LogicN Newbie ✭
We have a TZ370 installed at a school, and are struggling to implement CFS and also block keywords.
Can we use any additional app/module for that, to protect/filter access to the internet?
Category: Firewall Security Services
Hi @LogicN, there is nothing wrong with the CFS; it is a Google browser issue. Unless you block UDP 443 (LAN_WAN) outbound in the Access Policies, the CFS keyword or enforcing Safe Search will not work, as the CFS is being bypassed by the Google QUIC protocol, which uses UDP 443 rather than TCP 443 on Chrome and Edge. Firefox doesn't have this issue.
Make sure on the CFS policy, if you are not using DPI-SSL (which I recommend), that you enable the HTTPS Content Filtering.
We have all that setup, with 3 CFS policies, Default, staff and student.
That does not stop them from getting to sites like freemake.com or bet365.com or...
Plus that does not stop them from keyword searches on unwanted words.
Are you using DPI-SSL? Also try changing the URI List Searching Order in the policy to use the blocked list first. Are those sites blocked for all users, or for just one policy?
No, not using DPI-SSL, but possibly that is what I was looking at.
Yes, possibly on, students even staff policies can apply block first, and leave default with "none".
I will try and let you know.
Just done a quick test here: without DPI-SSL it doesn't block bet365, but when I enable DPI-SSL it does block as expected.
I would test enabling DPI-SSL on one PC first before rolling out to all the workstations.
3 Policies, priority Student, Staff, and Default
Do I need to download SSL certs to each device from SonicWall, or distribute through GPO?
Although not sure if that will stop keyword searches as well or not.
Hi @LogicN, I would recommend looking at these before deploying, and also make a list of all the devices that need to be excluded from DPI-SSL, like printers and scanners (anything you can't install a certificate on, like CCTV), and you need to think about how to distribute the cert to tablets etc.
Also, as you are a school, you will need to exclude any critical domains needed for online tests / exams. The more known trusted applications or services you can exclude from DPI-SSL the better, as it will put less load on the appliance. Anything to do with payments needs excluding from DPI-SSL, like banking or shopping.
Also, the CFS Exclusion list in the DPI-SSL Exclusions has nothing to do with the CFS settings; it is just the CFS category list re-used as an easier way to exclude sites from DPI-SSL inspection by CFS category (the above Banking and Shopping exclusions would be done this way).
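An added example, not part of the thread and not SonicWall code: a check over connection records that shows which LAN clients still get QUIC (UDP 443) out to the WAN, and so bypass CFS as described above, and which ones were blocked and fell back to TCP 443. The CSV column layout, the sample records and the LAN range are assumptions constructed for this example.

```python
import csv
import io
import ipaddress

# Constructed sample records; the column layout is an assumption for this
# example and is not SonicWall's log export format.
SAMPLE_LOG = """\
src_ip,dst_ip,proto,dst_port,action
10.0.20.15,142.250.0.10,udp,443,allow
10.0.20.15,142.250.0.10,udp,443,allow
10.0.20.16,142.250.0.10,udp,443,deny
10.0.20.16,142.250.0.10,tcp,443,allow
10.0.30.7,10.0.1.5,udp,443,allow
10.0.30.8,151.101.0.1,tcp,443,allow
"""

LAN = ipaddress.ip_network("10.0.0.0/16")  # assumed LAN range


def classify_clients(log_text, lan=LAN):
    """Map each LAN client to 'quic-bypass', 'tcp-fallback' or 'other'."""
    seen = {}  # client -> set of (proto, action) seen towards WAN port 443
    for row in csv.DictReader(io.StringIO(log_text)):
        src = ipaddress.ip_address(row["src_ip"])
        dst = ipaddress.ip_address(row["dst_ip"])
        if src not in lan or dst in lan or row["dst_port"] != "443":
            continue  # only LAN -> WAN traffic to port 443 matters here
        seen.setdefault(str(src), set()).add(
            (row["proto"].lower(), row["action"].lower()))
    result = {}
    for client, flows in seen.items():
        if ("udp", "allow") in flows:
            # QUIC left the network: the UDP 443 block is missing for this client
            result[client] = "quic-bypass"
        elif ("udp", "deny") in flows and ("tcp", "allow") in flows:
            # QUIC was dropped and the browser retried over TCP 443
            result[client] = "tcp-fallback"
        else:
            result[client] = "other"
    return result


if __name__ == "__main__":
    for client, status in sorted(classify_clients(SAMPLE_LOG).items()):
        print(client, status)
```

Any client reported as `quic-bypass` after the UDP 443 deny rule is in place points to a zone or rule-order gap worth checking before moving on to the DPI-SSL rollout.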