
SonicWall Security Services — GAV, IPS, CFS, Botnet & App Control

A SonicWall firewall is only as protective as the security services you switch on. Gateway AV, Anti-Spyware, IPS, Application Control, the Botnet and GeoIP filters and the Content Filtering Service all ride one single-pass RFDPI engine fed by Capture Labs. This lesson shows what each one does, how you enable them per rule and zone, and the DPI-SSL dependency that quietly lets HTTPS threats through.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to SonicWall's subscription security services (2026): Gateway Anti-Virus, Anti-Spyware, IPS, Application Control, Botnet & GeoIP filters and the Content Filtering Service — how they all ride one single-pass RFDPI engine fed by Capture Labs, how to enable them per rule/zone, and why DPI-SSL is the dependency everyone forgets.


Pick where you want to start

1. The bundle: many services, one RFDPI single pass, Capture Labs feeds.
2. Malware & intrusion: Gateway AV, Anti-Spyware and IPS signatures.
3. Apps & reputation: App Control, Botnet filter and GeoIP filter.
4. Web filtering & DPI-SSL: CFS categories, client CFS, tuning pitfalls.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Are GAV, IPS and CFS separate appliances bolted on?

Answered in The bundle.

2. What does IPS 'Prevent' do versus 'Detect'?

Answered in Malware & intrusion.

3. Why might a licensed service still miss an HTTPS threat?

Answered in Web filtering & DPI-SSL.

Most engineers think…

Most people assume that once a SonicWall has 'security' licensed, every threat is automatically caught everywhere. That mental model loses you marks in an interview and lets traffic through in production.

SonicWall's protection is a bundle of subscription services (Gateway Anti-Virus, Anti-Spyware, IPS, Application Control, the Botnet and GeoIP filters and the Content Filtering Service) that all run inside the one single-pass RFDPI engine, fed by Capture Labs intelligence. Each one is enabled per access rule or zone, not by magic, and RFDPI can only see inside HTTPS when DPI-SSL is on. Knowing that split is what lets you turn on the right service, in the right place, and actually tune it.

① The security services bundle — many shields, one single pass

The single most important idea: SonicWall's protection is a set of subscription security services, and they all run inside the one single-pass RFDPI engine — not as separate appliances or separate sequential scans. That is why you can switch several on without stacking latency.

The bundle is Gateway Anti-Virus (GAV), Anti-Spyware, IPS, Application Control, the Botnet Filter, the GeoIP Filter and the Content Filtering Service (CFS). Their signatures and intelligence come from SonicWall Capture Labs, which continuously pushes malware, IPS, botnet command-and-control, application and URL-category updates. No active licence or no updates means stale protection.

Two rules to remember. First, services are sold as a bundle (for example an Essential or Advanced protection suite). Second, each service is enabled per access rule and/or per zone — a service that is licensed but not applied to a rule inspects nothing on that path.

Figure 1 — One RFDPI pass runs every service
[Diagram: RFDPI engine + Capture Labs feeding Gateway Anti-Virus, Anti-Spyware, IPS, Application Control, Botnet & GeoIP, Content Filtering]
Each licensed security service is applied by the same single-pass RFDPI engine, fed by Capture Labs intelligence.

Figure 2 — From licence to live protection
[Diagram: License (buy the bundle) → Update (Capture Labs feeds) → Enable (per rule / per zone) → Inspect (RFDPI single pass) → Act (block / log / throttle)]
A service only protects traffic once it is licensed, updated, and enabled on the right rule or zone.

Quick check · Q1 of 10 · Understand

SonicWall's GAV, IPS, App Control and CFS are best described as…

Correct: b. They are licensed services that execute together within RFDPI's single pass, fed by Capture Labs intelligence and enabled per access rule or zone — not separate boxes or sequential proxies.
👉 So far: SonicWall security = a licensed bundle (GAV, Anti-Spyware, IPS, App Control, Botnet, GeoIP, CFS) all running in one RFDPI single pass, fed by Capture Labs, enabled per rule/zone.

② Malware & intrusion — Gateway AV, Anti-Spyware and IPS

Gateway Anti-Virus (GAV) is stream-based antivirus at the gateway: it scans malware carried over HTTP, FTP, SMTP, POP3, IMAP and more. Because RFDPI is reassembly-free, GAV scans the stream as it flows instead of buffering the whole file. Anti-Spyware pairs with it, blocking spyware payloads and the phone-home / call-back traffic spyware uses to fetch instructions or exfiltrate data.

IPS — categories, severity and the action you choose

Intrusion Prevention (IPS) is signature-based detection of exploits, worms, buffer overflows and port scans. Signatures are grouped into categories, each with a severity / priority (high, medium, low). For each, you set an action: Prevent (block) or Detect (log and alert only).

The tuning rule: do not blanket-Prevent everything. Prevent the high-severity categories, run the noisier ones in Detect first, watch the logs, then promote true positives. Setting every signature to block blindly is the classic false-positive storm.

Figure 3 — IPS — severity drives your action
[Diagram: High severity → Prevent (block known exploits and worms); Medium severity → Detect, watch logs, then promote true positives; Low / info → Detect or off (noise you tune out)]
Set high-severity categories to Prevent and tune the noisier ones in Detect first to avoid a false-positive storm.

Gateway Anti-Virus (GAV)
Stream-based gateway antivirus scanning malware over HTTP, FTP, SMTP, POP3 and IMAP inside RFDPI's single pass — no full-file buffering.

IPS (Intrusion Prevention)
Severity-rated signature categories for exploits, worms and scans. Set each to Prevent (block) or Detect (log) — tune, don't blanket-block.

Botnet Filter
Blocks connections to or from known botnet command-and-control IPs, so an infected host cannot call home. Near-zero tuning.

Content Filtering Service (CFS)
URL-category web filtering via policies and profiles applied through zones or access rules, plus a Client CFS option for roaming users.

Prevent the high, Detect the noisy

Don't set every IPS signature to Prevent on day one. Prevent the high-severity categories, run medium/low in Detect, read the logs for a few days, then promote real attacks to Prevent. That gets you protection without a false-positive storm that buries the genuine alerts.

Quick check · Q2 of 10 · Remember

In IPS, what is the difference between the Prevent and Detect actions?

Correct: c. Prevent blocks traffic matching a signature; Detect only logs/alerts. You set the action per severity-rated category, preventing high-severity ones and detecting-then-tuning the rest.
👉 So far: GAV stream-scans malware over web/file/mail; Anti-Spyware blocks call-home; IPS uses severity-rated signature categories set to Prevent (block) or Detect (log) — tune, don't blanket-block.

③ Apps & reputation — App Control, Botnet and GeoIP

Application Control identifies thousands of applications by their signature and behaviour, regardless of port — so it still sees an app that hops to a non-standard or evasive port. You can then allow, block, or bandwidth-manage (throttle) it. The everyday use: throttle or block recreational apps such as streaming, P2P and games while protecting business traffic.

Two more services need almost no tuning, which makes them quick risk-reduction levers. The Botnet Filter blocks connections to or from known botnet command-and-control (C2) IP addresses, so an infected internal host cannot call home and known-bad infrastructure cannot reach in. The GeoIP Filter blocks traffic by country or region — for example, dropping inbound from places you never do business with.

The interview line: App Control is the precise, port-independent lever; Botnet and GeoIP are the blunt, low-effort levers you turn on first.

Figure 4 — App Control vs Botnet / GeoIP filters
[Diagram: Application Control: identifies apps by signature, works regardless of port, allow / block / throttle, needs policy tuning. Botnet / GeoIP: block known C2 IPs, block by country / region, almost no tuning, quick risk reduction]
App Control is the precise port-independent lever; Botnet and GeoIP are blunt, near-zero-tuning levers.

The 'it's licensed, so it's protecting everything' trap

A licensed service inspects nothing until it is enabled on the relevant access rule or zone. The classic miss is leaving the services on the default LAN→WAN rule while a guest/WLAN or DMZ zone goes uninspected. Always map which services are ticked on which rule for the path you care about.

▶ Watch a botnet callback get blocked on the way out

How one web request is inspected end-to-end, then how an infected host's call-home is stopped. Steps 1 and 2 are the healthy path; steps 3 and 4 are the classic failure being caught.

1. Request: Priya's laptop in Pune opens a website; the request hits the SonicWall and enters the RFDPI single pass.
2. Inspect: In one pass RFDPI runs CFS (URL category), App Control (app ID), then IPS and GAV against the decrypted stream.
3. Callback: Meanwhile an infected host tries an outbound call-home to a known botnet command-and-control IP.
4. Block: The Botnet Filter matches the C2 address and blocks the connection; the event is logged in Monitor.

Quick check · Q3 of 10 · Apply

Streaming video is saturating the link even though it is running on an unusual port. Which service handles this best?

Correct: b. App Control identifies applications by signature regardless of port, so it still sees the app on an evasive port and can throttle (bandwidth-manage) or block it. GeoIP/Botnet/GAV solve different problems.
👉 So far: App Control IDs apps by signature regardless of port (allow/block/throttle); the Botnet Filter blocks known C2 IPs and GeoIP blocks countries — the two near-zero-tuning levers.

④ Web filtering with CFS — and the DPI-SSL dependency

The Content Filtering Service (CFS) is URL-category filtering. SonicWall classifies websites into categories — gambling, adult, malware, social media and many more — and you build CFS policies and profiles with allowed / forbidden category lists, then apply them via zones or access rules. A Client CFS option extends the same filtering to roaming users who are off the corporate network.

The dependency everyone forgets

RFDPI can only inspect the inside of an HTTPS session when DPI-SSL decryption is enabled. With DPI-SSL off, GAV, IPS, App Control and CFS see only encrypted bytes for that session — a malware download or a forbidden category over HTTPS passes uninspected.

Tuning pitfalls to avoid: do not set every IPS signature to Prevent, scope CFS policies by user or group so the rules fit the audience, use App Control to bandwidth-manage rather than hard-block where you can, and turn on Botnet and GeoIP early because they cost almost nothing to run.

Figure 5 — A web request through the security services
[Diagram: Request (user opens a site) → Decrypt (DPI-SSL if HTTPS) → Categorize (CFS URL category) → Scan (App Control, IPS, GAV) → Verdict (allow / block / log)]
CFS, App Control, IPS and GAV all inspect the same decrypted stream in one RFDPI pass.

Rohit at an Indore logistics firm faces this

A warehouse PC keeps making odd outbound connections to foreign IPs at night, and antivirus flags it as infected — yet GAV, IPS and the Botnet Filter are all licensed and 'on'.

Likely cause

The security services are enabled on the default LAN rule, but this PC sits on a separate WLAN/guest zone whose access rule never had the services ticked — so its outbound C2 traffic is never inspected.

Diagnosis

Confirm the suspicious flows and source zone in the logs, then open the access rule for that zone — the Botnet/IPS/GAV toggles are unchecked. (If the callbacks ride HTTPS, DPI-SSL is also off.)

Where to look: SonicOS 7 ▸ Monitor ▸ Connections/Logs + Policy ▸ Rules and Policies ▸ Access Rules

Fix

Enable the Botnet Filter, GAV/Anti-Spyware and IPS on the access rule covering that zone; if the C2 uses HTTPS, also enable Client DPI-SSL so RFDPI can inspect inside TLS.

Verify

Re-check Monitor ▸ Logs: the botnet callbacks now show as blocked, the infected host can no longer reach its C2, and no new strange outbound connections appear from that zone.
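A small audit of the licensed-but-not-applied gap from the trap above and from Rohit's WLAN case, added here as an example; it is not SonicWall's code or export format. It assumes a simplified rule representation (name, zone pair, action, the service toggles ticked on that rule) plus one global Client DPI-SSL flag, and reproduces the case: everything ticked on LAN→WAN, only CFS on the guest WLAN rule, DPI-SSL off.

```python
# Added example, not SonicWall code: audit which licensed security services
# actually apply on the allow rule carrying a zone-to-zone path, and whether
# HTTPS on that path can be inspected at all. The rule shape below is a
# constructed simplification (assumption), not SonicOS's real export format.
from dataclasses import dataclass, field

# The services the lesson covers. Licensed but not ticked on a rule = inspects nothing.
SERVICES = frozenset({"GAV", "Anti-Spyware", "IPS", "App Control", "Botnet", "GeoIP", "CFS"})


@dataclass
class AccessRule:
    name: str
    from_zone: str
    to_zone: str
    action: str                                   # "allow" or "deny"
    services: frozenset = frozenset()             # service toggles ticked on this rule


@dataclass
class FirewallConfig:
    licensed: frozenset                           # services with an active licence
    client_dpi_ssl: bool                          # Client DPI-SSL decrypts outbound TLS
    rules: list = field(default_factory=list)


def audit_path(cfg: FirewallConfig, from_zone: str, to_zone: str) -> dict:
    """Findings for the first allow rule on from_zone -> to_zone."""
    rule = next((r for r in cfg.rules if r.from_zone == from_zone
                 and r.to_zone == to_zone and r.action == "allow"), None)
    if rule is None:
        return {"rule": None, "missing": frozenset(), "https_blind": False}
    return {
        "rule": rule.name,
        # Licensed services that this rule never applies to the path.
        "missing": (cfg.licensed & SERVICES) - rule.services,
        # Without DPI-SSL, even a ticked service sees only ciphertext on HTTPS.
        "https_blind": not cfg.client_dpi_ssl,
    }


def audit_all(cfg: FirewallConfig) -> dict:
    """Map every allow rule's (from, to) pair to its findings."""
    return {(r.from_zone, r.to_zone): audit_path(cfg, r.from_zone, r.to_zone)
            for r in cfg.rules if r.action == "allow"}


# Constructed config reproducing the case above: everything ticked on LAN->WAN,
# only CFS on the guest WLAN rule, Client DPI-SSL still off.
DEMO_CONFIG = FirewallConfig(
    licensed=SERVICES,
    client_dpi_ssl=False,
    rules=[
        AccessRule("LAN to WAN", "LAN", "WAN", "allow", SERVICES),
        AccessRule("WLAN to WAN", "WLAN", "WAN", "allow", frozenset({"CFS"})),
        AccessRule("DMZ to LAN", "DMZ", "LAN", "deny"),
    ],
)

if __name__ == "__main__":
    for path, finding in audit_all(DEMO_CONFIG).items():
        gaps = ", ".join(sorted(finding["missing"])) or "none"
        print(f"{path[0]}->{path[1]} ({finding['rule']}): not applied: {gaps}; "
              f"HTTPS uninspected: {finding['https_blind']}")
```

Run against a real rule table the same way: any allow rule whose "missing" set is non-empty is a path the licence is not protecting, and a True https_blind means the fix also needs DPI-SSL, not just more ticks.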

Prove it from the logs, not a hunch

Never close an 'is it blocked?' ticket on assumption. The SonicOS Monitor logs show the exact connection, the matched service (GAV/IPS/Botnet/CFS) and the action taken. One read tells you whether the service fired — and whether the traffic was even decrypted by DPI-SSL.
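The "read the log, not the hunch" check above, as an added example that is not SonicWall's code: it parses key=value log lines and answers, per source zone, which service fired with which action and how many TLS sessions passed undecrypted. The log lines are constructed, and the field names (srcZone, service, action, dpissl) are assumptions that only loosely imitate SonicOS's syslog style, so map them to your real export before use.

```python
# Added example, not SonicWall code: answer "did the service fire, and was the
# session decrypted?" per source zone from key=value firewall log lines.
# The lines are constructed and the field names (srcZone, service, action,
# dpissl) are assumptions that only loosely imitate SonicOS's syslog schema.
import re
from collections import defaultdict

# key=value pairs; values may be double-quoted and contain spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

SAMPLE_LOGS = """\
time="2026-06-19 02:13:41" srcZone=WLAN src=10.20.0.55 dstZone=WAN dst=203.0.113.9 proto=tcp/443 service=Botnet action=blocked msg="Botnet C2 IP blocked" dpissl=no
time="2026-06-19 02:13:52" srcZone=WLAN src=10.20.0.55 dstZone=WAN dst=203.0.113.9 proto=tcp/443 service=Botnet action=blocked msg="Botnet C2 IP blocked" dpissl=no
time="2026-06-19 02:14:05" srcZone=LAN src=10.10.0.12 dstZone=WAN dst=198.51.100.7 proto=tcp/443 service=GAV action=blocked msg="Gateway Anti-Virus: malware blocked" dpissl=yes
time="2026-06-19 02:14:20" srcZone=LAN src=10.10.0.12 dstZone=WAN dst=198.51.100.7 proto=tcp/443 service=IPS action=detected msg="IPS Detection Alert" dpissl=yes
time="2026-06-19 02:15:00" srcZone=DMZ src=172.16.5.4 dstZone=WAN dst=192.0.2.44 proto=tcp/443 service=- action=allowed msg="Connection opened" dpissl=no
"""


def parse_line(line: str) -> dict:
    """Split one key=value line into a dict, unquoting quoted values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(line)}


def summarize(text: str) -> dict:
    """Per source zone: (service, action) counts and how many TLS sessions
    went through without DPI-SSL, i.e. the engine saw only ciphertext."""
    zones = defaultdict(lambda: {"fired": defaultdict(int), "undecrypted_tls": 0})
    for raw in text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        z = zones[ev.get("srcZone", "?")]
        if ev.get("service", "-") != "-":
            z["fired"][(ev["service"], ev.get("action", "?"))] += 1
        if ev.get("proto", "").endswith("/443") and ev.get("dpissl") == "no":
            z["undecrypted_tls"] += 1
    return {zone: {"fired": dict(v["fired"]), "undecrypted_tls": v["undecrypted_tls"]}
            for zone, v in zones.items()}


def service_blocked(text: str, zone: str, service: str) -> bool:
    """True only if the log proves the service fired with action=blocked from that zone."""
    return summarize(text).get(zone, {}).get("fired", {}).get((service, "blocked"), 0) > 0


if __name__ == "__main__":
    for zone, s in summarize(SAMPLE_LOGS).items():
        print(zone, s)
    print("WLAN botnet callbacks blocked:", service_blocked(SAMPLE_LOGS, "WLAN", "Botnet"))
```

A zone with no "fired" entries but a growing undecrypted_tls count is the DPI-SSL symptom from Q4: sessions are passing, but nothing could inspect them.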

Quick check · Q4 of 10 · Analyze

GAV and IPS are licensed and enabled, yet malware still downloads over an HTTPS site with nothing logged. The most likely cause?

Correct: d. Without DPI-SSL the engine cannot decrypt HTTPS, so GAV/IPS/CFS see only ciphertext and the threat passes. Enable DPI-SSL (with a sane bypass list) so RFDPI can inspect inside TLS.
👉 So far: CFS filters websites by URL category via policies/profiles on zones or rules (plus client CFS for roamers); and RFDPI only sees inside HTTPS when DPI-SSL is on.


📝 Wrap-up assessment — six more


Q5 · Remember

Where do the threat signatures and intelligence for SonicWall's security services come from?

Correct: a. Capture Labs is SonicWall's threat-research team that continuously pushes malware, IPS, botnet C2, application and URL-category updates to the firewall. Without an active licence and updates, protection goes stale.
Q6 · Understand

Gateway Anti-Virus (GAV) is best described as…

Correct: b. GAV is gateway-level, stream-based antivirus that scans malware across web, file-transfer and mail protocols inside RFDPI's reassembly-free single pass — it is not the endpoint AV and not only an email filter.
Q7 · Apply

You want to block all inbound traffic from a region your company never does business with, with almost no tuning. Which service?

Correct: c. The GeoIP Filter blocks traffic by country/region using IP-to-country mapping — a blunt, near-zero-tuning risk-reduction lever. App Control targets apps, GAV targets malware, and CFS targets website categories.
Q8 · Analyze

A licensed Botnet Filter is not blocking an infected host's outbound C2 calls. What should you check first?

Correct: d. Services are applied per access rule and zone. A common miss is enabling them on the default LAN rule while a guest/WLAN or DMZ zone goes uninspected, so the C2 traffic is never seen.
Q9 · Evaluate

What is the smartest way to roll out IPS without burying real alerts?

Correct: b. Blanket-Prevent causes a false-positive storm; permanent Detect blocks nothing. Prevent the high-severity categories, detect-and-tune the rest, then promote genuine attacks to Prevent.
Q10 · Evaluate

Why is enabling DPI-SSL the strongest single move to make the security services effective?

Correct: c. The bulk of web traffic is encrypted. Without DPI-SSL the engine cannot look inside TLS, so the services inspect nothing for HTTPS sessions and threats/categories ride straight through.

🧠 In your own words

Type one line: why is it wrong to say 'the SonicWall is licensed, so it's protecting everything'? Then compare with the expert version.

Expert version: Because protection comes from individual security services — GAV, Anti-Spyware, IPS, App Control, Botnet, GeoIP and CFS — that all run in one RFDPI single pass but only inspect a path when they are actually enabled on that access rule or zone. A service can be fully licensed and updated by Capture Labs yet protect nothing on a guest or DMZ zone where it was never ticked. On top of that, RFDPI can only see inside HTTPS when DPI-SSL is on, so even an enabled service is blind to encrypted threats without decryption. 'Licensed' is necessary but not sufficient — enabled, on the right rule, with DPI-SSL is what actually protects.


📖 Glossary

Security Services bundle
The licensed set — GAV, Anti-Spyware, IPS, App Control, Botnet Filter, GeoIP Filter and CFS — enabled per access rule or zone on the firewall.
RFDPI single pass
SonicWall's reassembly-free engine that runs all enabled security services together in one pass over the traffic stream.
Capture Labs
SonicWall's threat-research team that continuously pushes signatures and intelligence — malware, IPS, botnet C2, app IDs and URL categories — to firewalls.
Gateway Anti-Virus (GAV)
Stream-based gateway antivirus that scans malware over HTTP, FTP, SMTP, POP3 and IMAP without buffering whole files.
Anti-Spyware
Service that blocks spyware payloads and their phone-home / call-back traffic.
IPS (Intrusion Prevention)
Signature-based detection of exploits, worms and scans, organised into severity-rated categories with a Prevent (block) or Detect (log) action.
Application Control
Port-independent identification and control — allow, block, or bandwidth-manage — of thousands of applications by signature.
Botnet Filter
Blocks connections to or from known botnet command-and-control (C2) IP addresses.
GeoIP Filter
Blocks or allows traffic by country or geographic region using IP-to-country mapping.
Content Filtering Service (CFS)
URL-category web filtering via policies and profiles applied through zones or access rules, with a Client CFS option for roaming users.


What's next?

Got the security services? Next, go deep on SonicWall VPNs — site-to-site IPsec tunnels for branch links and SSL VPN for remote users with NetExtender and Mobile Connect.