NSA 5600
Most Specific / Least Restrictive is the default evaluation process for CFS policies assigned to different
groups/users. Most Specific always has the highest priority (i.e. the CFS policy for the All group
is least specific, the CFS policy for a local/authenticated group is more specific, and the CFS policy for a user
is most specific). When policies are at the same level of specificity, the least restrictive option has the
highest precedence.
When multiple CFS policies are assigned to the same group, the evaluation logic is additive:
Example:
CFS policy 1: Engineering is not allowed to access porn, gambling, and adult content.
CFS policy 2: Apply BWM for Engineering when accessing Sports, Multimedia, and Social Networking at
1 Mbps.
The result of the above policies is that Sports access will be bandwidth managed at 1 Mbps when
accessed by a member of the Engineering group, even though CFS policy 1 implies that Sports should be
allowed for Engineering.
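The precedence rules above can be checked with a small model. This is an added example, not SonicWall code: the `Policy` class, the `evaluate` function, the Sales group, the user names and the restrictiveness ordering (allow, then bandwidth management, then block) are assumptions made for illustration, as is the reading that a more specific policy replaces less specific ones entirely.

```python
from collections import defaultdict
from dataclasses import dataclass

SPECIFICITY = {"all": 0, "group": 1, "user": 2}        # higher = more specific
RESTRICTIVENESS = {"allow": 0, "bwm": 1, "block": 2}   # assumed ordering

@dataclass
class Policy:
    scope: str     # "all", "group" or "user"
    subject: str   # group or user name; "*" for scope "all"
    actions: dict  # category -> "bwm" or "block"; unlisted categories are allowed

def applies(p, user, groups):
    return (p.scope == "all"
            or (p.scope == "group" and p.subject in groups)
            or (p.scope == "user" and p.subject == user))

def evaluate(policies, user, groups, category):
    """Return "allow", "bwm" or "block" for one user and one CFS category."""
    matching = [p for p in policies if applies(p, user, groups)]
    if not matching:
        return "allow"
    # Most specific: only the highest specificity level present is considered
    # (assumption: it replaces less specific policies entirely).
    top = max(SPECIFICITY[p.scope] for p in matching)
    per_subject = defaultdict(list)
    for p in matching:
        if SPECIFICITY[p.scope] == top:
            per_subject[p.subject].append(p.actions.get(category, "allow"))
    # Additive: policies on the same subject accumulate, so an explicit action
    # overrides the implied allow of a sibling policy.
    merged = [max(acts, key=RESTRICTIVENESS.get) for acts in per_subject.values()]
    # Least restrictive: between subjects at the same level, the mildest wins.
    return min(merged, key=RESTRICTIVENESS.get)

# The first two entries are the Engineering example from the text;
# the Sales and alice entries are constructed for this illustration.
POLICIES = [
    Policy("group", "Engineering",
           {"Porn": "block", "Gambling": "block", "Adult Content": "block"}),
    Policy("group", "Engineering",
           {"Sports": "bwm", "Multimedia": "bwm", "Social Networking": "bwm"}),
    Policy("group", "Sales", {"Sports": "block"}),
    Policy("user", "alice", {"Social Networking": "block"}),
]

if __name__ == "__main__":
    for cat in ("Sports", "Gambling", "News"):
        print(cat, "->", evaluate(POLICIES, "bob", {"Engineering"}, cat))
```

In this model a user who belongs to both Engineering and Sales is allowed Gambling, because Sales places no restriction on it and the least restrictive result wins between groups at the same level. Overlapping group memberships are therefore worth reviewing when a block is expected to hold.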
In this scenario, three user groups are defined and a CFS policy is created for each user group with
allowed/forbidden lists for each.
The following are the User Groups created with their respective CFS allowed/forbidden lists and
allowed/blocked CFS categories.
1. Full Access:
2. Restricted Access:
3. Limited Access:
If Single Sign On (SSO) is not used, create the following LAN to WAN rules. For more information on configuring
CFS with LDAP and SSO, click here.
Enable CFS via App Rules and enable HTTPS Content Filtering.
If the option Log using CFS message format is checked on the Application Firewall policy
under Firewall > App Rules, blocked messages would be logged in the following format: