How to configure content filter by ip address on SonicWall TZ215 (SonicOS 5.9.0.4-127)

I'm trying to change the content filter policy on one computer. All other computers on the network use the default CFS policy which is assigned as default to the LAN Zone and has been working fine.
On the LAN Zone Enforce Content Filtering Service is ticked and assigned to the Default policy that has the highest restrictions in terms of categories allowed.
The new policy that I want to assign to just a single machine has a more relaxed policy with a couple more categories allowed access.
Under "Security Services > Content Filter" I have ticked "Enable Policy per IP Address Range" and I have the main LAN IP address range assigned to the Default policy and the IP address of the relaxed machine assigned to the relaxed CFS Policy.

The problem is that it now seems to allow all computers to access the more relaxed policy.

I am not connected to the admin console of the SonicWall from the machine I am testing from. I have tried to log out of the admin console totally and then test.

Is there a step I have missed to configure content filter by IP Address?
Milkybar-kid Asked:
Aaron Tomosky (SD-WAN Simplified) Commented:
I don't have a SonicWall in front of me at the moment, but by memory I've done this in the application firewall rules section.
http://help.mysonicwall.com/sw/eng/6005/ui2/25800/Security_Services_securityServicesCFView.html
0
carlmd Commented:
Take a look at the following, specifically the section on Assigning CFS Policies on IP Addresses.

https://support.software.dell.com/sonicwall-e-class-nsa-series/kb/sw7969
0
Aaron Tomosky (SD-WAN Simplified) Commented:
That article is for IP address ranges. If you want to do it that way, you need three ranges: the lower range, your IP exception, and the upper range.

If you try it the application firewall rule way, I think you will find it easier for your setup.
0
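The three-range layout described in the comment above, worked through as an added example (not part of the original thread and not SonicWall code). It splits a LAN range around any number of exception addresses and audits an existing range table for gaps and overlaps; the 192.168.1.x addresses and the policy labels "Default" and "Relaxed" are constructed placeholders.

```python
from ipaddress import IPv4Address as IP

def split_ranges(first, last, exceptions, default="Default", relaxed="Relaxed"):
    """Return non-overlapping (start, end, policy) rows that cover first..last."""
    lo, hi = int(IP(first)), int(IP(last))
    rows, cursor = [], lo
    for exc in sorted({int(IP(e)) for e in exceptions}):
        if not lo <= exc <= hi:
            raise ValueError(f"{IP(exc)} is outside {first}-{last}")
        if cursor < exc:                      # default range below this exception
            rows.append((str(IP(cursor)), str(IP(exc - 1)), default))
        rows.append((str(IP(exc)), str(IP(exc)), relaxed))
        cursor = exc + 1
    if cursor <= hi:                          # default range above the last exception
        rows.append((str(IP(cursor)), str(IP(hi)), default))
    return rows

def audit(first, last, rows):
    """List ("gap" | "overlap", start, end) problems in a configured range table."""
    lo, hi = int(IP(first)), int(IP(last))
    spans = sorted((int(IP(s)), int(IP(e))) for s, e, _ in rows)
    problems, cursor = [], lo
    for s, e in spans:
        if s > cursor:                        # addresses no range covers
            problems.append(("gap", str(IP(cursor)), str(IP(s - 1))))
        elif s < cursor:                      # addresses matched by two ranges
            problems.append(("overlap", str(IP(s)), str(IP(min(e, cursor - 1)))))
        cursor = max(cursor, e + 1)
    if cursor <= hi:
        problems.append(("gap", str(IP(cursor)), str(IP(hi))))
    return problems

if __name__ == "__main__":
    # Constructed sample: one relaxed machine at .50 in a .1-.254 LAN range.
    for row in split_ranges("192.168.1.1", "192.168.1.254", ["192.168.1.50"]):
        print(*row)
    # A two-range table (lower range plus the exception) leaves the top uncovered.
    two = [("192.168.1.1", "192.168.1.49", "Default"),
           ("192.168.1.50", "192.168.1.50", "Relaxed")]
    print(audit("192.168.1.1", "192.168.1.254", two))
```

An empty list from `audit` means the table covers the whole LAN range exactly once, which is the state the three-range layout aims for.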
Milkybar-kid (Author) Commented:
Thank you for the replies.
I had a look at the link that you sent, Aaron, regarding application firewall rules. This is something that I will take a look at for future reference. With a cursory glance it seemed to involve creating network zones, which would mean restructuring the network topology, which I want to avoid at this stage. However, your comment regarding adding the three ranges seems to have resolved this, because I only had two IP ranges defined, which took care of the devices in the safe policy range with the single IP having the more relaxed content filter policy above that. I have now added another IP range above that, completing the whole subnet, and at first testing this seems to work. I will need to wait until tomorrow to confirm for sure.
0
Milkybar-kid (Author) Commented:
I've been trying to make this work via app rules but can't get to grips with the exclusion requirements.
Under Security Services > Content Filter I have changed CFS Policy Assignment to Via App Rules.
I have checked the box for Enable HTTPS Content Filtering in the CFS tab.
Under Firewall > Match Objects I have created a default CFS Rule that blocks many categories including Social Networking.
I have created an App Rule that sets up a CFS Policy with the Default rule and this seems to operate OK.

I have also created address objects for the two computers I want to allow access to social media and put them in an Address Object Group called Social Networkers and I have created an Allow/Forbid List containing Facebook and Twitter (initially). But these computers are still blocked from viewing. How is the precedence set for rules with exclusions?

The other problem I now face is that CFS is not working for HTTPS even though I have checked the box Enable HTTPS Content Filtering in the CFS tab, but it is not blocking HTTPS, so why is that? I have followed this article:
https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=8802
0
Milkybar-kid (Author) Commented:
I used App Control Advanced in the end.
Good learning exercise and this post set me off in the right direction.
Even with App Rules everything works fine except with HTTPS using IE (Firefox and Chrome are OK).
0
Question has a verified solution.