
[SRX] EWF blocking based on 'Server Name indication' extension does not work with Unified policies


Article ID: KB36785    Last Updated: 24 Apr 2021    Version: 1.0
Summary:

Starting from Junos OS release 18.2R1, unified policies are supported on SRX devices, enabling granular control and enforcement of dynamic Layer 7 applications within the traditional security policy. However, when unified policies are combined with an EWF (Enhanced Web Filtering) policy that blocks HTTPS sites based on the SNI (Server Name Indication) extension, the HTTPS websites may not be blocked as expected. Refer to KB31122 - Blocking HTTPS sites using EWF.

This article demonstrates the default behavior of unified policies when handling EWF with SNI-based HTTPS URL filtering.

Symptoms:

Consider the following example, in which unified policies are deployed with a UTM EWF policy to block an HTTPS site based on SNI:

security {
    utm {
        custom-objects {
            url-pattern {
                blacklist {
                    value https://www.juniper.net;
                }
            }
            custom-url-category {
                blocked_websites {
                    value blacklist;
                }
            }
        }
        feature-profile {
            web-filtering {
                url-blacklist blocked_websites;
                type juniper-enhanced;
                juniper-enhanced {
                    server {
                        host rp.cloud.threatseeker.com;
                        port 80;
                    }
                }
            }
        }
        utm-policy utm1 {
            web-filtering {
                http-profile Webfilter_Policy;
            }
        }
    }
}

[edit security policies from-zone trust to-zone untrust]

     policy Internet {
         match {
             source-address any;
             destination-address any;
             application junos-defaults;
             dynamic-application any;
         }
         then {
             permit {
                 application-services {
                     utm-policy utm1;
                 }
             }
         }
     }

The above configuration is expected to block https://www.juniper.net. However, when a client attempts to access https://www.juniper.net, the firewall does not block the access.

Cause:
  • Unified policies are security policies that accept dynamic applications as match conditions, in addition to the existing 5-tuple or 6-tuple (5-tuple plus user firewall) match conditions, so that application changes can be detected over time.
  • Unified policies allow a dynamic application to be used as a policy match criterion.
  • When Application Identification (AppID) is applied to the traffic, AppID inspects several packets and identifies the application.
  • After the application is identified, the final policy is applied to the session. The policy actions, such as permit, deny, reject, or redirect, are applied to the traffic as specified by that policy.
  • During the initial policy lookup phase, which occurs before a dynamic application has been identified, if there are multiple policies in the potential policy list, the SRX Series device applies the default security policy until a more explicit match has occurred. The policy that best matches the application is the final policy.
  • In the case of HTTPS traffic, EWF takes action based on SNI before the final matching policy is found, and until that final policy is identified EWF acts according to the global default UTM policy. By default, the global default UTM policy is the NULL UTM policy, whose default action for all categories is log-and-permit.
  • Because of this default behavior, HTTPS websites are not blocked according to the configured utm-policy.

Solution:

The solution is to configure the category action in the global default UTM configuration (the default-configuration hierarchy), as follows:

set security utm default-configuration web-filtering juniper-enhanced category blocked_websites action block
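As an added audit example (not part of this article and not Juniper code), the script below scans a Junos configuration in "set" format for unified policies that apply a UTM policy and reports any url-blacklist category that still lacks the default-configuration block action described above. The sample configuration is constructed from the hierarchy shown in this article, and the regular expressions assume standard "show configuration | display set" output.

```python
import re

# Constructed sample in Junos "set" format, flattened from the hierarchy
# the article shows. No default-configuration category action is present,
# so the audit should report the missing command.
SAMPLE_CONFIG = """
set security utm custom-objects url-pattern blacklist value https://www.juniper.net
set security utm custom-objects custom-url-category blocked_websites value blacklist
set security utm feature-profile web-filtering url-blacklist blocked_websites
set security utm feature-profile web-filtering type juniper-enhanced
set security utm utm-policy utm1 web-filtering http-profile Webfilter_Policy
set security policies from-zone trust to-zone untrust policy Internet match dynamic-application any
set security policies from-zone trust to-zone untrust policy Internet then permit application-services utm-policy utm1
"""

# The remediation command from the Solution section, parameterised on the category name.
FIX_LINE = ("set security utm default-configuration web-filtering "
            "juniper-enhanced category {cat} action block")

BLACKLIST_RE = re.compile(r"set security utm feature-profile web-filtering url-blacklist (\S+)$")
DEFAULT_BLOCK_RE = re.compile(r"set security utm default-configuration web-filtering "
                              r"juniper-enhanced category (\S+) action block$")
POLICY_RE = re.compile(r"set security policies (.+? policy \S+) (match|then) (.*)$")


def audit(config_text):
    """Return (affected, fixes): unified policies that apply a UTM policy
    (policy path -> utm-policy name) and the default-configuration commands
    still missing for each url-blacklist category. Only unified policies
    (those matching on dynamic-application) are at risk, because EWF enforces
    the global default UTM policy until the final policy match is known."""
    blacklist_cats, blocked_by_default = set(), set()
    unified, utm_of = set(), {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := BLACKLIST_RE.match(line):
            blacklist_cats.add(m.group(1))
        elif m := DEFAULT_BLOCK_RE.match(line):
            blocked_by_default.add(m.group(1))
        elif m := POLICY_RE.match(line):
            path, keyword, rest = m.groups()
            if keyword == "match" and rest.startswith("dynamic-application "):
                unified.add(path)
            elif keyword == "then" and "application-services utm-policy " in rest:
                utm_of[path] = rest.split("application-services utm-policy ", 1)[1].split()[0]
    affected = {p: utm_of[p] for p in sorted(unified) if p in utm_of}
    if not affected:
        return affected, []  # classic policies are not affected by this behavior
    fixes = [FIX_LINE.format(cat=c) for c in sorted(blacklist_cats - blocked_by_default)]
    return affected, fixes


if __name__ == "__main__":
    affected, fixes = audit(SAMPLE_CONFIG)
    for path, utm in affected.items():
        print(f"unified policy '{path}' applies utm-policy {utm}")
    for cmd in fixes:
        print("missing:", cmd)
```

Once the command it reports has been committed, re-running the audit against the new configuration returns an empty list of fixes.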