Management Services Content Filter - SonicWall


SonicWall Management Services Content Filter Administration

Contents

Configuring Content Filtering Service
  About CFS
  CFS Settings
    Google Safe Search
    Three Approaches to Content Filtering
  Configuring CFS
    Defining Trusted Domains
    Defining Block Pages
    CFS Settings
  Creating a Custom List
    Adding Domains or Keywords to Custom List
    Removing Domains or Keywords to Custom List
  Policies
  CFS Exclusion List
  CFS IP Address Range
  CFS Custom Category
  Web Features
  Configuring N2H2
  Configuring Websense Enterprise
SonicWall Support
  About This Document

1 Configuring Content Filtering Service

NOTE: The CFS configuration pages described in this document apply only to appliances running SonicOS 6.2.5 Enhanced and below.

NOTE: Proper licensing must be in place to support the legacy CFS described here.

This document covers configuration of legacy SonicWall Content Filtering Service (SonicWall CFS) and two third-party content filtering database services, Websense Enterprise and N2H2.

About CFS

The SonicWall Content Filtering Service (CFS) delivers content filtering enforcement for educational institutions, businesses, libraries, and government agencies. With Content Filter policies and objects, you can control the websites students and employees access using their IT-issued computers while behind the organization’s firewall. CFS compares requested websites against massive cloud databases that contain millions of rated URIs, IP addresses, and websites.

CFS Settings

To configure the CFS settings:

1. Navigate to MANAGE > SECURITY > Content Filter > Settings.

2. Under CONTENT FILTER TYPE, choose the following filters:
- Content Filter System
- N2H2
- Websense Enterprise
- Enforce Google Safe Search

Google Safe Search

The three main approaches are mutually exclusive, but Google Safe Search works with all of them. Enabling Google Safe Search enables a search feature which filters out offensive content from Google searches.

Three Approaches to Content Filtering

The following subsections detail configuration of content filtering with SonicOS tools available before release of SonicOS Enhanced 6.2.5.

Additional sections detail configuration of third-party database approaches:
- Configuring N2H2
- CFS IP Address Range

Configuring CFS

Navigate to MANAGE > PRIVACY > Content Filter > Settings. To configure CFS with utilities available in SonicOS Enhanced 6.2.5 and earlier, first enable Content Filter System in the Content Filter Type section.

NOTE: Configuration settings on this Settings page apply to N2H2 and Websense Enterprise configurations as well as Content Filter Service.

The next choice is whether to define application of CFS across your network based on Zones, or on App Rules. For reference, App Rules are defined in SETUP > Firewall > App Rules, while enforcement by users is defined in SETUP > Users > Local Groups > CONFIGURE for SonicOS 6.2 and earlier. Enforcement by zone is applied with a check box in SETUP > Network > Zones > CONFIGURE.

You can then apply CFS and restrictions on Web features (Java/Active X/cookies) for different network interface areas: LAN/Workport and DMZ/HomePort/WAN/OPT.

Defining Trusted Domains

The next section of SECURITY > Content Filter > Settings allows definition of specific domains that are not subjected to content filtering. Note that the check box over the list allows web features (Java, Active X, and cookies) to be enabled and disabled for these domains.

To enter the domain name, click on Add, then enter the names separated by semicolons, with no spaces.

Note that lists of domains to be trusted may be imported. Click on Import.

Complete all of the changes by clicking on Update. Click on Reset to return to the state of settings prior to your session.

Defining Block Pages

As the display at Content Filter > Settings shows, there are two different methods of defining block pages.
- WEB PAGE TO DISPLAY WHEN BLOCKING applies to units running SonicOS Enhanced 5.2 and above.
- MESSAGE TO DISPLAY WHEN BLOCKING applies to units running SonicOS Enhanced 5.1 and below.

CFS Settings

This section supports settings for SonicWall CFS, N2H2, and Websense Enterprise. These consist of:
- Enable HTTPS — Select this checkbox to enable HTTPS content filtering. HTTPS content filtering is IP- and host name-based, and does not inspect the URL. While HTTP content filtering can perform redirects to enforce authentication or provide a block page, HTTPS filtered pages are blocked silently. You must provide the IP address for any HTTPS websites to be filtered.

- Enable CFS Server Failover — Select this checkbox to provide CFS server redundancy and high availability.
- Enable CFS Wire Mode — Select this checkbox to enable CFS for Wire Mode deployments.
- If Server is Unavailable for (seconds) — Sets the amount of time after the content filter server is unavailable before the firewall takes action to either block access to all Web sites or allow traffic to continue to all Web sites. The default is 5 seconds.

NOTE: If the server is unavailable, the firewall can allow access to websites in the cache memory. This means that by selecting the Block traffic to all Web sites checkbox, the firewall only blocks websites that are not in the cache memory.

- Block traffic to all websites — Select this feature if you want the firewall to block access to all websites until the content filter server is available.
- Allow traffic to all websites — Select this feature if you want to allow access to all websites when the content filter server is unavailable. If Forbidden URI (Universal Resource Identifier) and Forbidden Keywords are enabled, however, they are still blocked. This option is selected by default.
- If URL marked forbidden — If you have enabled blocking by Categories and the URL is blocked by the server, there are two options available that can be selected by default:
  - Block access to URL — Selecting this option prevents the browser from displaying the requested URL to the user.
  - Log access to URL — Selecting this option records the requested URL in the log file.
- Custom list searching order — You can specify which list is searched first:
  - “Allowed URL” first (default)
  - “Forbidden URL” first

URL Cache

The URL Cache section allows you to configure the URL cache size on the firewall. The default size is 768 KB.

NOTE: A larger URL cache size can noticeably improve internet browsing response times.

Click on Update, or to restore settings to before this session, click on Reset.

Web Usage Consent

The Consent section allows you to enforce content filtering on designated computers and provide optional filtering on other computers. Consent can be configured to require the user to agree to the terms outlined in an Acceptable Use Policy window before Web browsing is allowed.

To enable the Consent properties, check the box next to Require Consent.
- Maximum Web Usage (minutes) — In an environment where there are more users than computers, such as a classroom or library, time limits are often imposed. The firewall can be used to remind users when their time has expired by displaying the page defined in the Consent page URL field. Enter the time limit, in minutes, in the Maximum Web usage field. The minimum time is 1 minute, the maximum is 9999, and the default is 15. Entering a value of 0 (zero) disables this feature.
- Consent Page URL (optional filtering) — When users open a Web browser on a computer requiring consent, they are shown a consent page and given the option to access the internet with or without content filtering. This page must reside on a Web server and be accessible as a URL by users on the network. It can contain the text from or links to an Acceptable Use Policy (AUP). This page must contain links to two pages contained in the firewall, which, when selected, tell the firewall if the user wishes to have filtered or unfiltered access:

  IMPORTANT: Use your SonicWall LAN IP address instead of 192.168.168.168.

  - Unfiltered access link must be 192.168.168.168/iAccept.html
  - Filtered access link must be 192.168.168.168/iAcceptFilter.html

IMPORTANT: All of the following pages must reside on a Web server and be accessible as a URL by users on the network.

- Consent Accepted URL (filtering off) — When a user accepts the terms outlined in the Consent page and chooses to access the internet without the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the Consent Accepted (filtering off) field.
- Consent Accepted URL (filtering on) — When a user accepts the terms outlined in the Consent page and chooses to access the internet with the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the Consent Accepted (filtering on) field.
- Consent Accepted Redirect Page URL (filtering off) — Optional. If a URL is entered in this field, when a user accepts the terms in the Consent page and chooses to have unfiltered access, they are redirected to this URL.

Mandatory IP Filtering

At the bottom of the Content Filter > Settings page is a Mandatory IP Filtering section.

When a user opens a Web browser on a computer using mandatory content filtering, a consent page is displayed. You must create the Web page that appears when the Web browser is opened. The page can contain text from an Acceptable Use Policy and notification that violations are logged or blocked.

This Web page must reside on a Web server and be accessible as a URL by users on the LAN. This page must also contain a link to a page contained in the firewall that tells the device that the user agrees to have filtering enabled. The link must be 192.168.168.168/iAcceptFilter.html, where the SonicWall LAN IP address is used instead of 192.168.168.168.

Enter the URL of this page in the Consent Page URL (mandatory filtering) field and click OK. When the firewall is updated, a message confirming the update is displayed at the bottom of the Web browser window.

Complete Settings

Click on Update, or to restore settings to before this session, click on Reset.

Creating a Custom List

NOTE: The settings on this page do not apply if N2H2 or Websense databases are selected on the Settings page.

Navigate to Content Filter > Custom List. You can customize your URL list to include allowed domains, forbidden domains, and blocked keywords. By customizing your URL list, you can include specific domains to be accessed or blocked, and include specific keywords to block sites.

Custom List of the SonicWall CFS allows an administrator to enter specific domain names to be allowed or blocked. Custom List also allows you to enter keywords, which are useful to block access to any website whose URL contains any listed keyword. Keyword blocking also prevents the uploading of any form requests that contain a listed keyword, such as a website search.

In the Settings section of this page, there are three check boxes:
- Enable Allowed/Forbidden Domains — Enables domain discrimination as defined below.
- Enable Keyword Blocking — Prevents access to websites with keywords in URL or search.
- Disable all web traffic except for Allowed Domains — Restricts access to allowed domains only.

Selecting the Disable all web traffic except for Allowed Domains check box causes the SonicWall security appliance to allow Web access only to sites on the Allowed Domains list. With careful screening, this can be nearly 100% effective at blocking pornography and other objectionable material.

Adding Domains or Keywords to Custom List

To allow access to a website that is blocked by the Content Filter List:

1. Click Add in the Allowed URI section of the Custom List page. The Add Allowed URI dialog box displays.
2. Enter the host name, such as www.ok-site.com, into the URI field. Use a semicolon (;) as the delimiter, without spaces, to list more than one URI.

CAUTION: Do not include the prefix http:// in either the Allowed URI or Forbidden URI fields. All subdomains are affected. For example, entering yahoo.com applies to mail.yahoo.com and my.yahoo.com.

3. Click Update. You can add up to 1,024 entries to the Allowed URI list by repeating the above steps for each entry.
4. Click on Import to upload a .txt file with one Allowed URI per line.
5. To block a website that is not blocked by the Content Filter Service, click Add in the Forbidden URI section. The Add Forbidden URI dialog box displays.
6. Enter the host name, such as www.bad-site.com, into the Forbidden URI field.
7. Click Update. You can add up to 1,024 entries to the Forbidden URI list by the above steps.
8. Click on Import to upload a .txt file with one Forbidden URI per line.
9. To enable blocking using Keywords, click Add under Keywords. The Add Keyword entry dialog displays.
10. Enter the keyword to block in the Keyword field.
11. Click Update. You can add up to 100 entries to the Keyword blocking list by repeating the above steps.

Removing Domains or Keywords to Custom List

To remove a trusted or forbidden domain, select it from the appropriate list, and click Delete.
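The Custom List rules above (no http:// prefix, no spaces, one entry per line in an import file, up to 1,024 URI entries, entries that also cover subdomains) can be checked before a file is imported. The following Python sketch is an added example, not SonicWall code; the function names, the sample entries, and the first-match model of the Custom list searching order setting are assumptions.

```python
import re

MAX_URI_ENTRIES = 1024  # Allowed/Forbidden URI list limit stated in the guide
# Host names only: dot-separated labels of letters, digits and inner hyphens.
HOST_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def lint_uri_list(text, limit=MAX_URI_ENTRIES):
    """Check a one-entry-per-line import file; return (entries, problems)."""
    entries, problems, seen = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lower()
        if not line:
            continue
        if "://" in line:
            problems.append((n, "remove the http:// prefix"))
        elif " " in line or ";" in line:
            problems.append((n, "one entry per line, no spaces"))
        elif not HOST_RE.match(line):
            problems.append((n, "not a host name"))
        elif line in seen:
            problems.append((n, "duplicate entry"))
        else:
            seen.add(line)
            entries.append(line)
    if len(entries) > limit:
        problems.append((0, f"{len(entries)} entries exceed the limit of {limit}"))
    return entries, problems

def covers(entry, host):
    """Per the guide, an entry applies to the host and all of its subdomains."""
    return host == entry or host.endswith("." + entry)

def verdict(host, allowed, forbidden, order="allowed-first"):
    """Assumed model: the list searched first decides; None = no custom match."""
    lists = [("allow", allowed), ("block", forbidden)]
    if order == "forbidden-first":
        lists.reverse()
    for action, entries in lists:
        if any(covers(e, host) for e in entries):
            return action
    return None

def order_sensitive(allowed, forbidden):
    """Pairs whose overlap makes the result depend on the searching order."""
    return [(a, f) for a in allowed for f in forbidden
            if covers(a, f) or covers(f, a)]

# Constructed sample files (not from the guide).
ALLOWED_TXT = ("www.ok-site.example\nhttp://portal.example.org\n"
               "mail.example.com\nmail.example.com\nbad host.example\n")
FORBIDDEN_TXT = "example.com\n"

if __name__ == "__main__":
    allowed, problems = lint_uri_list(ALLOWED_TXT)
    forbidden, _ = lint_uri_list(FORBIDDEN_TXT)
    for n, msg in problems:
        print(f"allowed.txt line {n}: {msg}")
    for a, f in order_sensitive(allowed, forbidden):
        print(f"{a} (allowed) overlaps {f} (forbidden):",
              verdict(a, allowed, forbidden), "by default,",
              verdict(a, allowed, forbidden, "forbidden-first"), "if forbidden is first")
```

Any pair reported by `order_sensitive` is an entry whose effective result changes if the Custom list searching order is later switched, so it is worth resolving in the lists themselves.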

Policies

NOTE: The settings on this page do not apply if N2H2 or Websense databases are selected on the Settings page.

1. Navigate to the SECURITY > Content Filter > Policies page.
2. Click on Add to get the add content filter dialog box.
3. Enter the information below in the text fields provided in the dialog box.
   - Name — Provide a policy name.
   - Allowed URI List — Select a URI list object; access to all the URIs in this object will be allowed.
   - Forbidden URI List — Select a URI list object; access to all the URIs in this object will be forbidden.

   - Operation for Forbidden URI — Select a value from the drop-down list to control which list is searched first: the Allowed URI list or the Forbidden URI list.
   - Under CATEGORY CONFIGURATION, choose the content CATEGORY you want to Block or Allow under OPERATION.
   - Under Operation, choose Allow from the drop-down list. You can also click the Set to All or Default buttons.

NOTE: The Policies page applies only to units running SonicOS 6.2.5 Enhanced and below.

CFS Exclusion List

NOTE: The settings on this page do not apply if N2H2 or Websense databases are selected on the Settings page.

The CFS exclusion list allows you to specify an IP address or IP address range that is excluded from website blocking. The settings for this page apply to units running SonicOS Enhanced 6.2.5 and below.

To configure the CFS Exclusion List:

1. Navigate to SECURITY > Content Filter > CFS Exclusion List.
2. Under CFS EXCLUSION RANGE SETTINGS, click Do not bypass CFS blocking for the Administrator if you do not want CFS blocking to be bypassed for the Administrator.
3. Click Enable CFS Exclusion list to enable CFS block list exclusions.
4. To exclude an address object from CFS only, click CFS only.
5. To exclude an address object from CFS and user authentication in an access rule, click CFS and user authentication in access rule.

NOTE: Steps 4 and 5 apply only to units running SonicOS 5.8.2 Enhanced and above.

6. Click Update.
7. Select an address object from the drop-down list.

NOTE: Step 7 applies only to units running SonicOS 5.9 Enhanced.

8. Under CFS EXCLUSION IP ADDRESS RANGE SEARCH, choose the following:
   - In the text fields next to the search icon, do the following:
     - Select From Address or To Address to indicate the beginning or ending IP addresses.
     - Select Equals, Starts with, Ends with, or Contains from the drop-down list.
     - Enter Search text in the text field provided.
   - Click Search or Clear.
9. Under the CFS EXCLUSION IP ADDRESS RANGE table, check the IP addresses under the FROM ADDRESS and TO ADDRESS columns. To configure the IP addresses, use the CONFIGURE column.
   - Click Add and the CFS RANGE dialog window displays. Enter the IP address From and the IP Address To in the text fields provided and click Update.
   - Click Delete and then click OK in the dialog window that displays to delete the selected CFS Exclude Range.

NOTE: Multiple IP address ranges can be deleted at the same time by selecting multiple checkboxes. Step 9 applies only to units running SonicOS Enhanced 6.1 and SonicOS Enhanced 5.8 or older.

CFS IP Address Range

Appliances with SonicWall CFS can assign specific CFS policies to ranges of IP addresses. This provides the ability to segment CFS policies within a single zone. The settings in the CFS IP Address Range page only apply to units running between SonicOS 5.8 and SonicOS 6.2.5 Enhanced.

To configure the CFS IP Addr
