Sonicwall - How to block HTTPS websites in CFS 3.0

Description

This article shows how to block HTTPS websites using CFS3.0 (SonicOS 6.2.5.3 or earlier).
The earlier IP based HTTPS filtering filtered HTTPS traffic based on server IP addresses. The enhancement described here is applicable to both IP addresses and hostnames for rating HTTPS websites. HTTPS Content Filtering is applicable for the domains entered in the Custom List and the Match Objects entries in Allowed/Forbidden List under Firewall | Match Objects page. In other words, when Enable HTTPS Content Filtering is checked under CFS | Configure | CFS window , it is a global CFS setting applicable to the following:

• Allow Domains
• Forbidden Domains
• Keyword Blocking
• App Rules > CFS Category List
• App Rules > CFS Allowed/Forbidden List

Hostnames are obtained in two ways:

1. Examine SSL Client Hello message and if it supports SSL server name extension, it will have hostname included in the SSL Client  Hello. This hostname is used to get rating information.
2. Another method is to examine Server Hello messages to get certificate Common Name (CN) from the certificate and use the same to get rating information.

For example, to block Gmail.com, add mail.google.com in the Forbidden Domains box. This would block any HTTP host with mail.google.com in the URL. Further, if using HTTPS, CFS will examine the Server Extensions field in the Client Hello message and/or the CN in the Server Hello message and block the page if it matches google.com. In the case of Gmail.com the CN is www.google.com and will be blocked by CFS. The downside of this would be that any Google services using that CN would also be blocked.

--------

How to block YouTube.com using CFS 3.0 (SonicOS 5.8.0 and above)

Last Updated: 8/2/2017 4443 Views 960 Users found this article helpful

Description

How to block YouTube.com using CFS 3.0 (SonicOS 5.8.0 and above)

Resolution

Feature/Application:

This KB article describes how to block youtube.com (HTTP and HTTPS) using SonicWall Content Filtering Service (CFS) 3.0.  SonicWall CFS 3.0, which was introduced in SonicOS 5.8.0.0, uses HTTPS Content Filtering to block HTTPS sites. The CFS 3.0 implementation uses HTTPS Content Filtering to look up the host name from the Server Name extension in the SSL Client Hello message, if the browser supports SSL Server Name extension, or the Certificate Common Name (CN) in the Server Hello message.

However, this method will not work if 1) the browser does not support Server Name Extension in the Client Hello message 2) the Common Name (CN) in the Certificate message does not correspond to the host name being accessed.  You could work around this problem by blocking those SSL / TLS versions not supporting Server Name extension. Refer this KB article to block SSL versions, UTM: How to Block SSL / TLS versions using Application Control Advanced (5.8 onwards). Alternatively, you could use DPI-SSL.

https://www.sonicwall.com/en-us/support/knowledge-base/170505612632599

https://www.sonicwall.com/en-us/support/knowledge-base/170505373426542