
[SRX] Redirect web filtering example via custom objects


Article ID: KB15512   KB Last Updated: 22 Feb 2020   Version: 3.0
Summary:

This article provides information on how to configure redirect Web filtering by using a custom URL pattern and URL category lists.

Symptoms:
  • This article provides an example of configuring redirect Web filtering (also known as URL filtering) using custom objects.

  • For basic information, additional examples, and troubleshooting about integrated Web filtering, refer to KB16444 - SRX Getting Started - Redirect Web Filtering.
Solution:

This section contains the following:

  • Configuration Task Overview

  • J-Web Configuration

  • CLI Configuration

  • Full Working Configuration Example

Configuration Task Overview

Configuring redirect Web filtering consists of the following tasks:

  • Configuring UTM custom objects and assigning them to categories

  • Configuring redirect Web filtering parameters

  • Configuring a UTM policy for each protocol and attaching the policy to a profile

  • Attaching the UTM policy to a firewall security policy

You do not need a license on the SRX device to use the redirect Web filtering feature.

 

J-Web Configuration

To configure the redirect Web filtering feature profile:

  1. Select Configure>Security>UTM>Global options.

  2. Click the Web Filtering tab.

  3. In the Filtering Type list, select Websense Redirect.

  4. Click OK. A status prompt appears. Click OK. If the custom object is not successfully saved, click Details for more information.
 

To configure a UTM policy for Web filtering:

  1. Select Configure>Security>Policy>UTM Policies.

  2. Click Add to configure a UTM policy. The Add Policy window appears.

  3. In the Main tab, next to Policy Name, enter a unique name for the UTM policy you are creating (for example, custom-utm-policy).

  4. Click the Web filtering profiles tab.

  5. Next to HTTP profile, select junos-wf-websense-default.

  6. Click OK. A status prompt appears. Click OK. If the UTM policy is not successfully saved, click Details for more information.


To attach the UTM policy to a security policy:

  1. Select Configure>Security>Policy>FW Policies.

  2. Select the trust-to-untrust (default-permit) security policy, and click Edit.

  3. In the Edit Policy window, click Application Services.

  4. In the UTM Policy list, select the UTM policy to attach to the security policy (in this example, custom-utm-policy).

  5. Click OK. A status prompt appears. Click OK. If the UTM policy is not successfully saved, click Details for more information.
 

Make sure that your policy is activated. By default, after you create a policy, it is activated.
 

To create a URL pattern list custom object:

  1. Select Configure>Security>UTM>Custom Objects.

  2. Click the URL Pattern List tab.

  3. Click Add to create URL pattern lists. The Add URL Pattern window appears.

  4. Next to URL Pattern Name, enter a unique name for the list you are creating (for example, black-list or white-list).

  5. Next to URL Pattern Value, enter the URL or IP address that you want added to the list (for example, http://*.hacking.com).

  6. Click Add to add the URL pattern. The pattern appears in the Values box.

  7. To add more URLs or IP addresses, repeat steps 5 and 6.

  8. Click OK to save the URL pattern list.

A status prompt appears. Click OK. If the URL pattern list is not successfully saved, click Details for more information.

To create a custom URL category list custom object:
 
  1. Select Configure>Security>UTM>Custom Objects.

  2. Click the URL Category List tab.

  3. Click Add to create URL category lists. The Add URL Category window appears.

  4. Next to URL Category Name, enter a unique name for the URL category list custom object (for example, blocked-sites or allowed-sites).

  5. Next to Available Values, select a URL pattern that you created earlier (for example, black-list from the previous procedure), and click the right arrow button to move it to the Selected Values box.

  6. To add more values, repeat step 5 as necessary.

  7. Click OK. A status prompt appears. Click OK. If the URL category list is not successfully saved, click Details for more information.


To configure the redirect Web filtering feature profile:
 
  1. Select Configure>Security>UTM>Global options.

  2. Click the Web Filtering tab.

  3. Next to URL whitelist, select a URL category list that you created earlier (in this example, allowed-sites from the previous procedure).

  4. Next to URL blacklist, select a URL category list that you created earlier (in this example, blocked-sites from the previous procedure).

  5. In the Filtering Type list, select Websense Redirect.

  6. Click OK. A status prompt appears. Click OK. If the custom object is not successfully saved, click Details for more information.

  7. In the left pane, under Security>UTM, select Web Filtering.

  8. Click Add to create a profile for redirect Web filtering.

  9. In the Main tab, next to Profile name, enter a unique name for the Web filtering profile (for example, web-filter-redirect).

  10. In the Profile Type list, select Websense.

  11. Next to Account, enter the Websense account for this profile. This field is optional.

  12. Next to Server, enter the Websense server name (for example, Websenseserver).

  13. Next to Port, enter the port number used to communicate with the Websense server (for example, 8080).

  14. Next to Sockets, enter the number of sockets used for communicating between the client and server. Using 8 sockets is recommended.

  15. Next to Timeout, enter the timeout for requests, in seconds. A timeout of 10 seconds is recommended.

  16. Next to Custom Block Message, enter a custom message that is sent when HTTP requests are blocked (for example, ***DENIED***).

  17. Click the Fallback options tab.

  18. Next to Default Action, select Log and permit or Block as the action to occur when a request fails because it does not match any categories (in this example, Block).

  19. Next to Server Connectivity, select Log and permit or Block as the action to occur when a request fails for this reason (in this example, Block).

  20. Next to Timeout, select Log and permit or Block as the action to occur when a request fails for this reason (in this example, Block).

  21. Next to Too Many Requests, select Log and permit or Block as the action to occur when a request fails for this reason (in this example, Block).

  22. Click OK. A status prompt appears. Click OK. If the Web filtering options are not successfully saved, click Details for more information.


To configure a UTM policy for Web filtering:
 
  1. Select Configure>Security>Policy>UTM Policies.

  2. Click Add to configure a UTM policy. The Add Policy window appears.

  3. Click the Main tab.

  4. In the Policy Name box, enter a unique name for the UTM policy you are creating (for example, utm-web-filter-redirect).

  5. In the Session per client limit box, enter a session per client limit from 0 to 20000 for this UTM policy.

  6. For Session per client over limit, select one of the following: Log and Permit or Block. This is the action the device takes when the session per client limit for this UTM policy is exceeded.

  7. Click the Web filtering profiles tab.

  8. Next to HTTP profile, select the profile you previously configured (in this example, web-filter-redirect).

  9. Click OK. A status prompt appears. Click OK. If the UTM policy is not successfully saved, click Details for more information.

To attach the UTM policy to a security policy:
 
  1. Select Configure>Security>Policy>FW Policies.

  2. Click Add. The Add Policy window appears.

  3. Click the Policy tab.

  4. In the Policy Name box, enter the name of the policy (for example, rewebfilter).

  5. Next to From Zone, select a zone from the list (for example, trust).

  6. Next to To Zone, select a zone from the list (for example, untrust).

  7. Choose a source address (for example, any).

  8. Choose a destination address (for example, any).

  9. Choose an application by selecting junos-http in the Application Sets box and clicking the arrow button.

  10. Next to Default Policy Action, select permit.

  11. Click the Application Services tab.

  12. Next to UTM Policy, select the UTM policy to be attached to the security policy (in this example, utm-web-filter-redirect).

  13. Click OK. A status prompt appears. Click OK. If the policy is not successfully saved, click Details for more information.

Make sure that your policy is activated. By default, after you create a policy, it is activated.

 

CLI Configuration

The following example activates redirect Web filtering.

  1. Configure the device to use the redirect Web filtering feature.

    user@host# set security utm feature-profile web-filtering type websense-redirect
  2. Create a UTM policy and associate the predefined "junos-wf-websense-default" profile with the policy.

    user@host# set security utm utm-policy custom-utm-policy web-filtering http-profile junos-wf-websense-default
  3. Apply the UTM policy to the existing trust-to-untrust security policy.

    user@host# set security policies from-zone trust to-zone untrust policy default-permit then permit application-services utm-policy custom-utm-policy

To configure redirect Web filtering, create the UTM custom objects first. Custom objects are global parameters for UTM features and apply to all UTM policies where applicable, rather than only to individual policies. In this example, custom URL black and white lists are put into two separate categories.

  1. Define the custom URL pattern lists.

    user@host# set security utm custom-objects url-pattern black-list value http://*.sex.com
    user@host# set security utm custom-objects url-pattern black-list value http://*.guns.com
    user@host# set security utm custom-objects url-pattern black-list value http://*.hacking.com
    user@host# set security utm custom-objects url-pattern white-list value http://*.juniper.net
    user@host# set security utm custom-objects url-pattern white-list value http://*.cnn.net
    user@host# set security utm custom-objects url-pattern white-list value http://*.msn.net
  2. Define the custom URL categories by putting the white-list in one category and the black-list in the other category.

    user@host# set security utm custom-objects custom-url-category allowed-sites value white-list
    user@host# set security utm custom-objects custom-url-category blocked-sites value black-list

After creating the custom objects, define the global URL lists.

  1. Define the global URL white and black lists.

    user@host# set security utm feature-profile web-filtering url-whitelist allowed-sites
    user@host# set security utm feature-profile web-filtering url-blacklist blocked-sites
  2. Define the Websense Redirect Server settings:

    user@host# set security utm feature-profile web-filtering websense-redirect profile web-filter-redirect server host Websenseserver
    user@host# set security utm feature-profile web-filtering websense-redirect profile web-filter-redirect server port 8080
    user@host# set security utm feature-profile web-filtering websense-redirect profile web-filter-redirect custom-block-message ***DENIED***
    user@host# set security utm feature-profile web-filtering websense-redirect profile web-filter-redirect timeout 1800
    user@host# set security utm feature-profile web-filtering websense-redirect profile web-filter-redirect sockets 4
  3. Create the Web filtering profile and specify the actions to be taken for each category (user-defined and custom). The fallback options define the actions to be taken for traffic when errors in each configured category occur.

    user@host# set security utm feature-profile web-filtering websense-redirect profile web-filter-redirect fallback-settings default block
    user@host# set security utm feature-profile web-filtering websense-redirect profile web-filter-redirect fallback-settings server-connectivity block
    user@host# set security utm feature-profile web-filtering websense-redirect profile web-filter-redirect fallback-settings timeout block
    user@host# set security utm feature-profile web-filtering websense-redirect profile web-filter-redirect fallback-settings too-many-requests block
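An added example, not part of the Juniper article, that models how one HTTP request is evaluated against the objects defined above: the global url-whitelist, then the global url-blacklist, then the redirect to the Websense server, with fallback-settings deciding the action when the server gives no verdict or fails. It assumes that order of evaluation and that a url-pattern is matched, with '*' as a wildcard, against the scheme and host of the requested URL; the server stub and the request URLs are constructed.

```python
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Custom objects exactly as the article's CLI steps define them.
URL_PATTERNS: Dict[str, List[str]] = {
    "black-list": ["http://*.sex.com", "http://*.guns.com", "http://*.hacking.com"],
    "white-list": ["http://*.juniper.net", "http://*.cnn.net", "http://*.msn.net"],
}
CUSTOM_URL_CATEGORIES = {"allowed-sites": ["white-list"], "blocked-sites": ["black-list"]}
URL_WHITELIST = "allowed-sites"        # url-whitelist allowed-sites
URL_BLACKLIST = "blocked-sites"        # url-blacklist blocked-sites
FALLBACK_SETTINGS = {"default": "block", "server-connectivity": "block",
                     "timeout": "block", "too-many-requests": "block"}

class ServerFailure(Exception):
    """Raised by the server stub; the message names the fallback-settings key."""

def category_matches(category: str, url: str) -> bool:
    """True when a url-pattern value in the category matches scheme://host of the URL.
    Assumption: '*' is a wildcard over the host part (fnmatchcase stands in for the SRX matcher)."""
    parts = urlsplit(url)
    target = f"{parts.scheme}://{parts.netloc}"
    return any(fnmatchcase(target, pattern)
               for pattern_list in CUSTOM_URL_CATEGORIES[category]
               for pattern in URL_PATTERNS[pattern_list])

def evaluate(url: str, query_server: Callable[[str], Optional[str]],
             fallback: Dict[str, str] = FALLBACK_SETTINGS) -> str:
    """Return 'permit', 'block' or 'log-and-permit' for one HTTP request. query_server
    returns 'permit'/'block', None for no verdict ('default' fallback), or raises ServerFailure."""
    if category_matches(URL_WHITELIST, url):
        return "permit"                 # assumption: whitelist is checked first
    if category_matches(URL_BLACKLIST, url):
        return "block"                  # local blacklist, no server round-trip
    try:
        verdict = query_server(url)     # request redirected to the Websense server
        reason = "default"
    except ServerFailure as err:
        verdict, reason = None, str(err)
    if verdict is not None:
        return verdict
    action = fallback.get(reason, fallback["default"])
    return "block" if action == "block" else "log-and-permit"

def websense_stub(url: str) -> Optional[str]:
    """Constructed stand-in for the Websense server: blocks one host, times out on another."""
    host = urlsplit(url).netloc
    if host == "timeout.example":
        raise ServerFailure("timeout")
    return "block" if host == "bad.example" else "permit"
```

Note that http://hacking.com (no subdomain) does not match http://*.hacking.com, so a blacklist that should cover the bare domain needs a second pattern for it.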

Define the UTM policy for the protocol and attach this policy to a profile. Then apply the UTM policy to a firewall security policy as an application service.

  1. Define the UTM policy for HTTP and attach this policy to a profile.

    user@host# set security utm utm-policy utm-web-filter-redirect web-filtering http-profile web-filter-redirect
  2. Apply the UTM policy to a policy from the Trust zone to the Untrust zone.

    user@host# set security policies from-zone trust to-zone untrust policy web-filter-redirect match source-address any
    user@host# set security policies from-zone trust to-zone untrust policy web-filter-redirect match destination-address any
    user@host# set security policies from-zone trust to-zone untrust policy web-filter-redirect match application any
    user@host# set security policies from-zone trust to-zone untrust policy web-filter-redirect then permit application-services utm-policy utm-web-filter-redirect
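A small consistency check, added here and not part of the article or of Junos, for the set commands in this procedure: it parses the statement shapes used above and reports any url-pattern, custom-url-category, websense-redirect profile or utm-policy that is referenced but never defined, the kind of dangling reference that otherwise only surfaces as a commit error. The sample below is constructed with two deliberate mismatches.

```python
import re
from typing import Dict, List, Set, Tuple

OBJECT_TYPES = ("url-pattern", "custom-url-category", "profile", "utm-policy")

def lint_set_commands(text: str) -> List[str]:
    """Return one message per object that is referenced but never defined.
    Only the statement shapes used in the article are understood; a leading
    'user@host#' prompt is stripped so commands can be pasted from the page."""
    defined: Dict[str, Set[str]] = {kind: set() for kind in OBJECT_TYPES}
    refs: List[Tuple[str, str, str]] = []            # (kind, name, statement)
    for raw in text.splitlines():
        stmt = re.sub(r"^\s*\S+#\s*", "", raw).strip()
        t = stmt.split()
        if len(t) < 6 or t[0] != "set":
            continue
        try:
            if t[1:5] == ["security", "utm", "custom-objects", "url-pattern"]:
                defined["url-pattern"].add(t[5])
            elif t[1:5] == ["security", "utm", "custom-objects", "custom-url-category"]:
                defined["custom-url-category"].add(t[5])
                if "value" in t:                     # value <url-pattern name>
                    refs.append(("url-pattern", t[t.index("value") + 1], stmt))
            elif t[1:5] == ["security", "utm", "feature-profile", "web-filtering"]:
                if t[5] in ("url-whitelist", "url-blacklist"):
                    refs.append(("custom-url-category", t[6], stmt))
                elif t[5:7] == ["websense-redirect", "profile"]:
                    defined["profile"].add(t[7])
            elif t[1:4] == ["security", "utm", "utm-policy"]:
                defined["utm-policy"].add(t[4])
                if "http-profile" in t:
                    refs.append(("profile", t[t.index("http-profile") + 1], stmt))
            elif t[1:3] == ["security", "policies"] and "utm-policy" in t:
                refs.append(("utm-policy", t[t.index("utm-policy") + 1], stmt))
        except IndexError:                           # truncated statement, ignore
            continue
    return [f"{kind} '{name}' is referenced but never defined: {stmt}"
            for kind, name, stmt in refs if name not in defined[kind]]

# Constructed sample in the article's statement shapes, with two deliberate dangling
# references: category allowed-sites and utm-policy web-filter-redirect are used but not defined.
SAMPLE = """\
user@host# set security utm custom-objects url-pattern black-list value http://*.hacking.com
user@host# set security utm custom-objects custom-url-category blocked-sites value black-list
user@host# set security utm feature-profile web-filtering url-blacklist blocked-sites
user@host# set security utm feature-profile web-filtering url-whitelist allowed-sites
user@host# set security utm feature-profile web-filtering websense-redirect profile web-filter-redirect server host Websenseserver
user@host# set security utm utm-policy utm-web-filter-redirect web-filtering http-profile web-filter-redirect
user@host# set security policies from-zone trust to-zone untrust policy web-filter-redirect then permit application-services utm-policy web-filter-redirect
"""
```

Running lint_set_commands(SAMPLE) yields two findings; the same check against a pasted "show configuration | display set" output works as long as the statements keep these shapes.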

Full Working Configuration Example

version 10.0R3.10;
system {
    host-name Starburst;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    login {
        message "/**** Please reload /var/tmp/default.conf when you are done ****/ ";
        user lab {
            uid 2000;
            class superuser;
            authentication {
                encrypted-password "$ABC123"; ## SECRET-DATA
            }
        }
    }
    services {
        ftp;
        ssh;
        telnet;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.66.94/24;
            }
        }
    }
}
routing-options {
    static {
        route 66.129.243.0/24 {
            next-hop 10.10.66.1;
            no-readvertise;
        }
    }
}
security {
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust;
    }
    policies {
        from-zone trust to-zone trust {
            policy allow {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy web-filter {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy web-filter-redirect {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy web-filter-redirect;
                        }
                    }
                }
            }
        }
    }
    utm {
        custom-objects {
            url-pattern {
                black-list {
                    value [ http://*.test1.com http://*.test2.com http://*.test3.com ];
                }
                white-list {
                    value [ http://*.test4.net http://*.test5.net http://*.test6.net ];
                }
            }
            custom-url-category {
                allowed-sites {
                    value white-list;
                }
                blocked-sites {
                    value black-list;
                }
            }
        }
        feature-profile {
            web-filtering {
                url-whitelist allowed-sites;
                url-blacklist blocked-sites;
                type websense-redirect;
                traceoptions {
                    flag all;
                }
                websense-redirect {
                    profile web-filter-redirect {
                        server {
                            host Websenseserver;
                            port 8080;
                        }
                        custom-block-message ***DENIED***;
                        fallback-settings {
                            default block;
                            server-connectivity block;
                            timeout block;
                            too-many-requests block;
                        }
                        timeout 1800;
                        sockets 4;
                    }
                }
            }
        }
        utm-policy web-filter-redirect {
            web-filtering {
                http-profile web-filter-redirect;
            }
        }
    }
}