
Procedure Best Practices SonicWALL

NSA 5600

Different Users/User Groups:

Most Specific / Least Restrictive is the default evaluation process for CFS policies assigned to different
groups/users. Most Specific always has the highest priority (i.e. the CFS policy for the All group
is least specific, the CFS policy for a local/authenticated group is more specific, and the CFS policy for a user
is most specific). When policies are at the same level of specificity, the least restrictive option has the
highest precedence.

Multiple Policies assigned to same group:

When multiple CFS policies are assigned to the same group, the evaluation logic is additive:

Example:

CFS policy 1: Engineering is not allowed to access porn, gambling, and adult content.

CFS policy 2: Apply BWM for Engineering when accessing Sports, Multimedia, and Social Networking at
1 Mbps.

The result of the above policies is that Sports access will be bandwidth managed at 1 Mbps when
accessed by a member of the Engineering group, even though CFS policy 1 implies that Sports should be
allowed for Engineering.

In this scenario, three user groups are defined, and a CFS policy with its own allowed/forbidden lists is
created for each user group.

The following are the User Groups created with their respective CFS allowed/forbidden lists and
allowed/blocked CFS categories.

1. Full Access:

Categories Blocked: 1 to 12, 16 & 28. Remaining Categories are allowed.

Forbidden Domains: Gmail.com, Facebook.com, Orkut.com

2. Restricted Access:

Categories Allowed: 20, 27, 33, 34, 41, 48, 58. Remaining Categories are blocked.

Forbidden Domains: Gmail.com, Facebook.com, Orkut.com

3. Limited Access:

Categories Allowed: 29 & 30. Remaining Categories are blocked.

Allowed Domains: ESPN.go.com


Setting User Authentication in the SonicWALL:

The following user groups are created in the Users > Local Groups page. If using LDAP, the user
groups can be imported from Active Directory. For more info on configuring LDAP click here.

If Single Sign On (SSO) is not used, create the following LAN to WAN rules. For more info on configuring
CFS with LDAP & SSO click here.

Enabling CFS via App Rules and enabling HTTPS Content Filtering:

Log in to the SonicWALL Management GUI.
Navigate to the Security Services > Content Filter page.
Set CFS Policy Assignment to Via App Rules.
Click on Accept to save the change.
Click on the Configure button under Content Filter Type > SonicWALL CFS.
Check the box under Enable HTTPS Content Filtering.

Creating CFS Category Objects:

Navigate to Firewall > Match Objects.
Create the following Objects.

Creating CFS Allowed / Forbidden Objects:

Create the following objects under Firewall > Match Objects.

Creating Application Firewall Policies for CFS:

Navigate to Firewall > App Rules.
Check the box under Enable App Rules.
Create the following policies.

How to Test:

Test by going online from a PC behind the SonicWALL. You will be prompted for a username and
password (If not using SSO). Depending on group membership, the user will be either blocked or
allowed to the requested site.

The following messages would be logged in the Log > View page.

If the option Log using CFS message format is checked on the Application Firewall policy
under Firewall > App Rules, blocked messages would be logged in the following format:
