This article provides examples for configuring, verifying, and troubleshooting integrated Web filtering. For information about redirect Web filtering, see KB16444 - SRX Getting Started - Redirect Web Filtering.
For other topics, go to the SRX Getting Started main page.
Configure integrated Web filtering using a pre-defined Web filtering profile and a category server (the SurfControl Content Portal Authority, provided by Websense).
Configuration Task Overview
Configuring integrated Web filtering consists of the following tasks:
- Verifying license installation
- Configuring UTM custom objects and assigning them to categories
- Configuring integrated Web filtering parameters
- Configuring a UTM policy for each protocol and attaching the policy to a profile
- Attaching the UTM policy to a firewall security policy
For more information and examples, see the Configuring Web Filtering on Branch SRX Series Services Gateways and J Series Services Routers application note and the Technical Documentation section.
Verifying License Installation
Before you configure integrated Web filtering, confirm that the Web filtering license is installed.
J-Web
To verify license installation using J-Web:
- Select Maintain>Licenses.
- Look for WF Key Surfcontrol CPA in the list of licenses.
- If the license is not listed, click Add. The Add License page appears.
- Copy the text from the license file, and paste it in the License Key Text box.
- Click OK.
CLI
To verify license installation using the CLI:
- Run the show system license command, and look for wf_key_surfcontrol_cpa.
user@host> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  av_key_kaspersky_engine               1            1           0    2010-12-30 16:00:00 PST
  wf_key_surfcontrol_cpa                1            1           0    2010-12-30 16:00:00 PST
- If no license is installed, install the license by entering the following command:
user@host> request system license add terminal
- Copy the text from the license file, and paste it at the command prompt.
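The license check above is easy to do by eye on one device, but the same table is what you would scrape when auditing a fleet. The following is an added example (not part of the KB article) that parses the License usage table printed by show system license, as captured text, and reports whether wf_key_surfcontrol_cpa is present, whether the device reports more licenses needed than installed, and whether the expiry date has passed; the sample output is constructed from the listing shown above.

```python
"""Check 'show system license' output for the integrated Web filtering license.

Added example, not from the Juniper KB article. It parses the 'License usage'
table printed by 'show system license' (captured as text, for instance over
SSH or from a saved session) and reports whether wf_key_surfcontrol_cpa is
present, whether more licenses are needed than installed, and whether the
expiry date has already passed.
"""
import re
from datetime import datetime

# Constructed sample modelled on the output shown in the article.
SAMPLE_OUTPUT = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  av_key_kaspersky_engine               1            1           0    2010-12-30 16:00:00 PST
  wf_key_surfcontrol_cpa                1            1           0    2010-12-30 16:00:00 PST
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# One data row: feature name, used, installed, needed, optional expiry timestamp.
# The time-zone label (PST) is left out of the match; permanent licenses have no expiry.
ROW_RE = re.compile(
    r"^\s*(?P<feature>[a-z][a-z0-9_-]*)\s+(?P<used>\d+)\s+(?P<installed>\d+)\s+(?P<needed>\d+)"
    r"(?:\s+(?P<expiry>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}))?"
)


def parse_licenses(output):
    """Map feature name -> counters and expiry (datetime or None) from the table."""
    licenses = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header lines and blank lines do not match the row pattern
        expiry = m.group("expiry")
        licenses[m.group("feature")] = {
            "used": int(m.group("used")),
            "installed": int(m.group("installed")),
            "needed": int(m.group("needed")),
            "expiry": datetime.strptime(expiry, TIME_FMT) if expiry else None,
        }
    return licenses


def check_wf_license(output, as_of, feature="wf_key_surfcontrol_cpa"):
    """Return (ok, reason) for the Web filtering license as of the given timestamp string."""
    lic = parse_licenses(output).get(feature)
    if lic is None:
        return False, "missing"
    if lic["needed"] > 0:
        return False, "insufficient"  # the device wants more licenses than are installed
    if lic["expiry"] is not None and lic["expiry"] <= datetime.strptime(as_of, TIME_FMT):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    now = datetime.now().strftime(TIME_FMT)
    ok, reason = check_wf_license(SAMPLE_OUTPUT, now)
    print(f"wf_key_surfcontrol_cpa: {reason}")
```

Run against today's date the sample reports expired, which is the point of checking the Expiry column rather than just the feature name: an expired Web filtering license leaves the policy in place but the category lookups stop working.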
J-Web Configuration
To configure the integrated Web filtering feature profile:
- Select Configure>Security>UTM>Global options.
- Click the Web Filtering tab.
- In the Filtering Type list, select Surf Control Integrated.
- Next to Cache timeout, enter the timeout (in minutes) for expiring cache entries (for example, 1800).
- Next to Cache Size, enter the maximum number of kilobytes (KB) for the cache (for example, 500).
- Next to Server Host, enter the Surf Control server name or IP address (for example, cpa.surfcpa.com).
- Next to Server Port, enter the port number used to communicate with the Surf Control server (for example, 9020).
- Click OK. A status popup appears. If the configuration changes are saved successfully, the popup automatically closes. If the changes are not saved successfully, click Details for more information.
To configure a UTM policy for Web filtering:
- Select Configure>Security>Policy>UTM Policies.
- Click Add to configure a UTM policy. The Add Policy window appears.
- Click the Main tab.
- In the Policy Name box, enter a unique name for the UTM policy you are creating (for example, web-filter).
- In the Session per client limit box, enter a session per client limit from 0 to 20000 for this UTM policy.
- For Session per client over limit, select one of the following: Log and Permit or Block. This is the action the device takes when the session per client limit for this UTM policy is exceeded.
- Click the Web filtering profiles tab.
- Next to HTTP profile, select junos-wf-cpa-default, which is the default profile.
- Click OK. A status popup appears. If the configuration changes are saved successfully, the popup automatically closes. If the changes are not saved successfully, click Details for more information.
To attach the UTM policy to a security policy:
- Select Configure>Security>Policy>FW Policies.
- Click Add. The Add Policy window appears.
- Click the Policy tab.
- In the Policy Name box, enter the name of the policy (for example, web-filter).
- Next to From Zone, select a zone from the list (for example, trust).
- Next to To Zone, select a zone from the list (for example, untrust).
- Choose a source address (for example, any).
- Choose a destination address (for example, any).
- Choose an application by selecting junos-http in the Application Sets box and clicking the arrow button.
- Next to Default Policy Action, select permit.
- Click the Application Services tab.
- Next to UTM Policy, select the UTM policy to be attached to the security policy (in this example, web-filter).
- Click OK. A status popup appears. If the configuration changes are saved successfully, the popup automatically closes. If the changes are not saved successfully, click Details for more information.
Make sure that your policy is activated. By default, in JUNOS Release 9.6 and earlier, after you create a policy, it is activated. In JUNOS Release 10.0 and higher, your changes do not take effect until you click the Commit button (under the tabs).
CLI Configuration
Set the Web filtering feature-profile parameters.
- Set the type of Web filtering to surf-control-integrated.
user@host# set security utm feature-profile web-filtering type surf-control-integrated
- Define the cache settings for the SurfControl integrated server.
user@host# set security utm feature-profile web-filtering surf-control-integrated cache timeout 1800
user@host# set security utm feature-profile web-filtering surf-control-integrated cache size 500
Define the UTM policy for the protocol and attach this policy to a profile. Then apply the UTM policy to a firewall security policy as an application service.
- Define the UTM policy for HTTP (web-filter) and attach this policy to the pre-defined profile junos-wf-cpa-default.
user@host# set security utm utm-policy web-filter web-filtering http-profile junos-wf-cpa-default
- Apply the UTM policy to a policy from the trust zone to the untrust zone, and set the application services to be allowed.
user@host# set security policies from-zone trust to-zone untrust policy web-filter match source-address any
user@host# set security policies from-zone trust to-zone untrust policy web-filter match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy web-filter match application junos-http
user@host# set security policies from-zone trust to-zone untrust policy web-filter then permit application-services utm-policy web-filter
Technical Documentation
UTM Web Filtering Feature Guide for Security Devices
Verification
Use the show security utm web-filtering status command to check the status of the SurfControl server.
user@host> show security utm web-filtering status
UTM web-filtering status:
    Server status: SC-CPA server up
Use the show security utm web-filtering statistics command to review statistical information about integrated Web filtering.
user@host> show security utm web-filtering statistics
UTM web-filtering statistics:
    Total requests:                     0
    white list hit:                     0
    Black list hit:                     0
    Queries to server:                  0
    Server reply permit:                0
    Server reply block:                 0
    Custom category permit:             0
    Custom category block:              0
    Cache hit permit:                   0
    Cache hit block:                    0
    Web-filtering sessions in total:    4000
    Web-filtering sessions in use:      0
    Fall back:                log-and-permit            block
         Default                         0                0
         Timeout                         0                0
         Connectivity                    0                0
         Too-many-requests               0                0
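The status and statistics outputs are the evidence that filtering is actually happening. The Fall back table in particular deserves a look: each row counts requests for which the device could not get an answer from the category server (no reply before the timeout, no connectivity, too many outstanding requests, or the default case), and the log-and-permit column is the number of those requests that were allowed through without a category lookup. The following added example (not part of the KB article) parses the two outputs as captured text and turns them into findings: server not up, requests passed through by the log-and-permit fallback, and the session pool close to exhausted. The sample outputs are constructed from the listings above, with a few non-zero counters so the checks have something to report.

```python
"""Flag conditions under which integrated Web filtering is not protecting traffic.

Added example, not from the Juniper KB article. It parses the text of
'show security utm web-filtering status' and 'show security utm web-filtering
statistics' (captured over SSH or from a saved session) and reports when the
SurfControl CPA server is not up, when requests were passed through by the
log-and-permit fallback without being categorized, or when the session pool
is close to exhausted.
"""
import re

# Constructed samples modelled on the article's output, with a few non-zero
# counters so that the checks have something to report.
STATUS_OUTPUT = """\
UTM web-filtering status:
    Server status: SC-CPA server up
"""

STATS_OUTPUT = """\
UTM web-filtering statistics:
    Total requests:                     120
    white list hit:                       5
    Black list hit:                       2
    Queries to server:                  100
    Server reply permit:                 90
    Server reply block:                   4
    Custom category permit:               0
    Custom category block:                0
    Cache hit permit:                    10
    Cache hit block:                      1
    Web-filtering sessions in total:   4000
    Web-filtering sessions in use:     3900
    Fall back:                log-and-permit            block
         Default                         0                0
         Timeout                         6                0
         Connectivity                    0                0
         Too-many-requests               0                0
"""

# "Name:   <number>" counter lines.
COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z -]*?):\s+(?P<value>\d+)\s*$")
# Rows of the fallback table: reason, log-and-permit count, block count.
FALLBACK_RE = re.compile(
    r"^\s*(?P<reason>Default|Timeout|Connectivity|Too-many-requests)\s+(?P<permit>\d+)\s+(?P<block>\d+)\s*$"
)


def parse_status(text):
    """Return the 'Server status' value, or None if the line is absent."""
    m = re.search(r"Server status:\s*(.+)", text)
    return m.group(1).strip() if m else None


def parse_statistics(text):
    """Return (counters, fallback): counters keyed by lower-cased name, fallback by reason."""
    counters, fallback = {}, {}
    for line in text.splitlines():
        m = FALLBACK_RE.match(line)
        if m:
            fallback[m.group("reason")] = {
                "log-and-permit": int(m.group("permit")),
                "block": int(m.group("block")),
            }
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name").lower()] = int(m.group("value"))
    return counters, fallback


def check_web_filtering(status_text, stats_text, session_warn_ratio=0.9):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    status = parse_status(status_text)
    # The article shows "SC-CPA server up" as the healthy state; anything else is a finding.
    if status is None or status.split()[-1].lower() != "up":
        findings.append(f"category server not up: {status}")
    counters, fallback = parse_statistics(stats_text)
    # Every log-and-permit fallback hit is a request allowed without a category lookup.
    passed_through = sum(row["log-and-permit"] for row in fallback.values())
    if passed_through:
        reasons = ", ".join(r for r, row in fallback.items() if row["log-and-permit"])
        findings.append(f"{passed_through} request(s) permitted by fallback ({reasons})")
    total = counters.get("web-filtering sessions in total", 0)
    in_use = counters.get("web-filtering sessions in use", 0)
    if total and in_use / total >= session_warn_ratio:
        findings.append(f"web-filtering sessions {in_use}/{total} in use")
    return findings


if __name__ == "__main__":
    for finding in check_web_filtering(STATUS_OUTPUT, STATS_OUTPUT) or ["no findings"]:
        print(finding)
```

With the constructed sample the checks report six requests permitted by the Timeout fallback and a session pool at 3900 of 4000; on a healthy device with zero counters, as in the article's listing, the function returns an empty list. The session threshold is an assumption of this example, not a Junos setting.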
Troubleshooting
Refer to a checklist of common errors here:
KB25680 - UTM (Unified Threat Management) Troubleshooting Checklist
For advanced troubleshooting, enable traceoptions:
user@host# set security traceoptions flag all
user@host# set security utm traceoptions flag all
user@host# set security utm application-proxy traceoptions flag all
user@host# set security utm feature-profile web-filtering traceoptions flag all
The trace output is written to the following log:
user@host> show log utmd-wf