CFS not working as it should

Hello, attached is a diagram of what I want in a school.

So now, when I block everything in the default CFS profile, the students profile works, but then the staff and teachers are also blocked, even though I have 2 profiles, VIP and teachers, containing the allowed categories.

Only when I enable everything in the default CFS profile can they access the internet, but then the students also have full access.


Does anyone have good tips for me on how to handle this?

thx

Category: Firewall Security Services

Best Answer

  • CORRECT ANSWER
    shiprasahu93 Moderator
    Answer ✓

    @Destavener,

    In the CFS priority, I see that the default CFS policy is at priority 1. Kindly use the Staff and Teachers policies with a higher priority and then the CFS default policy. You can use the arrow available on the policy to change the priority.

    The SonicWall would use the SSO agent to find the username logged in to a PC and then pull its group membership from LDAP. After that, it applies the CFS policy based on the priority of the CFS policies available.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services
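
The ordering problem described in the answer above, as an added example that is not part of the original thread and not SonicWall code. It models the policy list as first match wins in priority order, which is a simplification of the behaviour the answer describes; the policy, group and profile names and the `ANY` marker are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "*"  # hypothetical marker: the policy is scoped to every user


@dataclass(frozen=True)
class Policy:
    name: str
    group: str    # user group the policy is scoped to, or ANY
    profile: str  # CFS profile applied when the policy matches


def evaluate(policies, user_groups):
    """Return the first matching policy; list order is priority, index 0 first."""
    for p in policies:
        if p.group == ANY or p.group in user_groups:
            return p
    return None


def shadowed(policies):
    """Names of policies that can never match because an earlier one covers them."""
    seen, hit_any, out = set(), False, []
    for p in policies:
        if hit_any or p.group in seen:
            out.append(p.name)
        if p.group == ANY:
            hit_any = True
        seen.add(p.group)
    return out


# Constructed sample data: the default policy sits at priority 1, as in the thread.
BEFORE = [
    Policy("CFS Default", ANY, "default-profile"),
    Policy("Teachers", "Teachers", "teachers-profile"),
    Policy("VIP", "VIP", "vip-profile"),
]
# Same policies with the group policies moved above the default.
AFTER = BEFORE[1:] + BEFORE[:1]

if __name__ == "__main__":
    for label, order in (("before", BEFORE), ("after", AFTER)):
        hit = evaluate(order, {"Teachers"})
        print(label, "teacher gets:", hit.name, "| shadowed:", shadowed(order))
```
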

Answers

  • The problem is that all users use the default CFS profile instead of the created profiles.

    Can anyone help?

  • @Destavener ,

    Could you please let us know if you're mapping the profiles using the IP addresses of the client machines or usernames using ULA or SSO?

    Also, could you please share the priority of the CFS policies themselves?

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • hi Shipra


    I am getting the users via LDAP, see attachment.

    You asked me to share the priority of the CFS policies; can you point me to where I need to check that so I can make screenshots?


    thx

    John

  • @Destavener,

    If the users are used for applying the CFS policies, then the firewall should know which IP address belongs to what user. We usually suggest using SSO agent so that we can identify the username logged into a specific machine. So, basically, you should be able to see the users identified under the MONITOR | User Sessions | Active Users section. Please take a look at the KB below for SSO agent install and set up if not already done.

    The CFS policy priority can be checked from the MANAGE | Rules | Content Filter Policies tab.

    Thank you!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Thx Shipra, I am going to change it with your documentation.

    Attached is the CFS priority.

  • Shipra

    Changing the priority was enough to do the trick.

    Thx for your support, you are my hero.

  • Perfect! Glad I could help!

    Have a good one!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • hi Shipra

    Today I was at the school and a teacher came with her laptop from home and wanted to Zoom with it, so she joined the school's wifi but was unable to access most websites, only a few. She is not in the domain controller but only on the wifi. An error message came from the SonicWall saying the website was blocked due to the students profile, but I took my laptop from home and I could search the entire web.

    The only difference is that her laptop starts without any password or PIN; is that why she is being recognised as a student?


    thx

  • @Destavener,

    Yes, the CFS policies that you have added are based on usernames/user groups. If there is a new device that is not part of the domain, the appropriate policy based on priority would get applied if the user cannot be authenticated.

    Also, for such situations, I would suggest creating an IP based rule temporarily and applying the respective policy with the right priority.

    Or, if you have a separate SSID like Guest, you can ask them to connect to that and have a separate policy applied to that zone.

    I hope that helps!

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services
