SRX UTM Web Filtering
On SRX, you can configure different types of web filtering. In this post, I would like to cover:
- Local Web Filtering
- Enhanced Web Filtering
The topology of our setup is shown below. We will filter the HTTP requests sent by the PC towards the Internet.
Local Web Filtering
In this type of web filtering, the URL filters are configured locally on the device. It requires a bit of configuration, but you will see that it becomes intuitive once you have configured it a few times.
First, create some custom objects:
[edit security utm]
root@srx# show custom-objects
url-pattern {
    blocked-urls {
        value http://rtoodtoo.com;
    }
    allowed-urls {
        value https://rtodto.net;
    }
}
custom-url-category {
    bad-sites {
        value blocked-urls;
    }
    good-sites {
        value allowed-urls;
    }
}
As you can see, we create our objects (URLs or patterns) under url-pattern and
reference them under custom-url-category.
Now we create a feature profile in which we reference our local URL categories along
with the fallback settings:
[edit security utm]
root@srx# show feature-profile
web-filtering {
    url-whitelist good-sites;
    url-blacklist bad-sites;
    type juniper-local;
    juniper-local {
        profile wf-local {
            custom-block-message "Juniper UTM firewall blocked this request";
            fallback-settings {
                default log-and-permit;
                server-connectivity block;
                timeout block;
                too-many-requests block;
            }
        }
    }
}
“type juniper-local” is an important statement that we need to understand:
a device can hold profiles for several web filtering types (e.g. juniper-enhanced), and this
statement tells Junos which one is the active one. Note also that “default log-and-permit”
under fallback-settings means that a request is permitted (and logged) whenever the filter
cannot return a verdict; use “block” there if you prefer to fail closed.
Now we need to assign this local profile to a UTM policy, e.g. wf-local:
[edit security utm]
root@srx# show utm-policy wf-local
web-filtering {
    http-profile wf-local;
}
We are almost done. The UTM configuration is finished, but it has not yet been assigned
to the security policy from the TRUST zone to the INTERNET zone. Until you assign
it to a policy, no action will be taken.
[edit]
root@srx# show security policies
from-zone TRUST to-zone INTERNET {
    policy trust-internet {
        match {
            source-address n172.4.1.4_30;
            destination-address any;
            application [ junos-http junos-dns-udp junos-ping ];
        }
        then {
            permit {
                application-services {
                    utm-policy wf-local;
                }
            }
        }
    }
}
Now the UTM policy wf-local is applied to this particular traffic, and we are ready
to filter requests. Because the policy matches only junos-http (plus DNS and ping), it is the
plain HTTP requests that reach the web filter.
If the client PC tries to access the site http://rtoodtoo.com, it will receive the
“Juniper UTM firewall blocked this request” message defined in custom-block-message.
Enhanced Web Filtering
Enhanced web filtering comes with built-in categories. You simply pick the ones you
want and set the action. Here we block games and shopping sites and permit all others:
[edit security utm feature-profile web-filtering]
root@srx# show juniper-enhanced
profile wf-enhanced {
    category {
        Enhanced_Games {
            action block;
        }
        Enhanced_Shopping {
            action block;
        }
    }
    default log-and-permit;
    custom-block-message "Juniper UTM firewall blocked this request";
    fallback-settings {
        default log-and-permit;
        server-connectivity block;
    }
    timeout 180;
}
If you configured local web filtering in the previous step, the web filtering type on the SRX
is still set to juniper-local. We must now change it to juniper-enhanced as below:
[edit security utm feature-profile web-filtering]
root@srx# set type juniper-enhanced
Create a new UTM policy referencing the enhanced profile:
[edit security utm]
root@srx# show utm-policy wf-enhanced
web-filtering {
    http-profile wf-enhanced;
}
The configuration is ready; only assigning the policy is left.
[edit security policies from-zone TRUST to-zone INTERNET]
root@srx# show
policy trust-internet {
    match {
        source-address n172.4.1.4_30;
        destination-address any;
        application [ junos-http junos-dns-udp junos-ping ];
    }
    then {
        permit {
            application-services {
                utm-policy wf-enhanced;
            }
        }
    }
}
Now the enhanced UTM policy wf-enhanced is assigned under the security policy.
If you try to access a shopping site, you will now receive the following error
(I don’t want to name any shopping site here :)):
Juniper UTM firewall blocked this request
CATEGORY: Enhanced_Shopping
REASON: BY_PRE_DEFINED
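The whole configuration from both sections, re-expressed in set form so that it can be pasted at the [edit] prompt in one go. This is an added example and not a listing from the original post; it assumes the zone names, the address book entry n172.4.1.4_30 and the profile names used above. Both profiles are kept in the candidate configuration, and the final state is the enhanced one: “type juniper-enhanced” selects the active engine and the security policy references utm-policy wf-enhanced. To go back to local filtering, change the type to juniper-local and point the security policy at utm-policy wf-local.

```junos
set security utm custom-objects url-pattern blocked-urls value http://rtoodtoo.com
set security utm custom-objects url-pattern allowed-urls value https://rtodto.net
set security utm custom-objects custom-url-category bad-sites value blocked-urls
set security utm custom-objects custom-url-category good-sites value allowed-urls

set security utm feature-profile web-filtering url-whitelist good-sites
set security utm feature-profile web-filtering url-blacklist bad-sites
set security utm feature-profile web-filtering juniper-local profile wf-local custom-block-message "Juniper UTM firewall blocked this request"
set security utm feature-profile web-filtering juniper-local profile wf-local fallback-settings default log-and-permit
set security utm feature-profile web-filtering juniper-local profile wf-local fallback-settings server-connectivity block
set security utm feature-profile web-filtering juniper-local profile wf-local fallback-settings timeout block
set security utm feature-profile web-filtering juniper-local profile wf-local fallback-settings too-many-requests block

set security utm feature-profile web-filtering juniper-enhanced profile wf-enhanced category Enhanced_Games action block
set security utm feature-profile web-filtering juniper-enhanced profile wf-enhanced category Enhanced_Shopping action block
set security utm feature-profile web-filtering juniper-enhanced profile wf-enhanced default log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile wf-enhanced custom-block-message "Juniper UTM firewall blocked this request"
set security utm feature-profile web-filtering juniper-enhanced profile wf-enhanced fallback-settings default log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile wf-enhanced fallback-settings server-connectivity block
set security utm feature-profile web-filtering juniper-enhanced profile wf-enhanced timeout 180

set security utm feature-profile web-filtering type juniper-enhanced

set security utm utm-policy wf-local web-filtering http-profile wf-local
set security utm utm-policy wf-enhanced web-filtering http-profile wf-enhanced

set security policies from-zone TRUST to-zone INTERNET policy trust-internet match source-address n172.4.1.4_30
set security policies from-zone TRUST to-zone INTERNET policy trust-internet match destination-address any
set security policies from-zone TRUST to-zone INTERNET policy trust-internet match application [ junos-http junos-dns-udp junos-ping ]
set security policies from-zone TRUST to-zone INTERNET policy trust-internet then permit application-services utm-policy wf-enhanced

commit check
commit and-quit
```

“commit check” validates the candidate configuration before anything takes effect. Keep in mind that enhanced web filtering needs a valid license and reachability to the cloud category service, which is exactly the case the “server-connectivity block” fallback covers: with it set to block, losing that reachability fails closed rather than silently permitting everything.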
If you want to see the statistics and status of web filtering, run the following
operational commands:
> show security utm web-filtering statistics
> show security utm web-filtering status
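A small client-side check that complements the operational commands above: it fetches a list of URLs from the PC behind the SRX and classifies each reply as an SRX block page or as permitted content, for both the local profile (custom-block-message only) and the enhanced profile (message plus CATEGORY/REASON lines, as in the block page shown above). This is an added example, not code from the original post or from Juniper. It assumes the block page is served as text containing the custom-block-message verbatim, and the SAMPLE_* bodies are constructed for offline use, not captures from a real device.

```python
"""Client-side check of the SRX web-filtering policy.

Added example, not code from the original post. Run it on the client PC behind
the SRX: every URL in EXPECTATIONS is fetched over plain HTTP and the reply is
classified as an SRX block page (it carries the configured custom-block-message
and, for juniper-enhanced, CATEGORY/REASON lines) or as permitted content.
The SAMPLE_* bodies are constructed for offline use and are not captures.
"""
import re
import urllib.error
import urllib.request

# Must match custom-block-message in the web-filtering profile.
BLOCK_MESSAGE = "Juniper UTM firewall blocked this request"

# URL -> True if the policy must block it, False if it must be permitted.
# rtoodtoo.com is on the url-blacklist; rtodto.net is on the url-whitelist.
EXPECTATIONS = {
    "http://rtoodtoo.com": True,
    "http://rtodto.net": False,
}

# Constructed sample bodies (assumption: the block page is served as text
# containing the message verbatim, as the post describes).
SAMPLE_LOCAL_BLOCK = "Juniper UTM firewall blocked this request"
SAMPLE_ENHANCED_BLOCK = (
    "Juniper UTM firewall blocked this request\n"
    "CATEGORY: Enhanced_Shopping\n"
    "REASON: BY_PRE_DEFINED\n"
)
SAMPLE_ALLOWED = "<html><body>Welcome to rtodto.net</body></html>"


def classify(body, block_message=BLOCK_MESSAGE):
    """Return a verdict dict for one HTTP response body.

    blocked  - True when the SRX block page came back instead of the site
    category - Enhanced_* category from the block page (juniper-enhanced only)
    reason   - REASON field from the block page, e.g. BY_PRE_DEFINED
    """
    if block_message not in body:
        return {"blocked": False, "category": None, "reason": None}
    category = re.search(r"CATEGORY:\s*(\S+)", body)
    reason = re.search(r"REASON:\s*(\S+)", body)
    return {
        "blocked": True,
        "category": category.group(1) if category else None,
        "reason": reason.group(1) if reason else None,
    }


def fetch(url, timeout=5.0):
    """GET a URL over plain HTTP and return the body as text.

    A block page may be delivered with a non-2xx status, so the body of an
    HTTPError is returned instead of raising.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def run_checks(expectations, fetcher=fetch):
    """Fetch every URL and return the list of mismatches.

    Each mismatch is (url, expected_blocked, verdict); an empty list means
    the policy behaves as expected for every URL.
    """
    mismatches = []
    for url, must_block in expectations.items():
        verdict = classify(fetcher(url))
        if verdict["blocked"] != must_block:
            mismatches.append((url, must_block, verdict))
    return mismatches


def offline_demo():
    """Exercise run_checks against the constructed samples (no network)."""
    canned = {
        "http://rtoodtoo.com": SAMPLE_LOCAL_BLOCK,
        "http://rtodto.net": SAMPLE_ALLOWED,
    }
    return run_checks(EXPECTATIONS, fetcher=lambda url: canned[url])


if __name__ == "__main__":
    # On the client PC, call run_checks(EXPECTATIONS) to go through the SRX.
    for url, expected, verdict in offline_demo():
        print("MISMATCH", url, "expected blocked =", expected, verdict)
    print("offline demo mismatches:", len(offline_demo()))
```

Use http:// URLs only: the security policy above permits junos-http, and the web filter reads the URL from the plain HTTP request. A mismatch for a URL that should be blocked usually means the UTM policy is not attached to the security policy that the traffic actually hits, or that the fallback action permitted the request; the statistics command shows which.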
Thanks a lot, poster, this is really a good article to read. And I find your blog fantastic.
Thanks Paul.
Thanks for this, here’s a guide using the GUI for people who need to train other people!
http://pariswells.com/blog/random/using-the-juniper-gui-for-utm-block-and-allow-surf-control-web-filtering