Local Web Filtering
- Doesn’t require a license.
- Enables you to define your own lists of allowed sites (allowlist) or blocked sites (blocklist) for which you want to enforce a policy.
Enhanced Web Filtering:
- Is the most powerful integrated filtering method and includes a granular list of URL categories, support for Google Safe Search, and a reputation engine.
- Doesn’t require additional server components.
- Provides real-time threat score for each URL.
- Enables you to redirect users from a blocked URL to a user-defined URL rather than blocking user access to the blocked URL.
Redirect Web Filtering:
- Tracks all queries locally, so you don't need an Internet connection.
- Uses the logging and reporting features of a standalone Websense solution.
You don't need a Web Filtering license if you plan use the SRX Local engine type. You need to manually define your own URL pattern lists and URL categories. Below are the steps in configuring Local Web Filtering in vSRX.
Step 1: List URLs That You Want to Allow or Block
The first step is to define first a custom objects (URL patterns). Go to Configure > Security > UTM > Custom Objects > select URL Pattern List tab > click Add.
Type URL Pattern Name: ALLOWED_WEBSITES > type URL Pattern Value: www.juniper.net > click Add. Add Google and Playstation websites.
Click OK when done.
Click Add > create the BLOCKED_WEBSITE URL Pattern List.
Add Cisco, Yahoo and Xbox websites.
Click OK when done.
Step 2: Categorize the URLs That You Want to Allow or Block
The second step is to assign the created URL Patterns to a URL Category List.
Go to Configure > Security > UTM > Custom Objects > select URL Category List tab > click Add.
Type URL Category Name: GOOD_WEBSITES > select ALLOWED_WEBSITES URL Pattern List and move to Selected Values column on the right > click OK.
Click Add > create the BAD_WEBSITES URL Category list.
Type URL Category Name: BAD_WEBSITES > move BLOCKED WEBSITES URL Pattern list to the Selected Values column on the right > click OK.
Step 3: Add a Web Filtering Profile
The third step is to create a UTM Web Filtering Profile. Go to Configure > Security > UTM > Web Filter > click Add.
Notice there are several default Web Filtering Profiles.
Under Main tab > type Profile name: CUSTOM_LOCAL_WF > select: Local > select Default action: Block > type Timeout: 30 seconds (default is 15 seconds) > type Custom block message (per your IT policy): Website access defined. Please contact IT for assistance.
Leave the default settings under Fallback options tab > click OK.
Click Global Options.
Select URL whitelist: GOOD WEBSITES > select URL blacklist: BAD_WEBSITES.
Select Filtering type: Local > click OK.
Step 4: Reference a Web Filtering Profile in a UTM Policy
The fourth step is to assign the Web Filtering Profile to a UTM Policy. Go to Configure > Security > UTM > Policy > click Add to create a new UTM policy.
Notice there are several default UTM Policy.
Under Main tab > type Policy name: CUSTOM_UTM_POLICY > leave the default for Session per client over limit: Log and permit.
Go to Web filtering profiles tab > select HTTP profile: CUSTOM_LOCAL_WF > click OK.
Step 5: Assign a UTM Policy to a Security Policy
The fifth step is to assign the created UTM Policy to a Security Policy rule.
Filter the Trust to Untrust policy by selecting From Zone: trust > To Zone: untrust > click Filter.
Select the TRUST-UNTRUST policy > click Edit.
Go to Logging tab > select: Log at Session Init Time.
Go to Application Services tab > select UTM Policy > CUSTOM_UTM_POLICY > click OK.
Notice the UTM Policy appeared under NW Services column.
I tried accessing all the websites from a machine in the Trust zone (Windows 7 VM) prior to a Commit.
Click Commit > Commit to apply changes.
Using a Chrome web browser, it showed the website can't be reached and connection was reset for the blocked websites: Cisco, Yahoo and Xbox.
I used an Internet Explorer web browser and it showed the custom message and category/policy for the blocked websites.
Notice the Internet Explorer tab indicated a Juniper Web Filtering.
I tried to access Youtube and CNN websites but it was blocked since they weren't explicitly listed under the allowed URL Pattern List/Category.
To view the UTM Web Filtering Counter or statistics, go to Monitor > Security > UTM > Web Filtering.
Notice the Counter under the White List Hit and Block List Hit.
Click the Clear Web Filter Statistics (in the bottom) to clear the Counters.
You can view the same output using the CLI show security utm web-filtering status and show security utm web-filtering statistics commands.
show root@vSRX-1> show security ?
