Facebook getting through Sonicwall

Hello-

I am hoping someone will be able to tell me how I can block facebook from our sonicwall.  I have tried implementing key words, using a drop page rule (which worked for a while), blocking social networking with content filtering but now regardless of my efforts I can't seem to block it.  It even blocked it when I tried to submit this question because facebook is in the keywords but it wont block the facebook webpage.  The Sonicwall "engineers" from whatever outsourced call center have been no help whatsoever.

We are a small public school and our policy does not allow for the use of facebook.  I am not looking for a lecture on why we should leave it open, as has happened before, this is our policy and I would like to figure out a way to get our sonicwall to restrict it.  We have a sonicwall TZ210 with enhanced sonic OS and content filtering.  Thank you for any suggestions you may have.

I would also like information on how to get the sonicwall (if possible) to filter google images as safesearch isnt filtering anything as soon as a user logs into their google acount.  Thanks for the input.
plainsschoolsAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Wayne88Commented:
How were you trying to block it?  Did you do it this way: How to block Facebook?

Just Facebook or all Social Media Sites?  You can use content filtering to block socila media sites such as FACEBOOK, TWITTER, etc.

Wayne
0
Blue Street TechLast KnightCommented:
Hi plainsschools,

Make sure your firmware is current.

Disregard keywords - this is old school and should only be used in specific circumstances. Removal all of them. SonicWALL uses dynamic categories based on algorithmic data in the cloud.

Do you have CGSS (Comprehensive Gateway Security Service) licensed or just CFS (Content Filtering Service)?

Depending on your strategy - Global CFS policy or VLAN/Zone based CFS policy deployment might change things here but I'm going to take a simplified approach and describe how to do this on a global (one policy for all manner) level.

How are you using CFS by App Rules or by Users and Zone Screens?

If you have CGSS licenses and are deploying via Users & Zones, you need to do the following:

CFS Settings:

RE: Basic CFS Setup
1) Navigate to "Security Services > Content Filter".
2) Click the "Configure" button.
3) In the dialogue window that opens, you should be on the CFS tab.
4) Make sure the Enable HTTPS Content Filtering and Enable CFS Server Failover are both enabled.
5) Then in the Custom List tab is where your Keyword blocking should be cleared and your Forbidden Domains should have facebook.com.
6) Now go to the Policy tab and click on Default Policy. In there go to settig and make sure all the Sources (Allowed Domains, Forbidden Domains, and Keywords) all read Global.
7) Check the box that is labeled "Enable Safe Search Enforcement" and click the "OK" button to clear the dialogue and save the change.
8) Click the "OK" button on the previous dialogue to clear it as well.
Remember in CFS URIs include all sub-domains. So you don't need to put www.facebook.com but rather only facebook.com otherwise it will only block www.facebook.com and not secure.facebook.com, facebook.com or *.facebook.com.
1
plainsschoolsAuthor Commented:
We have CGSS minus analyzer and sonicOS expanded. We are currently attempting to block it by content filtering social media sites (which it catches all of them but Facebook) and I also have an app rule setup to drop the page when that url is requested via https. I'll look at your recommendation shortly. Thanks
0
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

Blue Street TechLast KnightCommented:
Look up your Zones (Network > Zones) and make sure they (CFS and App Control) is being applied to both the WAN, LAN and if you have a WLAN. You should see green checks under those columns for each Zone. If you don't click the configure button to the far right of each zone and enable them.
1
plainsschoolsAuthor Commented:
Diverse it-

Ok those are set correctly except I can't enforce CFS on WAN, the box is greyed out...
0
Blue Street TechLast KnightCommented:
My bad, I was talking about both App Control and CFS. App Control should be enforced on all Zones and CFS should be enforced on all Zones, EXCEPT the WAN Zone. This is by design.

Verify that the correct policy selected for CFS in each Zone (by hovering over it in the Zones page)?
0
plainsschoolsAuthor Commented:
Ok got it the Facebook filter is now working I had missed a check mark and in my custom list I had www.facebook.com, dropped the www and it worked. Any ideas on google images? We can't block gmail logins because we have a class on Google docs where they use it....

At least I have Facebook blocked again that's a huge bonus.
0
Blue Street TechLast KnightCommented:
Yes, see my post here...I updated it I think you may have missed it. http://www.experts-exchange.com/questions/28703546/Facebook-getting-through-Sonicwall.html#a40918088
0
Blue Street TechLast KnightCommented:
Yeah, I posted
Remember in CFS URIs include all sub-domains. So you don't need to put www.facebook.com but rather only facebook.com otherwise it will only block www.facebook.com and not secure.facebook.com, facebook.com or *.facebook.com.
0
Wayne88Commented:
Excellent detail!
0
Blue Street TechLast KnightCommented:
Thanks Wayne!
0
Blue Street TechLast KnightCommented:
Did you read my post about about google images. copy from above.

