Recently we came across a scenario where a single MAC user could not load Subdomains of Yahoo worked just fine, but refused to load.

Fortunately there is a solution from the Sonicwall forums:

Log in to your SonicWall Device as admin, then change the url from http:///main.html to Http:///diag.html

Look for the check box “Enforce Host Tag Search for CFS”. If it is checked (this is the default setting) just un-check it and hit save.

Here’s why:

CFS is trying to be restrictive, and some sites have such a big header on their HTML (usually keywords) that CFS is expecting to occur in the first packet doesn’t appear until later packets. It has to do with how much data CFS has at hand to make its decision.

It’s not a security issue, it’s a content filtering issue. If this box is checked, CFS will drop the packet if the host tag doesn’t appear in the first packet.

Checking the box means CFS will enforce (require) that the host tag appears in the first packet. There is no RFC (internet standard) that requires the host tag to be in the first packet – it’s a question of how much buffering is in the SonicWALL device.

When you un-check this box, the worst that could happen is that some site that CFS would otherwise block will be allowed because CFS doesn’t have a host tag to check. Most sites have their HOST tag in the first packet returned, it’s only a few rare ones that don’t. And Yahoo does not.

Author: Aaron White, Date: 23rd October 2014


eSOZO Computer and Network Services

4 Walter E Foran Blvd
Suite 301
Flemington, NJ 08822Phone: (888) 376-9648 Email:


Our Services
Real Time Analytics