Possible completions:
advance-policy-based-routing Show advance policy based routing information
alarms Show active security alarm information
alg Show ALG security services information
application-firewall Show security application firewall policies
application-tracking Show Application tracking information
dns-cache Show DNS cache of firewall policy
dynamic-address Security dynamic address name
dynamic-policies Show security firewall dynamic policies
firewall-authentication Show firewall authentication tables, information
flow Show flow information
forward-options Show forward-options status
gprs Show GPRS information
group-vpn Show Group VPN Security information
idp Show Intrusion Detection and Prevention information
ike Show Internet Key Exchange information
internal-security-association Show internal security association
ipsec Show IP Security information
keychain Show all protocols keychain
log Show auditable security log information
match-policies Show security match policies
monitoring Show security SPU monitoring information
nat Show Network Address Translation information
pki Show public-key infrastructure information
policies Show security firewall policies
resource-manager Show resource manager security services information
screen Show screen service information
shadow-policies Show security shadow policies
softwires Show softwire information
ssh Show SSH information
tcp-encap Show TCP encapsulation information
user-identification Show user-identification information
utm Show security utm information
zones Show security zone information
root@vSRX-1> show security utm ?
Possible completions:
anti-spam Show anti-spam information
anti-virus Show anti-virus information
content-filtering Show content-filtering information
session Show security utm session
status Show security utm status
web-filtering Show web-filtering information
root@vSRX-1> show security utm web-filtering ?
Possible completions:
statistics Show web-filtering statistics
status Show web-filtering status
root@vSRX-1> show security utm web-filtering status
UTM web-filtering status:
Server status: Juniper local URL filtering
root@vSRX-1> show security utm web-filtering statistics
UTM web-filtering statistics:
Total requests: 503
white list hit: 19
Black list hit: 54
Web-filtering sessions in total: 128000
Web-filtering sessions in use: 1
Fallback: log-and-permit block
Default 0 0
Timeout 0 0
Connectivity 0 0
Too-many-requests 0 0
Below is the complete show configuration output in vSRX.
root@vSRX-1> edit
Entering configuration mode
[edit]
root@vSRX-1# show
## Last changed: 2021-03-01 04:16:03 SGT
version 15.1X49-D80.4;
system {
host-name vSRX-1;
root-authentication {
encrypted-password "$5$h/gVhuqb$nH2lW4/iyVyXnAnvbBg8aLy2b1HZcpqhiTeH/lSFD./"; ## SECRET-DATA
}
name-server {
8.8.8.8;
}
services {
ssh {
root-login allow;
}
web-management {
https {
system-generated-certificate;
interface ge-0/0/0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp;
}
services {
application-identification;
}
security {
utm {
custom-objects {
url-pattern {
ALLOWED_WEBSITES {
value [ www.juniper.net www.google.com www.playstation.com ];
}
BLOCKED_WEBSITES {
value [ www.cisco.com www.yahoo.com www.xbox.com ];
}
}
custom-url-category {
GOOD_WEBSITES {
value ALLOWED_WEBSITES;
}
BAD_WEBSITES {
value BLOCKED_WEBSITES;
}
}
}
feature-profile {
web-filtering {
url-whitelist GOOD_WEBSITES;
url-blacklist BAD_WEBSITES;
type juniper-local;
juniper-local {
profile CUSTOM_LOCAL_WF {
default block;
custom-block-message "Website access denied. Please contact IT for assistance.";
fallback-settings {
default log-and-permit;
server-connectivity log-and-permit;
timeout log-and-permit;
too-many-requests log-and-permit;
}
timeout 30;
}
}
}
}
utm-policy CUSTOM_UTM_POLICY {
web-filtering {
http-profile CUSTOM_LOCAL_WF;
}
traffic-options {
sessions-per-client {
over-limit log-and-permit;
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
fragment;
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
port-scan threshold 10000;
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set SOURCE-NAT-TRUST {
from zone trust;
to zone untrust;
rule SOURCE-NAT-TRUST {
match {
source-address 172.16.1.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool DEST_NAT_FTP {
address 172.16.1.100/32 port 21;
}
rule-set DEST_NAT_FTP {
from zone untrust;
rule DEST_NAT_FTP {
match {
destination-address 192.168.1.150/32;
destination-port {
21;
}
}
then {
destination-nat {
pool {
DEST_NAT_FTP;
}
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy TRUST-UNTRUST {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
application-services {
utm-policy CUSTOM_UTM_POLICY;
}
}
log {
session-init;
}
}
}
}
from-zone untrust to-zone trust {
policy FTP_UNTRUST_TRUST {
match {
source-address any-ipv4;
destination-address WIN7-VM;
application junos-ftp;
}
then {
permit;
log {
session-init;
}
}
}
}
}
zones {
security-zone trust {
tcp-rst;
address-book {
address WIN7-VM 172.16.1.100/32;
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}
}
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.1.150/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 172.16.1.1/24;
}
}
}
fxp0 {
unit 0 {
family inet;
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.1;
}
}
[edit]