
[SRX] Blocking HTTPS sites using EWF (Enhanced Web Filtering)


Article ID: KB31122
Last Updated: 03 Mar 2020
Version: 5.0
Summary:

This article describes how to block HTTPS sites with EWF (Enhanced Web Filtering) using either the Server Name Indication (SNI) field of the TLS ClientHello or the SSL forward proxy feature available on the device.

Traditionally, blocking HTTPS sites on an SRX device with EWF was unreliable for sites that use dynamic or shared IP addresses. The SRX device took the destination IP address of the HTTPS connection and sent it to the Websense ThreatSeeker Cloud (TSC), which returned a category for that address if it had one. Based on the local action defined for that category, the HTTPS request was blocked or allowed. However, the IP address that DNS returns for the site may differ from the one in the TSC server database; if it resolves to an address that is not in the database, or that belongs to a different category than the site's URL, web filtering does not match it.

A block list lets you configure the IP addresses of sites to be blocked, but it is not effective when a website's IP address changes. Newer releases can instead use the Server Name Indication (SNI) field to block the TLS handshake, or use the SSL proxy feature to decrypt the session, extract the URL from the HTTPS request, and block the URL accurately.

 

Cause:

HTTPS traffic is encrypted end to end between the client and the web server, so an intermediate device cannot read the HTTP request inside it (for example the GET line that carries the URL path).

To filter by site, the SRX device must therefore either act on what is still visible in clear text at the start of the handshake (the SNI) and break the handshake, or terminate the TLS connection itself (SSL forward proxy) so that it can read the request.

 

Solution:

Before Junos OS 12.3X48-D25, the SRX device could block HTTPS websites only by the IP addresses of the connection, because the communication between the PC and the web server is encrypted and the SRX device cannot decrypt it. If the IP address and the URL belonged to two different categories (based on Websense's response), the block did not work as expected.

Newer Junos OS releases support two methods to block HTTPS sites on SRX Series devices:

  • Server Name Indication (SNI) Support

  • SSL Forward Proxy

Server Name Indication (SNI) Support:

Server Name Indication (SNI) is a TLS extension that carries the destination server's host name in the ClientHello message, in clear text, before the handshake is complete. (Clients that negotiate Encrypted Client Hello hide this field, so those connections fall back to the IP-based lookup.)

The SRX device uses this server name together with the destination IP address to query the web filtering service.

Support for SNI with EWF is available on the SRX platform from Junos OS 12.3X48-D45 and 15.1X49-D80 onwards.

Because only the server name is visible during the handshake, this method cannot block specific links (URL paths) within a website.

For more granular filtering you have to deploy SSL forward proxy.

The SNI carries no prefix such as http:// or https:// and no path. When configuring a custom block list for SNI matching, enter only the server name as it appears in the SNI.

Example:

root@SRX# set security utm custom-objects url-pattern black-list value play.google.com
root@SRX# set security utm custom-objects url-pattern black-list value mail.google.com

Note: Use Wireshark (display filter tls.handshake.extensions_server_name) to capture the HTTPS handshake for the site in question and copy the exact server name from the SNI extension in the ClientHello message. Embedded resources loaded from other hosts (CDNs, API endpoints) carry their own SNI and need their own entries. The url-pattern must then be added to a custom-url-category, and that category referenced in the juniper-enhanced profile with action block.

Refer to the UTM feature documentation for more information.
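As an added illustration (not from the article or Juniper), the following Python script builds a constructed TLS ClientHello, extracts the server name from its SNI extension the way an in-path filtering device must, and normalises block-list entries to the bare host name. All function names, the sample cipher suites and host names are the example's own assumptions. It shows that only the host name, never the URL path, is available at this stage, and that a ClientHello without SNI (or any non-ClientHello record) yields nothing to match on.

```python
"""Read the Server Name Indication (SNI) from a TLS ClientHello.

Added example, not Juniper's or the article's code. It demonstrates what an
in-path device such as the SRX can see before the TLS handshake completes:
the host name only, never the URL path. All names and sample values here are
the example's own assumptions.
"""
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name extension
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(server_name=None):
    """Build a minimal, constructed TLS 1.2 ClientHello record (sample input only)."""
    body = b"\x03\x03" + b"\x11" * 32                       # client_version + random
    body += b"\x00"                                         # empty session_id
    body += struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"      # two cipher suites
    body += b"\x01\x00"                                     # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")                  # SNI host names are ASCII (A-labels)
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    # An unrelated extension after (or instead of) SNI, so the parser has to walk the list.
    extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record):
    """Return the host name from the SNI extension, or None.

    None means the bytes are not a ClientHello, are truncated, or carry no SNI;
    in all of those cases a filter has nothing but the destination IP to go on.
    """
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        pos = 4 + 2 + 32                                    # msg header, version, random
        pos += 1 + hs[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                                  # compression_methods
        if pos + 2 > len(hs):
            return None                                     # no extensions block at all
        (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_body_len = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_body_len]
            pos += 4 + ext_body_len
            if ext_type != EXT_SERVER_NAME:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                (name_len,) = struct.unpack("!H", data[p + 1:p + 3])
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def sni_pattern(value):
    """Reduce a block-list entry to the bare host name an SNI can match."""
    value = value.strip().lower()
    for scheme in ("https://", "http://"):
        if value.startswith(scheme):
            value = value[len(scheme):]
    return value.split("/", 1)[0].split(":", 1)[0]


def sni_blocked(record, patterns):
    """True when the ClientHello names a host on the block list (exact match)."""
    host = extract_sni(record)
    if host is None:
        return False
    return host.lower() in {sni_pattern(p) for p in patterns}


if __name__ == "__main__":
    blocklist = ["play.google.com", "https://mail.google.com/mail/"]
    for host in ("mail.google.com", "www.google.com", None):
        hello = build_client_hello(host)
        verdict = "blocked" if sni_blocked(hello, blocklist) else "allowed"
        print(host, "->", extract_sni(hello), verdict)
```

The parser walks the extension list rather than assuming SNI comes first, and treats any truncated or non-ClientHello record as "no name available", which is the same situation the SRX is in when a client sends no SNI: only the destination IP remains for the category lookup.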

SSL Forward Proxy:

SSL forward proxy lets the device split a single TLS connection between two endpoints into two halves: PC to SRX (acting as the proxy) and SRX to web server. Between the two halves the SRX sees the HTTP request in clear text.

From Junos OS 12.3X48-D25 onwards, SRX Series devices (except vSRX) can integrate SSL proxy with the EWF feature.

From Junos OS 15.1X49-D40 onwards, SSL proxy integration with EWF lets the listed platforms (SRX340, SRX345, SRX5400, SRX5600, SRX5800 and vSRX instances) extract the URL from the HTTPS connection. Refer to the Junos 15.1X49 Release Notes, page 12.

Refer to Configuring SSL Proxy for the method to implement SSL proxy on the device.

The following example uses the SRX device's own self-signed certificate as the root CA and loads the default bundle of public CA certificates onto the device, as described in the link above. For alternative methods, refer to the SSL proxy documentation.

  1. Set up the network (PCs) to terminate the SSL connection on the SRX device instead of the actual public website:

    Generate the SRX device's own Root CA, which is used to terminate the PC's connection on the SRX device.

    root@SRX# run request security pki generate-key-pair certificate-id SRXasCA size 2048 type rsa
    Generated key pair SRXasCA, key size 2048 bits

    root@SRX# run file list /cf/var/db/certs/common/key-pair
    /cf/var/db/certs/common/key-pair:
    SRXasCA.priv

    root@SRX# run request security pki local-certificate generate-self-signed certificate-id SRXasCA domain-name srx.juniper.com subject "CN=SRX-Lab,O=JUNIPER,L=Chennai,ST=TN,C=IN" email support@juniper.com add-ca-constraint
    Self-signed certificate generated and loaded successfully

    root@SRX# run file list /cf/var/db/certs/common/local/

    /cf/var/db/certs/common/local/:
    SRXasCA.cert

    root@SRX# run show security pki local-certificate certificate-id SRXasCA detail
    Certificate identifier: SRXasCA
    Certificate version: 3
    Serial number: 2c7d42729eada2a6eed3c8963abca4ac
    Issuer:
    Organization: JUNIPER, Country: IN, State: TN, Locality: Chennai, Common name: SRX-Lab
    Subject:
    Organization: JUNIPER, Country: IN, State: TN, Locality: Chennai, Common name: SRX-Lab
    Subject string:
    CN=SRX-Lab, O=JUNIPER, L=Chennai, ST=TN, C=IN
    Alternate subject: "support@juniper.com", srx.juniper.com, ip empty
    Validity:
    Not before: 08-13-2016 15:08 UTC
    Not after: 08-12-2021 15:08 UTC
    Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:e2:2c:bf:9f:83:85:0e:80:1d:e7:c2
    da:9a:38:41:73:33:8a:d3:03:f2:23:28:69:aa:29:73:6b:e4:3f:6b
    60:7c:d9:d4:1e:2b:53:0e:42:4b:f7:ba:fe:d4:a6:ba:ff:18:ca:e3
    e6:53:8e:c2:44:c0:54:b1:de:d9:91:6c:af:a4:41:f9:c4:58:92:d3
    bf:fe:a1:15:8b:9d:10:ea:e2:32:51:91:80:f5:d2:32:f6:d0:2f:41
    a3:92:5c:74:71:c3:b2:0d:d8:99:51:b4:ec:34:9f:0b:39:fa:52:ca
    22:12:e7:29:5b:43:01:5d:94:7e:52:a2:85:f3:5e:5d:13:09:dc:f4
    0f:b0:58:93:67:b5:4f:4b:e8:7e:1e:cd:ca:07:bb:15:eb:0d:d7:57
    0b:b1:84:61:ed:47:1c:5d:6f:57:16:24:0d:25:a5:ba:fc:af:ff:f0
    b7:5f:f0:00:6c:cd:16:ef:ba:52:ca:79:5a:95:08:01:49:ad:08:fd
    2c:67:de:a4:0a:63:3b:5b:d0:e8:75:b3:20:a4:5c:85:4a:31:c0:7a
    a5:d8:a2:ae:46:67:fe:98:c2:fc:a7:95:0b:5a:d4:86:c2:0d:3c:0b
    3a:b5:5d:7e:97:f4:4e:7a:77:8a:aa:43:72:a9:7b:df:e3:f9:de:da
    60:b5:de:00:5f:02:03:01:00:01
    Signature algorithm: sha1WithRSAEncryption
    Use for key: CRL signing, Certificate signing
    Fingerprint:
    10:f8:d1:99:01:5e:dd:74:1f:ba:6a:08:b3:e5:ce:c5:be:4f:a6:28 (sha1)
    bf:63:4b:83:42:14:24:97:f1:3f:57:34:06:6d:da:f9 (md5)
    Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

    root@SRX# run request security pki local-certificate export certificate-id SRXasCA filename /var/tmp/SRXasCA.pem
    certificate exported successfully

    root@SRX# run file list /var/tmp/SRXasCA.pem detail
    -rw-r--r-- 1 root wheel 1273 Aug 13 15:14 /var/tmp/SRXasCA.pem
    total files: 1

    Install SRXasCA.pem in the browser's (or operating system's) trusted root certificate store.

    Steps: Importing the SRX root certificate into the browser

    NOTE: This root certificate must be installed on ALL client computers. Otherwise users see an HTTPS certificate warning on every site, because the SRX device presents a certificate signed by SRXasCA for every proxied site regardless of which HTTPS site is opened, and the browser's certificate check fails unless that root is trusted. Treat the SRXasCA private key on the SRX as highly sensitive: anyone holding it can issue a certificate for any host name that these clients will accept.

  2. Set up the SRX device to support the SSL connection between the SRX device and the public websites:

    Download the Public Certificates on the SRX device:

    You can manually import the certificates you want or download the default set of certificates that Juniper offers.

    Steps: Loading the public certificates on the SRX

    root@SRX# run request security pki ca-certificate ca-profile-group load ca-group-name TrustedCA filename default
    Do you want to load this CA certificate ? [yes,no] (no) yes

    Loading 155 certificates for group 'TrustedCA'.
    TrustedCA_1: Loading done.
    TrustedCA_2: Loading done.
    TrustedCA_3: Loading done.
    :
    :

    root@SRX# run file list /cf/var/db/certs/common/certification-authority/ | count
    Count: 155 lines

    All CA profiles are automatically added to the PKI hierarchy, which allows the SRX device to understand the certificate information exchanged between the SRX device and the HTTPS sites.

    root@SRX# show security pki | display set
    set security pki ca-profile TrustedCA_1 ca-identity TrustedCA_1
    set security pki ca-profile TrustedCA_2 ca-identity TrustedCA_2
    set security pki ca-profile TrustedCA_3 ca-identity TrustedCA_3
    :
    :

    From Junos OS 15.1X49-D30, CRL checking is enabled by default for any SSL proxy profile on SRX Series devices.

    On Junos OS 12.1X46, 12.3X48 and 15.1X49-D10/D20, however, CRL checks are not supported with SSL proxy, so the revocation check should be disabled on those releases (the SRX will then accept a revoked server certificate; re-enable checking once on a release that supports it). Because there are 155 CA profiles, configuring each one individually is tedious; a configuration group applies the setting to all profiles at once:

    set groups crl-disable-group security pki ca-profile <*> ca-identity <*>
    set groups crl-disable-group security pki ca-profile <*> revocation-check disable
    set security pki apply-groups crl-disable-group
  3. Configure the SRX device to perform SSL Proxy:

    To successfully terminate the SSL connection between the PC and the SRX device:

    set services ssl proxy profile SRXasCA root-ca SRXasCA

    To successfully terminate the SSL connection between the SRX device and the public websites:

    set services ssl proxy profile SRXasCA trusted-ca all

    To make the SRX device perform the proxy, call the SSL proxy profile in the policy where the UTM Policy is configured.

    set security policies from-zone trust to-zone untrust policy Internet match source-address any
    set security policies from-zone trust to-zone untrust policy Internet match destination-address any
    set security policies from-zone trust to-zone untrust policy Internet match application any
    set security policies from-zone trust to-zone untrust policy Internet then permit application-services ssl-proxy profile-name SRXasCA
    set security policies from-zone trust to-zone untrust policy Internet then permit application-services utm-policy Lab-Test
  4. Configure Web filtering to block the sites required:

    set security utm feature-profile web-filtering type juniper-enhanced
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test category Enhanced_Social_Web_Facebook action block
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test category Enhanced_Social_Web_Youtube action block
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test category Enhanced_Social_Web_Twitter action block
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test category Enhanced_Social_Networking_and_Personal_Sites action block
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test category Enhanced_Viral_Video action block
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test category Enhanced_Streaming_Media action block
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test category Enhanced_Games action block
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test site-reputation-action very-safe permit
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test site-reputation-action moderately-safe permit
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test site-reputation-action fairly-safe permit
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test site-reputation-action suspicious block
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test site-reputation-action harmful block
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test default permit
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test custom-block-message "This site is not allowed! GET BACK TO WORK!"
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test fallback-settings default log-and-permit
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test fallback-settings server-connectivity log-and-permit
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test fallback-settings timeout log-and-permit
    set security utm feature-profile web-filtering juniper-enhanced profile Lab-Test fallback-settings too-many-requests log-and-permit
    set security utm utm-policy Lab-Test web-filtering http-profile Lab-Test
    set security utm utm-policy Lab-Test traffic-options sessions-per-client over-limit log-and-permit

    The UTM policy (Lab-Test) was already attached to the security policy in step 3. Note that the fallback-settings above are log-and-permit, so if the ThreatSeeker Cloud is unreachable, times out or is overloaded, traffic in the blocked categories is allowed through (fail-open); set them to block if your policy requires fail-closed behaviour.

Verification:

If syslog is configured on the device as shown, the blocked requests appear in the log file. Because the SSL proxy decrypted the sessions, the entries show the URL path (OBJ) as well as the host name even though the destination port is 443:

set system syslog file blocked-sites any any
set system syslog file blocked-sites match WEBFILTER_URL_BLOCKED
root@SRX# run show log blocked-sites

Aug 13 17:16:36 SRX RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.168.18.50(53220)->216.58.197.78(443) CATEGORY="Enhanced_Social_Web_Youtube" REASON="BY_PRE_DEFINED" PROFILE="Lab-Test" URL=www.youtube.com OBJ=/favicon.ico username N/A roles N/A

Aug 13 17:18:09 SRX RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.168.18.50(53234)->8.254.218.10(443) CATEGORY="Enhanced_Games" REASON="BY_PRE_DEFINED" PROFILE="Lab-Test" URL=www.twitch.tv OBJ=/favicon.ico username N/A roles N/A

Aug 13 17:18:50 SRX RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.168.18.50(53244)->104.244.42.129(443) CATEGORY="Enhanced_Social_Web_Twitter" REASON="BY_PRE_DEFINED" PROFILE="Lab-Test" URL=twitter.com OBJ=/?lang=en username N/A roles N/A
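To turn these logs into something you can check, here is an added Python example (not part of the article or of Juniper's software) that parses WEBFILTER_URL_BLOCKED lines with a regular expression derived from the three entries above and summarises blocks per category and per client. The field names are the example's own; the fourth line in the sample is a constructed, unrelated syslog entry included to show that non-UTM lines are skipped.

```python
"""Parse and summarise WEBFILTER_URL_BLOCKED events from an SRX syslog file.

Added example, not Juniper's code. The regular expression matches the RT_UTM
log format shown in the article's verification output; field names are mine.
"""
import re
from collections import Counter

# The first three lines are the ones shown in the article's verification section.
# The fourth is a constructed, unrelated syslog line used to show that it is ignored.
SAMPLE_LOG = """\
Aug 13 17:16:36 SRX RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.168.18.50(53220)->216.58.197.78(443) CATEGORY="Enhanced_Social_Web_Youtube" REASON="BY_PRE_DEFINED" PROFILE="Lab-Test" URL=www.youtube.com OBJ=/favicon.ico username N/A roles N/A
Aug 13 17:18:09 SRX RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.168.18.50(53234)->8.254.218.10(443) CATEGORY="Enhanced_Games" REASON="BY_PRE_DEFINED" PROFILE="Lab-Test" URL=www.twitch.tv OBJ=/favicon.ico username N/A roles N/A
Aug 13 17:18:50 SRX RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.168.18.50(53244)->104.244.42.129(443) CATEGORY="Enhanced_Social_Web_Twitter" REASON="BY_PRE_DEFINED" PROFILE="Lab-Test" URL=twitter.com OBJ=/?lang=en username N/A roles N/A
Aug 13 17:19:02 SRX mgd[2153]: UI_CMDLINE_READ_LINE: User 'root', command 'show log blocked-sites '
"""

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="(?P<action>[^"]*)" '
    r'(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\)->(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) '
    r'CATEGORY="(?P<category>[^"]*)" REASON="(?P<reason>[^"]*)" PROFILE="(?P<profile>[^"]*)" '
    r'URL=(?P<url>\S+) OBJ=(?P<obj>\S+)'
)


def parse_block_event(line):
    """Return a dict of fields for a WEBFILTER_URL_BLOCKED line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    # A path in OBJ on port 443 is only possible when the SSL proxy decrypted the session;
    # SNI-only inspection exposes the host name and nothing else.
    ev["decrypted_https"] = ev["dst_port"] == 443 and ev["obj"] != ""
    return ev


def parse_log(text):
    """Parse every line of a log file, silently skipping lines that are not block events."""
    return [ev for ev in map(parse_block_event, text.splitlines()) if ev]


def blocks_by_category(events):
    return Counter(ev["category"] for ev in events)


def blocks_by_client(events):
    return Counter(ev["src_ip"] for ev in events)


def blocked_urls(events):
    """Host + path pairs, i.e. what the SSL proxy made visible to EWF."""
    return [ev["url"] + ev["obj"] for ev in events]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("parsed", len(events), "block events")
    for category, n in blocks_by_category(events).most_common():
        print(f"{n:3d}  {category}")
    for client, n in blocks_by_client(events).most_common():
        print(f"{n:3d}  {client}")
    for url in blocked_urls(events):
        print("   ", url)
```

Pointing parse_log at the output of "show log blocked-sites" gives a quick per-category and per-client tally for verifying that the profile blocks what you intended, and the decrypted_https flag distinguishes SSL-proxy blocks (host and path) from what SNI-only inspection could have provided.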

 

Modification History:
  • 2017-10-30: Added SNI-based blocking documentation.

  • 2019-03-18: Updated link to UTM documentation; confirmed content for accuracy.

  • 2019-06-21: Summary updated to include the traditional information.

  • 2020-03-03: Removed step for disabling CRL check.

 
