Avatar of plainsschools


Facebook getting through Sonicwall


I am hoping someone will be able to tell me how I can block facebook from our sonicwall.  I have tried implementing key words, using a drop page rule (which worked for a while), blocking social networking with content filtering but now regardless of my efforts I can't seem to block it.  It even blocked it when I tried to submit this question because facebook is in the keywords but it won't block the facebook webpage.  The Sonicwall "engineers" from whatever outsourced call center have been no help whatsoever.

We are a small public school and our policy does not allow for the use of facebook.  I am not looking for a lecture on why we should leave it open, as has happened before, this is our policy and I would like to figure out a way to get our sonicwall to restrict it.  We have a sonicwall TZ210 with enhanced sonic OS and content filtering.  Thank you for any suggestions you may have.

I would also like information on how to get the sonicwall (if possible) to filter google images as safesearch isn't filtering anything as soon as a user logs into their google account.  Thanks for the input.
Avatar of Wayne88

How were you trying to block it?  Did you do it this way: How to block Facebook?

Just Facebook or all Social Media Sites?  You can use content filtering to block social media sites such as FACEBOOK, TWITTER, etc.

Hi plainsschools,

Make sure your firmware is current.

Disregard keywords - this is old school and should only be used in specific circumstances. Remove all of them. SonicWALL uses dynamic categories based on algorithmic data in the cloud.

Do you have CGSS (Comprehensive Gateway Security Service) licensed or just CFS (Content Filtering Service)?

Depending on your strategy - Global CFS policy or VLAN/Zone based CFS policy deployment might change things here but I'm going to take a simplified approach and describe how to do this on a global (one policy for all manner) level.

How are you using CFS: by App Rules or by Users and Zone Screens?

If you have CGSS licenses and are deploying via Users & Zones, you need to do the following:

CFS Settings:

RE: Basic CFS Setup
1) Navigate to "Security Services > Content Filter".
2) Click the "Configure" button.
3) In the dialogue window that opens, you should be on the CFS tab.
4) Make sure the Enable HTTPS Content Filtering and Enable CFS Server Failover are both enabled.
5) Then in the Custom List tab is where your Keyword blocking should be cleared and your Forbidden Domains should have facebook.com.
6) Now go to the Policy tab and click on Default Policy. In there go to Settings and make sure all the Sources (Allowed Domains, Forbidden Domains, and Keywords) read Global.
7) Check the box that is labeled "Enable Safe Search Enforcement" and click the "OK" button to clear the dialogue and save the change.
8) Click the "OK" button on the previous dialogue to clear it as well.
Remember in CFS URIs include all sub-domains. So you don't need to put www.facebook.com but rather only facebook.com otherwise it will only block www.facebook.com and not secure.facebook.com, facebook.com or *.facebook.com.
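
The sub-domain behaviour described in the answer above, modelled as an added example (not part of the original thread and not SonicWALL's code). It assumes a Forbidden Domains entry matches the host itself and any sub-domain on a label boundary, as the answer states; the function names and sample hostnames are constructed.

```python
# Added illustration: a model of the suffix matching described in the answer.
# Not SonicWALL code; all names and sample hosts below are constructed.

def normalize(host):
    """Lower-case a hostname, trim spaces and drop a trailing root dot."""
    return host.strip().lower().rstrip(".")

def entry_matches(entry, host):
    """True if host equals the entry or is a sub-domain of it.

    The leading "." in the suffix test keeps the match on a label
    boundary, so "facebook.com" does not match "notfacebook.com".
    """
    entry, host = normalize(entry), normalize(host)
    return host == entry or host.endswith("." + entry)

def is_forbidden(forbidden, host):
    """True if any entry in the forbidden list covers the host."""
    return any(entry_matches(e, host) for e in forbidden)

def coverage_gaps(forbidden, must_block):
    """Hosts that policy says must be blocked but that no entry covers."""
    return [h for h in must_block if not is_forbidden(forbidden, h)]

def broaden(entry):
    """Drop a leading 'www' label so the entry covers the whole domain."""
    labels = normalize(entry).split(".")
    return ".".join(labels[1:]) if labels[0] == "www" and len(labels) > 2 else ".".join(labels)

# Constructed test set: hosts the school policy expects to be blocked.
MUST_BLOCK = ["facebook.com", "www.facebook.com",
              "secure.facebook.com", "WWW.Facebook.com."]

NARROW = ["www.facebook.com"]          # the entry that let Facebook through
FIXED = [broaden(e) for e in NARROW]   # -> ["facebook.com"]

if __name__ == "__main__":
    print("gaps with narrow entry:", coverage_gaps(NARROW, MUST_BLOCK))
    print("gaps after broadening: ", coverage_gaps(FIXED, MUST_BLOCK))
    print("lookalike blocked?     ", is_forbidden(FIXED, "notfacebook.com"))
```

Running the same gap check against an exported custom list before and after a change shows whether an entry is narrower than the policy it is meant to enforce.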
Avatar of plainsschools


We have CGSS minus analyzer and sonicOS expanded. We are currently attempting to block it by content filtering social media sites (which it catches all of them but Facebook) and I also have an app rule setup to drop the page when that url is requested via https. I'll look at your recommendation shortly. Thanks
Look up your Zones (Network > Zones) and make sure they (CFS and App Control) are being applied to the WAN, the LAN and, if you have one, the WLAN. You should see green checks under those columns for each Zone. If you don't, click the configure button to the far right of each zone and enable them.
Avatar of plainsschools


Diverse it-

Ok those are set correctly except I can't enforce CFS on WAN, the box is greyed out...
My bad, I was talking about both App Control and CFS. App Control should be enforced on all Zones and CFS should be enforced on all Zones, EXCEPT the WAN Zone. This is by design.

Verify that the correct policy is selected for CFS in each Zone (by hovering over it in the Zones page).
Avatar of plainsschools


Ok got it the Facebook filter is now working I had missed a check mark and in my custom list I had www.facebook.com, dropped the www and it worked. Any ideas on google images? We can't block gmail logins because we have a class on Google docs where they use it....

At least I have Facebook blocked again that's a huge bonus.
Yeah, I posted
Remember in CFS URIs include all sub-domains. So you don't need to put www.facebook.com but rather only facebook.com otherwise it will only block www.facebook.com and not secure.facebook.com, facebook.com or *.facebook.com.
Avatar of Wayne88

Excellent detail!
Thanks Wayne!
Avatar of plainsschools


Yeah I went through all of that but the safe search is not being enforced... Google images still lets pretty much anything right through.
Refresh your page...I updated my last post and I'm not sure if you saw it all.

Do you have Disable Google SSL Search option on Content Filter page, under Content Filter Type?
Avatar of plainsschools


I don't have a "disable Google search ssl" under content filter type. I only have one pull down with content filter service and the configure button...
It's OK if you don't have a disable Google Search SSL, everything above that I have specified in my comments will do it and then some. Please re-read my comments. The answer is in them. :)

Let me know if you are still having issues!
Avatar of plainsschools


Well I found a work around using our DNS server to force safe search. Thank you to all who contributed.
Thanks for the points...glad I could help.

If you want to ask another question, I'd love to take another crack at it - this works on SonicWALL - have many with this exact setup. Keep in mind DNS can easily be circumvented...ultimately, I try to get this setup in the SonicWALL.

Avatar of plainsschools



We are now having a problem with our sonicwall being too restrictive, I am hoping you can point me in the right direction. It is blocking thunderbird (email client) and several websites clearmymail (email spam filter) neweggbusiness cart etc. I'm guessing this is SSL that is being blocked but I am hoping you can lend me a hand again. Thanks
Hi PlainsSchools,

I'd be happy to help you but this question is closed. For the purpose of finding solutions to specific problems and the integrity of EE database please open up a new question and I'd be happy to help.

Also, here is some more info for this question regarding YouTube filtering for schools I thought would be helpful.

You may want to register for this: https://support.google.com/youtube/answer/2695317?hl=en&ref_topic=2592688&guide=2592683&hl=en&rd=1

SonicWALL has implemented this using SonicWALL Content Filtering Service (CFS), both in CFS Via Users and Zones and CFS using App Rules. When enabled, all access to youtube.com would contain the custom header X-YouTube-Edu-Filter with the school ID specified under CFS. When YouTube sees this header, it will serve a limited EDU-only site to all computers behind the SonicWALL.

Note: The school ID is provided by YouTube and can be obtained by joining YouTube for Schools here:  http://www.youtube.com/schools.  Read more about YouTube for Schools here: How to Access YouTube in Schools

This is how to enable it once you have the School ID from YouTube.

Known Caveats

YouTube for Schools and HTTPS

The SonicWALL CFS implementation of YouTube for Schools does not support HTTPS access to youtube.com. When youtube.com is accessed over HTTPS, the user will have unrestricted access to YouTube content. The following solutions can be implemented to work around this:

   • Enable Client DPI-SSL with CFS inspection. DPI-SSL feature activation requires a separate license and is supported on NGFW models. Using Client DPI-SSL, SonicWALL can add the custom header X-YouTube-Edu-Filter with the school ID just as it would when YouTube is accessed over HTTP.
   • Create a LAN (or DMZ) to WAN Access Rule as under:
        Action: Deny
        Service: HTTPS
        Source: Any
        Destination: Create an FQDN Address Object for youtube.com and ytimg.com and add here......

Multiple School IDs
To configure a different school ID for different CFS policies the user must not be in multiple groups (see below) and the Default CFS policy should not be configured with a school ID.

Membership in Multiple Groups
If a user is a member of multiple groups where one policy allows access to any part of YouTube and the other policy has a YouTube for Schools restriction, the user will be filtered by the YouTube for Schools policy and not be allowed unrestricted access to YouTube.
When a user is a member of multiple groups that have different YouTube for School IDs, SonicWALL will assign the school ID in the first CFS policy of the policies list.

YouTube for Schools and the YouTube mobile app
YouTube for Schools is currently not available when accessing youtube.com through the mobile YouTube Application. This is a known issue with YouTube and not due to SonicWALL. To block users from accessing YouTube through the mobile app, we suggest enabling the App Control Advanced signatures SID 5982, 7780, 8691, 8692 YouTube mobile apps.


Enabling YouTube for Schools in CFS via Users and Zones

   • Login to the SonicWALL management GUI
   • Navigate to the Security Services > Content Filter page.
   • Click on Configure to open the SonicWALL Filter Properties window
   • Click on Configure on an existing policy.
   • Click on the Settings tab.
   • Enable check box Enable YouTube for Schools
   • Enter the unique ID for your school’s network under School ID.
   • Click on OK to save.

Note: Youtube.com must not be in CFS Forbidden Domains. If any one of the CFS Categories 29, 31 and 48 (Search Engines and Portals, MP3/Streaming and Web Communications) are enabled for blocking, Youtube.com must be allowed under Allowed Domains.

Take care!
