Friday, July 2, 2021

Juniper Networks SRX Firewall Web (URL) Filtering

The Juniper SRX Web Filtering lets you to manage Internet usage by preventing access to inappropriate Web content. There are three types of Web filtering solutions:

Local Web Filtering

  • Doesn’t require a license.
  • Enables you to define your own lists of allowed sites (allowlist) or blocked sites (blocklist) for which you want to enforce a policy.


Enhanced Web Filtering:

  • Is the most powerful integrated filtering method and includes a granular list of URL categories, support for Google Safe Search, and a reputation engine.
  • Doesn’t require additional server components.
  • Provides real-time threat score for each URL.
  • Enables you to redirect users from a blocked URL to a user-defined URL rather than blocking user access to the blocked URL.


Redirect Web Filtering:

  • Tracks all queries locally, so you don't need an Internet connection.
  • Uses the logging and reporting features of a standalone Websense solution.


You don't need a Web Filtering license if you plan use the SRX Local engine type. You need to manually define your own URL pattern lists and URL categories. Below are the steps in configuring Local Web Filtering in vSRX.



Step 1: List URLs That You Want to Allow or Block

 

The first step is to define first a custom objects (URL patterns). Go to Configure > Security > UTM > Custom Objects > select URL Pattern List tab > click Add.

Type URL Pattern Name: ALLOWED_WEBSITES > type URL Pattern Value: www.juniper.net > click Add. Add Google and Playstation websites.

Click OK when done.

Click Add > create the BLOCKED_WEBSITE URL Pattern List.

Add Cisco, Yahoo and Xbox websites.

Click OK when done.

Step 2: Categorize the URLs That You Want to Allow or Block

 

The second step is to assign the created URL Patterns to a URL Category List.

 

Go to Configure > Security > UTM > Custom Objects > select URL Category List tab > click Add.

 

Type URL Category Name: GOOD_WEBSITES > select ALLOWED_WEBSITES URL Pattern List and move to Selected Values column on the right > click OK.

Click Add > create the BAD_WEBSITES URL Category list.

Type URL Category Name: BAD_WEBSITES > move BLOCKED WEBSITES URL Pattern list to the Selected Values column on the right > click OK.


Step 3: Add a Web Filtering Profile

 

The third step is to create a UTM Web Filtering Profile. Go to Configure > Security > UTM > Web Filter > click Add.

 

Notice there are several default Web Filtering Profiles.

 

Under Main tab > type Profile name: CUSTOM_LOCAL_WF > select: Local > select Default action: Block > type Timeout: 30 seconds (default is 15 seconds) > type Custom block message (per your IT policy): Website access defined. Please contact IT for assistance.

Leave the default settings under Fallback options tab > click OK.

Click Global Options.

Select URL whitelist: GOOD WEBSITES > select URL blacklist: BAD_WEBSITES.

Select Filtering type: Local > click OK.

Step 4: Reference a Web Filtering Profile in a UTM Policy

 

The fourth step is to assign the Web Filtering Profile to a UTM Policy. Go to Configure > Security > UTM > Policy > click Add to create a new UTM policy.

 

Notice there are several default UTM Policy.

 

Under Main tab > type Policy name: CUSTOM_UTM_POLICY > leave the default for Session per client over limit: Log and permit.

Go to Web filtering profiles tab > select HTTP profile: CUSTOM_LOCAL_WF > click OK.

Step 5: Assign a UTM Policy to a Security Policy

 

The fifth step is to assign the created UTM Policy to a Security Policy rule.

 

Filter the Trust to Untrust policy by selecting From Zone: trust > To Zone: untrust > click Filter. 

 

Select the TRUST-UNTRUST policy > click Edit.

 



Go to Logging tab > select: Log at Session Init Time.

Go to Application Services tab > select UTM Policy > CUSTOM_UTM_POLICY > click OK.

Notice the UTM Policy appeared under NW Services column.

I tried accessing all the websites from a machine in the Trust zone (Windows 7 VM) prior to a Commit.






Click Commit  > Commit to apply changes.

Using a Chrome web browser, it showed the website can't be reached and connection was reset for the blocked websites: Cisco, Yahoo and Xbox.



