Content filter doesn't block websites but the hit count grows
Hello everyone!
I've installed a new TZ370, with content and app filter.
The app filter works, but content filtering does not. In the content filter rules, on the right, the hit count grows.
It is a simple network environment: a SonicWall behind an ADSL router with 1:1 NAT, and one remote branch with another SonicWall SOHO. Internal network with 20 terminals.
I've already set up other firewalls; it's very quick and simple, but this is the first one with 7.0.
I have already checked the configuration with a SonicWall reseller and for him it's all OK.
The configuration is the same as the guide found on the SonicWall site: https://www.sonicwall.com/support/knowledge-base/?sol_id=210531022038210, except for the profile object, which is the default, and the address object, which is the entire local subnet.
Has anyone seen this problem before?
Best regards to all the community!
Answers
As with all Gen7 devices, upgrade to the latest firmware. If you do not have DPI-SSL enabled, then Content Filtering won't catch 80% of web traffic.
Hi TKWITS, DPI-SSL is enabled.
I have made another test. Content filter is active on the network but is not filtering HTTPS connections; for example, if I go to view http://colt.com it is blocked, https://colt.com is clear!
@Solidata, you need to import the 3 CA certs highlighted below into the SonicWall as they are missing (if you check the serial numbers against the ones in the SonicWall, these aren't there). Reboot after importing all three and try again; you can save each as a file using Chrome.
Hi Preston, it is not a problem resulting from a lack of certificates; the problem is that despite DPI-SSL being enabled and the filter working on HTTP sites, it does not block the SSL connection.
Hi @Solidata, have a look in the DPI-SSL / Common Names / Connection Failures, does it show unknown CA messages ?
DPI-SSL needs the CA certs for the Inspection for that site you mention, the SonicWall is missing three of them, also make sure you are blocking UDP 443 outbound otherwise Chrome and Edge don't work correctly for DPI-SSL
Also, what certificate does it show is being used when you browse to the site using HTTPS with DPI-SSL enabled? Is it showing the SonicWall DPI-SSL one?
In your image showing DPI-SSL as enabled, it is not showing any actual connections. Have you enabled it under the DPI-SSL Objects tab? Also check you don't have any outbound firewall rules under the Security Profiles tab where Client DPI-SSL is disabled for HTTPS.
Hi Preston, I think there was some kind of misunderstanding... I need content filtering on the network, so, dropping pornography, war, weapons, etc. etc.... I can't put a certificate in for every site I have to block!🤢
The filter is functional on HTTP but does not reach the HTTPS sites. I think there is some bullshit.
I had a look in DPI-SSL / Common Names / Connection Failures. There's nothing.
I will try to block UDP 443 outbound but I don't understand the meaning of this; content filtering "should do this".
Hi @Solidata, I have it enabled on mine with the latest Gen7 firmware and the CFS works as expected with DPI-SSL enabled. Just check the browser and what certificate it is using when going to colt.com: if it is showing Amazon, it is not enforcing DPI-SSL. If this is the case, check that your DPI-SSL / Objects are set to Include All and Exclude (the devices you want to exclude); also check that in the Zones page DPI-SSL Client is enabled.
Also check from another PC as it could be a browser cache issue.
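The check Preston describes (does the certificate the client sees for colt.com come from the SonicWall DPI-SSL CA or from Amazon?) can be scripted from a workstation behind the firewall. This is an added example, not code from the thread or from SonicWall; it assumes port 443 and that the re-signing CA's commonName contains "DPI-SSL" (the marker is an assumption, adjust it to the CN shown in your DPI-SSL certificate settings). The leaf cert is fetched with verification disabled so an untrusted re-signed cert is returned rather than rejected, and the issuer CN is pulled out with a minimal DER walker so no third-party library is needed.

```python
import socket
import ssl

def _tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed TLV."""
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve

def issuer_cn(der: bytes) -> str:
    """Return the issuer commonName of a DER X.509 certificate ('' if absent)."""
    _, cs, _ = _tlv(der, 0)                             # Certificate SEQUENCE
    _, ts, te = _tlv(der, cs)                           # tbsCertificate SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    _, ns, ne = fields[2]                               # serial, sigAlg, issuer, ...
    for _, ss, se in _children(der, ns, ne):            # RelativeDistinguishedName SET
        for _, as_, ae in _children(der, ss, se):       # AttributeTypeAndValue SEQ
            (_, os_, oe), (_, vs, ve) = list(_children(der, as_, ae))[:2]
            if der[os_:oe] == b"\x55\x04\x03":          # OID 2.5.4.3 = commonName
                return der[vs:ve].decode("utf-8", "replace")
    return ""

def intercepted(der: bytes, marker: str = "DPI-SSL") -> bool:
    """True when the leaf cert was re-signed by a CA whose CN contains marker (assumed name)."""
    return marker.lower() in issuer_cn(der).lower()

def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Connect as a TLS client and return the DER leaf cert actually presented (unverified)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def _enc(tag: int, payload: bytes) -> bytes:
    """Tiny DER encoder (short-form lengths only) used to build a constructed offline sample."""
    return bytes([tag, len(payload)]) + payload

def sample_cert(issuer: str) -> bytes:
    """Constructed, unsigned certificate skeleton with the given issuer CN; not a real cert."""
    def name(cn):
        return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + name(issuer) + _enc(0x30, b"") + name("colt.com"))
    return _enc(0x30, _enc(0x30, tbs))
```

Run it from a LAN host as `python3 check.py` after adding a loop over hosts that calls `fetch_leaf_cert` and `intercepted`; a result of `False` for a host that CFS should block over HTTPS means the firewall is not re-signing that session, which is the symptom in this thread.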
Have you followed the KB here: https://www.sonicwall.com/support/knowledge-base/how-to-decrypt-https-traffic-using-dpi-ssl/170505885674291/
Have you read this KB: https://www.sonicwall.com/support/knowledge-base/client-dpi-ssl-frequently-asked-questions-faq/170505782716496/
Did you enable HTTPS filtering for your CFS profile? (Object \ Profile Objects \ Content Filter \ (Your profile) \ Advanced \ Enable HTTPS Content Filtering)
Hi @TKWITS, I followed the guide and HTTPS filtering for the CFS profile is enabled, as the photo reported previously shows.
Maybe I explained badly.
I've set up other firewalls, but with SonicOS 6.5, and the configuration is the same.
Seems like the traffic of HTTPS sites is not going through the firewall.
With SSL client inspection enabled, the browser should respond with a certificate error (if the certificate is not installed) because the certificate is needed for managing packets, but ALL HTTPS sites go directly to the web page, while HTTP traffic, if the site is in the rule, was blocked...
I'm in a nightmare☠️
Hi @preston, this is the question!!! The colt.com certificate is Amazon and not SonicWall!
All filters are enabled
Hi @Solidata, DPI-SSL isn't being enforced, as you would otherwise see connections on the DPI-SSL status. Did you reboot the firewall after enabling it?
Do you have any AV software which is also doing HTTPS inspection? This could be stopping the certificate from being enforced.
I hate repeating myself...
Did you enable HTTPS filtering for your CFS profile? (Object \ Profile Objects \ Content Filter \ (Your profile) \ Advanced \ Enable HTTPS Content Filtering)
Hi @preston, I have already rebooted the firewall many times.
The antivirus is excluded; my tests are made with a fresh W10 workstation.
Hi @Tknudsen, I've already responded to your question: YES, HTTPS filtering for the CFS profile is enabled.
@Solidata, stupid question, you aren't testing this whilst you are logged in to the admin of the SonicWall from the same PC are you?
No @preston, not a stupid question!!! 😂 Tests are from another machine; anyway, admin is included.
You never mentioned what firmware version you were using. At this point, if it were me, I'd upgrade to the latest firmware version, factory default the unit, and start over.
@Solidata
may be a stupid question,
Did you enable the CFS policy, and are the source and destination LAN to WAN?
If it's enabled, try to create/add a new CFS Profile and CFS Action, add a new policy, attach it and try. (Disable the default policy, Profile and Action.)
Hi @TKWITS, the firmware version is the latest, 7.0.1-5050.
Today, reluctantly, I will restore firewall and reconfigure again...
Hi @Ajishlal, already tried but no success. It's a frustration☠️
@Solidata
Have you tried enabling the block on "57. Internet Watch Foundation CAIC"?
I had the same issue before, and this solved the problem.