[SRX] Web Content Filtering Configuration Example - Block specific FTP commands

  [KB17285]


Summary:

How to setup UTM (Unified Threat Management) feature Content Filtering

Symptoms:

Configuration example of Content Filtering

Cause:

Solution:

Below is an example of setting up a Content Filter to block specific FTP commands from passing through the SRX device. The Content Filter can be set up for MIME patterns, file extensions, and protocol commands. The protocols that are supported are HTTP, FTP and E-mail.

This feature does not need a license.

For additional information and instructions refer to the Technical Documentation.


Configuration

  1. First define the UTM custom objects for content filtering. These can be MIME patterns, File Extension Lists, or Protocol Command Lists. In this example, a Protocol Command List for the FTP protocol is defined:
     set security utm custom-objects protocol-command ftp-commands value user
     set security utm custom-objects protocol-command ftp-commands value pass
     set security utm custom-objects protocol-command ftp-commands value port
     set security utm custom-objects protocol-command ftp-commands value type

  2. Define the content filtering profile. This is where you set up the action to be taken for each type of content and specify which lists are used for each type of content. The notification sent to e-mail users for blocked content can also be defined here. In this example, the FTP protocol command block is defined:
     set security utm feature-profile content-filtering profile content-filter block-command ftp-commands

  3. Define the UTM policy for content filtering. This is where you specify the profile that each protocol uses to filter its content. In this example only a filter for FTP is set up. For FTP you can configure separate profiles for uploads and downloads; here the same profile is used for both:
     set security utm utm-policy content-filter content-filtering ftp upload-profile content-filter
     set security utm utm-policy content-filter content-filtering ftp download-profile content-filter

  4. Last, apply the UTM policy to a security policy as an application-service. In this example the policy is from the untrust zone to the trust zone:
     set security policies from-zone untrust to-zone trust policy content-filter match source-address any
     set security policies from-zone untrust to-zone trust policy content-filter match destination-address any
     set security policies from-zone untrust to-zone trust policy content-filter match application any
     set security policies from-zone untrust to-zone trust policy content-filter then permit application-services utm-policy content-filter
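The four steps above form a reference chain: the security policy names a utm-policy, the utm-policy names a content-filtering profile, and the profile names a protocol-command list. A misspelled name anywhere in that chain leaves the filter ineffective, so the following added example (not Juniper's code and not part of this article) parses a set-style dump of the relevant commands and reports any reference that does not resolve, then summarises which FTP commands each security policy will block. The parser and its sample input are constructed here; the sample is the article's own commands. Worth noticing in that summary: the list contains user and pass, which every FTP client sends at login, so the profile as written will trip on every FTP login that crosses the policy.

```python
"""Offline sanity check of the SRX content-filtering reference chain.

Added example (not Juniper's code): parses set-style commands and verifies
that every reference in the chain resolves:

  security policy -> utm-policy -> content-filtering profile -> protocol-command list

Hypothetical helper; the sample config below is constructed from the article.
"""
import re
from collections import defaultdict

# Constructed sample: the set commands from the article's configuration steps.
SAMPLE_CONFIG = """
set security utm custom-objects protocol-command ftp-commands value user
set security utm custom-objects protocol-command ftp-commands value pass
set security utm custom-objects protocol-command ftp-commands value port
set security utm custom-objects protocol-command ftp-commands value type
set security utm feature-profile content-filtering profile content-filter block-command ftp-commands
set security utm utm-policy content-filter content-filtering ftp upload-profile content-filter
set security utm utm-policy content-filter content-filtering ftp download-profile content-filter
set security policies from-zone untrust to-zone trust policy content-filter match source-address any
set security policies from-zone untrust to-zone trust policy content-filter match destination-address any
set security policies from-zone untrust to-zone trust policy content-filter match application any
set security policies from-zone untrust to-zone trust policy content-filter then permit application-services utm-policy content-filter
"""

# One pattern per link in the chain; anything else in the dump is ignored.
PATTERNS = {
    "command_list": re.compile(
        r"^set security utm custom-objects protocol-command (\S+) value (\S+)$"),
    "profile": re.compile(
        r"^set security utm feature-profile content-filtering profile (\S+) block-command (\S+)$"),
    "utm_policy": re.compile(
        r"^set security utm utm-policy (\S+) content-filtering (\S+) (upload|download)-profile (\S+)$"),
    "sec_policy": re.compile(
        r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
        r"then permit application-services utm-policy (\S+)$"),
}


def parse_set_config(text):
    """Return the four tables that make up the content-filtering chain."""
    cmd_lists = defaultdict(set)       # list name -> {commands}
    profiles = {}                      # profile -> command list it blocks
    utm_policies = defaultdict(dict)   # utm-policy -> {(proto, direction): profile}
    sec_policies = {}                  # (from-zone, to-zone, name) -> utm-policy
    for line in text.strip().splitlines():
        line = line.strip()
        if m := PATTERNS["command_list"].match(line):
            cmd_lists[m[1]].add(m[2].lower())
        elif m := PATTERNS["profile"].match(line):
            profiles[m[1]] = m[2]
        elif m := PATTERNS["utm_policy"].match(line):
            utm_policies[m[1]][(m[2], m[3])] = m[4]
        elif m := PATTERNS["sec_policy"].match(line):
            sec_policies[(m[1], m[2], m[3])] = m[4]
    return cmd_lists, profiles, utm_policies, sec_policies


def check_chain(text):
    """Return dangling-reference messages; an empty list means the chain resolves."""
    cmd_lists, profiles, utm_policies, sec_policies = parse_set_config(text)
    issues = []
    for (src, dst, name), utm in sec_policies.items():
        if utm not in utm_policies:
            issues.append(f"policy {src}->{dst} {name} references unknown utm-policy {utm}")
    for utm, bindings in utm_policies.items():
        for (proto, direction), prof in bindings.items():
            if prof not in profiles:
                issues.append(f"utm-policy {utm} {proto} {direction}-profile references unknown profile {prof}")
    for prof, lst in profiles.items():
        if lst not in cmd_lists:
            issues.append(f"profile {prof} block-command references unknown list {lst}")
        elif not cmd_lists[lst]:
            issues.append(f"list {lst} is empty")
    return issues


def blocked_ftp_commands(text):
    """FTP commands the filter will block, keyed by (from-zone, to-zone, policy)."""
    cmd_lists, profiles, utm_policies, sec_policies = parse_set_config(text)
    result = {}
    for key, utm in sec_policies.items():
        cmds = set()
        for (proto, _direction), prof in utm_policies.get(utm, {}).items():
            if proto == "ftp" and prof in profiles:
                cmds |= cmd_lists.get(profiles[prof], set())
        result[key] = sorted(cmds)
    return result


if __name__ == "__main__":
    print(check_chain(SAMPLE_CONFIG) or "chain resolves")
    print(blocked_ftp_commands(SAMPLE_CONFIG))
```

Feed it the output of `show configuration | display set` (only the commands matched by the four patterns are considered) and run it before committing a change to the UTM chain.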

Verification

Verify that Content Filtering is working:

> show security utm content-filtering statistics

Content-filtering-statistic: Blocked
Base on command list: 0
Base on mime list: 0
Base on extension list: 0
ActiveX plugin: 0
Java applet: 0
EXE files: 0
ZIP files: 0
HTTP cookie: 0
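The counters above only prove something when compared against a baseline: capture them, send a test FTP session through the policy, and capture them again. The following added example (not Juniper's code and not part of this article) parses that command output into counters and reports which ones increased between two captures. Both captures are constructed here; the first is the all-zero output shown above and the second is a made-up later reading.

```python
"""Compare two captures of 'show security utm content-filtering statistics'.

Added example (not Juniper's code): parses the statistics output into
counters and reports which ones moved between a baseline and a later
capture, e.g. before and after a test FTP session. Samples are constructed.
"""
import re

# Constructed baseline: the all-zero output shown in the article.
BEFORE = """\
Content-filtering-statistic: Blocked
Base on command list: 0
Base on mime list: 0
Base on extension list: 0
ActiveX plugin: 0
Java applet: 0
EXE files: 0
ZIP files: 0
HTTP cookie: 0
"""

# Constructed later capture: how it might look after one FTP login attempt
# crossed the policy (the number is made up for the example).
AFTER = BEFORE.replace("Base on command list: 0", "Base on command list: 2")

# "<name>: <integer>"; the heading line carries a word, not a number, and is skipped.
COUNTER = re.compile(r"^\s*(?P<name>[^:]+?):\s*(?P<value>\d+)\s*$")


def parse_statistics(text):
    """Map counter name -> integer value."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[m["name"]] = int(m["value"])
    return counters


def counter_deltas(before_text, after_text):
    """Counters that increased between the captures, with the size of the increase."""
    before = parse_statistics(before_text)
    after = parse_statistics(after_text)
    deltas = {}
    for name, value in after.items():
        increase = value - before.get(name, 0)
        if increase > 0:
            deltas[name] = increase
    return deltas


def command_filter_verified(before_text, after_text):
    """True when the command-list counter moved, i.e. a listed FTP command was blocked."""
    return counter_deltas(before_text, after_text).get("Base on command list", 0) > 0


if __name__ == "__main__":
    print(counter_deltas(BEFORE, AFTER))
    print("FTP command filter verified:", command_filter_verified(BEFORE, AFTER))
```

If the command-list counter does not move while the test session is clearly being refused, check that the session actually matches the policy carrying the utm-policy rather than a broader permit rule.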

Technical Documentation:

Content Filtering


Troubleshooting

Refer to a checklist of common errors here:
KB25680 - UTM (Unified Threat Management) Troubleshooting Checklist


The following traceoptions are used for troubleshooting:

root# set security traceoptions flag all
root# set security utm traceoptions flag all
root# set security utm application-proxy traceoptions flag all
root# set security utm feature-profile content-filtering traceoptions flag all

Note: Once troubleshooting is complete, make sure to deactivate the traceoptions.

Traceoptions can be found in the following log:

/var/log/utmd


Full working config example for Content Filtering:

version 12.1R3.5;
system {
    host-name SRX;
    root-authentication {
        encrypted-password "$1$mSN7ZXXP$PUZXdoU/qV4SWhiRAPpu3."; ## SECRET-DATA
    }
    services {
        ftp;
        ssh;
        telnet;
        web-management {
            traceoptions {
                flag dynamic-vpn;
                flag webauth;
            }
            http {
                interface ge-0/0/0.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 1.1.1.0/24 {
            next-hop 10.1.1.2;
            no-readvertise;
        }
    }
}
security {
    utm {
        custom-objects {
            protocol-command {
                ftp-commands {
                    value [ user pass port type ];
                }
            }
        }
        feature-profile {
            content-filtering {
                traceoptions {
                    flag all;
                }
                profile content-filter {
                    block-command ftp-commands;
                }
            }
        }
        utm-policy content-filter {
            content-filtering {
                ftp {
                    upload-profile content-filter;
                    download-profile content-filter;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy allow-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy content-filter {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy content-filter;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address private-nets 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    any-service;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/7.0;
            }
        }
        security-zone untrust {
            address-book {
                address cust-nets 1.1.1.0/24;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            any-service;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}

