Content filtering

We have content filtering on a TZ210. All of a sudden it started blocking content for everyone instead of allowing everything for the manager and owner of the company, as set up in the LDAP policies.
What settings would I be missing that may have been accidentally changed?
raffie613 asked:
Peter WilsonIT commented:
Did you update the firmware or did your CGSS license expire?

So you have SSO enabled? How have you configured CFS to function, via App Rules or via LDAP groups?

If you have set it up without App Rules, then make sure the correct CFS engine is selected.

Go to Security Services > Content Filter and make sure SonicWALL CFS is selected from the Content Filter Type menu.
raffie613 (Author) commented:
It is set up with LDAP groups. It was working fine yesterday; now it is blocking even the admin users.
Peter WilsonIT commented:
OK, so nothing has changed, and your licensing has not been reset and/or is not expired?

Are you also using SSO or just LDAP? In other words, are users required to log in to a web page to authenticate in order to browse, or are they authenticated automatically via AD?

This can occur in the event the client and the SSO agent lose connectivity, or CFS can't reach the SonicWALL cloud for whatever reason (bad hops, etc.).

For SSO there can be various causes...here are some areas to look at:

1. Set the DC Security Log + NetAPI + WMI option in your TSA client settings.
NetAPI will provide faster, though possibly slightly less accurate, performance. WMI will provide slower, though possibly more accurate, performance. WMI is pre-installed on Windows Server 2003+ and Windows 2000+. Both NetAPI and WMI can be manually downloaded and installed. NetAPI and WMI provide information about users that are logged into a workstation, including domain users, local users, and Windows services.
 
2. Aggressive polling times may be causing the SonicWALL to drop users too quickly, as well as creating unnecessary network traffic. Usually the default should be left as is unless issues occur. If this is increased to too high a number, it will cause load on the SonicWALL, with unnecessary user connections being left active. The polling rates are configured under Users > Settings > Configure SSO > Users tab > Polling rate (minutes).

3. Create an address object for all the terminal service agents that you have and group them together, then:
Under Users > Settings > Configure SSO > Enforcement > SSO Bypass > "Bypass the Single Sign On process for traffic from", select the group that we have just created for the TSA agents.

4. Install the SSO agent on a non-DC server local to the hosts, as ping times for the agents to successfully communicate with the SonicWALL must be less than 40 ms; otherwise the connection between the agent and the SonicWALL will drop, causing the agent not to contact the SonicWALL and causing CFS to block all user traffic while it waits to set up the next successful connection.

5. To negate the issue of the agents losing connectivity temporarily and users being blocked by CFS, try going to Users > Settings > Configure SSO > SSO Agents > General Settings and setting the "Don't block user traffic while waiting for SSO" option.


For CFS redundancy, go to Content Filter > Configure and check Enable CFS Server Failover.
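The items above (agent running, agent-to-firewall latency under 40 ms, LDAP reachable) are all things you can check from the agent host before touching the firewall config. The script below is an added example written for this page, not part of the original thread or of any SonicWALL tooling. It assumes Windows PowerShell 5.1 or later on the server where the SSO agent is installed; the firewall address, the DC name and the service display-name pattern are placeholders to adjust. It also performs the LDAPS handshake the firewall attempts when "Use TLS" is enabled on the LDAP server, and prints the certificate the DC presents, so a failing LDAP-over-TLS test can be diagnosed (expired or untrusted certificate, name mismatch) rather than worked around by disabling TLS.

```powershell
# Added example for this thread; not from the original post or from SonicWALL.
# Assumptions (placeholders): firewall LAN IP, DC hostname, agent service name pattern.
param(
    [string]$Firewall            = '192.168.1.1',        # assumed TZ210 LAN address
    [string]$Dc                  = 'dc01.example.local', # assumed LDAP server / DC
    [string]$AgentServicePattern = '*SSO*',              # assumed display-name pattern of the SSO agent service
    [int]   $MaxLatencyMs        = 40                    # limit from item 4 above
)

# 1. Is the SSO agent service actually running on this host?
$svc = Get-Service | Where-Object { $_.DisplayName -like $AgentServicePattern }
if (-not $svc) {
    Write-Warning "No service matching '$AgentServicePattern' found; is the SSO agent installed on this host?"
} else {
    foreach ($s in $svc) {
        $state = if ($s.Status -eq 'Running') { 'OK' } else { 'PROBLEM' }
        "$state  service '$($s.DisplayName)' is $($s.Status)"
    }
}

# 2. Round-trip time from the agent host to the firewall (item 4: must stay under 40 ms).
#    Windows PowerShell exposes the RTT as ResponseTime, PowerShell 7 as Latency.
$pings = Test-Connection -ComputerName $Firewall -Count 5 -ErrorAction SilentlyContinue
$rtts  = $pings | ForEach-Object {
    if ($_.PSObject.Properties['Latency']) { $_.Latency } else { $_.ResponseTime }
}
if (-not $rtts) {
    "PROBLEM  firewall $Firewall did not answer ICMP"
} else {
    $avg   = ($rtts | Measure-Object -Average).Average
    $state = if ($avg -le $MaxLatencyMs) { 'OK' } else { 'PROBLEM' }
    "$state  average RTT to $Firewall is $([int]$avg) ms (limit $MaxLatencyMs ms)"
}

# 3. LDAP reachability on the DC: plain LDAP (389) and LDAPS (636).
foreach ($port in 389, 636) {
    $ok    = (Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    $state = if ($ok) { 'OK' } else { 'PROBLEM' }
    "$state  TCP ${Dc}:$port"
}

# 4. TLS handshake on 636. This is what the firewall does when TLS is enabled on the
#    LDAP server entry; the certificate details explain most "LDAP communication error"
#    results without having to turn TLS off.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($Dc, 636)
    # Accept any certificate for the handshake itself; chain validity is reported separately below.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($Dc)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chainOk = $cert.Verify()   # does this host trust the issuing CA?
    "INFO  $($ssl.SslProtocol) handshake with ${Dc}:636 succeeded"
    "INFO  certificate subject '$($cert.Subject)', issuer '$($cert.Issuer)', expires $($cert.NotAfter)"
    if ($cert.NotAfter -lt (Get-Date)) { "PROBLEM  LDAPS certificate on $Dc has expired" }
    if (-not $chainOk)               { "PROBLEM  LDAPS certificate on $Dc does not chain to a trusted CA on this host" }
    $ssl.Dispose(); $tcp.Close()
} catch {
    "PROBLEM  TLS handshake with ${Dc}:636 failed: $($_.Exception.Message)"
}
```

Run it as an administrator on the agent server (`.\Check-SsoPath.ps1 -Firewall 10.0.0.1 -Dc dc01.corp.local`, names assumed). A `PROBLEM` on step 1 or 2 matches the symptom in this thread (CFS blocking everyone while the firewall waits for the agent); a `PROBLEM` on step 4 means the LDAP server's certificate, not the LDAP configuration, is what needs fixing if you want to keep TLS on.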
raffie613 (Author) commented:
So SSO means it authenticates when they sign into the web page? I don't want that. I only want it to stop other employees from viewing non-work-related sites, but not the owner.

Should I reboot the SonicWALL? Could that help the filter settings kick back in?

Thanks
Peter WilsonIT commented:
No, SSO means that when they log in to Windows, AD DS authenticates them and that authentication is then sent to the SonicWALL simultaneously, so that users don't have to log in to a web page to authenticate the session.

Rebooting the firewall is always a good first step.
raffie613 (Author) commented:
Also, when I am in the SonicWALL admin portal I can get to any page. As soon as I close the web interface, it starts blocking pages again.
raffie613 (Author) commented:
Can I use LDAP and have the ability to override blocked pages with a password as well, or do I have to have one or the other?

Thanks.
raffie613 (Author) commented:
UPDATE!
When I go into the LDAP configuration, I am getting an LDAP communication error when testing connectivity. Where should I look for the breakdown?

Thanks.
raffie613 (Author) commented:
OK, I turned off TLS and that made LDAP able to reconnect.

Also found the SSO agent was not running on the LDAP server, so it was unable to authenticate on that side, which I think was the original problem.

Thanks for the help.

Do you know how I can make it so admin users are able to type in a password to bypass the content block on other computers they are not signed in to?

Thanks
Peter WilsonIT commented:
Great!

Just put the admins in a separate CFS policy/group that allows them full access.
raffie613 (Author) commented:
I did that. Now how can I make it so if the admins are on a regular user machine, they can type in a password to unblock the web page?

Thanks.
Peter WilsonIT commented:
Only if you enforce authentication; otherwise it will occur at the group level and they will have access based on their associated group by default.

Make sense?