administrator to use the power of SonicWALL’s Application Control feature in order to increase create a more powerful and flexible solution.

 
Note
While the new Application Control method of CFS management offers more control and flexibility, the administrator can still choose the previous user/zone management method to perform content filtering. Information on implementing the CFS feature using the previous method can be found in the SonicOS Enhanced Administrator’s Guide.

New Features for CFS 3.0 Management Using Application Control

 
Application Control - is now included as part of the CFS rule creation process.to implement more granular, flexible and powerful content filter policy control, creating CFS policy allow lists utilizing Application Control framework.
 
Application Objects - Users/groups, address objects and zones can be assigned for individual CFS policies.
 
Bandwidth Management - CFS specifications can be included in bandwidth management policies based on CFS website categories. This also allows use of ‘Bandwidth Aggregation’ by adding a per-action bandwidth aggregation method.

New Features Applicable to All CFS 3.0 Management Methods

 
SSL Certificate Common Name - HTTPS Content Filtering is significantly improved by adding the ability to use an SSL certificate common name, in addition to server IP addresses.
 
New CFS Categories - Multimedia, Social Networking, Malware, and Internet Watch Foundation CAIC are now included in the CFS list.

SonicWALL Legacy Content Filtering Service

SonicWALL Content Filtering Service (CFS) enforces protection and productivity policies for businesses, schools and libraries to reduce legal and privacy risks while minimizing administration overhead. SonicWALL CFS utilizes a dynamic database of millions of URLs, IP addresses and domains to block objectionable, inappropriate or unproductive Web content. At the core of SonicWALL CFS is an innovative rating architecture that cross references all Web sites against the database at worldwide SonicWALL co-location facilities. A rating is returned to the SonicWALL security appliance and then compared to the content filtering policy established by the administrator. Almost instantaneously, the Web site request is either allowed through or a Web page is generated by the SonicWALL security appliance informing the user that the site has been blocked according to policy.

With SonicWALL CFS, network administrators have a flexible tool to provide comprehensive filtering based on keywords, time of day, trusted and forbidden domain designations, and file types such as Cookies, Java™ and ActiveX® for privacy. SonicWALL CFS automatically updates the filters, making maintenance substantially simpler and less time consuming.

SonicWALL CFS can also be customized to add or remove specific URLs from the blocked list and to block specific keywords. When a user attempts to access a site that is blocked by the SonicWALL security appliance, a customized message is displayed on the user’s screen. SonicWALL security appliance can also be configured to log attempts to access sites on the SonicWALL Content Filtering Service database, on a custom URL list, and on a keyword list to monitor Internet usage before putting new usage restrictions in place.

SonicWALL CFS Premium blocks 56 categories of objectionable, inappropriate or unproductive Web content. SonicWALL CFS Premium provides network administrators with greater control by automatically and transparently enforces acceptable use policies. It gives administrators the flexibility to enforce custom content filtering policies for groups of users on the network. For example, a school can create one policy for teachers and another for students.

 
Note
For complete SonicWALL Content Filtering Service documentation, see the SonicWALL Content Filtering Service Administrator’s Guide available at http://www.sonicwall.com/us/Support.html

CFS 3.0 Policy Management Overview

When a CFS policy assignment is implemented using the Application Control method, it is controlled by Application Control CFS policies in the Firewall > App Rules page instead of by Users and Zones.

While the new Application Control method of CFS management offers more control and flexibility, the administrator can still choose the previous user/zone management method to perform content filtering.

This section includes the following sub-sections:

 
Bandwidth Management Methods — page 956
 
Choosing CFS Policy Management Type — page 955
 
Enabling Application Control and CFS — page 955
 
Bandwidth Management Methods — page 956
 
Policies and Precedence: How Policies are Enforced — page 957

The CFS App Control Policy Settings Screen

There are multiple changes/additions to the CFS policy creation window when used in conjunction with Application Control. The table and image in this section provide information on Application Control interface for CFS.

