plainsschools
asked on
Facebook getting through Sonicwall
Hello-
I am hoping someone will be able to tell me how I can block Facebook from our Sonicwall. I have tried implementing key words, using a drop page rule (which worked for a while), blocking social networking with content filtering, but now regardless of my efforts I can't seem to block it. It even blocked it when I tried to submit this question because facebook is in the keywords, but it won't block the Facebook webpage. The Sonicwall "engineers" from whatever outsourced call center have been no help whatsoever.
We are a small public school and our policy does not allow for the use of Facebook. I am not looking for a lecture on why we should leave it open, as has happened before; this is our policy and I would like to figure out a way to get our Sonicwall to restrict it. We have a Sonicwall TZ210 with enhanced sonic OS and content filtering. Thank you for any suggestions you may have.
I would also like information on how to get the Sonicwall (if possible) to filter Google Images, as SafeSearch isn't filtering anything as soon as a user logs into their Google account. Thanks for the input.
Hi plainsschools,
Make sure your firmware is current.
Disregard keywords - this is old school and should only be used in specific circumstances. Remove all of them. SonicWALL uses dynamic categories based on algorithmic data in the cloud.
Do you have CGSS (Comprehensive Gateway Security Service) licensed or just CFS (Content Filtering Service)?
Depending on your strategy - Global CFS policy or VLAN/Zone based CFS policy deployment might change things here but I'm going to take a simplified approach and describe how to do this on a global (one policy for all manner) level.
How are you using CFS: by App Rules or by Users and Zone Screens?
If you have CGSS licenses and are deploying via Users & Zones, you need to do the following:
CFS Settings:
RE: Basic CFS Setup
1) Navigate to "Security Services > Content Filter".
2) Click the "Configure" button.
3) In the dialogue window that opens, you should be on the CFS tab.
4) Make sure the Enable HTTPS Content Filtering and Enable CFS Server Failover are both enabled.
5) Then in the Custom List tab is where your Keyword blocking should be cleared and your Forbidden Domains should have facebook.com.
6) Now go to the Policy tab and click on Default Policy. In there go to Settings and make sure all the Sources (Allowed Domains, Forbidden Domains, and Keywords) read Global.
7) Check the box that is labeled "Enable Safe Search Enforcement" and click the "OK" button to clear the dialogue and save the change.
8) Click the "OK" button on the previous dialogue to clear it as well.
Remember in CFS URIs include all sub-domains. So you don't need to put www.facebook.com but rather only facebook.com otherwise it will only block www.facebook.com and not secure.facebook.com, facebook.com or *.facebook.com.
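The sub-domain rule described in the post above, as an added example (not part of the original thread and not SonicWALL's code): a small audit that shows which hosts a Forbidden Domains list covers under that rule and flags `www.`-prefixed entries. The function names and the sample host names are assumptions made for illustration.

```python
# Added example: models the sub-domain matching the post describes for
# Forbidden Domains. It is a sketch of the described behaviour, not
# SonicWALL's implementation.

def normalize(name):
    """Lower-case a host name and drop surrounding space and a trailing dot."""
    return name.strip().lower().rstrip(".")

def covers(entry, host):
    """True if `host` is the entry itself or a sub-domain of it.

    The match is on whole DNS labels, so 'facebook.com' covers
    'secure.facebook.com' but not 'notfacebook.com'.
    """
    entry, host = normalize(entry), normalize(host)
    return host == entry or host.endswith("." + entry)

def audit(forbidden, hosts):
    """Split `hosts` into those the list covers and those that get through."""
    result = {"blocked": [], "missed": []}
    for host in hosts:
        hit = any(covers(entry, host) for entry in forbidden)
        result["blocked" if hit else "missed"].append(host)
    return result

def narrow_entries(forbidden):
    """Entries starting with 'www.', which cover only that one host tree."""
    return [e for e in forbidden if normalize(e).startswith("www.")]

# Constructed sample host names for the audit (not captured traffic).
SAMPLE_HOSTS = [
    "www.facebook.com", "facebook.com", "secure.facebook.com",
    "m.facebook.com", "notfacebook.com",
]

if __name__ == "__main__":
    for label, entries in (("before", ["www.facebook.com"]),
                           ("after", ["facebook.com"])):
        report = audit(entries, SAMPLE_HOSTS)
        print(label, entries, "narrow entries:", narrow_entries(entries))
        print("  blocked:", report["blocked"])
        print("  missed: ", report["missed"])
```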
ASKER
We have CGSS minus analyzer and sonicOS expanded. We are currently attempting to block it by content filtering social media sites (which it catches all of them but Facebook) and I also have an app rule set up to drop the page when that URL is requested via HTTPS. I'll look at your recommendation shortly. Thanks
Look up your Zones (Network > Zones) and make sure they (CFS and App Control) are being applied to the WAN, the LAN and, if you have one, the WLAN. You should see green checks under those columns for each Zone. If you don't, click the configure button to the far right of each zone and enable them.
ASKER
Diverse it-
Ok those are set correctly except I can't enforce CFS on WAN, the box is greyed out...
My bad, I was talking about both App Control and CFS. App Control should be enforced on all Zones and CFS should be enforced on all Zones, EXCEPT the WAN Zone. This is by design.
Verify that the correct policy is selected for CFS in each Zone (by hovering over it in the Zones page)?
ASKER
Ok, got it: the Facebook filter is now working. I had missed a check mark, and in my custom list I had www.facebook.com; dropped the www and it worked. Any ideas on Google Images? We can't block Gmail logins because we have a class on Google Docs where they use it....
At least I have Facebook blocked again that's a huge bonus.
Yes, see my post here...I updated it I think you may have missed it. https://www.experts-exchange.com/questions/28703546/Facebook-getting-through-Sonicwall.html?anchorAnswerId=40918088#a40918088
Yeah, I posted
Remember in CFS URIs include all sub-domains. So you don't need to put www.facebook.com but rather only facebook.com otherwise it will only block www.facebook.com and not secure.facebook.com, facebook.com or *.facebook.com.
Excellent detail!
Thanks Wayne!
ASKER CERTIFIED SOLUTION
ASKER
Yeah, I went through all of that but the safe search is not being enforced... Google Images still lets pretty much anything right through.
Refresh your page...I updated my last post and I'm not sure if you saw it all.
Do you have Disable Google SSL Search option on Content Filter page, under Content Filter Type?
ASKER
I don't have a "disable Google search ssl" under content filter type. I only have one pull down with content filter service and the configure button...
It's OK if you don't have a disable Google Search SSL, everything above that I have specified in my comments will do it and then some. Please re-read my comments. The answer is in them. :)
Let me know if you are still having issues!
ASKER
Well I found a work around using our DNS server to force safe search. Thank you to all who contributed.
Thanks for the points...glad I could help.
If you want to ask another question, I'd love to take another crack at it - this works on SonicWALL - have many with this exact setup. Keep in mind DNS can easily be circumvented...ultimately, I try to get this setup in the SonicWALL.
Cheers!
ASKER
DiverseIT-
We are now having a problem with our Sonicwall being too restrictive; I am hoping you can point me in the right direction. It is blocking Thunderbird (email client) and several websites: clearmymail (email spam filter), neweggbusiness cart, etc. I'm guessing this is SSL that is being blocked, but I am hoping you can lend me a hand again. Thanks
Hi PlainsSchools,
I'd be happy to help you but this question is closed. For the purpose of finding solutions to specific problems and the integrity of EE database please open up a new question and I'd be happy to help.
Also, here is some more info for this question regarding YouTube filtering for schools I thought would be helpful.
You may want to register for this: https://support.google.com/youtube/answer/2695317?hl=en&ref_topic=2592688&guide=2592683&hl=en&rd=1
SonicWALL has implemented this using SonicWALL Content Filtering Service (CFS), both in CFS Via Users and Zones and CFS using App Rules. When enabled, all access to youtube.com would contain the custom header X-YouTube-Edu-Filter with the school ID specified under CFS. When YouTube sees this header, it will serve a limited EDU-only site to all computers behind the SonicWALL.
Note: The school ID is provided by YouTube and can be obtained by joining YouTube for Schools here: http://www.youtube.com/schools. Read more about YouTube for Schools here: How to Access YouTube in Schools
This is how to enable it once you have the School ID from YouTube.
Known Caveats
YouTube for Schools and HTTPS
The SonicWALL CFS implementation of YouTube for Schools does not support HTTPS access to youtube.com. When youtube.com is accessed over HTTPS, the user will have unrestricted access to YouTube content. The following solutions can be implemented to work around this:
Enable Client DPI-SSL with CFS inspection. DPI-SSL feature activation requires separate license and this is supported on NGFW models. Using Client DPI-SSL, SonicWALL can add the custom header - X-YouTube-Edu-Filter - with the school ID just as it would when YouTube is accessed over HTTP.
Create a LAN (or DMZ) to WAN Access Rule as under:
Action: Deny
Service: HTTPS
Source: Any
Destination: Create an FQDN Address Object for youtube.com and ytimg.com and add here......
Multiple School IDs
To configure a different school ID for different CFS policies the user must not be in multiple groups (see below) and the Default CFS policy should not be configured with a school ID.
Membership in Multiple Groups
If a user is a member of multiple groups where one policy allows access to any part of YouTube and the other policy has a YouTube for Schools restriction, the user will be filtered by the YouTube for Schools policy and not be allowed unrestricted access to YouTube.
When a user is a member of multiple groups that have different YouTube for School IDs, SonicWALL will assign the school ID in the first CFS policy of the policies list.
YouTube for Schools and the YouTube mobile app
YouTube for Schools is currently not available when accessing youtube.com through the mobile YouTube Application. This is a known issue with YouTube and not due to SonicWALL. To block users from accessing YouTube through the mobile app, we suggest enabling the App Control Advanced signatures SID 5982, 7780, 8691, 8692 YouTube mobile apps.
Procedure:
Enabling YouTube for Schools in CFS via Users and Zones
• Login to the SonicWALL management GUI
• Navigate to the Security Services > Content Filter page.
• Click on Configure to open the SonicWALL Filter Properties window
• Click on Configure on an existing policy.
• Click on the Settings tab.
• Enable check box Enable YouTube for Schools
• Enter the unique ID for your school’s network under School ID.
• Click on OK to save.
Note: Youtube.com must not be in CFS Forbidden Domains. If any one of the CFS Categories 29, 31 and 48 (Search Engines and Portals, MP3/Streaming and Web Communications) are enabled for blocking, Youtube.com must be allowed under Allowed Domains.
Take care!
Just Facebook or all Social Media Sites? You can use content filtering to block social media sites such as FACEBOOK, TWITTER, etc.
Wayne