NOTE: CFS 4.0 does not allow usage of CFS Via App rules. This article applies only to CFS 3.0
1. Navigate to the Security Services | Content Filter.
2. Change CFS Policy Assignment to Via App Rules and click on Accept to save the change. 3. Click on Configure under Content Filter Service
4. Under theCFS tab, enable the check boxes underEnable HTTPS Content Filtering andEnable CFS Server Failover. Note: IfDPI-SSL Client Inspection is enabled with Content Filter, Enable HTTPS Content Filtering must be unchecked. 5. Click onOK
imported from LDAP, Teachers Group andStudents Group. For this KB article, we use the following scenario:
Create Two CFS Rules - Teachers and Students .
The Teachers Policy must be the least restrictive with only a few categories blocked.
The Students Policy must have all categories blocked except Education and Email.
Note: The default action will be to provide all machines with the Students policy unless a teacher is logged in. Technically, the Students group is not required to be imported to the firewall in this scenario.
8. Create Student List Match Object
Click on Add New Match Object again
Let's call this Students List
Set Match Object Type as CFS Category List
Enable the check box Select All Categories and uncheck Education and Email
Click on OK to save
Click on Add New Match Object again
Let's call this Teachers List
In the CFS Category List check categories 1 to 12 and then categories 48 and 58.
Click on OK to save.
Let us now create Match Objects for the Allowed and Forbidden domains.
10. Create Students Allowed Domains
Click on Add New Match Object
Under Name, enter Students - Allowed Domains.
Set Match Object Type to CFS Allow/Forbidden List.
Under Content, enter google.com and click on Add.
Click on OK to save.
11. Create Students Allowed Domains
Click on Add New Match Object
Under Name, enter Teachers - Allowed Domains.
Under Match Object Type, select CFS Allow/Forbidden List.
Set Match Type toPartial Match
Under Content, enteryoutube.com and click on Add.
Enter ytimg.com and click on Add.
Click on OK to save.
Match Object to block a website for both user groups.
Click on Add New Match Object
Under Name, enter All - Blocked Domains.
Set Match Object Type to CFS Allow/Forbidden List.
Under Content, enter microsoft.com,ecomm.co.uk and wellsfargo.com and click on Add after each
Click on OK to save.
Create App Rules policies
13. Create Students Policy
Click on Add New Policy
Under Policy Name, enter Students Policy
Set Policy Type to CFS
Under Match Object, selectStudents List.
SetAction Object toCFS Block Page.
UnderUsers/Groups, selectAny under Included.
Under Users/Groups select Teachers-Group under Excluded
Set theZone field toAny. Note: CFS using App Rules is not required to be enabled on the zones page because the zone can be selected here under the Zone field.