This article provides examples for configuring, verifying, and troubleshooting Enhanced Web Filtering (EWF).
For information on configuring Integrated Web Filtering or Redirect Web Filtering, refer to KB16466 - SRX Getting Started - Configure Web Filtering.
How to configure Enhanced Web Filtering (URL Filtering).
Configuration
Note: The following sample uses legacy security policies, not the newer unified security policies, which are available as of 18.2.
To configure Enhanced Web Filtering via J-Web, refer to KB26911 - Example - Configuring Enhanced Web Filtering via J-Web.
The following example illustrates the EWF configuration:
- Security UTM configuration:
[edit security utm]
root# show
feature-profile {
    web-filtering {
        type juniper-enhanced;
        juniper-enhanced {
            cache {
                timeout 1800;
                size 1500;
            }
            server {
                host cluster-k.cloud.threatseeker.com;
                port 80;
            }
            profile my_ewfprofile01 {
                category {
                    Enhanced_Business_and_Economy {
                        action block;
                    }
                    Enhanced_Job_Search {
                        action permit;
                    }
                    Enhanced_Uncategorized {
                        action log-and-permit;
                    }
                }
                site-reputation-action {
                    very-safe log-and-permit;
                    moderately-safe log-and-permit;
                    fairly-safe log-and-permit;
                    suspicious log-and-permit;
                    harmful log-and-permit;
                }
                default log-and-permit;
                fallback-settings {
                    default log-and-permit;
                    server-connectivity log-and-permit;
                    timeout log-and-permit;
                    too-many-requests log-and-permit;
                }
            }
        }
    }
}
utm-policy mypolicy {
    web-filtering {
        http-profile my_ewfprofile01;
    }
}
Note:
An alternative "juniper-enhanced server host" address is "rp.cloud.threatseeker.com".
The "juniper-enhanced server host" can be configured with the IP address of the server if there is an issue with address resolution.
- Security policy configuration:
set security policies from-zone utm_clients to-zone mgmt policy 1 then permit application-services utm-policy mypolicy
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set security utm feature-profile web-filtering type juniper-enhanced
set security utm feature-profile web-filtering juniper-enhanced cache timeout 1800
set security utm feature-profile web-filtering juniper-enhanced cache size 1500
set security utm feature-profile web-filtering juniper-enhanced server host rp.cloud.threatseeker.com
set security utm feature-profile web-filtering juniper-enhanced server port 80
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 category Enhanced_Business_and_Economy action block
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 category Enhanced_Job_Search action permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 category Enhanced_Uncategorized action log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 site-reputation-action very-safe log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 site-reputation-action moderately-safe log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 site-reputation-action fairly-safe log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 site-reputation-action suspicious log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 site-reputation-action harmful log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 default log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 fallback-settings default log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 fallback-settings server-connectivity log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 fallback-settings timeout log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 fallback-settings too-many-requests log-and-permit
set security utm utm-policy mypolicy web-filtering http-profile my_ewfprofile01
set security policies from-zone utm_clients to-zone mgmt policy 1 then permit application-services utm-policy mypolicy
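One way to review the sample profile before reusing it, as an added example (not Juniper's code): the script lists the site-reputation levels and fallback conditions whose action still lets traffic through. Treating "suspicious" and "harmful" as the levels to review, and every permitting fallback as fail-open, is an assumption of this example; the statements are rebuilt from the quick configuration above.

```python
import re

PREFIX = "set security utm feature-profile web-filtering juniper-enhanced profile "
# Profile statements taken from the CLI Quick Configuration, rebuilt from PREFIX.
SAMPLE = [PREFIX + "my_ewfprofile01 " + s for s in (
    "category Enhanced_Business_and_Economy action block",
    "site-reputation-action very-safe log-and-permit",
    "site-reputation-action suspicious log-and-permit",
    "site-reputation-action harmful log-and-permit",
    "default log-and-permit",
    "fallback-settings default log-and-permit",
    "fallback-settings server-connectivity log-and-permit",
    "fallback-settings timeout log-and-permit",
    "fallback-settings too-many-requests log-and-permit",
)]

PERMITTING = {"permit", "log-and-permit"}
RISKY_REPUTATION = {"suspicious", "harmful"}  # review criterion assumed for this example

STATEMENT = re.compile(
    re.escape(PREFIX) + r"(?P<profile>\S+)\s+"
    r"(?:(?P<rep>site-reputation-action)\s+(?P<level>\S+)"
    r"|(?P<fb>fallback-settings)\s+(?P<cond>\S+))\s+(?P<action>\S+)\s*$")

def audit(lines):
    """Return (profile, kind, name, action) for each permitting statement to review."""
    findings = []
    for line in lines:
        m = STATEMENT.match(line.strip())
        if not m or m["action"] not in PERMITTING:
            continue  # other statements, or an action that blocks
        if m["rep"] and m["level"] in RISKY_REPUTATION:
            findings.append((m["profile"], "reputation", m["level"], m["action"]))
        elif m["fb"]:
            # The request is allowed even though no verdict was obtained (fail-open).
            findings.append((m["profile"], "fallback", m["cond"], m["action"]))
    return findings

if __name__ == "__main__":
    for profile, kind, name, action in audit(SAMPLE):
        print(f"{profile}: {kind} {name} -> {action}")
```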
Verification:
- Once the configuration is committed, check the web-filtering server status:
root@host> show security utm web-filtering status
UTM web-filtering status:
    Server status: Juniper Enhanced using Websense server UP
- After the web pages are fetched, the web-filtering statistics increase:
root@host> show security utm web-filtering statistics
UTM web-filtering statistics:
    Total requests:                     5
    white list hit:                     0
    Black list hit:                     0
    Queries to server:                  5
    Server reply permit:                5
    Server reply block:                 0
    Custom category permit:             0
    Custom category block:              0
    Site reputation permit:             0
    Site reputation block:              0
    Cache hit permit:                   0
    Cache hit block:                    0
    Safe-search redirect:               0
    Web-filtering sessions in total:    8000
    Web-filtering sessions in use:      0
    Fallback:            log-and-permit    block
        Default                       0        0
        Timeout                       0        0
        Connectivity                  0        0
        Too-many-requests             0        0
- When logging is enabled, the following messages are seen in the logs:
Dec 16 10:34:13 host utmd[1258]: WEBFILTER_SERVER_CONNECTED: Successfully connected to webfilter server cluster-k.cloud.threatseeker.com
Dec 16 10:34:13 host utmd[1258]: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.40.4(52248)->66.211.181.181(80) CATEGORY="N/A" REASON="by other category" PROFILE="my_ewfprofile01" URL=www.ebay.com OBJ=/
Dec 16 10:34:13 host utmd[1258]: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.40.4(52249)->66.211.181.29(80) CATEGORY="N/A" REASON="by other category" PROFILE="my_ewfprofile01" URL=hp.mobileweb.ebay.com OBJ=/home
Dec 16 10:34:14 host utmd[1258]: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.40.4(52251)->128.241.217.187(80) CATEGORY="N/A" REASON="by other category" PROFILE="my_ewfprofile01" URL=thumbs2.ebaystatic.com OBJ=/pict/3006382983738080_2.jpg
Dec 16 10:34:14 host utmd[1258]: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.40.4(52252)->128.241.217.187(80) CATEGORY="N/A" REASON="by other category" PROFILE="my_ewfprofile01" URL=thumbs1.ebaystatic.com OBJ=/pict/2509547309448080_1.jpg
Dec 16 10:34:14 host utmd[1258]: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.40.4(52250)->8.254.8.126(80) CATEGORY="N/A" REASON="by other category" PROFILE="my_ewfprofile01" URL=i.ebayimg.com OBJ=/00/$(kgrhqj,!l4e64bnsg1sbo6q9lgg-w~~_14.jpg
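A parser for the log format shown above, as an added example (not part of the original article): it extracts the fields of each WEBFILTER_URL_* message and tallies requests per client, action and category. The first two sample lines are copied from the excerpt; the blocked line is constructed and assumes blocked requests use the same field layout.

```python
import re
from collections import Counter

# Lines 1, 2 and 4 come from the article; line 3 is constructed for this example.
SAMPLE_LOG = '''\
Dec 16 10:34:13 host utmd[1258]: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.40.4(52248)->66.211.181.181(80) CATEGORY="N/A" REASON="by other category" PROFILE="my_ewfprofile01" URL=www.ebay.com OBJ=/
Dec 16 10:34:14 host utmd[1258]: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.40.4(52250)->8.254.8.126(80) CATEGORY="N/A" REASON="by other category" PROFILE="my_ewfprofile01" URL=i.ebayimg.com OBJ=/00/$(kgrhqj,!l4e64bnsg1sbo6q9lgg-w~~_14.jpg
Dec 16 10:35:02 host utmd[1258]: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.168.40.9(40100)->192.0.2.10(80) CATEGORY="Enhanced_Business_and_Economy" REASON="constructed sample" PROFILE="my_ewfprofile01" URL=blocked.example OBJ=/
Dec 16 10:34:13 host utmd[1258]: WEBFILTER_SERVER_CONNECTED: Successfully connected to webfilter server cluster-k.cloud.threatseeker.com
'''

EVENT = re.compile(
    r'(?P<tag>WEBFILTER_URL_\w+): WebFilter: ACTION="(?P<action>[^"]*)" '
    r'(?P<src>[\d.]+)\((?P<sport>\d+)\)->(?P<dst>[\d.]+)\((?P<dport>\d+)\) '
    r'CATEGORY="(?P<category>[^"]*)" REASON="(?P<reason>[^"]*)" '
    r'PROFILE="(?P<profile>[^"]*)" URL=(?P<url>\S+) OBJ=(?P<obj>.*)$')

def parse(text):
    """Return one dict per URL decision; other utmd messages are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return events

def summarize(events):
    """Count decisions per (client address, action, category)."""
    return Counter((e["src"], e["action"], e["category"]) for e in events)

if __name__ == "__main__":
    for (src, action, category), n in summarize(parse(SAMPLE_LOG)).items():
        print(f"{src:15} {action:14} {category:32} {n}")
```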
Technical Documentation:
UTM Web Filtering Feature Guide for Security Devices - See 'Enhanced Web Filtering' links
Troubleshooting:
Refer to a checklist of common errors here:
KB25680 - UTM (Unified Threat Management) Troubleshooting Checklist
Also, the following traceoptions are used for advanced troubleshooting:
set security utm traceoptions flag all
set security utm feature-profile web-filtering traceoptions flag all
Note: The 'security utm traceoptions' are logged in the /var/log/utmd file, and the 'security utm web-filtering traceoptions' are logged in the /var/log/utmd-wf file.