Thursday, April 12, 2012

Sonicwall and Yahoo Mail

Thanks to C7J0yc3 for this explanation.

...Ahh the good ole SonicWall screws with .css packets issue. I've dealt with this before: we put a TZ210 into an office of all Macs and suddenly no one could get to yahoo.com anymore. Some would partially load the page, but others would get nowhere. Browser didn't matter; however, they could all do traceroute, ping, DNS lookup, etc., so we knew that the SonicWall wasn't blocking yahoo.com, just the content.

The solution was to un-check the "Enforce Host Tag Search for CFS" on the hidden diagnostics page.

Try this:

Log in to your SonicWall device as admin, then change the URL from http://<yourIPaddress>/main.html to http://<yourIPaddress>/diag.html

Look for the check box "Enforce Host Tag Search for CFS". If it is checked (this is the default setting) just un-check it and hit save.

Here's why:

CFS is trying to be restrictive, and some sites have such a big header on their HTML (usually keywords) that what CFS is expecting to occur in the first packet doesn't appear until later packets. It has to do with how much data CFS has at hand to make its decision.

It's not a security issue, it's a content filtering issue. If this box is checked, CFS will drop the packet if the host tag doesn't appear in the first packet.

Checking the box means CFS will enforce (require) that the host tag appears in the first packet. There is no RFC (internet standard) that requires the host tag to be in the first packet - it's a question of how much buffering is in the SonicWALL device.

When you un-check this box, the worst that could happen is that some site that CFS would otherwise block will be allowed because CFS doesn't have a host tag to check. Most sites have their HOST tag in the first packet returned; it's only a few rare ones that don't. And Yahoo does not.

So there you have it, let us know if that works.