[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4858
  • Last Modified:

Content Filtering rules and setup on Sonicwall NSA 2400

Hello,
We are in process of switching over from ISA 2004 to Sonicwall NSA 2400.
As far as licensing is concerned we purchased everything but the Spam prevention as we already have something in place.
I`d like to find a proper way of setting up content filtering rules for a variety of User Groups on the NSA appliance. I was able to create a "Test" policy where I checked categories that I want blocked (Security Services -> Content Filter -> "SonicWALL CFS"->Configure -> Policy tab) then I went to Zones and verified that "TEST" policy was assigned to "LAN"
Unfortunately I can only assign one content filtering policy to LAN... This raises a question, if I plan to have 6 content policies, do I add the same "LAN” 6  times in the Zones and then assign the corresponding policy  to it? Doesn't sound right....
I’m not sure if  I am going the right way about it, can somebody explain in basic terms the easier way to go about it and perhaps some step by step instructions if possible ?
We did install SSO on one of the servers.

Thank you in advance.
0
technomic
Asked:
technomic
2 Solutions
 
SonicJoshCommented:
Depending on how you want it setup,  you can apply policies to groups under Users->Local Groups then select configure on a groups of users and that policy will be enforced on those users.  I would set the policy for the LAN zone to default.

If you are using an Active Directory environment, you can select the "import from LDAP" button on the bottom of the Local Groups page to import security groups from LDAP into the local groups in the SonicWALL.  For instance, you can create a security group in Active Directory called "CFS - Restricted" and put AD users in the group that you want restricted then import that group into the SonicWALL via the Import from LDAP button and you can apply a CFS policy to that group.  Then, all users in that group will be content filtered.  

Also, for the import from LDAP to work, you have to go to Users->Settings and configure the "Authentication method for login:" for LDAP.

I hope this helps a little.

Josh
0
 
VCBoothCommented:
You need to set LDAP on your SonicWALL to point to your active directory and be able to see the groups and individual users.

Then download Directory Connector from your MySonicWALL.com account (Free Downloads) - install on as many servers as possible.  Note it doesn't have to be a server but a machine that is constantly reachable - I personally prefer servers.

On the SonicWALL set up SSO Agent (Single Sign On) so your users don't need to always authenticate with the SonicWALL.  UNLESS YOU HAVE A SINGLE POLICY THE SONICWALL NEEDS A USER TO AUTHENTICATE to know who he/she is etc.

SSO agent points to the directory connector(s) you have set up.

Make sure Windows firewall or another product is not running on individual machines - they will stop SSO agent from working properly.  Also set SSO agent to WMI (right click on the directory connector to do this)

Now you can add your users to Active Directory groups for internet access and ONLY THEN can you import them into your Local Groups from AD.  The above suggestion is the way to do it, but would only work if you had setup LDAP and SSO.

Set your DEFAULT policy to block EVERYTHING.  Everybody is a member of the default policy.

Set various other policies to allow only what you want that group to see.

SonicWALL work on the MOST PERMISSIVE basis.  A user can be a member of more than one group.

If Fred is in Group A and that allows Search Engines only, Daisy is in Group B that allows Social Media only and You are in Group A and B then you will see both Search Engines and Social Media.

Hope that helps.

These are good links - read and carry on from the bottom of the pages:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5946

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5948



0
 
technomicAuthor Commented:
Guys,
I apologize for a delay. I haven't had a chance to try both of the solutions, but I will definetely check them out as soon as I get around to it.
Thanks and I appreciate the help.
0

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now