Solved

How to configure content filter by ip address on SonicWall TZ215 (SonicOS 5.9.0.4-127)

Posted on 2014-07-28
6
1,635 Views
Last Modified: 2014-08-25
I'm trying to change the content filter policy on one computer. All other computers on the network use the default CFS policy which is assigned as default to the LAN Zone and has been working fine.
On the LAN Zone Enforce Content Filtering Service is ticked and assigned to the Default policy that has the highest restrictions in terms of categories allowed.
The new policy that I want to assign to just a single machine has a more relaxed policy with a couple more categories allowed access.
Under "Security Services > Content Filter I have ticked "Enable Policy per IP Address Range" and I have the main LAN IP address range assigned to the Default policy and the IP address of the relaxed machine assigned to the relaxed CFS Policy.

The problem is that it now seems to allow all computers to access the more relaxed policy.

I am not connected to the admin console of the SonicWall from the machine I am testing from. I have tried to logout of the admin console totally and then test.

Is there a step I have missed to configure content filter by IP Address?
0
Comment
Question by:Milkybar-kid
  • 3
  • 2
6 Comments
 
LVL 38

Accepted Solution

by:
Aaron Tomosky earned 500 total points
Comment Utility
I don't have a sonicwall in front of me at the moment but by memory I've done this in the application firewall rules section
http://help.mysonicwall.com/sw/eng/6005/ui2/25800/Security_Services_securityServicesCFView.html
0
 
LVL 20

Expert Comment

by:carlmd
Comment Utility
Take a look at the following, specifically the section on Assigning CFS Policies on IP Addresses.

https://support.software.dell.com/sonicwall-e-class-nsa-series/kb/sw7969
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
Comment Utility
That article is for IP address ranges. If you want to do it that way, you need three ranges. The lower range, your ip exception, and the upper range.

If you try it the application firewall rule way it think you will find it easier for your setup.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 1

Author Comment

by:Milkybar-kid
Comment Utility
Thank you for the replies.
I had a lok at the link that you sent Aaron regarding application firewall rules. This is something that I will take a look at for future reference. With a cursory glance it seemed to involve creating network zones which would mean restructuring the network topology which I want to avoid at this stage. However your comment regarding the adding the three ranges seems to have resolved this because I only had two ip ranges defined which took care of the devices in the safe policy range with the single IP having the more relaxed content filter policy above that.  I have now added another IP range above that completing the whole subnet and at first testing this seems to work. I will need to wait until tomorrow to confirm for sure.
0
 
LVL 1

Author Comment

by:Milkybar-kid
Comment Utility
I've been tryin to make this work via app rules but can't get to grips with the exclusion requirements.
Under Security Services > Content Filter I have changes CFS Policy Assignment to Via App Rules
I have checked the box  for Enable HTTPS Content Filtering in the CFS tab
Under Firewall > Match Objects I have created a default CFS Rule that blocks many categories including Social Networking
I have created an App Rule that sets up a CFS Policy with the Default rule and this seems to operate OK

I have also created address objects for the two computers I want to allow access to social media and put them in an Address Object Group called Social Networkers and I have created an Allow/Forbid List containing Facebook and Twitter (initially). But these computers are still blocked from viewing. How is the precedence set for rules with exclusions?

The other problem I now face is that CFS is not working for https even though I have checked the box Enable HTTPS Content Filtering in the CFS tab - but it is not blocking https so why is that?- I have followed this article
https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=8802
0
 
LVL 1

Author Closing Comment

by:Milkybar-kid
Comment Utility
I used App Control Advanced in the end.
Good learning exercise and this post set me off in the right direction.
Even with App Rules everything works fine except with https using IE (Firefox and Chrome are OK)
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

This article is a how to to configure a UCS Ethernet-uplink portchannel via the console. It is easy to do and can be done quite quickly. In certain versions of the UCS manager the portchannel has issues coming up and this is a workaround. I am…
When posting a question about a Cisco ASA, Cisco Router or Cisco Switch, it can aid diagnosis if a suitably sanitised copy of the config is provided. It is much better to leave as much of the configuration as original as possible, as it could be tha…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now