
[SRX] Web Content Filtering Configuration Example - Block specific FTP commands


Article ID: KB17285 KB Last Updated: 21 Feb 2020Version: 4.0
Summary:

How to set up the UTM (Unified Threat Management) Content Filtering feature

Symptoms:

Configuration example of Content Filtering

Solution:

Below is an example of setting up a Content Filter to block specific FTP commands from passing through the SRX device. A Content Filter can match on MIME patterns, file extensions, and protocol commands. The supported protocols are HTTP, FTP and E-mail.

This feature does not need a license.

For additional information and instructions refer to the Technical Documentation.


Configuration

  1. First define the UTM custom objects for content filtering. These can be MIME patterns, File Extension Lists, or Protocol Command Lists. In this example, a Protocol Command List for the FTP protocol is defined. Note that USER and PASS are the FTP login commands, so blocking them denies every FTP session that matches the policy; choose the values to match what you actually intend to block:

    set security utm custom-objects protocol-command ftp-commands value user
    set security utm custom-objects protocol-command ftp-commands value pass
    set security utm custom-objects protocol-command ftp-commands value port
    set security utm custom-objects protocol-command ftp-commands value type
  2. Define the content filtering profile. This is where you set up the action to be taken for each type of content and specify which lists are used for each type of content. The notification sent to email users for blocked content can also be defined here. In this example, the FTP protocol command block is defined:

    set security utm feature-profile content-filtering profile content-filter block-command ftp-commands
  3. Define the UTM policy for content filtering. This is where you specify the profile that each protocol uses to filter its content. In this example only FTP is filtered. For FTP, separate profiles can be specified for uploads and downloads; this example uses the same profile for both:

    set security utm utm-policy content-filter content-filtering ftp upload-profile content-filter
    set security utm utm-policy content-filter content-filtering ftp download-profile content-filter
  4. Last, apply the UTM policy to a Security policy as an application-service. In this example the policy is from the untrust zone to the trust zone, so it covers FTP sessions initiated from untrust toward trust:

    set security policies from-zone untrust to-zone trust policy content-filter match source-address any
    set security policies from-zone untrust to-zone trust policy content-filter match destination-address any
    set security policies from-zone untrust to-zone trust policy content-filter match application any
    set security policies from-zone untrust to-zone trust policy content-filter then permit application-services utm-policy content-filter

Verification

Verify that Content Filtering is working by checking the blocked-content counters. The counters below are all zero because no traffic has been filtered yet; after an FTP session that issues one of the listed commands passes through the policy, the "Base on command list" counter should increment.

> show security utm content-filtering statistics

Content-filtering-statistic: Blocked
Base on command list: 0
Base on mime list: 0
Base on extension list: 0
ActiveX plugin: 0
Java applet: 0
EXE files: 0
ZIP files: 0
HTTP cookie: 0
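The statistics block above is what an operator polls to confirm that the command-list filter is actually denying traffic. The following Python is an added example (not part of the original article or of Junos) that parses two samples of that output and reports which blocked-content counters moved between them; the "after" sample values are constructed for illustration, not captured from a device.

```python
"""Compare two samples of 'show security utm content-filtering statistics'.

Parses the counter block printed by the SRX and reports which "Blocked"
counters increased between a baseline sample and a later one, so a
monitoring script can confirm that the FTP command-list filter fired.
"""
import re
from typing import Dict

# Constructed sample output: BEFORE is the all-zero block from the article,
# AFTER assumes three FTP commands and one file extension were blocked since.
BEFORE = """\
Content-filtering-statistic: Blocked
Base on command list: 0
Base on mime list: 0
Base on extension list: 0
ActiveX plugin: 0
Java applet: 0
EXE files: 0
ZIP files: 0
HTTP cookie: 0
"""

AFTER = """\
Content-filtering-statistic: Blocked
Base on command list: 3
Base on mime list: 0
Base on extension list: 1
ActiveX plugin: 0
Java applet: 0
EXE files: 0
ZIP files: 0
HTTP cookie: 0
"""

# One "<counter name>: <integer>" line. The header line
# "Content-filtering-statistic: Blocked" has a non-numeric value and a
# hyphenated name, so it deliberately does not match.
COUNTER_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(?P<value>\d+)\s*$"
)

# The counter driven by the article's protocol-command list.
COMMAND_LIST_COUNTER = "Base on command list"


def parse_statistics(text: str) -> Dict[str, int]:
    """Return {counter name: value} for every numeric counter line."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        match = COUNTER_RE.match(line)
        if match:
            counters[match.group("name")] = int(match.group("value"))
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Return only the counters whose value changed, with the signed delta.

    A negative delta means the counters were cleared between samples
    (for example by 'clear security utm content-filtering statistics'),
    so callers should treat it as a reset rather than a bug.
    """
    deltas: Dict[str, int] = {}
    for name, new_value in after.items():
        old_value = before.get(name, 0)
        if new_value != old_value:
            deltas[name] = new_value - old_value
    return deltas


def blocked_ftp_commands(before: Dict[str, int], after: Dict[str, int]) -> int:
    """How many times the command-list filter blocked since the baseline."""
    return after.get(COMMAND_LIST_COUNTER, 0) - before.get(COMMAND_LIST_COUNTER, 0)


if __name__ == "__main__":
    baseline = parse_statistics(BEFORE)
    current = parse_statistics(AFTER)
    for name, delta in counter_deltas(baseline, current).items():
        print(f"{name}: {delta:+d}")
    print(f"FTP commands blocked since baseline: {blocked_ftp_commands(baseline, current)}")
```

In practice the two samples would come from the device (for example over SSH or the Junos PyEZ RPC for the same show command) taken before and after a test FTP session that issues one of the listed commands; a zero delta on "Base on command list" after such a test means the session did not traverse the policy or the profile is not attached to it.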


Technical Documentation:

Content Filtering


Troubleshooting

Refer to a checklist of common errors here:
KB25680 - UTM (Unified Threat Management) Troubleshooting Checklist

The following traceoptions are used for troubleshooting:

root# set security traceoptions flag all
root# set security utm traceoptions flag all
root# set security utm application-proxy traceoptions flag all
root# set security utm feature-profile content-filtering traceoptions flag all


Note: Make sure that once you are done troubleshooting you deactivate the traceoptions, since they add load on the device and fill the log.

Traceoptions can be found in the following log:

/var/log/utmd


Full working config example for Content Filtering (note that it still has the content-filtering traceoptions enabled; remove them once troubleshooting is complete):

version 12.1R3.5;
system {
    host-name SRX;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    services {
        ftp;
        ssh;
        telnet;
        web-management {
            traceoptions {
                flag dynamic-vpn;
                flag webauth;
            }
            http {
                interface ge-0/0/0.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 1.1.1.0/24 {
            next-hop 10.1.1.2;
            no-readvertise;
        }
    }
}
security {
    utm {
        custom-objects {
            protocol-command {
                ftp-commands {
                    value [ user pass port type ];
                }
            }
        }
        feature-profile {
            content-filtering {
                traceoptions {
                    flag all;
                }
                profile content-filter {
                    block-command ftp-commands;
                }
            }
        }
        utm-policy content-filter {
            content-filtering {
                ftp {
                    upload-profile content-filter;
                    download-profile content-filter;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy allow-out {
                match {
                    source-address any; 
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy content-filter {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy content-filter;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address private-nets 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    any-service;
                }
                protocols {
                    all;
                }
            }
            interfaces {   
                ge-0/0/7.0;
            }
        }
        security-zone untrust {
            address-book {
                address cust-nets 1.1.1.0/24;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            any-service;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}