CFS not working as it should

Hello, attached is a diagram of what I want in a school.
So now, when I block everything in the default CFS profile, the students profile works, but then the staff and teachers are also blocked, even though I have 2 profiles, VIP and teachers, containing allowed categories.
Only when I enable everything in the default CFS profile can they access the internet, but then the students also have full access.
Does anyone have good tips for me on how to handle this?
Best Answer
shiprasahu93 Moderator
In the CFS priority, I see that the default CFS policy is at priority 1. Kindly use the Staff and Teachers policies with a higher priority and then the CFS default policy. You can use the arrow available on the policy to change the priority.
The SonicWall would use the SSO agent to find the username logged in to a PC and then pull its group membership from LDAP. After that, it applies the CFS policy based on the priority of the CFS policies available.
Shipra Sahu
Technical Support Advisor, Premier Services
The problem is that all users use the default CFS profile instead of the created profiles.
Can anyone help?
Could you please let us know if you're mapping the profiles using the IP addresses of the client machines or usernames using ULA or SSO?
Also, could you please share the priority of the CFS policies themselves?
Shipra Sahu
Technical Support Advisor, Premier Services
Hi Shipra,
I am getting the users via LDAP, see attachment.
You asked me to share the priority of the CFS policies. Can you point me to where I need to check that so I can make screenshots?
If the users are used for applying the CFS policies, then the firewall should know which IP address belongs to what user. We usually suggest using SSO agent so that we can identify the username logged into a specific machine. So, basically, you should be able to see the users identified under the MONITOR | User Sessions | Active Users section. Please take a look at the KB below for SSO agent install and set up if not already done.
The CFS policy priority can be checked from the MANAGE | Rules | Content Filter Policies tab.
Thank you!
Shipra Sahu
Technical Support Advisor, Premier Services
Thanks Shipra, I am going to change it with your documentation.
Attached is the CFS priority.
Changing the priority was enough to do the trick.
Thanks for your support, you are my hero.
Perfect! Glad I could help!
Have a good one!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi Shipra,
Today I was at the school and a teacher came with her laptop from home and wanted to Zoom with it, so she joined the school's Wi-Fi but was unable to access most websites, only a few. While she is not in the domain controller but only on the Wi-Fi, an error message came from the SonicWall saying the website was blocked due to the students profile, but I took my laptop from home and I could search the entire web.
The only difference is that her laptop starts without any password or PIN. Is that why she is being recognised as a student?
Yes, the CFS policies that you have added are based on usernames/user groups. If there is a new device that is not part of the domain, the appropriate policy based on priority would get applied if the user cannot be authenticated.
Also, for such situations, I would suggest creating an IP based rule temporarily and applying the respective policy with the right priority.
Or, if you have a separate SSID like Guest, you can ask them to connect to that and have a separate policy applied to that zone.
I hope that helps!
Shipra Sahu
Technical Support Advisor, Premier Services
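
The ordering problem and the unidentified-device case from this thread, as an added example that is not part of the original posts and is not SonicWall code: a simplified first-match model of priority-ordered policies, with a check that reports group policies placed behind a catch-all. It assumes the first matching policy in priority order wins; the policy and group names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                    # 1 is evaluated first
    groups: frozenset = frozenset()  # empty = catch-all (no user/group condition)

def select_policy(policies, user_groups):
    """First policy in priority order whose group condition matches.

    user_groups is None when the user could not be identified
    (for example a non-domain laptop that SSO cannot resolve).
    """
    member_of = frozenset(user_groups or ())
    for policy in sorted(policies, key=lambda p: p.priority):
        if not policy.groups or policy.groups & member_of:
            return policy
    return None

def shadowed(policies):
    """Names of policies that can never match because a catch-all precedes them."""
    ordered = sorted(policies, key=lambda p: p.priority)
    for i, policy in enumerate(ordered):
        if not policy.groups:
            return [p.name for p in ordered[i + 1:]]
    return []

# Constructed sample tables (assumed names, not taken from the screenshots).
MISORDERED = [
    Policy("Default", 1),
    Policy("Staff", 2, frozenset({"Staff"})),
    Policy("Teachers", 3, frozenset({"Teachers"})),
]
FIXED = [
    Policy("Staff", 1, frozenset({"Staff"})),
    Policy("Teachers", 2, frozenset({"Teachers"})),
    Policy("Default", 3),
]

if __name__ == "__main__":
    for label, table in (("misordered", MISORDERED), ("fixed", FIXED)):
        print(label, "shadowed:", shadowed(table))
        for who in ({"Teachers"}, {"Students"}, None):
            print("  ", who, "->", select_policy(table, who).name)
```

In the fixed table an unidentified user (`None`) still lands on the default policy, which matches what the teacher's home laptop experienced.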