I used an Internet Explorer web browser and it showed the custom message and category/policy for the blocked websites.

Notice the Internet Explorer tab indicated a Juniper Web Filtering.



I tried to access Youtube and CNN websites but it was blocked since they weren't explicitly listed under the allowed URL Pattern List/Category.


To view the UTM Web Filtering Counter or statistics, go to Monitor > Security > UTM > Web Filtering.

Notice the Counter under the White List Hit and Block List Hit.

Click the Clear Web Filter Statistics (in the bottom) to clear the Counters.

You can view the same output using the CLI show security utm web-filtering status and show security utm web-filtering statistics commands.

 

show root@vSRX-1> show security ?

Possible completions:

  advance-policy-based-routing  Show advance policy based routing information

  alarms               Show active security alarm information

  alg                  Show ALG security services information

  application-firewall  Show security application firewall policies

  application-tracking  Show Application tracking information

  dns-cache            Show DNS cache of firewall policy

  dynamic-address      Security dynamic address name

  dynamic-policies     Show security firewall dynamic policies

  firewall-authentication  Show firewall authentication tables, information

  flow                 Show flow information

  forward-options      Show forward-options status

  gprs                 Show GPRS information

  group-vpn            Show Group VPN Security information

  idp                  Show Intrusion Detection and Prevention information

  ike                  Show Internet Key Exchange information

  internal-security-association  Show internal security association

  ipsec                Show IP Security information

  keychain             Show all protocols keychain

  log                  Show auditable security log information

  match-policies       Show security match policies

  monitoring           Show security SPU monitoring information

  nat                  Show Network Address Translation information

  pki                  Show public-key infrastructure information

  policies             Show security firewall policies

  resource-manager     Show resource manager security services information

  screen               Show screen service information

  shadow-policies      Show security shadow policies

  softwires            Show softwire information

  ssh                  Show SSH information

  tcp-encap            Show TCP encapsulation information

  user-identification  Show user-identification information

  utm                  Show security utm information

  zones                Show security zone information

root@vSRX-1> show security utm ?

Possible completions:

  anti-spam            Show anti-spam information

  anti-virus           Show anti-virus information

  content-filtering    Show content-filtering information

  session              Show security utm session

  status               Show security utm status

  web-filtering        Show web-filtering information

root@vSRX-1> show security utm web-filtering ?

Possible completions:

  statistics           Show web-filtering statistics

  status               Show web-filtering status

 

root@vSRX-1> show security utm web-filtering status       

 UTM web-filtering status:

    Server status: Juniper local URL filtering

 

 

root@vSRX-1> show security utm web-filtering statistics   

 UTM web-filtering statistics:

    Total requests:                     503

    white list hit:                     19

    Black list hit:                     54

    Web-filtering sessions in total:    128000

    Web-filtering sessions in use:      1

    Fallback:                       log-and-permit           block

          Default                                 0               0

          Timeout                                 0               0

     Connectivity                                 0               0

Too-many-requests                                 0               0


Below is the complete show configuration output in vSRX.

 

root@vSRX-1> edit    

Entering configuration mode

 

[edit]

root@vSRX-1# show

## Last changed: 2021-03-01 04:16:03 SGT

version 15.1X49-D80.4;

system {

    host-name vSRX-1;

    root-authentication {

        encrypted-password "$5$h/gVhuqb$nH2lW4/iyVyXnAnvbBg8aLy2b1HZcpqhiTeH/lSFD./"; ## SECRET-DATA

    }

    name-server {

        8.8.8.8;

    }

    services {

        ssh {

            root-login allow;

        }

        web-management {

            https {

                system-generated-certificate;

                interface ge-0/0/0.0;

            }

        }

    }

    syslog {

        user * {                       

            any emergency;

        }

        file messages {

            any any;

            authorization info;

        }

        file interactive-commands {

            interactive-commands any;

        }

    }

    license {

        autoupdate {

            url https://ae1.juniper.net/junos/key_retrieval;

        }

    }

    ntp;

}

services {

    application-identification;

}

security {

    utm {

        custom-objects {               

            url-pattern {

                ALLOWED_WEBSITES {

                    value [ www.juniper.net www.google.com www.playstation.com ];

                }

                BLOCKED_WEBSITES {

                    value [ www.cisco.com www.yahoo.com www.xbox.com ];

                }

            }

            custom-url-category {

                GOOD_WEBSITES {

                    value ALLOWED_WEBSITES;

                }

                BAD_WEBSITES {

                    value BLOCKED_WEBSITES;

                }

            }

        }

        feature-profile {

            web-filtering {

                url-whitelist GOOD_WEBSITES;

                url-blacklist BAD_WEBSITES;

                type juniper-local;    

                juniper-local {

                    profile CUSTOM_LOCAL_WF {

                        default block;

                        custom-block-message "Website access denied. Please contact IT for assistance.";

                        fallback-settings {

                            default log-and-permit;

                            server-connectivity log-and-permit;

                            timeout log-and-permit;

                            too-many-requests log-and-permit;

                        }

                        timeout 30;

                    }

                }

            }

        }

        utm-policy CUSTOM_UTM_POLICY {

            web-filtering {

                http-profile CUSTOM_LOCAL_WF;

            }

            traffic-options {

                sessions-per-client {

                    over-limit log-and-permit;

                }

            }

        }

    }

    screen {

        ids-option untrust-screen {

            icmp {

                fragment;

                ping-death;

            }

            ip {

                source-route-option;

                tear-drop;

            }

            tcp {

                port-scan threshold 10000;

                syn-flood {

                    alarm-threshold 1024;

                    attack-threshold 200;

                    source-threshold 1024;

                    destination-threshold 2048;

                    queue-size 2000; ## Warning: 'queue-size' is deprecated

                    timeout 20;        

                }

                land;

            }

        }

    }

    nat {

        source {

            rule-set SOURCE-NAT-TRUST {

                from zone trust;

                to zone untrust;

                rule SOURCE-NAT-TRUST {

                    match {

                        source-address 172.16.1.0/24;

                        destination-address 0.0.0.0/0;

                    }

                    then {

                        source-nat {

                            interface;

                        }

                    }

                }

            }

        }                              

        destination {

            pool DEST_NAT_FTP {

                address 172.16.1.100/32 port 21;

            }

            rule-set DEST_NAT_FTP {

                from zone untrust;

                rule DEST_NAT_FTP {

                    match {

                        destination-address 192.168.1.150/32;

                        destination-port {

                            21;

                        }

                    }

                    then {

                        destination-nat {

                            pool {

                                DEST_NAT_FTP;

                            }

                        }

                    }

                }

            }

        }                              

    }

    policies {

        from-zone trust to-zone trust {

            policy default-permit {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                }

            }

        }

        from-zone trust to-zone untrust {

            policy TRUST-UNTRUST {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit {           

                        application-services {

                            utm-policy CUSTOM_UTM_POLICY;

                        }

                    }

                    log {

                        session-init;

                    }

                }

            }

        }

        from-zone untrust to-zone trust {

            policy FTP_UNTRUST_TRUST {

                match {

                    source-address any-ipv4;

                    destination-address WIN7-VM;

                    application junos-ftp;

                }

                then {

                    permit;

                    log {

                        session-init;

                    }

                }                      

            }

        }

    }

    zones {

        security-zone trust {

            tcp-rst;

            address-book {

                address WIN7-VM 172.16.1.100/32;

            }

            interfaces {

                ge-0/0/1.0 {

                    host-inbound-traffic {

                        system-services {

                            ping;

                            ssh;

                        }

                    }

                }

            }

        }

        security-zone untrust {

            screen untrust-screen;

            interfaces {               

                ge-0/0/0.0 {

                    host-inbound-traffic {

                        system-services {

                            ping;

                            ssh;

                            https;

                        }

                    }

                }

            }

        }

    }

}

interfaces {

    ge-0/0/0 {

        unit 0 {

            family inet {

                address 192.168.1.150/24;

            }

        }

    }

    ge-0/0/1 {

        unit 0 {                       

            family inet {

                address 172.16.1.1/24;

            }

        }

    }

    fxp0 {

        unit 0 {

            family inet;

        }

    }

}

routing-options {

    static {

        route 0.0.0.0/0 next-hop 192.168.1.1;

    }

}

 

[edit]