
[SRX] How to configure Enhanced Web Filtering to block HTTPS traffic via custom objects


Article ID: KB30867 | KB Last Updated: 23 Feb 2020 | Version: 2.0
Summary:

This article explains how to configure Enhanced Web Filtering to block HTTPS traffic by using a custom URL pattern.

For basic information, additional examples, and troubleshooting about Enhanced Web filtering, refer to KB22483 - SRX Getting Started - Enhanced Web Filtering.

Symptoms:

How can I block HTTPS traffic by using Enhanced Web Filtering?

Solution:

This section contains the following topics:
  • Configuration Task Overview
  • CLI Configuration
  • Complete Working Configuration Example
  • Verification

Configuration Task Overview

Configuring Enhanced Web filtering consists of the following tasks:
  • Configuring UTM custom objects and assigning them to categories
  • Configuring Enhanced Web filtering parameters
  • Configuring a UTM policy for HTTP and attaching a Web filtering profile to that policy
  • Attaching the UTM policy to a firewall security policy
Note: Enhanced Web Filtering requires a license. Run the show system license command, and look for wf_key_websense_ewf.

CLI Configuration

The following example activates enhanced Web filtering.

user@host# set security utm feature-profile web-filtering type juniper-enhanced

user@host# set security utm utm-policy custom-utm-policy web-filtering http-profile junos-wf-enhanced-default

user@host# set security policies from-zone trust to-zone untrust policy default-permit then permit application-services utm-policy custom-utm-policy

  1. Configure the device to use the enhanced Web filtering feature.
  2. Create a UTM policy and associate the "junos-wf-enhanced-default" profile to the policy.
  3. Apply the UTM policy to the existing trust-to-untrust security policy.

To configure enhanced Web filtering, create the UTM custom objects first. Custom objects are global parameters for UTM features and apply to all UTM policies where applicable, rather than only to individual policies. In this example, a custom URL black list is put into one category.

user@host# set security utm custom-objects url-pattern blacklist value https://www.juniper.net

user@host# set security utm custom-objects custom-url-category bad value blacklist

  1. Define the custom URL pattern list (blacklist).
  2. Define the custom URL category (bad) by putting the blacklist pattern list into that category.

After creating custom objects, configure the web filtering feature parameters.

user@host# set security utm feature-profile web-filtering type juniper-enhanced

user@host# set security utm feature-profile web-filtering url-blacklist bad

user@host# set security utm feature-profile web-filtering juniper-enhanced server host rp.cloud.threatseeker.com
user@host# set security utm feature-profile web-filtering juniper-enhanced server port 80

  1. Set the type of web-filtering to Juniper-enhanced.
  2. Define the global URL black lists.
  3. Define the Juniper-enhanced server settings.
  4. Define the name server setting:

     user@host# set system name-server 8.8.8.8


Complete Working Configuration Example

version 12.1X46-D40.2;
system {
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
    }
    services {
        ftp;
        web-management {
            http;
        }
    }
    syslog {
        file messages {
            any any;
            match RT_UTM;
        }
    }
}
interfaces {
    fe-0/0/0 {                         
        unit 0 {
            family inet {
                address 10.141.25.99/24;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.141.25.100;
    }
}
security {
    utm {
        custom-objects {
            url-pattern {              
                blacklist {
                    value https://www.juniper.net;
                }
            }
            custom-url-category {
                bad {
                    value blacklist;
                }
            }
        }
        feature-profile {
            web-filtering {
                url-blacklist bad;
                type juniper-enhanced;
                juniper-enhanced {
                    server {
                        host rp.cloud.threatseeker.com;
                        port 80;
                    }
                }
            }
        }
        utm-policy utm1 {              
            web-filtering {
                http-profile junos-wf-enhanced-default;
            }
        }
    }
    nat {
        source {
            rule-set 1 {
                from zone trust;
                to zone untrust;
                rule 1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }                                  
    policies {
        from-zone trust to-zone untrust {
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy utm1;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;               
                }
            }
            interfaces {
                fe-0/0/1.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                fe-0/0/0.0;
            }
        }
    }
}

Note: The IP address that the HTTPS site's DNS name resolves to might differ from the IP address stored in the server database. If the name resolves to a different IP, the request may not match the database entry, and web filtering may not block it.

Verification

user@host> show security utm web-filtering status
UTM web-filtering status: 
Server status: Juniper Enhanced using Websense server UP

*** messages ***
Apr 19 09:04:25 RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.168.1.2(12790)->23.218.10.56(443) CATEGORY="bad" REASON="BY_BLACK_LIST" PROFILE="junos-wf-enhanced-default"  URL=23.218.10.56 OBJ=/ USERNAME=N/A ROLES=N/A
Apr 19 09:04:25 RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.168.1.2(12792)->23.218.10.56(443) CATEGORY="bad" REASON="BY_BLACK_LIST" PROFILE="junos-wf-enhanced-default" URL=23.218.10.56 OBJ=/ USERNAME=N/A ROLES=N/A

  1. Verify the web-filtering server status.
  2. Verify the HTTPS traffic block result. Access https://www.juniper.net from a computer in the trust zone, and run the command monitor start messages | match block on the SRX.
  3. Verify the block list hit result.

     user@host> show security utm web-filtering statistics | match "Black list hit:" 
        Black list hit: 2
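To cross-check the syslog output against the statistics counter above, here is an added Python parser for RT_UTM WEBFILTER_URL_BLOCKED lines (example code, not part of the article). The sample log is constructed from the format shown above; the HTTP block of www.example.com and the sshd line are made up for contrast.

```python
import re
from collections import Counter

# Constructed sample syslog in the RT_UTM format shown in the article; the third
# line (an HTTP block of a hostname) and the sshd line are made up for contrast.
SAMPLE_LOG = """\
Apr 19 09:04:25 RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.168.1.2(12790)->23.218.10.56(443) CATEGORY="bad" REASON="BY_BLACK_LIST" PROFILE="junos-wf-enhanced-default"  URL=23.218.10.56 OBJ=/ USERNAME=N/A ROLES=N/A
Apr 19 09:04:25 RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.168.1.2(12792)->23.218.10.56(443) CATEGORY="bad" REASON="BY_BLACK_LIST" PROFILE="junos-wf-enhanced-default" URL=23.218.10.56 OBJ=/ USERNAME=N/A ROLES=N/A
Apr 19 09:05:01 RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.168.1.3(40012)->203.0.113.9(80) CATEGORY="bad" REASON="BY_BLACK_LIST" PROFILE="junos-wf-enhanced-default" URL=www.example.com OBJ=/index.html USERNAME=N/A ROLES=N/A
Apr 19 09:05:30 sshd[1234]: Accepted password for admin from 192.168.1.10 port 51234 ssh2
"""

# Field layout of a WEBFILTER_URL_BLOCKED line as printed by RT_UTM (double space
# before URL= in some lines is tolerated by the \s+).
LINE_RE = re.compile(
    r'RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="(?P<action>[^"]*)" '
    r'(?P<src>[\d.]+)\((?P<sport>\d+)\)->(?P<dst>[\d.]+)\((?P<dport>\d+)\) '
    r'CATEGORY="(?P<category>[^"]*)" REASON="(?P<reason>[^"]*)" '
    r'PROFILE="(?P<profile>[^"]*)"\s+URL=(?P<url>\S+) OBJ=(?P<obj>\S+)'
)

def parse_block_events(text):
    """Return one dict per WEBFILTER_URL_BLOCKED line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        # In the article's HTTPS log lines the URL= field carries the destination IP,
        # not a hostname. Flag such events so the DNS-vs-database IP mismatch caveat
        # can be checked when an HTTPS site is unexpectedly not blocked.
        ev["matched_by_ip"] = ev["url"] == ev["dst"]
        events.append(ev)
    return events

def summarize(events):
    """Aggregate blocks per flow and per reason, for comparison with the SRX counters."""
    per_flow = Counter((e["src"], f'{e["dst"]}:{e["dport"]}', e["reason"]) for e in events)
    return {
        "total": len(events),
        # should agree with: show security utm web-filtering statistics | match "Black list hit:"
        "blacklist_hits": sum(e["reason"] == "BY_BLACK_LIST" for e in events),
        "matched_by_ip": sum(e["matched_by_ip"] for e in events),
        "per_flow": dict(per_flow),
    }
```

Feed it the output of monitor start messages (or the messages file) and compare blacklist_hits with the Black list hit counter; a flow that is absent from the log but expected to be blocked is the case the note above describes.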
