Leigh Kalbli
asked on
sonicwall content filter on vpn
I have two scenarios where I am trying to apply content filtering. First, we have multiple small branch offices connected via cellular modem on VPN to the main branch. I want to apply a content filtering policy to that particular VPN tunnel. Second, we have about 50 iPhones in a division that we are going to push a VPN policy to so we can restrict web content. The phones are all company phones and have been seeing excessive use of data. The phones are managed and locked down from getting apps such as NFL, YouTube, Pandora etc., but users are simply using Safari to bypass.
Using SonicWall NSA2400's at the main branch, is it even possible to force the client connection to use any of the content filter policy? I know how to create the content filter policy itself, but how is it applied to the VPN tunnels?
Yes, you can apply a CFS policy on the VPN zone.
With gen6 and new 6.2.6.x there's CFS 4.0 where it's even more granular to apply policies to IP ranges :)
ASKER
David,
The VPN policy would be deployed through an MDM solution that should prevent them from disabling. I will research that side.
J Spoor,
Any chance you have a KB ?
Thanks
Leigh,
We've had issues with such requirements historically, so I'd be very interested to learn about your findings.
Regards,
David
Here's an article that may help with your challenge: https://support.sonicwall.com/kb/sw7079
ASKER
Thanks for the article but we are not using SSL VPN.
ASKER
masnrock,
While the article sheds light on the approach and solution, the key variable is that both sites are not on SonicWall.
Thanks
Hence you apply CFS on the VPN zone and do it from your end?
Apologies for just stepping back in, but as long as you can configure the devices that you have at the remote locations to route all traffic via the VPN then this will still work.
You can EITHER go to Network > Zones and configure it on the VPN zone,
or you can use the policy per IP range option; this still requires CFS to be enabled on the VPN zone though.
ASKER
J Spoor,
Thanks for pointing me in the right direction. First, I forgot to even enable the CFS. Second, I ran into one issue, though I may have to deal with it. We have multiple VPN tunnels for not just the branch offices but for IT, Sales etc. We wanted to have exclusive CFS policies for each group. For our environment with current factors, it seems that only one VPN CFS policy may be usable. No big deal as we can work around it. I am still in test mode with it with an end device to ensure the client side is in fact having traffic filtered. I will post an update soon.
Thanks
What you can do is apply less restrictive CFS policies per IP range.
On the VPN zone itself you must apply the most restrictive policy.
With CFS4.0 (6.2.6.0 on Generation 6) the policies are much more granular.
As for the phones, you would be able to set them up to VPN back into the office, but the issue that you'd have as I'd see it, is with minimal knowledge the users would be able to easily disable this VPN Profile.
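A planning sketch for the advice given earlier in the thread (most restrictive policy on the VPN zone, less restrictive policies per IP range), added here as an example and not taken from any poster or from SonicWall. It assumes each policy can be modelled as a set of blocked categories; the group names, subnets and category names are constructed, and the script does not configure or query the firewall.

```python
import ipaddress

# Constructed sample plan: names, subnets and categories are illustrative assumptions.
ZONE_BLOCKED = {"streaming-media", "sports", "social-networking", "games"}
RANGE_POLICIES = [
    ("IT", "10.20.0.0/24", set()),
    ("Sales", "10.30.0.0/24", {"streaming-media", "games"}),
    ("Branch", "10.40.0.0/16", {"streaming-media", "sports", "games"}),
]


def validate(zone_blocked, range_policies):
    """Return a list of problems found in the plan (empty list means consistent)."""
    problems = []
    nets = [(name, ipaddress.ip_network(cidr), blocked)
            for name, cidr, blocked in range_policies]
    # Rule from the thread: the zone policy must be the most restrictive one,
    # so a range policy may not block anything the zone policy allows.
    for name, _net, blocked in nets:
        extra = blocked - zone_blocked
        if extra:
            problems.append(f"{name}: blocks {sorted(extra)} that the zone policy allows")
    # Overlapping ranges make it ambiguous which group a tunnel address belongs to.
    for i, (name_a, net_a, _) in enumerate(nets):
        for name_b, net_b, _ in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} overlaps {name_b}")
    return problems


def effective_blocked(client_ip, zone_blocked, range_policies):
    """Return (policy name, blocked categories) this plan intends for a client address."""
    ip = ipaddress.ip_address(client_ip)
    for name, cidr, blocked in range_policies:
        if ip in ipaddress.ip_network(cidr):
            return name, blocked
    # Addresses outside every listed range fall back to the zone-wide policy.
    return "VPN zone default", zone_blocked


if __name__ == "__main__":
    for issue in validate(ZONE_BLOCKED, RANGE_POLICIES):
        print("PLAN ISSUE:", issue)
    for addr in ("10.20.0.7", "10.30.0.15", "10.40.12.1", "10.99.1.1"):
        name, blocked = effective_blocked(addr, ZONE_BLOCKED, RANGE_POLICIES)
        print(f"{addr:<12} -> {name}: {sorted(blocked) or 'nothing blocked'}")
```

The table it prints can double as a test sheet when checking from an end device in each tunnel that the expected categories are actually filtered.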