Most IT Network Administrators are tasked with putting a content filter into place to resolve a myriad of HR issues. Several years ago, I selected a SonicWall NSA to do this for my organization because it did a good job with VPN, Firewall, and UTM in addition to content filtering. One thing that I have noticed with SonicWall is that whenever you think you know exactly how to do something, upgrade and you’ll have to figure it out again. This article gives a pretty good description of how to configure SonicWall Content Filtering on SonicOS version 220.127.116.11. If you are using a different version, I suspect that at a minimum the general steps in this article will help you along. This article also assumes that you have purchased the SonicWall Content Filtering option with your device.
Configure SonicWall Content Filtering – Step 1
The first step in configuring the SonicWall content filtering service (CFS)
is to navigate to the section in the SonicOS menu. Just navigate down into the “Security Services” area and find the Content Filter option. This will drop you into the Content Filter page. Once here, you will want to find the
Content Filter Type area. Choose “Content Filter Service” then hit the Configure Button. This will then take you to the SonicWall Filter Properties page which has 4 tabs. We should be on the CFS tab. Here, we would likely want to check the “Enable HTTPS Content Filtering” and “Block Access to URL” options. You should also probably think over the behavior that you want the SonicWall device to perform if somehow it cannot reach the SonicWall CFS services.
In my case, I chose to “Allow traffic to all Web sites” because I didn’t want the unavailability of SonicWall’s CFS services to shutdown my zones protected by CFS services.
Define SonicWall CFS Policy
We now switch to the “Policy” tab to begin configuring the specific policy. If we don’t have a policy defined yet to modify, we hit the “add” button. Otherwise, we choose the pencil button next to the policy that we need to edit. The first page will allow us to name our policy, the On the Policy tab, we select the URL List tab.
The URL List tab is where we choose which categories we wish to block on this specific policy.
The example above shows a typical “Forbidden Categories” section in the SonicWall Content Filtering Service definition. Once we have selected the appropriate categories for our organizations, we go to the “Settings” tab.
Exceptions to SonicWall Content Filter Policies
The most important part of this page is the custom list settings. You may want to add exceptions to the policy. This Settings tab is where you decide if the exceptions will be set globally or per policy. In the screen below, we can choose to have our Allowed Domains (whitelist) and our Forbidden Domains (blacklist) on either a per policy or a global basis.
One final feature that the Settings page gives you is the ability to specify the time of day that the filter will be used. This gives you the opportunity to allow different browsing habits for off-hours vs work hours, etc…
Next comes the “Custom List” tab. If we choose the per policy option on the settings tab, then this is where we add our white listed/black listed domains. You can see the domains listed below under the Allowed and Forbidden domain sections. Sorry for the blotches in the image. I had to purify my image before I could post it here.
If we chose the Global allow and forbidden list on the settings page, then we edit the global list on the CFS page / Custom List which will define the policy for all policies that are configured for global allowed / forbidden domain listings.
Apply the Content Filter Policy to a Zone
Finally, once we get the SonicWall Content Filter Services Policy configured, we need to put it in place so that it is used. We apply a policy in SonicWall to a specific zone. We choose the zone by going to the Network area of the main SonicOS menu, and choosing “zones”. This will display all of the zones configured in our SonicWall device. We will then choose the zone to apply our policy to. In my case, I chose the “LAN” zone as shown below.
Clicking on the Pencil button for our zone allows us to change the properties of the zone, including the Content Filter Services policy that we want to put on the zone.
First, we select the check box to Enforce Content Filtering Services.
Then, we select our CFS policy from the listing.
Putting the SonicWall CFS Policy in Place
When we hit the OK button, it applies our SonicWall Content Services Filtering policy to the zone. With our policy in place, workstations and other systems protected by the CFS policy will then be blocked from sites in the categories we chose. Browsers that attempt to contact web pages blocked by the policy will receive a screen similar to the image below.
Any you find web pages or other destinations being blocked that you think should not be, you can simply add their domains to the appropriate allowed / forbidden list as mentioned above.