 

Policy Name

A friendly name for the policy. If applying a single policy to multiple groups, it is often a good idea to include the group name in this field.

Policy Type

Select “CFS” to show the content filtering options.

Address

Address or address group to which this policy is applied. The default value is “Any”, which is also the most common selection for CFS policies.

Exclusion Address

Address or address group to exclude from this policy. The default value is “None”, which is also the most common selection for CFS policies.

Application Object

Select the relevant application object, this object dictates the type of content which will trigger the policy to be enforced. These objects are user-created in the
Firewall > Match Objects screen.

Action

Select the action to perform. These can be pre-defined actions such as “CFS block page”, or custom actions which you may define in the Firewall > Action Objects screen.

Users/Groups

Choose individual users or groups to Include (default: All) or Exclude (default: None) from this policy.

Schedule

Select a specific schedule to dictate when this policy is to be enforced. The default value is “Always on”.

Enable Logging

Select to enable logging of any actions taken on behalf of this policy. This option is selected by default.

Log Using CFS Message Format

Select to use the legacy CFS logging format. This option is not selected by default.

Log Redundancy Filter (seconds)

Dictates the sensitivity of the log-redundancy filter. Select “Use Global Settings” (default) or enter your own per-policy setting in seconds.

Zone

Select a specific zone on which this policy is to be enforced. The default value is “Any”.

CFS Allow List

Select a custom allow list to allow selected resources. The default value is “None”.

CFS Forbidden List

Select a custom forbidden list to deny selected resources. The default value is “None”.

Enable Safe Search Environment

Select this option to require the strictest filtering on all searches on search engines like Google and Yahoo that offer some form of safe-search filtering. This option is not selected by default.

Choosing CFS Policy Management Type

The choice of which policy management method to use Via User and Zone Screens or Via Application Control – is made in the Security Services > Content Filter page.

 
Note
While the new Application Control method of CFS management offers more control and flexibility, the administrator can still choose the previous user/zone management method to perform content filtering.

Enabling Application Control and CFS

Before the services begin to filter content, you must enable them:

Step 1
Navigate to the Security Services > Content Filter page in the SonicOS management interface.
Step 2
Select ‘Via App Rules’ from the CFS Policy Assignment dropdown list.

Step 3
Click the Accept button to apply the change.
Step 4
Navigate to the Firewall > App Rules page.
Step 5
Check the box to Enable App Rules .

Bandwidth Management Methods

Bandwidth Management feature can be implemented in two separate ways:

 
Per Policy Method
 
The bandwidth limit specified in a policy is applied individually to each policy
 
Example: two policies each have an independent limit of 500kb/s, the total possible bandwidth between those two rules is 1000kb/s
 
Per Action Aggregate Method
 
The bandwidth limit action is applied (shared) across all policies to which it is applied
 
Example: two policies share a BWM limit of 500kb/s, limiting the total bandwidth between the two policies to 500kb/s

Bandwidth Aggregation Method is selected in the Action Object Settings screen when the Action type is set as Bandwidth Management . and the Bandwidth Management Type is set to WAN on the Firewall Settings > BWM page. For more information about the Bandwidth Management Type settings, see the “Actions Using Bandwidth Management” section .

Policies and Precedence: How Policies are Enforced

This section provides an overview of policy enforcement mechanism in CFS 3.0 to help the policy administrator create a streamlined set of rules without unnecessary redundancy or conflicting rule logic enforcement.

Policy Enforcement Across Different Groups

The basic default behavior for CFS policies assigned to different groups is to follow standard most specific / least restrictive logic, meaning:

The most specific rule is always given the highest priority

 
Example
A rule applying to the “Engineering” group (a specific group) is given presidence over a rule applying to the “All” group (the least specific group.)

