Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

SRX Getting Started - Integrated Web Filtering

0

0
Article ID: KB16334 KB Last Updated: 07 Feb 2014Version: 7.0 Summary:

This article provides examples for configuring, verifying, and troubleshooting integrated Web filtering. For information about redirect Web filtering, see KB16444 - SRX Getting Started - Redirect Web Filtering.

For other topics, go to the SRX Getting Started main page.

Symptoms:

Configure integrated Web filtering using pre-defined web-filtering profile from a category server (SurfControl Content Portal Authority provided by Websense).

Cause:

Solution:

This section contains the following:


Configuration Task Overview

Configuring integrated Web filtering consists of the following tasks:

  • Verifying license installation
  • Configuring UTM custom objects and assigning them to categories
  • Configuring integrated Web filtering parameters 
  • Configuring a UTM policy for each protocol and attaching the policy to a profile 
  • Attaching the UTM policy to a firewall security policy 

For more information and examples, see the Configuring Web Filtering on Branch SRX Series Services Gateways and J Series Services Routers application note and the Technical Documentation section.

Verifying License Installation

Before you configure integrated Web filtering, confirm that the Web filtering license is installed.

J-Web

To verify license installation using J-Web:

  1. Select Maintain>Licenses.
  2. Look for WF Key Surfcontrol CPA in the list of license.
  3. If the license is not listed, click Add. The Add License page appears.
  4. Copy the text from the license file, and paste it in the License Key Text box.
  5. Click OK.

CLI

To verify license installation using the CLI:

  1. Run the show system license command, and look for wf_key_surfcontrol_cpa.
user@host> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  av_key_kaspersky_engine               1            1           0    2010-12-30 16:00:00 PST
  wf_key_surfcontrol_cpa                1            1           0    2010-12-30 16:00:00 PST
  1. If no license is installed, install the license by entering the following command: 
user@host> request system license add terminal
  1. Copy the text from the license file, and paste it at the command prompt.

J-Web Configuration

To configure the redirect Web filtering feature profile:

  1. Select Configure>Security>UTM>Global options.
  2. Click the Web Filtering tab.
  3. In the Filtering Type list, select Surf Control Integrated.
  4. Next to Cache timeout, enter the timeout (in minutes) for expiring cache entries (for example, 1800).
  5. Next to Cache Size, enter the maximum number of kilobytes (KB) for the cache (for example, 500).
  6. Next to Server Host, enter the Surf Control server name or IP address (for example, cpa.surfcpa.com).
  7. Next to Server Port, enter the port number used to communicate with the Surf Control server (for example, 9020).
  8. Click OK. A status popup appears. If the configuration changes are saved successfully, the popup automatically closes. If the changes are not saved successfully, click Details for more information.

To configure a UTM policy for Web filtering:

  1. Select Configure>Security>Policy>UTM Policies.
  2. Click Add to configure a UTM policy. The Add Policy window appears.
  3. Click the Main tab.
  4. In the Policy Name box, enter a unique name for the UTM policy you are creating (for example, web-filter).
  5. In the Session per client limit box, enter a session per client limit from 0 to 20000 for this UTM policy.
  6. For Session per client over limit, select one of the following: Log and Permit or Block. This is the action the device takes when the session per client limit for this UTM policy is exceeded.
  7. Click the Web filtering profiles tab.
  8. Next to HTTP profile, select junos-wf-cpa-default, which is the default profile.
  9. Click OK. A status popup appears. If the configuration changes are saved successfully, the popup automatically closes. If the changes are not saved successfully, click Details for more information.

To attach the UTM policy to a security policy:

  1. Select Configure>Security>Policy>FW Policies.
  2. Click Add. The Add Policy window appears.
  3. Click the Policy tab.
  4. In the Policy Name box, enter the name of the policy (for example, web-filter).
  5. Next to From Zone, select a zone from the list (for example, trust).
  6. Next to To Zone, select a zone from the list (for example, untrust).
  7. Choose a source address (for example, any).
  8. Choose a destination address (for example, any).
  9. Choose an application by selecting junos-http in the Application Sets box and clicking the arrow button.
  10. Next to Default Policy Action, select permit.
  11. Click the Application Services tab.
  12. Next to UTM Policy, select the UTM policy to be attached to the security policy (in this example, web-filter).
  13. Click OK. A status popup appears. If the configuration changes are saved successfully, the popup automatically closes. If the changes are not saved successfully, click Details for more information.

Make sure that your policy is activated. By default, in JUNOS Release 9.6 and earlier, after you create a policy, it is activated. In JUNOS Release 10.0 and higher, your changes do not take effect until you click the Commit button (under the tabs).

CLI Configuration

Set the type of Web filtering feature parameters.

  1. Set the type of Web filtering to surf-control-integrated.

    2. user@host#     set security utm feature-profile web-filtering type surf-control-integrated

  2. Define the SurfControl server settings.

    3. user@host# set security utm feature-profile web-filtering surf-control-integrated cache timeout 1800
    user@host# set security utm feature-profile web-filtering surf-control-integrated cache size 500

Define the UTM policy for the protocol and attach this policy to a profile. Then apply the UTM policy to a firewall security policy as an application service.

  1. Define the UTM policy for HTTP (web-filter) and attach this policy to the pre-defined profile junos-wf-cpa-default.

    2. user@host# set security utm utm-policy web-filter web-filtering http-profile junos-wf-cpa-default.

  2. Apply the UTM policy to a policy from the trust zone to the untrust zone, and set the application services to be allowed.

    3. user@host# set security policies from-zone trust to-zone untrust policy web-filter match source-address any
    user@host# set security policies from-zone trust to-zone untrust policy web-filter match destination-address any
    user@host# set security policies from-zone trust to-zone untrust policy web-filter match application junos-http
    user@host#     set security policies from-zone trust to-zone untrust policy web-filter then permit application-services utm-policy web-filter


Technical Documentation

UTM Web Filtering Feature Guide for Security Devices


Verification

Use the show security utm web-filtering status command to check the status of the SurfControl server.

user@host> show security utm web-filtering status
UTM web-filtering status:
Server status: SC-CPA server up

Use the show security utm web-filtering statistics command to review statistical information about integrated Web filtering.

user@host> show security utm web-filtering statistics
UTM web-filtering statistics:
Total requests: 0
white list hit: 0
Black list hit: 0
Queries to server: 0
Server reply permit: 0
Server reply block: 0
Custom category permit: 0
Custom category block: 0
Cache hit permit: 0
Cache hit block: 0
Web-filtering sessions in total: 4000
Web-filtering sessions in use: 0
Fall back: log-and-permit block
Default 0 0
Timeout 0 0
Connectivity 0 0
Too-many-requests 0 0


Troubleshooting

Refer to a checklist of common errors here:
KB25680 - UTM (Unified Threat Management) Troubleshooting Checklist

Also, traceoptions are used for advanced troubleshooting:

user@host# set security traceoptions flag all
user@host# set security utm traceoptions flag all
user@host# set security utm application-proxy traceoptions flag all
user@host# set security utm feature-profile web-filter traceoptions flag all

Traceoptions can be found in the following logs:

user@host# show log utmd-wf

Related Links

 Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search