
How to block Facebook and Gmail in CFS 3.0 - SonicOS 5.8 and above.

(SW8808)

Resolution
Article Applies To:
Firmware/Software Version: SonicOS Enhanced 5.8.0.0 and above (Gen 5); SonicOS Enhanced 6.1.0.0 and above (Gen 6)
Services: CFS, App Rules

Feature/Application:
This article describes the method to block Gmail.com and Facebook.com using CFS 3.0.
CFS examines the Server Extensions field in the Client Hello message and/or the CN in the Server Hello
message to block HTTPS sites. HTTP sites are blocked by examining the Host field of the GET request. The
following sections describe the methods involved in blocking both HTTP and HTTPS gmail.com and
facebook.com.
Enabling HTTPS Content Filter Globally

Blocking using Forbidden Domains in CFS via Users and Zone Screens

Blocking using Allow/Forbidden Custom List in CFS via App Rules
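
Added example, not part of the SonicWALL article: a Python illustration of the inspection described above, reading the server name from a TLS Client Hello and the Host header from an HTTP request without decrypting anything. The function names, the constructed Client Hello and the rule that an entry also matches its subdomains are assumptions; the article does not state how CFS matches entries.

```python
import struct

FORBIDDEN = ["facebook.com", "mail.google.com"]  # the article's Forbidden Domains entries

def sni_from_client_hello(record: bytes):
    """Return the server_name in a TLS ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:        # 0x16 = handshake record
        return None
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 or body[0] != 0x01:            # 0x01 = ClientHello
        return None
    try:
        p = 4 + 2 + 32                              # handshake header, version, random
        p += 1 + body[p]                            # session_id
        p += 2 + int.from_bytes(body[p:p + 2], "big")   # cipher_suites
        p += 1 + body[p]                            # compression_methods
        end = min(len(body), p + 2 + int.from_bytes(body[p:p + 2], "big"))
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            if etype == 0:  # server_name: list len (2), name type (1), name len (2), name
                nlen = int.from_bytes(body[p + 7:p + 9], "big")
                return body[p + 9:p + 9 + nlen].decode("ascii").lower()
            p += 4 + elen
    except (IndexError, UnicodeDecodeError):
        pass                                        # truncated or malformed hello
    return None

def host_from_http(request: bytes):
    """Return the Host header of a plain HTTP request, without any port."""
    for line in request.split(b"\r\n\r\n")[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower().split(":")[0]
    return None

def is_forbidden(host, forbidden=FORBIDDEN):
    # Assumption: an entry matches the domain itself and any of its subdomains.
    host = (host or "").rstrip(".")
    return any(host == d or host.endswith("." + d) for d in forbidden)

def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal ClientHello carrying only an SNI extension."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Because the name is read from the handshake itself, a Client Hello that carries no server name gives this check nothing to match on.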


Procedure to block Gmail and Facebook
Enabling HTTPS Content Filter Globally
Log in to the SonicWALL Management GUI.

Navigate to the Security Services > Content Filter page

Click on Configure under Content Filter Type with SonicWALL CFS selected.

Check the box Enable HTTPS Content Filtering.

Click on OK to save the settings.


Blocking using Forbidden Domains in CFS via Users and Zone Screens
Select Via User and Zone Screens under CFS Policy Assignment.

Click on Accept to save the change.



Click on Configure under Content Filter Type with SonicWALL CFS selected (for 5.8.x.x).
Click on Configure under Content Filter Type with Content Filter Service selected (for 5.9 and above).

Click on the Custom List tab.

Click on Add under Forbidden Domains and enter facebook.com and mail.google.com.

Click on OK to save the changes.



Configuring Custom CFS Policies to inherit the Allow/Forbidden Custom List.
What has been entered under the Forbidden Domains is automatically applicable to the Default policy. To
enforce the same on custom CFS policies, their Custom List Settings need to be manually set to Global.
Edit the custom CFS policy.

Click on the Settings tab.

Set the Source of Forbidden Domains to Global.

Click on OK to save.



Blocking using Allow/Forbidden Custom List in CFS via App Rules
On the Security Services > Content Filter page, select Via App Rules under CFS Policy Assignment.

Click on Accept to save the change.



Match Objects
Navigate to Firewall > Match Objects

Click on Add New Match Object


To create a custom list of allowed or forbidden domains, select CFS Allow/Forbidden List under Match Object
Type. You could also load the allow/block list from a file containing the names of the domains. Each entry in
the file should be on a separate line. The maximum size of the file is 8192 bytes.



Unlike CFS via Users and Zones, Custom List Objects (as above) cannot be used individually in an App Rule. They
can only be used with a CFS Category List Object (see below):

[Screenshot: CFS Category List match object]


App Rules
Navigate to the Firewall > App Rules page.

Check the box under Enable App Rules.

Click on Add New Policy and create the following App Rule.

[Screenshot: App Rule policy settings]

Log Messages
When SonicWALL CFS blocks HTTPS websites, users will not see a blocked page, only a connection reset page.



However, the following messages will appear in the logs:

[Screenshot: log messages]