Policy Enforcement Within The Same Group

The basic default behavior for CFS policies within the same group is to follow an additive logic, meaning:

Rules are enforced additively

 
Example
CFS policy 1 disallows porn, gambling, and social networking
CFS policy 2 applies bandwidth management to sports and adult content to 1Mbps
The end result of these policies is that sports and adult content are bandwidth managed, even though the first policy implies that they are allowed.

CFS 3.0 Configuration Examples

This section provides configuration examples using Application Control feature to create and manage CFS policies:

 
Blocking Forbidden Content — page 957
 
Bandwidth Managing Content — page 960
 
Applying Policies to Multiple Groups — page 962
 
Creating a Custom CFS Category — page 964

Blocking Forbidden Content

To create a CFS Policy for blocking forbidden content:

 
Create an Application Object — page 958
 
Create an Application Control Policy to Block Forbidden Content — page 959

Create an Application Object

Create an application object containing forbidden content:

Step 1
Navigate to the Firewall > Match Objects page in the SonicOS management interface.
Step 2
Click the Add New Match Object button, the Add/Edit Match Object window displays.
Step 3
Enter a descriptive Object Name , such as ‘Forbidden Content’.
Step 4
Select ‘CFS Category List’ from the Match Object Type dropdown list.
Step 5
Use the checkboxes to select the categories you wish to add to the forbidden content list.

Step 6
Click the OK button to add the object to the Application Objects list.

Create an Application Control Policy to Block Forbidden Content

Create an Application Control policy to block content defined in the Application Object:

Step 1
Navigate to the Firewall > App Rules page in the SonicOS management interface.
Step 2
Click the Add Policy button, the Add/Edit Application Firewall Policy window displays.
Step 3
Enter a descriptive name for this action in the Policy Name field, such as ‘Block Forbidden Content’.
Step 4
Select ‘CFS’ from the Policy Type dropdown list.
Step 5
From the Application Object dropdown list, select the object you created in the previous section. In the case of our example, this object is named ‘Forbidden Content’.
Step 6
From the Action dropdown list, select ‘CFS block page’ to display a pre-formatted ‘blocked content’ page when users attempt to access forbidden content.
Step 7
Optionally , select the Users/Groups who this policy is to be Included or Excluded on from the dropdown list. Our example uses the defaults of including ‘all’ and excluding ‘none’.
Step 8
Optionally , select a Schedule of days and times when this rule is to be enforced from the dropdown list. Our example uses ‘Always On’ to always enforce this policy.
Step 9
Optionally , select the checkbox for Log using CFS message format if you wish for the logs to use this format instead of the standard Application Control format.
Step 10
Optionally , select the appropriate Zone where the policy is to be enforced. Our example uses ‘LAN’ to enforce the policy on all traffic traversing the local network.
Step 11
Optionally , select a CFS Allow List to enforce on this particular policy.
Step 12
Optionally , select the appropriate CFS Forbidden List to enforce on the particular policy.

Step 13
Click the OK button to create this policy.

Bandwidth Managing Content

To create a CFS Policy for applying BWM to non-productive content:

 
Create an Application Object — page 958
 
Create a Bandwidth Management Action Object — page 960
 
Create an Application Control Policy to Block Forbidden Content — page 959

Create an Application Object for Non-Productive Content

Create an application object containing non-productive content:

Step 1
Navigate to the Firewall > Match Objects page in the SonicOS management interface.
Step 2
Click the Add New Match Object button, the Add/Edit Match Object window displays.
Step 3
Enter a descriptive Object Name , such as ‘Non-Productive Content’.
Step 4
Select ‘CFS Category List’ from the Match Object Type dropdown list.
Step 5
Use the checkboxes to select the categories you wish to add to the content list.

Step 6
Click the OK button to add the object to the Application Objects list.

Create a Bandwidth Management Action Object

This section details creating a custom Action Object for bandwidth management.

 
Note
Although Application Control contains pre-configured action objects for bandwidth management, a custom action object provides more control, including the ability to manage bandwidth per policy or per action.