RE: Basic CFS Setup
1) Navigate to "Security Services > Content Filter".
2) Click the "Configure" button.
3) In the dialogue window that opens, you should be on the CFS tab.
4) Make sure the Enable HTTPS Content Filtering and Enable CFS Server Failover are both enabled.
5) Then in the Custom List tab is where your Keyword blocking should be cleared and your Forbidden Domains should have facebook.com.
6) Now go to the Policy tab and click on Default Policy. In there go to settig and make sure all the Sources (Allowed Domains, Forbidden Domains, and Keywords) all read Global.
7) Check the box that is labeled "Enable Safe Search Enforcement" and click the "OK" button to clear the dialogue and save the change.
8) Click the "OK" button on the previous dialogue to clear it as well.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
plainsschoolsAuthor Commented:
Yeah I went through all of that but the safe search is not being unforced... Google images still lets pretty much anything right through.
0
Blue Street TechLast KnightCommented:
Refresh your page...I updated my last post and I'm not sure if you saw it all.

Do you have Disable Google SSL Search option on Content Filter page, under Content Filter Type?
0
plainsschoolsAuthor Commented:
I don't have a "disable Google search ssl" under content filter type. I only have one pull down with content filter service and the configure button...
0
Blue Street TechLast KnightCommented:
It's OK if you don't have a disable Google Search SSL, everything above that I have specified in my comments will do it and then some. Please re-read my comments. The answer is in them. :)

Let me know if you are still having issues!
0
plainsschoolsAuthor Commented:
Well I found a work around using our DNS server to force safe search. Thank you to all who contributed.
0
Blue Street TechLast KnightCommented:
Thanks for the points...glad I could help.

If you want to ask another question, I'd love to take another crack at it - this works on SonicWALL - have many with this exact setup. Keep in mind DNS can easily be circumvented...ultimately, I try to get this setup in the SonicWALL.

Cheers!
0
plainsschoolsAuthor Commented:
DiverseIT-

We are now having a problem with our sonicwall being too restrictive, I am hoping you can point me in the right direction. It is blocking thunderbird (email client) and several websites clearmymail (email spam filter) neweggbusiness cart etc. I'm guessing this is SSL that is being blocked but I am hoping you can lend me a hand again. Thanks
0
Blue Street TechLast KnightCommented:
Hi PlainsSchools,

I'd be happy to help you but this question is closed. For the purpose of finding solutions to specific problems and the integrity of EE database please open up a new question and I'd be happy to help.

Also, here is some more info for this question regarding YouTube filtering for schools I thought would be helpful.

You may want to register for this: https://support.google.com/youtube/answer/2695317?hl=en&ref_topic=2592688&guide=2592683&hl=en&rd=1

SonicWALL has implemented this using SonicWALL Content Filtering Service (CFS), both in CFS Via Users and Zones and CFS using App Rules. When enabled, all access to youtube.com would contain the custom header X-YouTube-Edu-Filter with the school ID specified under CFS. When YouTube sees this header, it will serve a limited EDU-only site to all computers behind the SonicWALL.

Note: The school ID is provided by YouTube and can be obtained by joining YouTube for Schools here:  http://www.youtube.com/schools.  Read more about YouTube for Schools here: How to Access YouTube in Schools

This is how to enable it once you have the School ID from YouTube.

Known Caveats

YouTube for Schools and HTTPS

The SonicWALL CFS implementation of YouTube for Schools does not support HTTPS access to youtube.com. When youtube.com is accessed over HTTPS, the user will have unrestricted access to YouTube content. The following solutions can be implemented to work around this:

Enable Client DPI-SSL with CFS inspection. DPI-SSL feature activation requires separate license and this is supported on NGFW models. Using Client DPI-SSL, SonicWALL can add the custom header -  X-YouTube-Edu-Filter - with the school ID just as it would when YouTube is accessed over HTTP.
    Create a LAN (or DMZ) to WAN Access Rule as under:
        Action: Deny
        Service: HTTPS
        Source: Any
        Destination: Create an FQDN Address Object for youtube.com and ytimg.com and add here......

Multiple School IDs
To configure a different school ID for different CFS policies the user must not be in multiple groups (see below) and the Default CFS policy should not be configured with a school ID.

Membership in Multiple Groups
If a user is a member of multiple groups where one policy allows access to any part of YouTube and the other policy has a YouTube for Schools restriction, the user will be filtered by the YouTube for Schools policy and not be allowed unrestricted access to YouTube.
    When a user is a member of multiple groups that have different YouTube for School IDs, SonicWALL will assign the school ID in the first CFS policy of the policies list.

YouTube for Schools and the YouTube mobile app
YouTube for Schools is currently not available when accessing youtube.com through the mobile YouTube Application. This is a known issue with YouTube and not due to SonicWALL. To block users from accessing YouTube through the mobile app, we suggest enabling the App Control Advanced signatures SID 5982, 7780, 8691, 8692 YouTube mobile apps.

Procedure:

Enabling YouTube for Schools in CFS via Users and Zones

   • Login to the SonicWALL management GUI
   • Navigate to the Security Services > Content Filter page.
   • Click on Configure to open the SonicWALL Filter Properties window
   • Click on Configure on an existing policy.
   • Click on the Settings tab.
   • Enable check box Enable YouTube for Schools
   • Enter the unique ID for your school’s network under School ID.
   • Click on OK to save.

Note: Youtube.com must not be in CFS Forbidden Domains. If any one of the CFS Categories 29, 31 and 48 (Search Engines and Portals, MP3/Streaming and Web Communications) are enabled for blocking, Youtube.com must be allowed under Allowed Domains.

Take care!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.