User manual SONICWALL CONTENT FILTERING SERVICE 3.0 OVERVIEW REV A

[. . . ] Allowed actions on this policy type include: ­ HTTP Block Page ­ Manage Bandwidth ­ No Action ­ CFS Block Page ­ Packet Monitor Allowed Zones include: ­ LAN ­ DMZ ­ SSLVPN ­ VPN ­ WLAN Note CFS Message Format Checkbox ­ By default, messages are logged in Application Firewall format. This checkbox allows you to log using message format standard for CFS. Content Filtering Service 3. 0 3 CFS 3. 0 Policy Management Overview CFS 3. 0 Policy Management Overview When a CFS policy assignment is implemented using the Application Firewall method, it is controlled by Application Firewall CFS policies in the Application Firewall > Policies page instead of by Users and Zones. While the new Application Firewall method of CFS management offers more control and flexibility, the administrator can still choose the previous user/zone management method to perform content filtering. This section includes the following sub-sections: · · · · · Bandwidth Management Methods -- page 7 Choosing CFS Policy Management Type -- page 6 Enabling Application Firewall and CFS -- page 6 Bandwidth Management Methods -- page 7 Policies and Precedence: How Policies are Enforced -- page 8 The CFS Application Firewall Policy Settings Screen There are multiple changes/additions to the CFS policy creation window when used in conjunction with Application Firewall. [. . . ] Check the box to Enable Application Firewall. 6 Content Filtering Service 3. 0 CFS 3. 0 Policy Management Overview Bandwidth Management Methods Bandwidth Management feature can be implemented in two separate ways: · Per Policy Method ­ The bandwidth limit specified in a policy is applied individually to each policy ­ Example: two policies each have an independent limit of 500kb/s, the total possible bandwidth between those two rules is 1000kb/s · Per Action Aggregate Method ­ The bandwidth limit action is applied (shared) across all policies to which it is applied ­ Example: two policies share a BWM limit of 500kb/s, limiting the total bandwidth between the two policies to 500kb/s 500kb/s BWM Limit Per Policy Policy 1 www Policy 2 exe 500kb/s BWM Limit Per Action Policy 1 Policy 2 www exe Bandwidth Aggregation Method is selected in the Application Firewall Action Settings screen when the Action type is set as Bandwidth Management. Content Filtering Service 3. 0 7 CFS 3. 0 Policy Management Overview Policies and Precedence: How Policies are Enforced This section provides an overview of policy enforcement mechanism in CFS 3. 0 to help the policy administrator create a streamlined set of rules without unnecessary redundancy or conflicting rule logic enforcement. Policy Enforcement Across Different Groups The basic default behavior for CFS policies assigned to different groups is to follow standard most specific / least restrictive logic, meaning: The most specific rule is always given the highest priority · Example A rule applying to the "Engineering" group (a specific group) is given presidence over a rule applying to the "All" group (the least specific group. ) Policy Enforcement Within The Same Group The basic default behavior for CFS policies within the same group is to follow an additive logic, meaning: Rules are enforced additively · Example CFS policy 1 disallows porn, gambling, and social networking CFS policy 2 applies bandwidth management to sports and adult content to 1Mbps The end result of these policies is that sports and adult content are bandwidth managed, even though the first policy implies that they are allowed. 8 Content Filtering Service 3. 0 CFS 3. 0 Configuration Examples CFS 3. 0 Configuration Examples This section provides configuration examples using Application Firewall feature to create and manage CFS policies: · · · · Blocking Forbidden Content -- page 9 Bandwidth Managing Content -- page 11 Applying Policies to Multiple Groups -- page 14 Creating a Custom CFS Category -- page 15 Blocking Forbidden Content To create a CFS Policy for blocking forbidden content: · · Create an Application Object -- page 9 Create an Application Firewall Policy to Block Forbidden Content -- page 10 Create an Application Object Create an application object containing forbidden content: Step 1 Step 2 Step 3 Step 4 Step 5 Navigate to the Firewall > Match Objects page in the SonicOS management interface. Click the Add New Match Object button, the Add/Edit Match Object window displays. Select `CFS Category List' from the Match Object Type dropdown list. Use the checkboxes to select the categories you wish to add to the forbidden content list. Step 6 Click the OK button to add the object to the Application Objects list. Content Filtering Service 3. 0 9 CFS 3. 0 Configuration Examples Create an Application Firewall Policy to Block Forbidden Content Create an Application Firewall policy to block content defined in the Application Object: Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Navigate to the Firewall > App Rules page in the SonicOS management interface. Click the Add Policy button, the Add/Edit Application Firewall Policy window displays. Enter a descriptive name for this action in the Policy Name field, such as `Block Forbidden Content'. From the Application Object dropdown list, select the object you created in the previous section. In the case of our example, this object is named `Forbidden Content'. From the Action dropdown list, select `CFS block page' to display a pre-formatted `blocked content' page when users attempt to access forbidden content. Optionally, select the Users/Groups who this policy is to be Included or Excluded on from the dropdown list. Our example uses the defaults of including `all' and excluding `none'. Optionally, select a Schedule of days and times when this rule is to be enforced from the dropdown list. Click the Add New Action Object button, the Add/Edit Action Object window displays. Per Action - to share this action limit across all policies to which it is applied. Step 6 Step 7 Create the desired settings for Inbound Bandwidth Management and Outbound Bandwidth Management. Click the OK button to create this object. 12 Content Filtering Service 3. 0 CFS 3. 0 Configuration Examples Create an Application Firewall Policy to Manage Non-Productive Content Create an Application Firewall policy to block content defined in the Application Object: Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Navigate to the Firewall > App Rules page in the SonicOS management interface. Click the Add Policy button, the Add/Edit Application Firewall Policy window displays. From the Application Object dropdown list, select the object you created in the previous section. In the case of our example, this object is named `Nonproductive Content'. From the Action dropdown list, select `Bandwidth Management - 100k' to apply this custom BWM rule when users attempt to access non-productive content. Note If you chose not to create a custom BWM object, you may use one of the pre-defined BWM objects (BWM high, BWM medium, or BWM low). Optionally, select the Users/Groups who this policy is to be Included or Excluded on from the dropdown list. Our example uses the defaults of including `all' and excluding `none'. Optionally, select a Schedule of days and times when this rule is to be enforced from the dropdown list. [. . . ] CFS allows the administrator not only to create custom Policies, but also allows for custom domain name entries to the existing CFS rating categories. This allows for insertion of custom CFS-managed content into the existing and very flexible category structure. To create a new CFS custom category: · · Enable CFS Custom Categories -- page 15 Add a New CFS Custom Category Entry -- page 15 Enable CFS Custom Categories Step 1 Step 2 Step 3 Navigate to the Security Services > Content Filter page in the SonicOS management interface. Scroll down and click the CFS Custom Category section and select the Enable CFS Custom Category checkbox. [. . . ]