[SRX] Example - How to set up the UTM Anti-Spam feature

Article ID: KB17286 KB Last Updated: 24 Feb 2020 Version: 7.0
Summary:

This article provides information on how to set up the UTM (Unified Threat Management) Anti-Spam feature.

Symptoms:

Configuration example of the UTM (Unified Threat Management) Anti-Spam feature.

Note: At this time, the Anti-Spam feature is supported only for the SMTP protocol.

For more information on Anti-Spam, refer to the technical documentation, Security Features from the Junos OS Security Configuration Guide.


 
Solution:

There are three steps to setting up the Anti-Spam feature:

  • Define Custom Objects

  • Define the feature profile and UTM policy, which will be attached to the feature profile

  • Apply the UTM policy to the Security Policy as an application service

In this example, the default server based URL categories and lists are not being used; instead custom categories are defined.

Check for License

Before you begin the configuration, confirm that the UTM Anti-Spam license is installed. Run the following command, and look for anti_spam_key_sbl:

root@SRX-220> show system license 
License usage: 
                                 Licenses     Licenses    Licenses    Expiry
Feature name                       used    installed      needed 
  
anti_spam_key_sbl                     x            x           x    x days

Licenses installed: 
  License identifier: JUNOS308405  <---Anti-Spam License Key
  License version: 2
  Valid for device: AQ0910AA0016   <---SRX Serial No
  Features:
    anti_spam_key_sbl - Anti-Spam
      date-based, 2011-05-12 08:00:00 GMT-8 - 2011-06-11 08:00:00 GMT-8

If the license is not installed, install it with the following command: 

> request system license add terminal

Then copy the license from the text file provided with the license, and paste it in after entering the above command.

Define Custom Objects:

Start by setting up the Custom Objects for Anti-Spam. Some of these objects can be shared across multiple UTM features. For Anti-Spam, start by creating lists of URL patterns or IP addresses for the white and black lists.

In this example, two lists of custom URL patterns are created: one named ip-black-list and the other ip-white-list. These lists can be created at the [edit security utm custom-objects] hierarchy level.

  • Set up the two URL pattern lists. These can be IP addresses or URL patterns using wildcards.

    set security utm custom-objects url-pattern ip-black-list value http://*.sex.com
    set security utm custom-objects url-pattern ip-black-list value http://*.gamble.com
    set security utm custom-objects url-pattern ip-black-list value http://*.flashgames.com
    set security utm custom-objects url-pattern ip-white-list value http://*.work.com
    set security utm custom-objects url-pattern ip-white-list value http://*.taxes.com
    set security utm custom-objects url-pattern ip-white-list value http://*.networking.com

Define the feature-profile and UTM policy

Next, set up the feature profile to use the local spam URL lists. You can then define the action to take: either block or tag. You can define a custom string to tag either the header or the subject of the emails. In this example, the subject will be tagged with ***YEP*SPAM***.

  1. Set the feature-profile to a local list and tag the subject with a custom string:

    set security utm feature-profile anti-spam address-whitelist ip-white-list
    set security utm feature-profile anti-spam address-blacklist ip-black-list
    set security utm feature-profile anti-spam sbl profile local-profile no-sbl-default-server
    set security utm feature-profile anti-spam sbl profile local-profile spam-action tag-subject
    set security utm feature-profile anti-spam sbl profile local-profile custom-tag-string ***YEP*SPAM***

  2. Create the UTM policy for spam filtering:

    set security utm utm-policy spam-block anti-spam smtp-profile local-profile

Or

  1. To enable only the server based Anti-Spam feature, apply the default UTM anti-spam profile:

    set security utm feature-profile anti-spam sbl profile junos-as-defaults sbl-default-server
    set security utm feature-profile anti-spam sbl profile junos-as-defaults spam-action block
    set security utm feature-profile anti-spam sbl profile junos-as-defaults custom-tag-string ***SPAM***

  2. Apply the default profile to a UTM policy:

    set security utm utm-policy spam-block anti-spam smtp-profile junos-as-defaults

Apply the UTM policy to the Security Policy

Finally, you will need to apply the UTM policy to a security policy as an application-service. In this example, it is applied to a policy from Untrust to Trust. Create the Untrust to Trust security policy, in which the UTM policy is applied as an application-service:

 
set security policies from-zone untrust to-zone trust policy spam-tag match source-address any
set security policies from-zone untrust to-zone trust policy spam-tag match destination-address any
set security policies from-zone untrust to-zone trust policy spam-tag match application any
set security policies from-zone untrust to-zone trust policy spam-tag then permit application-services utm-policy spam-block
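
The three steps above form a chain of named references (URL pattern lists, SBL profile, UTM policy, security policy), so a misspelled name or a command split across two lines leaves Anti-Spam unattached. The following Python check is an added example, not Juniper code: it reads a block of set commands before they are pasted into the device, and its sample input is constructed from the commands in this article.

```python
import re

# Constructed sample: the local-list commands from the steps above.
SAMPLE = """\
set security utm custom-objects url-pattern ip-black-list value http://*.gamble.com
set security utm custom-objects url-pattern ip-white-list value http://*.work.com
set security utm feature-profile anti-spam address-whitelist ip-white-list
set security utm feature-profile anti-spam address-blacklist ip-black-list
set security utm feature-profile anti-spam sbl profile local-profile no-sbl-default-server
set security utm feature-profile anti-spam sbl profile local-profile spam-action tag-subject
set security utm utm-policy spam-block anti-spam smtp-profile local-profile
set security policies from-zone untrust to-zone trust policy spam-tag then permit application-services utm-policy spam-block
"""

PREDEFINED_PROFILES = {"junos-as-defaults"}  # default profile named in the article

def check_chain(config_text):
    """Return a list of broken references in a block of 'set' commands."""
    patterns, profiles, utm_policies = set(), set(), {}
    list_refs, applied = [], []
    for line in config_text.splitlines():
        line = line.strip()
        if m := re.match(r"set security utm custom-objects url-pattern (\S+) value \S+", line):
            patterns.add(m[1])
        elif m := re.match(r"set security utm feature-profile anti-spam address-(whitelist|blacklist) (\S+)", line):
            list_refs.append((m[1], m[2]))
        elif m := re.match(r"set security utm feature-profile anti-spam sbl profile (\S+)", line):
            profiles.add(m[1])
        elif m := re.match(r"set security utm utm-policy (\S+) anti-spam smtp-profile (\S+)", line):
            utm_policies[m[1]] = m[2]
        elif m := re.match(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                           r"then permit application-services utm-policy (\S+)", line):
            applied.append((m[3], m[4]))
    problems = []
    for kind, name in list_refs:
        if name not in patterns:
            problems.append(f"address-{kind} references undefined url-pattern '{name}'")
    for pol, prof in utm_policies.items():
        if prof not in profiles | PREDEFINED_PROFILES:
            problems.append(f"utm-policy '{pol}' references undefined smtp-profile '{prof}'")
    for sec_pol, utm_pol in applied:
        if utm_pol not in utm_policies:
            problems.append(f"security policy '{sec_pol}' references undefined utm-policy '{utm_pol}'")
    for pol in utm_policies.keys() - {u for _, u in applied}:
        problems.append(f"utm-policy '{pol}' is not applied to any security policy")
    return problems

if __name__ == "__main__":
    print(check_chain(SAMPLE) or "reference chain is complete")
```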

Verify UTM Anti-Spam is working:

root@> show security utm anti-spam status 
SBL Whitelist Server:
SBL Blacklist Server:
    msgsecurity.juniper.net

DNS Server:
    Primary  :          0.0.0.0, Src Interface: ge-0/0/0
    Secondary:          0.0.0.0, Src Interface: ge-0/0/1
    Ternary  :          0.0.0.0, Src Interface: ge-0/0/2

root@> show security utm anti-spam statistics   
 UTM Anti Spam statistics: 

Total connections:     0 
Denied connections:    0
Total greetings:       0
Denied greetings:      0
Total e-mail scanned:  0
White list hit:        0
Black list hit:        0
Spam total:            0
Spam tagged:           0
Spam dropped:          0
DNS errors:            0
Timeout errors:        0
Return errors:         0
Invalid parameter errors: 0

Statistics start time: 08/03/2012 19:30:59

Configuration example for Anti-Spam:

root@# show | no-more 
version 12.1R1.9;
system {
    host-name Starburst;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    login {
        message "/**** Please reload /var/tmp/default.conf when you are done ****/ ";
        user lab {
            uid 2000;
            class superuser;
            authentication {
                encrypted-password "$ABC123"; ## SECRET-DATA
            }
        }
    }
    services {
        ftp;
        ssh;
        telnet;
        web-management {
            traceoptions {
                flag dynamic-vpn;
                flag webauth;
            }
            http {
                interface ge-0/0/0.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.66.94/24;
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 66.129.243.0/24 {
            next-hop 10.10.66.1;
            no-readvertise;
        }
    }
}
security {
    utm {
        custom-objects {
            url-pattern {
                ip-black-list {
                    value [ http://*.test1.com http://*.test2.com http://*.test3.com ];
                }
                ip-white-list {
                    value [ http://*.test4.com http://*.test5.com http://*.test6.com ];
                }
            }
            
        }
        feature-profile {
            anti-spam {
                address-whitelist ip-white-list;
                address-blacklist ip-black-list;
                traceoptions {
                    flag all;
                }
                sbl {
                    profile local-profile {
                        no-sbl-default-server;
                        spam-action tag-subject;
                        custom-tag-string ***YEP*SPAM***;
                    }
                }
            }
        }
        utm-policy spam-block {
            anti-spam {
                smtp-profile local-profile;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy allow-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy spam-tag {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy spam-block;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/15.0;
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            any-service;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