To create a new BWM action:

Step 1
Navigate to the Firewall > Action Objects page in the SonicOS management interface.
Step 2
Click the Add New Action Object button, the Add/Edit Action Object window displays.
Step 3
Enter a descriptive Action Name for this action.
Step 4
Select ‘Bandwidth Management’ from the Action dropdown list.
Step 5
Select from the Bandwidth Aggregation Method dropdown list:
a.
Per Policy - to apply this limit to each individual policy.
b.
Per Action - to share this action limit across all policies to which it is applied.

Step 6
Create the desired settings for Inbound Bandwidth Management and Outbound Bandwidth Management .
Step 7
Click the OK button to create this object.

Create an Application Control Policy to Manage Non-Productive Content

Create an Application Control policy to block content defined in the Application Object:

Step 1
Navigate to the Firewall > App Rules page in the SonicOS management interface.
Step 2
Click the Add Policy button, the Add/Edit Application Firewall Policy window displays.
Step 3
Enter a descriptive name for this action in the Policy Name field.
Step 4
Select ‘CFS’ from the Policy Type dropdown list.
Step 5
From the Application Object dropdown list, select the object you created in the previous section. In the case of our example, this object is named ‘Nonproductive Content’.
Step 6
From the Action dropdown list, select ‘Bandwidth Management - 100k’ to apply this custom BWM rule when users attempt to access non-productive content.
 
Note
If you chose not to create a custom BWM object, you may use one of the pre-defined BWM objects (BWM high, BWM medium, or BWM low).
Step 7
Optionally , select the Users/Groups who this policy is to be Included or Excluded on from the dropdown list. Our example uses the defaults of including ‘all’ and excluding ‘none’.
Step 8
Optionally , select a Schedule of days and times when this rule is to be enforced from the dropdown list. Our example uses the pre-defined ‘Work Hours’ selection to enforce this policy only during weekday work hours.
Step 9
Optionally , select the checkbox for Log using CFS message format if you wish for the logs to use this format instead of the standard Application Control format.
Step 10
Optionally , select the appropriate Zone where the policy is to be enforced. Our example uses ‘LAN’ to enforce the policy on all traffic traversing the local network.

Step 11
Click the OK button to create this policy.

Applying Policies to Multiple Groups

This section details applying a single policy to multiple user groups. CFS allows the administrator to apply one policy to different groups, allowing for variation (in time restrictions, exclusions, etc...) in the way it is applied to users.

To apply a policy to multiple groups:

 
Enable CFS Custom Categories — page 964
 
Add a New CFS Custom Category Entry — page 964

Create a Group-Specific Application Control Policy

Create an Application Control policy to block content defined in the Application Object:

Step 1
Navigate to the Firewall > App Rules page in the SonicOS management interface.
Step 2
Click the Add Policy button, the Add/Edit Application Firewall Policy window displays.
Step 3
Enter a descriptive name for this action in the Policy Name field. For easy identification, this name can include the user group to which you are applying the policy.
Step 4
Select ‘CFS’ from the Policy Type dropdown list.
Step 5
Select an Application Object from the dropdown list. Our example uses ‘Nonproductive Content’.
Step 6
Select an Action form the dropdown list.Our example uses the pre-defined ‘BWM Medium’ action to manage bandwidth of the applicable content.
Step 7
S elect the Users/Groups who this policy is to be Included or Excluded on from the dropdown list. Our example uses the ‘Trusted Users’ group, although you may choose a different, or custom group depending on your needs.
Step 8
Select a Schedule appropriate for this group. Our example uses the pre-defined ‘Work Hours’ schedule.

With this the selections in this example, Nonproductive Content will be Bandwidth Managed for Trusted Users only during Work Hours .

Step 9
Click the OK button to create this policy. The new policy displays in the Application Firewall Policies list.

Step 10
Repeat steps 2-9 with variations required by your implementation in order to create a policy for each required group.