Security Services > Content Filter

The Security Services > Content Filter page allows you to configure the Restrict Web Features and Trusted Domains settings, which are included with SonicOS. You can activate and configure SonicWALL Content Filtering Service (SonicWALL CFS) as well as a third-party Content Filtering product from the Security Services > Content Filter page.

SonicWALL Content Filtering Service is a subscription service upgrade. You can try a FREE TRIAL of SonicWALL directly from your SonicWALL management interface. See Activating a SonicWALL CFS FREE TRIAL.

For complete SonicWALL Content Filtering Service documentation, see the SonicWALL Content Filtering Service Administrator’s Guide available at
http://www.sonicwall.com/us/Support.html.

This section contains the following subsections:

SonicWALL CFS Implementation with App Rules

Legacy Content Filtering Examples

Configuring Legacy SonicWALL Filter Properties

Configuring Websense Enterprise Content Filtering

Restrictions

Note Content Filtering Service (CFS) consent is not supported in Wire Mode.

SonicWALL CFS Implementation with App Rules

The latest iteration of the CFS feature allows the administrator to use the power of SonicWALL’s App Rules feature in order to create a more powerful and flexible solution.

Note While the new App Rules method of CFS management offers more control and flexibility, the administrator can still choose the previous user/zone management method to perform content filtering. Information on implementing the CFS feature using the previous method can be found in the SonicOS Administrator’s Guide.

New Features for CFS 3.0 Management Using App Rules

App Rules - Now included as part of the CFS rule creation process to implement more granular, flexible and powerful content filter policy control, creating CFS policy allow lists utilizing the App Rules framework.

Application Objects - Users/groups, address objects and zones can be assigned for individual CFS policies.

Bandwidth Management - CFS specifications can be included in bandwidth management policies based on CFS website categories. This also allows use of ‘Bandwidth Aggregation’ by adding a per-action bandwidth aggregation method.

New Features Applicable to All CFS 3.0 Management Methods

SSL Certificate Common Name - HTTPS Content Filtering is significantly improved by adding the ability to use an SSL certificate common name, in addition to server IP addresses.

New CFS Categories - Multimedia, Social Networking, Malware, and Internet Watch Foundation CAIC are now included in the CFS list.

Legacy Content Filtering Service

Content Filtering Service (CFS) enforces protection and productivity policies for businesses, schools and libraries to reduce legal and privacy risks while minimizing administration overhead. CFS utilizes a dynamic database of millions of URLs, IP addresses and domains to block objectionable, inappropriate or unproductive Web content. At the core of CFS is an innovative rating architecture that cross references all Web sites against the database at worldwide co-location facilities. A rating is returned to the firewall and then compared to the content filtering policy established by the administrator. Almost instantaneously, the Web site request is either allowed through or a Web page is generated by the firewall informing the user that the site has been blocked according to policy.

With CFS, network administrators have a flexible tool to provide comprehensive filtering based on keywords, time of day, trusted and forbidden domain designations, and file types such as Cookies, Java™ and ActiveX® for privacy. CFS automatically updates the filters, making maintenance substantially simpler and less time consuming.

CFS can also be customized to add or remove specific URLs from the blocked list and to block specific keywords. When a user attempts to access a site that is blocked by the firewall, a customized message is displayed on the user’s screen. Firewalls can also be configured to log attempts to access sites on the Content Filtering Service database, on a custom URL list, and on a keyword list to monitor Internet usage before putting new usage restrictions in place.

CFS Premium blocks 56 categories of objectionable, inappropriate or unproductive Web content. CFS Premium provides network administrators with greater control by automatically and transparently enforcing acceptable use policies. It gives administrators the flexibility to enforce custom content filtering policies for groups of users on the network. For example, a school can create one policy for teachers and another for students.

Note For complete Content Filtering Service documentation, see the Content Filtering Service Administrator’s Guide available at http://www.sonicwall.com/us/Support.html

CFS 3.0 Policy Management Overview

When a CFS policy assignment is implemented using the App Rules method, it is controlled by App Rules CFS policies in the App Rules > Policies page instead of by Users and Zones.

While the new App Rules method of CFS management offers more control and flexibility, the administrator can still choose the previous user/zone management method to perform content filtering.

This section includes the following sub-sections:

Choosing CFS Policy Management Type

Enabling App Rules and CFS

Bandwidth Management Methods

Policies and Precedence: How Policies are Enforced

Choosing CFS Policy Management Type

The choice of which policy management method to use – Via User and Zone Screens or Via App Rules – is made in the Security Services > Content Filter page.



Enabling App Rules and CFS

Before the services begin to filter content, you must enable them:

1. Navigate to the Security Services > Content Filter page in the SonicOS management interface.

2. Select ‘Via App Rules’ from the CFS Policy Assignment drop-down list.

3. Click the Accept button to apply the change.

4. Navigate to the Firewall > App Rules page.

5. Check the box to Enable App Rules.

Bandwidth Management Methods

The Bandwidth Management feature can be implemented in two separate ways:

• Per Policy Method

– The bandwidth limit specified in a policy is applied individually to each policy

– Example: if two policies each have an independent limit of 500kb/s, the total possible bandwidth between those two rules is 1000kb/s

• Per Action Aggregate Method

– The bandwidth limit action is applied (shared) across all policies to which it is applied

– Example: two policies share a BWM limit of 500kb/s, limiting the total bandwidth between the two policies to 500kb/s

The Bandwidth Aggregation Method is selected in the App Rules Action Settings screen when the Action type is set as Bandwidth Management.

Policies and Precedence: How Policies are Enforced

This section provides an overview of the policy enforcement mechanism in CFS 3.0 to help the policy administrator create a streamlined set of rules without unnecessary redundancy or conflicting rule logic enforcement.

Policy Enforcement Across Different Groups

The basic default behavior for CFS policies assigned to different groups is to follow standard most specific / least restrictive logic, meaning:

The most specific rule is always given the highest priority

Example
A rule applying to the “Engineering” group (a specific group) is given precedence over a rule applying to the “All” group (the least specific group).

Policy Enforcement Within The Same Group

The basic default behavior for CFS policies within the same group is to follow an additive logic, meaning:

Rules are enforced additively

Example
CFS policy 1 disallows porn, gambling, and social networking
CFS policy 2 applies bandwidth management of 1Mbps to sports and adult content
The end result of these policies is that sports and adult content are bandwidth managed, even though the first policy implies that they are not allowed.

CFS 3.0 Configuration Examples

This section provides configuration examples using the App Rules feature to create and manage CFS policies:

Blocking Forbidden Content

Bandwidth Managing Content

Applying Policies to Multiple Groups

Creating a CFS custom Category

Blocking Forbidden Content

To create a CFS Policy for blocking forbidden content:

Create an Application Object

Create an App Rules Policy to Block Forbidden Content

Create an Application Object

Create an application object containing forbidden content:

1. Navigate to the Firewall > Match Objects page in the SonicOS management interface.

2. Click the Add New Match Object button. The Add/Edit Match Object window displays.

3. Enter a descriptive Object Name, such as ‘Forbidden Content’.

4. Select ‘CFS Category List’ from the Match Object Type drop-down list.

5. Use the checkboxes to select the categories you wish to add to the forbidden content list.

6. Click the OK button to add the object to the Application Objects list.

Create an App Rules Policy to Block Forbidden Content

Create an App Rules policy to block content defined in the Application Object:

1. Navigate to the Firewall > App Rules page in the SonicOS management interface.

2. Click the Add Policy button. The Add/Edit App Rules Policy window displays.

3. Enter a descriptive name for this action in the Policy Name field, such as ‘Block Forbidden Content’.

4. Select ‘CFS’ from the Policy Type drop-down list.

5. From the Application Object drop-down list, select the object you created in the previous section. In the case of our example, this object is named ‘Forbidden Content’.

6. From the Action drop-down list, select ‘CFS block page’ to display a pre-formatted ‘blocked content’ page when users attempt to access forbidden content.

7. Optionally, use the drop-down list to select the Users/Groups to be Included in or Excluded from this policy. Our example uses the defaults of including ‘all’ and excluding ‘none’.

8. Optionally, select a Schedule of days and times when this rule is to be enforced from the drop-down list. Our example uses ‘Always On’ to always enforce this policy.

9. Optionally, select the checkbox for Log using CFS message format if you wish for the logs to use this format instead of the standard App Rules format.

10. Optionally, select the appropriate Zone where the policy is to be enforced. Our example uses ‘LAN’ to enforce the policy on all traffic traversing the local network.

11. Optionally, select a CFS Allow List to enforce on this particular policy.

12. Optionally, select the appropriate CFS Forbidden List to enforce on the particular policy.

13. Click the OK button to create this policy.

Bandwidth Managing Content

To create a CFS Policy for applying BWM to non-productive content:

Create an Application Object for Non-Productive Content

Create a Bandwidth Management Action Object

Create an App Rules Policy to Manage Non-Productive Content

Create an Application Object for Non-Productive Content

Create an application object containing non-productive content:

1. Navigate to the Firewall > Match Objects page in the SonicOS management interface.

2. Click the Add New Match Object button. The Add/Edit Match Object window displays.

3. Enter a descriptive Object Name, such as ‘Non-Productive Content’.

4. Select ‘CFS Category List’ from the Match Object Type drop-down list.

5. Use the checkboxes to select the categories you wish to add to the content list.

6. Click the OK button to add the object to the Application Objects list.

Create a Bandwidth Management Action Object

This section details creating a custom Action Object for bandwidth management.

Note Although App Rules contains pre-configured action objects for bandwidth management, a custom action object provides more control, including the ability to manage bandwidth per policy or per action.

To create a new BWM action:

1. Navigate to the Firewall > Action Objects page in the SonicOS management interface.

2. Click the Add New Action Object button. The Add/Edit Action Object window displays.

3. Enter a descriptive Action Name for this action.

4. Select ‘Bandwidth Management’ from the Action drop-down list.

5. Select from the Bandwidth Aggregation Method drop-down list:

a. Per Policy - to apply this limit to each individual policy.

b. Per Action - to share this action limit across all policies to which it is applied.

6. Create the desired settings for Inbound Bandwidth Management and Outbound Bandwidth Management.

7. Click the OK button to create this object.

Create an App Rules Policy to Manage Non-Productive Content

Create an App Rules policy to apply bandwidth management to content defined in the Application Object:

1. Navigate to the Firewall > App Rules page in the SonicOS management interface.

2. Click the Add Policy button. The Add/Edit App Rules Policy window displays.

3. Enter a descriptive name for this action in the Policy Name field.

4. Select ‘CFS’ from the Policy Type drop-down list.

5. From the Application Object drop-down list, select the object you created in the previous section. In the case of our example, this object is named ‘Non-Productive Content’.

6. From the Action drop-down list, select ‘Bandwidth Management - 100k’ to apply this custom BWM rule when users attempt to access non-productive content.

Note If you chose not to create a custom BWM object, you may use one of the pre-defined BWM objects (BWM high, BWM medium, or BWM low).

7. Optionally, use the drop-down list to select the Users/Groups to be Included in or Excluded from this policy. Our example uses the defaults of including ‘all’ and excluding ‘none’.

8. Optionally, select a Schedule of days and times when this rule is to be enforced from the drop-down list. Our example uses the pre-defined ‘Work Hours’ selection to enforce this policy only during weekday work hours.

9. Optionally, select the checkbox for Log using CFS message format if you wish for the logs to use this format instead of the standard App Rules format.

10. Optionally, select the appropriate Zone where the policy is to be enforced. Our example uses ‘LAN’ to enforce the policy on all traffic traversing the local network.

11. Click the OK button to create this policy.

Applying Policies to Multiple Groups

This section details applying a single policy to multiple user groups. CFS allows the administrator to apply one policy to different groups, allowing for variation (in time restrictions, exclusions, etc.) in the way it is applied to users.

Create a Group-Specific App Rules Policy

Create an App Rules policy that applies to a specific user group, for content defined in the Application Object:

1. Navigate to the Firewall > App Rules page in the SonicOS management interface.

2. Click the Add Policy button. The Add/Edit App Rules Policy window displays.

3. Enter a descriptive name for this action in the Policy Name field. For easy identification, this name can include the user group to which you are applying the policy.

4. Select ‘CFS’ from the Policy Type drop-down list.

5. Select an Application Object from the drop-down list. Our example uses ‘Non-Productive Content’.

6. Select an Action from the drop-down list. Our example uses the pre-defined ‘BWM Medium’ action to manage bandwidth of the applicable content.

7. Use the drop-down list to select the Users/Groups to be Included in or Excluded from this policy. Our example uses the ‘Trusted Users’ group, although you may choose a different or custom group depending on your needs.

8. Select a Schedule appropriate for this group. Our example uses the pre-defined ‘Work Hours’ schedule.

With the selections in this example, Non-Productive Content will be Bandwidth Managed for Trusted Users only during Work Hours.

9. Click the OK button to create this policy. The new policy displays in the App Rules Policies list.

10. Repeat steps 2-9 with variations required by your implementation in order to create a policy for each required group.

Creating a CFS custom Category

This section details creating a CFS custom category entry. CFS allows the administrator not only to create custom Policies, but also to add custom domain name entries to the existing CFS rating categories. This allows for insertion of custom-managed content into the existing and very flexible category structure.

Custom Categories have the following limits:

• You can create up to 64 custom categories.

• You can add an unlimited number of manual entries to each custom category.

• You can enter up to 500 domains manually across all custom categories.

• Multiple custom categories can reference the same mapped category.

To create a new CFS custom category:

Enable CFS Custom Categories

Add a New CFS Custom Category Entry

Enable CFS Custom Categories

1. Navigate to the Security Services > Content Filter page in the SonicOS management interface.

2. Scroll down and click the CFS Custom Category section and select the Enable CFS Custom Category checkbox.

3. Click the Accept button to save your changes and enable the Custom Category feature.

Add a New CFS Custom Category Entry

1. Again in the Security Services > Content Filter page, scroll down to the CFS Custom Category section and click the Add... button.

2. Enter a descriptive Name for the custom entry.

3. Choose the pre-defined Category to which this entry will be added.

4. Enter a domain name into the Content field.

Note All subdomains of the domain entered are affected. For example, entering “yahoo.com” applies to “mail.yahoo.com” and “my.yahoo.com”, hence it is not necessary to enter all FQDN entries for subdomains of a parent domain.

5. Click the OK button to add this custom entry.
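
The limits and the subdomain rule described in this section can be checked against a planned entry list before it is entered in the management interface. The following Python is an added example, not SonicWALL code: the dictionary layout, function names and sample entries are assumptions of the example. This page does not state which mapping takes effect when a subdomain and its parent domain are mapped to different categories, so such pairs are only flagged for review.

```python
"""Audit planned CFS custom-category entries (added example, constructed data)."""

MAX_CUSTOM_CATEGORIES = 64   # limit stated on this page
MAX_MANUAL_DOMAINS = 500     # limit stated on this page, across all categories


def normalize(domain):
    """Lower-case a domain and drop surrounding space and a trailing dot."""
    return domain.strip().lower().rstrip(".")


def covers(entry, host):
    """True if `host` is `entry` itself or a subdomain of it.

    The comparison is made on whole DNS labels, so "yahoo.com" covers
    "mail.yahoo.com" but not "notyahoo.com".
    """
    entry, host = normalize(entry), normalize(host)
    return host == entry or host.endswith("." + entry)


def audit_custom_categories(custom_categories):
    """Return findings for a planned configuration.

    custom_categories maps a custom category name (hypothetical layout) to a
    tuple: (pre-defined category it is mapped to, list of domain entries).
    """
    findings = []
    if len(custom_categories) > MAX_CUSTOM_CATEGORIES:
        findings.append(("too-many-categories", len(custom_categories)))

    # Flatten to (domain, mapped category) pairs in entry order.
    flat = [(normalize(d), mapped)
            for mapped, domains in custom_categories.values()
            for d in domains]
    if len(flat) > MAX_MANUAL_DOMAINS:
        findings.append(("too-many-domains", len(flat)))

    for i, (child, child_cat) in enumerate(flat):
        for j, (parent, parent_cat) in enumerate(flat):
            if i == j or not covers(parent, child):
                continue
            if child == parent and i > j:
                continue  # report an exact duplicate only once
            # Same mapped category: the child entry adds nothing and only
            # consumes the domain budget. Different category: needs review.
            kind = "redundant" if child_cat == parent_cat else "conflict"
            findings.append((kind, child, parent))
    return findings


# Constructed sample: category names are taken from the list on this page,
# the custom category names and domains are made up for the example.
SAMPLE = {
    "Staff social": ("Social Networking", ["yahoo.com", "mail.yahoo.com"]),
    "Video portals": ("Multimedia", ["my.yahoo.com", "example.org"]),
}

if __name__ == "__main__":
    for finding in audit_custom_categories(SAMPLE):
        print(finding)
```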

Legacy Content Filtering Examples

The following sections describe how to configure the settings on the Security Services > Content Filter page using legacy Content Filtering methods.

Note It is not possible to create advanced rules which utilize bandwidth management and application filter policy control when using the ‘legacy’ method of Content Filtering. For advanced rule creation, see the CFS 3.0 Policy Management Overview section.

Content Filter Status

Content Filter Type

Restrict Web Features

Trusted Domains

CFS Exclusion List

CFS Policy per IP Address Range

Web Page to Display when Blocking

Content Filter Status

If CFS is activated, the Content Filter Status section displays the status of the Content Filter Server, as well as the date and time that your subscription expires. The expiration date and time is displayed in Coordinated Universal Time (UTC) format.

You can also access the SonicWALL CFS URL Rating Review Request form by clicking the “here” link in the sentence “If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click here.”

If SonicWALL CFS is not activated, you must purchase a license subscription for full content filtering functionality, including CFS custom Policies. If you do not have an Activation Key, you must purchase SonicWALL CFS from a SonicWALL reseller or from your mysonicwall.com account (limited to customers in the USA and Canada).

Activating SonicWALL CFS

If you have an Activation Key for your SonicWALL CFS subscription, follow these steps to activate SonicWALL CFS:

WARNING You must have a mysonicwall.com account and your firewall must be registered to activate SonicWALL Client Anti-Virus.

1. Click the SonicWALL Content Filtering Subscription link on the Security Services > Content Filtering page. The mysonicwall.com Login page is displayed.

2. Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your firewall is already connected to your mysonicwall.com account, the System > Licenses page appears after you click the SonicWALL Content Filtering Subscription link.

3. Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL CFS subscription is activated on your SonicWALL.

4. When you activate SonicWALL CFS at mysonicwall.com, the SonicWALL CFS activation is automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on the Security Services > Summary page to update your SonicWALL.

Activating a SonicWALL CFS FREE TRIAL

You can try a FREE TRIAL of SonicWALL CFS by following these steps:

1. Click the FREE TRIAL link on the Security Services > Content Filter page. The mysonicwall.com Login page is displayed.

2. Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL is already connected to your mysonicwall.com account, the System > Licenses page appears after you click the FREE TRIAL link.

3. Click FREE TRIAL in the Manage Service column in the Manage Services Online table. Your SonicWALL CFS trial subscription is activated on your SonicWALL.

4. Select Security Services > Content Filter to display the Content Filter page for configuring your SonicWALL Content Filtering Service settings.

Content Filter Type

There are two types of content filtering available on the firewall. These options are available from the Content Filter Type menu.

SonicWALL CFS - Selecting Content Filter Service as the Content Filter Type allows you to access SonicWALL CFS functionality that is included with SonicOS, and also to configure CFS custom Policies that are available only with a valid subscription. You can obtain more information about SonicWALL Content Filtering Service at
http://www.sonicwall.com/products/cfs.html

Websense Enterprise - Websense Enterprise is a third party content filter list supported by Dell SonicWALL network security appliances.

Clicking the Network > Zones link in the note “Enforce the Content Filtering per zone from the Network > Zone page” displays the Network > Zones page for enabling SonicWALL Content Filtering Service on network zones.

Restrict Web Features

Restrict Web Features enhances your network security by blocking potentially harmful Web applications from entering your network.

Restrict Web Features are included with SonicOS. Select any of the following applications to block:

ActiveX - ActiveX is a programming language that embeds scripts in Web pages. Malicious programmers can use ActiveX to delete files or compromise security. Select the ActiveX check box to block ActiveX controls.

Java - Java is used to download and run small programs, called applets, on Web sites. It is safer than ActiveX since it has built-in security mechanisms. Select the Java check box to block Java applets from the network.

Cookies - Cookies are used by Web servers to track Web usage and remember user identity. Cookies can also compromise users' privacy by tracking Web activities. Select the Cookies check box to disable Cookies.

Access to HTTP Proxy Servers - When a proxy server is located on the WAN, LAN users can circumvent content filtering by pointing their computer to the proxy server. Check this box to prevent LAN users from accessing proxy servers on the WAN.

Trusted Domains

Trusted Domains can be added to enable content from specific domains to be exempt from Restrict Web Features.

If you trust content on specific domains and want them to be exempt from Restrict Web Features, follow these steps to add them:

1. Select the Do not block Java/ActiveX/Cookies to Trusted Domains checkbox.

2. Click Add. The Add Trusted Domain Entry window is displayed.

3. Enter the trusted domain name in the Domain Name field.

4. Click OK. The trusted domain entry is added to the Trusted Domains table.

To keep the trusted domain entries but enable Restrict Web Features, clear Do not block Java/ActiveX/Cookies to Trusted Domains. To delete an individual trusted domain, click the Delete icon for the entry. To delete all trusted domains, click Delete All. To edit a trusted domain entry, click the Edit icon.

CFS Exclusion List

IP address ranges can be manually added to or deleted from the CFS Exclusion List. Content filtering is disabled for IP addresses in the CFS Exclusion List. These address ranges are treated as trusted domains. Select Enable CFS Exclusion List to enable this feature.

The Do not bypass CFS blocking for the administrator checkbox controls content filtering for administrators. By default, when the administrator (“admin” user) is logged into the SonicOS management interface from a system, CFS blocking is suspended for that system’s IP address for the duration of the authenticated session. If you prefer to provide content filtering and apply CFS policies to the IP address of the administrator’s system, select the Do not bypass CFS blocking for the administrator checkbox.

Adding Trusted Domains to the CFS Exclusion List

To add a range of IP addresses to the CFS Exclusion List, perform these tasks:

1. Select the Enable CFS Exclusion List checkbox.

2. Click Add. The Add CFS Range Entry window is displayed.

3. Enter the first IP address in the range in the IP Address From: field and the last address in the IP Address To: field.

4. Click OK.

5. Click Accept on the Security Services > Content Filter page. The IP address range is added to the CFS Exclusion List.

Modifying or Temporarily Disabling the CFS Exclusion List

To modify or temporarily disable the CFS Exclusion List, perform these tasks:

1. To keep the CFS Exclusion List entries but temporarily allow content filtering to be applied to these IP addresses, clear the Enable CFS Exclusion List checkbox.

2. To edit a trusted domain entry, click the Edit icon.

3. To delete an individual trusted domain, click the Delete icon for the entry.

4. To delete all trusted domains, click Delete All.

CFS Policy per IP Address Range

To configure a CFS custom policy for a range of IP addresses, perform these tasks:

1. Scroll down to the CFS Policy per IP Address Range section and select the Enable Policy per IP Address Range checkbox.

2. Click Add. The Add CFS Policy per IP Address Range window is displayed.

3. Enter the first IP address in the range in the IP Address From: field and the last address in the IP Address To: field.

4. Select the CFS policy to apply to this IP address range in the CFS Policy: pull-down window.

5. Optionally add a comment about this IP address range in the Comment: field.

6. Click OK.
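
Because content filtering is disabled for every address in the CFS Exclusion List, it is worth reviewing the From/To ranges entered there together with the ranges entered under CFS Policy per IP Address Range. The following Python is an added example, not SonicWALL code: the function names, the 256-address review threshold, the policy names and the sample ranges are assumptions of the example. This page does not say how overlapping policy ranges are resolved, so overlaps are only flagged for review.

```python
"""Review CFS Exclusion List and per-range policy entries (added example)."""
import ipaddress


def to_range(first, last):
    """Convert an 'IP Address From' / 'IP Address To' pair to integers."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range start {first} is after range end {last}")
    return lo, hi


def intersect(a, b):
    """Return the overlapping (lo, hi) of two ranges, or None."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def fmt(r):
    """Render an integer range back to dotted From-To form."""
    return f"{ipaddress.IPv4Address(r[0])}-{ipaddress.IPv4Address(r[1])}"


def audit_ip_ranges(exclusions, policy_ranges, max_excluded=256):
    """Return findings for exclusion and per-range policy entries.

    exclusions:    list of (from, to)
    policy_ranges: list of (from, to, policy name)
    max_excluded:  review threshold chosen for this example, not a product limit
    """
    findings = []
    excl = [to_range(a, b) for a, b in exclusions]
    pol = [(to_range(a, b), name) for a, b, name in policy_ranges]

    # 1. Exclusions that switch filtering off for a large block of addresses.
    for r in excl:
        size = r[1] - r[0] + 1
        if size > max_excluded:
            findings.append(("broad-exclusion", fmt(r), size))

    # 2. Addresses that have a policy assigned but are also excluded,
    #    i.e. content filtering is disabled for them.
    for r in excl:
        for p, name in pol:
            hit = intersect(r, p)
            if hit:
                findings.append(("excluded-from-policy", name, fmt(hit)))

    # 3. Addresses covered by two different policies.
    for i, (p, name) in enumerate(pol):
        for q, other in pol[i + 1:]:
            hit = intersect(p, q)
            if hit and name != other:
                findings.append(("ambiguous-policy", f"{name}/{other}", fmt(hit)))
    return findings


# Constructed sample entries; policy names are hypothetical.
EXCLUSIONS = [("192.168.10.5", "192.168.10.9"),
              ("192.168.20.0", "192.168.23.255")]
POLICY_RANGES = [("192.168.10.0", "192.168.10.127", "Students"),
                 ("192.168.10.100", "192.168.10.200", "Teachers")]

if __name__ == "__main__":
    for finding in audit_ip_ranges(EXCLUSIONS, POLICY_RANGES):
        print(finding)
```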

Web Page to Display when Blocking

You can fully customize the web page that is displayed to the user when access to a blocked site is attempted. To revert to the default page, click the Default Blocked Page button.

For information on setting up Content Filter Properties, see Configuring Legacy SonicWALL Filter Properties.