pkromer
HTTPS Content Filtering in SonicWall CFS and Office 365 / Outlook 2016

When I enable HTTPS Content Filtering in our SonicWall CFS, connectivity to Office 365 breaks very slowly. It might be fine for a while, but randomly some users start to have Outlook issues where it says "trying to connect" at the bottom of Outlook but eventually it says "disconnected", and then no mail comes down.

I have added all domain names listed here and here to the Allowed Domains list, in every permutation like https://, *., and just as shown on those links, but Outlook still slowly fails. To get everybody back up and running, I have to go back into the CFS and disable HTTPS Content Filtering.

Ideas?
masnrock

Are you using app controls as well?
pkromer (ASKER)

No app controls, I'm using CFS Policy Assignment via User and Zone Screens.
pkromer (ASKER)

btw, we need the https filtering to block sites like Facebook, Twitter, and any other sites that use https to get around the normal forbidden domains list. If any of you know how we can achieve that end without https filtering, that would solve this also.
Hi pkromer,

What is the SonicWALL Model and firmware running?

"...every permutation like https://, *.,"
This can cause false positives and undesired behavior, so remove them and just include the domain exactly how it is listed. In many of the cases you can trust the domain over explicitly keying in the subdomain, because the domain will automatically wildcard everything below it.

Do you have SSL-DPI running? If not, I'd strongly recommend it, as it is a much better method for executing CFS via HTTPS. CFS via HTTPS filtering is different than HTTP CFS...and uses IPs & hostnames as opposed to being able to perform redirects to enforce authentication or provide a block page.

If you are running multiple CFS policies, I'd recommend putting the exclusions in the Global Policy as opposed to Per Policy in CFS 3.0. In CFS 4.0, make sure each policy in each Zone required for Office 365 includes the updated exclusions list.

Let me know once you have applied the changes.
ASKER CERTIFIED SOLUTION
Blue Street Tech
(This solution is only available to members of Experts Exchange.)
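As an illustration of the expert's point about permutations (added here; this is neither SonicWall's code nor the expert's): a hostname-based HTTPS filter only ever sees the bare server name, so entries carrying a scheme, a path or a "*." prefix are best reduced to the bare domain, and a parent domain already covers every label beneath it. The matching semantics below are an assumption modelled on the description above, not the actual SonicOS implementation.

```python
import re
from typing import Iterable, List

# Constructed example of an Allowed Domains list in the shape the question
# describes: the same domain keyed in several "permutations".
RAW_ALLOWED = [
    "outlook.office365.com",
    "https://outlook.office365.com",
    "*.office365.com",
    "office.com/",
    "https://*.lync.com/",
]

def normalize_entry(entry: str) -> str:
    """Reduce an entry to the bare domain a hostname/SNI match can see:
    no scheme, no leading wildcard, no path, lower-case."""
    e = entry.strip().lower()
    e = re.sub(r"^[a-z][a-z0-9+.-]*://", "", e)  # drop https:// or http://
    e = e.split("/", 1)[0]                         # drop any path component
    e = e.lstrip("*").lstrip(".")                  # drop a "*." prefix
    return e.strip(".")

def normalize_list(entries: Iterable[str]) -> List[str]:
    """Normalize and de-duplicate, preserving first-seen order."""
    seen: List[str] = []
    for e in entries:
        n = normalize_entry(e)
        if n and n not in seen:
            seen.append(n)
    return seen

def hostname_allowed(hostname: str, allowed: Iterable[str]) -> bool:
    """Label-boundary suffix match (assumed semantics): an entry covers
    itself and every subdomain beneath it, but 'office.com' must not
    cover 'notoffice.com'."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in allowed)

def redundant_entries(allowed: List[str]) -> List[str]:
    """Entries already covered by a parent entry, which can be dropped
    because the parent domain wildcards everything below it."""
    return [d for d in allowed
            if any(o != d and d.endswith("." + o) for o in allowed)]
```

Feeding the raw list through normalize_list shows that the scheme and wildcard permutations collapse to a handful of bare domains, and redundant_entries flags the explicit subdomain that the parent entry already covers.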
pkromer (ASKER)

SonicWall NSA 2400, firmware SonicOS Enhanced 5.9.1.10-1o.
pkromer (ASKER)

We are running multiple policies but all allowed and forbidden domains are in the global policy, and each sub-policy is set to get those from global.
"SonicWall NSA 2400, firmware SonicOS Enhanced 5.9.1.10-1o."
You should upgrade to the 6.2 or 6.5 leg as they both provide major security improvements & bug fixes. 6.2 is the requirement for running SSL-DPI as well.

"We are running multiple policies but all allowed and forbidden domains are in the global policy, and each sub-policy is set to get those from global."
OK good.
pkromer (ASKER)

"You can achieve this in a more granular approach if needed with App Control Advanced too. Filter - Category: Social Networking; Application: Facebook and set to block, which will block all Facebooks activities. Do the same for Twitter and any other social media you want to block."

To do that would I need to switch from CFS Policy Assignment via User and Zone Screens to Via App Rules?
pkromer (ASKER)

Just realized that to get to App Control Advanced I have to deal with SPI connections setting because I had to change it a couple days ago for browser reasons to get the firmware updated to what it is. Now I need to change it back and reboot the firewall, which I can't do for 4 more hours. Krap. I'll do that and then we can continue this whenever you can next if that is ok with you.
"To do that would I need to switch from CFS Policy Assignment via User and Zone Screens to Via App Rules?"
No, App Control is an entirely separate engine. There is some overlap but by design. You can move to App Rules for your CFS deployment for faster processing but I'd hold off until you upgrade to SonicOS 6.2 because then you will be using CFS 4.0 instead of CFS 3.0, which is different in terms of how it executes CFS and managing it as well. When you upgrade, everything will cross over just fine so you don't have to worry about that.

"...SPI connections setting because I had to change it a couple days ago for browser reasons to get the firmware updated to what it is."
Are you talking about the self-signed certificate vulnerability of SHA1 and needing to manage the device by downgrading the browser security to SSLv2.0/3.0?

"Now I need to change it back and reboot the firewall, which I can't do for 4 more hours. Krap. I'll do that and then we can continue this whenever you can next if that is ok with you."
Sounds good. I'm here for you!
pkromer (ASKER)

"Are you talking about the self-signed certificate vulnerability of SHA1 and needing to manage the device by downgrading the browser security to SSLv2.0/3.0?"

I changed Firewall advanced settings > Connections to Maximum SPI Connections (DPI services disabled) from DPI Connections (DPI services enabled with additional performance optimizations) because yes, Chrome wouldn't open the firewall. I was previously using an old version of IE to admin the unit, which was dumb.

"Sounds good. I'm here for you!"

Thanks very much.
Yes, so upgrading the SonicOS will change the hashing cipher from SHA1 (officially insecure) to SHA256 but you will need to regenerate the certificate in order to change the certs in System > Administration section. Once you do that then you will be able to use all Modern Browsers to manage the SonicWALL. Modern browsers along with the rest of the world view SHA1 as a security vulnerability since 01/01/2017.

Once you do that, enable Maximum DPI Connections (DPI services enabled) - it's a baseline security fundamental you need in order to protect your network. The only reason you would want to move to DPI Connections (DPI services enabled with additional performance optimizations) is if the SonicWALL is maxing out in its performance, which you can view in the System > Status section under CPUs: & Connections: (Peak/Current/Max) among other places.
pkromer (ASKER)

Where / how do I regenerate the certificate, and where / how do I install it?
This should really be another separate question because it doesn't directly address your question here, however, it is a beneficial byproduct of the SonicOS upgrade which will solve your issue in this question.

Nevertheless, to upgrade your cert here is what you do. Once you have installed the SonicOS update, either 6.2 or 6.5, go to the System > Administration page and navigate to the Web Management Settings section. Next to Certificate Common Name: you should see a button labeled Regenerate Certificate. Once you click on that, then click Accept to save. Reboot the SonicWALL and verify the new cert has been implemented in the browser. When you examine the cert, the old one will show SHA1 and the new one will show SHA256. Once you have verified it is using SHA256 you will be much more secure and able to use a modern browser for mgmt. For better security, ideally, I'd recommend procuring a third-party CA-signed cert instead of self-signed.

Let me know if you have any questions!
pkromer (ASKER)

App control... got that figured out, it works but how do I add another entry? I only have facebook blocked now but need to block a few more sites. See attached image.

btw, I have not upgraded the firmware or done any of the other stuff... I need to just get this part handled at this point. I definitely will follow your advice very soon after I get this done though.
(attachment: 2018-02-21_9-15-28.jpg)
Perfect! Now you can do the same tasks as you did for Facebook for the other sites you wish to block by pulling down the Application drop down menu and locating them accordingly.
pkromer (ASKER)

2 questions... why does the interface only show the last one you created? I have done 4 now, and I only see the most recent one I did. I don't see all 4 of them in a list. Also, Facebook and Twitter seem to be completely blocked, but MySpace and SnapChat are only partially blocked. Why would that be?
pkromer (ASKER)

Never mind that last part, SnapChat and MySpace are now fully blocked, no idea why there was a lag time. First question still stands though, it's weird that I can't see all the entries I've added and makes me wonder if they're going to stay in effect.
I'm not sure I follow...what is not showing exactly? Those are just views; you can adjust them to see whatever you desire.

Also, if you wish to block all Social-Networking apps just configure it once by clicking the Configure icon next to the Category rather than going through each one. It saves a lot of time.
pkromer (ASKER)

Attached is a screenshot of what I mean by it showing just the most recent site I blocked. Btw, I also just did what you said and went to the small pencil / edit image next to category social networking and enabled blocking, which I assume is what you mean by not having to do each one separately.
(attachment: 2018-02-21_11-04-42.jpg)
Yes, exactly. That way the entire category is blocked.

OK, so the View By: is your first filter. Right now you have it set to Applications, which is why it is showing this on the Application level.
Hierarchically it goes like this:
  • Category
  • Application
  • Signature

Then you have the Application: filter, which right now you have selected SnapChat, however if you want to see all the Applications within the Category: Social-Networking then select All on the drop-down next to Application:.

Lastly, if you want to see all the Categories then next to the Category: filter drop down select All to view all.

It takes a little while to get how it works, but once you do it's great!

Does that make sense?
pkromer (ASKER)

Hey, I wrote a comment to you before closing the question and it's not here. Anyway, I said you are probably the most helpful and attentive expert I've run across in all my years of using EE. Thanks very much.
Wow, thank you so much for the great compliment! I'm glad I could help!!

P.S. I think the site may be having some issues...I have had to post twice a few times.
pkromer (ASKER)

ah, makes sense. Some of your posts have come in as two emails to me instead of one. EE needs to get on EE and find an expert to help them with their site... oh wait :-)