
Example: Configuring Enhanced Web Filtering

Requirements

Before you begin, you should be familiar with Web Filtering and Enhanced Web Filtering. See Web Filtering Overview and Understanding Enhanced Web Filtering.

Overview

In this example, you configure custom objects and feature profiles.

In the first example configuration, you create a custom object called urllist3 that contains the patterns http://www.juniper.net and 1.2.3.4. The urllist3 custom object is then added to the custom URL category custurl3.

In the second example configuration, you configure the Web filtering feature profile. You set the URL blacklist filtering category to custblacklist, set the whitelist filtering category to custwhitelist, and set the type of Web filtering engine to juniper-enhanced. Then you set the cache size parameters for Web filtering to 500 KB and the cache timeout parameters to 1800.

You name the Enhanced Web Filtering server as rp.cloud.threatseeker.com and enter 80 as the port number for communicating with it. (The default port is 80.) Then you create an Enhanced Web Filtering profile named junos-wf-enhanced-default.

Next you select a category from the included whitelist and blacklist categories or select a custom URL category list you created for filtering against. Then you enter an action (permit, log and permit, block, or quarantine) to go with the filter. You do this as many times as necessary to compile your whitelists and blacklists and their accompanying actions. This example blocks URLs in the Enhanced_Hacking category. You also specify the action to be taken depending on the site reputation returned for the URL if there is no category match found.

Then you enter a custom message to be sent when HTTP requests are blocked. This example configures the device to send an ***access denied*** message. You select a default action (permit, log and permit, block, or quarantine) for this profile for requests that do not match any explicitly configured action. This example sets the default action to block. You select fallback settings (block or log and permit) for this profile, in case errors occur in each configured category. This example sets the fallback settings to block.

You can also define a redirect URL server so that, instead of sending a block page as plain-text HTML, the device sends an HTTP 302 redirect to this redirect server with some special variables embedded in the HTTP redirect Location field. The redirect server can parse these variables and serve a special block page to the client with rich images and formatting. The CLI command hierarchy is as follows:

set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default block-message type custom-redirect-url
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default block-message url http://10.10.121.18

Note: If you configure the security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default block-message statement, then that block-message configuration takes precedence over the security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default custom-block-message configuration.

Finally, you enter a timeout value in seconds. Once this limit is reached, the fail mode (fallback) settings are applied. The default is 15 seconds, and you can enter a value from 0 to 1800 seconds. This example sets the timeout value to 10. You also disable the safe search functionality. By default, search requests have safe-search strings attached to them, and a redirect response is sent to ensure that all search requests are safe or strict.
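The following is an added example, not code from the Juniper page: a simplified model of how an Enhanced Web Filtering profile arrives at one action for one HTTP request, built from the values this example configures (the URL blacklist and whitelist, the custurl3 custom category, the Enhanced_Hacking category action, the site-reputation actions, the default action, and the fallback settings). The order in which the sources of an action are consulted follows the order in which the page lists them (blacklist, whitelist, custom category, predefined category, site reputation, default); treating that list as the device's evaluation order is an assumption of this model, as are the prefix-based pattern matching and the stand-in categorization service, which are hypothetical.

```python
# Added example, not from the Juniper page: a simplified model of how an
# Enhanced Web Filtering profile decides one HTTP request. The match order
# follows the order in which the page lists the sources of an action
# (blacklist, whitelist, custom category, predefined category, site
# reputation, default); using that list as the evaluation order is an
# assumption, as is the prefix-based pattern matching.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, LOG_AND_PERMIT, BLOCK = "permit", "log-and-permit", "block"


class LookupTimeout(Exception):
    """The categorization server did not answer within the profile timeout."""


class LookupUnreachable(Exception):
    """The categorization server could not be reached."""


@dataclass
class Profile:
    url_blacklist: List[str] = field(default_factory=list)                 # url-blacklist
    url_whitelist: List[str] = field(default_factory=list)                 # url-whitelist
    custom_categories: Dict[str, List[str]] = field(default_factory=dict)  # custom-url-category
    category_actions: Dict[str, str] = field(default_factory=dict)         # category <name> action
    reputation_actions: Dict[str, str] = field(default_factory=dict)       # site-reputation-action
    default_action: str = BLOCK                                            # default
    fallback_timeout: str = BLOCK                                          # fallback-settings timeout
    fallback_connectivity: str = BLOCK                                     # fallback-settings server-connectivity


def page_profile() -> Profile:
    """The profile this example configures (junos-wf-enhanced-default plus its lists)."""
    return Profile(
        url_blacklist=["http://www.untrusted.com", "13.13.13.13"],
        url_whitelist=["http://www.trusted.com", "7.7.7.7"],
        custom_categories={"custurl3": ["http://www.juniper.net", "1.2.3.4"]},
        category_actions={"Enhanced_Hacking": LOG_AND_PERMIT},
        reputation_actions={"very-safe": PERMIT, "moderately-safe": LOG_AND_PERMIT,
                            "fairly-safe": LOG_AND_PERMIT, "harmful": BLOCK, "suspicious": BLOCK},
    )


def _matches(url: str, patterns: List[str]) -> bool:
    # Hypothetical simplification: a url-pattern value matches when the
    # request URL starts with it.
    return any(url.startswith(p) for p in patterns)


Lookup = Callable[[str], Tuple[Optional[str], str]]


def decide(profile: Profile, url: str, lookup: Lookup) -> Tuple[str, str]:
    """Return (action, reason). `lookup` stands in for the query to the
    categorization server and returns (predefined category or None, reputation)."""
    if _matches(url, profile.url_blacklist):
        return BLOCK, "url-blacklist"
    if _matches(url, profile.url_whitelist):
        return PERMIT, "url-whitelist"
    for name, patterns in profile.custom_categories.items():
        # A custom category only decides anything if the profile gives it an action.
        if _matches(url, patterns) and name in profile.category_actions:
            return profile.category_actions[name], f"custom-url-category {name}"
    try:
        category, reputation = lookup(url)
    except LookupTimeout:
        return profile.fallback_timeout, "fallback-settings timeout"
    except LookupUnreachable:
        return profile.fallback_connectivity, "fallback-settings server-connectivity"
    if category is not None and category in profile.category_actions:
        return profile.category_actions[category], f"category {category}"
    if reputation in profile.reputation_actions:
        return profile.reputation_actions[reputation], f"site-reputation-action {reputation}"
    return profile.default_action, "default"


# Constructed stand-in for the rp.cloud.threatseeker.com categorization service.
_CLOUD = {
    "http://exploit.example": ("Enhanced_Hacking", "harmful"),
    "http://blog.example": (None, "fairly-safe"),
    "http://odd.example": (None, "unrated"),
}


def fake_lookup(url: str) -> Tuple[Optional[str], str]:
    if url.startswith("http://slow.example"):
        raise LookupTimeout
    if url.startswith("http://down.example"):
        raise LookupUnreachable
    for prefix, answer in _CLOUD.items():
        if url.startswith(prefix):
            return answer
    return (None, "moderately-safe")


if __name__ == "__main__":
    for u in ("http://www.untrusted.com/a", "http://www.trusted.com/b", "http://exploit.example/c",
              "http://blog.example/d", "http://odd.example/e", "http://slow.example/f"):
        print(u, decide(page_profile(), u, fake_lookup))
```

Two details of the model are worth noticing when reviewing a profile: a custom category that has no action configured (custurl3 in this example) never decides anything, so its URLs fall through to the cloud lookup and the reputation actions; and every lookup failure, whether timeout or connectivity, lands on the fallback settings rather than on the default action, which is why the example sets both to block.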

Configuration

Configuring Enhanced Web Filtering Custom Objects

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security utm custom-objects url-pattern urllist3 value http://www.juniper.net
set security utm custom-objects url-pattern urllist3 value 1.2.3.4
set security utm custom-objects url-pattern urllistblack value http://www.untrusted.com
set security utm custom-objects url-pattern urllistblack value 13.13.13.13
set security utm custom-objects url-pattern urllistwhite value http://www.trusted.com
set security utm custom-objects url-pattern urllistwhite value 7.7.7.7
set security utm custom-objects custom-url-category custurl3 value urllist3
set security utm custom-objects custom-url-category custblacklist value urllistblack
set security utm custom-objects custom-url-category custwhitelist value urllistwhite

Warning: A custom category does not take precedence over a predefined category when it has the same name as one of the predefined categories. Do not use for a custom category a name that you have already used for a predefined category.
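The following is an added example, not code from the Juniper page: a pre-commit sanity check over a batch of set security utm commands of the kind pasted above. It flags a custom category whose name collides with a predefined category (the Warning above), a category that references a url-pattern that was never defined, a url-whitelist or url-blacklist that references a custom category that was never defined (the lists are configured in the feature-profile section later in this example), and a url-pattern that no category uses. PREDEFINED is a constructed stand-in for the device's own list of predefined categories (only Enhanced_Hacking is named on the page), and the two sample batches are constructed for the example; the first deliberately misspells the whitelist category where it is defined.

```python
# Added example, not from the Juniper page: a pre-commit sanity check over a
# batch of "set security utm ..." commands. Only one-value-per-command
# url-pattern lines (the Quick Configuration form) are parsed.
import re
from typing import Dict, List

PREDEFINED = {"Enhanced_Hacking", "Enhanced_Government"}  # constructed sample list

PATTERN_RE = re.compile(r"^set security utm custom-objects url-pattern (\S+) value (\S+)$")
CATEGORY_RE = re.compile(r"^set security utm custom-objects custom-url-category (\S+) value (\S+)$")
LIST_RE = re.compile(r"^set security utm feature-profile web-filtering url-(whitelist|blacklist) (\S+)$")


def check_custom_objects(commands: List[str]) -> List[str]:
    """Return a list of problems found; an empty list means the batch is consistent."""
    patterns: Dict[str, List[str]] = {}    # url-pattern name -> values
    categories: Dict[str, List[str]] = {}  # custom-url-category name -> pattern names
    referenced: Dict[str, str] = {}        # category name -> "whitelist" / "blacklist"
    for raw in commands:
        line = raw.strip()
        if m := PATTERN_RE.match(line):
            patterns.setdefault(m[1], []).append(m[2])
        elif m := CATEGORY_RE.match(line):
            categories.setdefault(m[1], []).append(m[2])
        elif m := LIST_RE.match(line):
            referenced[m[2]] = m[1]
    problems: List[str] = []
    for name, members in categories.items():
        if name in PREDEFINED:
            problems.append(f"custom-url-category {name} collides with a predefined category")
        for member in members:
            if member not in patterns:
                problems.append(f"custom-url-category {name} references undefined url-pattern {member}")
    for name, which in referenced.items():
        if name not in categories:
            problems.append(f"url-{which} references undefined custom-url-category {name}")
    used = {m for members in categories.values() for m in members}
    for name in patterns:
        if name not in used:
            problems.append(f"url-pattern {name} is defined but not used by any custom-url-category")
    return problems


# Constructed sample: the custom objects of this example, with the whitelist
# category deliberately misspelled where it is defined (custwhiltelist).
SAMPLE_COMMANDS = [
    "set security utm custom-objects url-pattern urllist3 value http://www.juniper.net",
    "set security utm custom-objects url-pattern urllist3 value 1.2.3.4",
    "set security utm custom-objects url-pattern urllistblack value http://www.untrusted.com",
    "set security utm custom-objects url-pattern urllistblack value 13.13.13.13",
    "set security utm custom-objects url-pattern urllistwhite value http://www.trusted.com",
    "set security utm custom-objects url-pattern urllistwhite value 7.7.7.7",
    "set security utm custom-objects custom-url-category custurl3 value urllist3",
    "set security utm custom-objects custom-url-category custblacklist value urllistblack",
    "set security utm custom-objects custom-url-category custwhiltelist value urllistwhite",
    "set security utm feature-profile web-filtering url-whitelist custwhitelist",
    "set security utm feature-profile web-filtering url-blacklist custblacklist",
]

# Constructed sample: a custom category named after a predefined one, and a
# category whose pattern list was never created.
COLLISION_COMMANDS = [
    "set security utm custom-objects url-pattern urllist3 value http://www.juniper.net",
    "set security utm custom-objects custom-url-category Enhanced_Hacking value urllist3",
    "set security utm custom-objects custom-url-category custblacklist value urllistblack",
]

if __name__ == "__main__":
    for batch in (SAMPLE_COMMANDS, COLLISION_COMMANDS):
        for problem in check_custom_objects(batch) or ["no problems found"]:
            print(problem)
        print("--")
```

A whitelist or blacklist that points at a category name that does not exist silently filters nothing, so a check like this belongs before commit rather than after the first blocked or unexpectedly permitted request.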

Step-by-Step Procedure

To configure the Enhanced Web Filtering custom objects:

  1. Create custom objects and create the URL pattern list.
    [edit security utm]
    user@host# set custom-objects url-pattern urllist3 value [http://www.juniper.net 1.2.3.4]
  2. Configure the custom URL category list custom object using the URL pattern list.
    [edit security utm]
    user@host# set custom-objects custom-url-category custurl3 value urllist3
  3. Create a list of untrusted sites.
    [edit security utm]
    user@host# set custom-objects url-pattern urllistblack value [http://www.untrusted.com 13.13.13.13]
  4. Configure the custom URL category list custom object using the URL pattern list of untrusted sites.
    [edit security utm]
    user@host# set custom-objects custom-url-category custblacklist value urllistblack
  5. Create a list of trusted sites.
    [edit security utm]
    user@host# set custom-objects url-pattern urllistwhite value [http://www.trusted.com 7.7.7.7]
  6. Configure the custom URL category list custom object using the URL pattern list of trusted sites.
    [edit security utm]
    user@host# set custom-objects custom-url-category custwhitelist value urllistwhite

Results

From configuration mode, confirm your configuration by entering the show security utm custom-objects command. If the output does not display the intended configuration, repeat the instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

[edit]
user@host# show security utm custom-objects
url-pattern {
    urllist3 {
        value [ http://www.juniper.net 1.2.3.4 ];
    }
    urllistblack {
        value [ http://www.untrusted.com 13.13.13.13 ];
    }
    urllistwhite {
        value [ http://www.trusted.com 7.7.7.7 ];
    }
}
custom-url-category {
    custurl3 {
        value urllist3;
    }
    custblacklist {
        value urllistblack;
    }
    custwhitelist {
        value urllistwhite;
    }
}

If you are done configuring the device, enter commit from configuration mode.
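The following is an added example, not code from the Juniper page: a small parser for the curly-brace output of show security utm custom-objects, and a check that compares what the device displays against the custom objects this example intends to create, which is the comparison the Results section asks you to make by eye. SAMPLE_OUTPUT is constructed for the example and deliberately omits one urllist3 value so that the check has something to report; the parse_junos and verify_custom_objects functions are hypothetical names.

```python
# Added example, not from the Juniper page: parse "show security utm
# custom-objects" output and compare it with the intended custom objects.
import re
from typing import Any, Dict, List

_TOKEN_RE = re.compile(r"\[[^\]]*\]|[{};]|[^\s{};]+")


def parse_junos(text: str) -> Dict[str, Any]:
    """Parse Junos-style configuration output into nested dicts.

    'name { ... }'  -> name: {...}
    'key value;'    -> key: "value"
    'key [ a b ];'  -> key: ["a", "b"]
    'key;'          -> key: True
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    words: List[str] = []
    for tok in _TOKEN_RE.findall(text):
        if tok == "{":
            node: Dict[str, Any] = {}
            stack[-1][" ".join(words)] = node
            stack.append(node)
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in output")
            stack.pop()
        elif tok == ";":
            if not words:
                raise ValueError("empty statement before ';'")
            key, *rest = words
            if not rest:
                value: Any = True
            elif len(rest) == 1 and rest[0].startswith("["):
                value = rest[0][1:-1].split()   # bracketed list of values
            else:
                value = " ".join(rest)
            stack[-1][key] = value
            words = []
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '{' in output")
    return root


def verify_custom_objects(output: str, intended: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return one line per custom object whose displayed value differs from the intended one."""
    shown = parse_junos(output)
    mismatches: List[str] = []
    for kind, objects in intended.items():   # kind: url-pattern / custom-url-category
        for name, want in objects.items():
            entry = shown.get(kind, {}).get(name)
            have = entry.get("value") if isinstance(entry, dict) else None
            if have != want:
                mismatches.append(f"{kind} {name}: expected {want!r}, found {have!r}")
    return mismatches


# What this example intends to create (from the step-by-step procedure).
INTENDED = {
    "url-pattern": {
        "urllist3": ["http://www.juniper.net", "1.2.3.4"],
        "urllistblack": ["http://www.untrusted.com", "13.13.13.13"],
        "urllistwhite": ["http://www.trusted.com", "7.7.7.7"],
    },
    "custom-url-category": {
        "custurl3": "urllist3",
        "custblacklist": "urllistblack",
        "custwhitelist": "urllistwhite",
    },
}

# Constructed device output: urllist3 is missing its second value.
SAMPLE_OUTPUT = """
url-pattern {
    urllist3 { value [ http://www.juniper.net ]; }
    urllistblack { value [ http://www.untrusted.com 13.13.13.13 ]; }
    urllistwhite { value [ http://www.trusted.com 7.7.7.7 ]; }
}
custom-url-category {
    custurl3 { value urllist3; }
    custblacklist { value urllistblack; }
    custwhitelist { value urllistwhite; }
}
"""

if __name__ == "__main__":
    for line in verify_custom_objects(SAMPLE_OUTPUT, INTENDED) or ["configuration matches"]:
        print(line)
```

The parser treats the output as a plain token stream, so it also handles the longer show security utm output of the feature-profile section further down; a missing or renamed object shows up as a mismatch line instead of having to be spotted in the brace listing.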

Configuring the Enhanced Web Filtering Feature Profiles

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security utm feature-profile web-filtering url-whitelist custwhitelist
set security utm feature-profile web-filtering url-blacklist custblacklist
set security utm feature-profile web-filtering type juniper-enhanced
set security utm feature-profile web-filtering juniper-enhanced cache size 500
set security utm feature-profile web-filtering juniper-enhanced cache timeout 1800
set security utm feature-profile web-filtering juniper-enhanced server host rp.cloud.threatseeker.com
set security utm feature-profile web-filtering juniper-enhanced server port 80
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default category Enhanced_Hacking action log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default site-reputation-action very-safe permit
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default site-reputation-action moderately-safe log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default site-reputation-action fairly-safe log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default site-reputation-action harmful block
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default site-reputation-action suspicious block
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default default block
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default custom-block-message "***access denied ***"
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default fallback-settings default block
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default fallback-settings server-connectivity block
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default fallback-settings timeout block
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default fallback-settings too-many-requests block
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default timeout 10
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-default no-safe-search
set security utm utm-policy mypolicy web-filtering http-profile my_ewfprofile01
set security policies from-zone utm_clients to-zone mgmt policy 1 then permit application-services utm-policy mypolicy
set security utm feature-profile web-filtering juniper-enhanced profile ewf-test-profile quarantine-custom-message "**The requested webpage is blocked by your organization's access policy**"
set security utm feature-profile web-filtering juniper-enhanced profile ewf-test-profile quarantine-message type custom-redirect-url
set security utm feature-profile web-filtering juniper-enhanced profile ewf-test-profile quarantine-message url besgas.spglab.juniper.net

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure the Enhanced Web Filtering feature profiles:

  1. Configure the Web filtering URL blacklist.
    [edit security utm feature-profile web-filtering]
    user@host# set url-blacklist custblacklist
  2. Configure the Web filtering URL whitelist.
    [edit security utm feature-profile web-filtering]
    user@host# set url-whitelist custwhitelist
  3. Specify the Enhanced Web Filtering engine, and set the cache size parameters.
    [edit security utm feature-profile web-filtering]
    user@host# set type juniper-enhanced
    user@host# set juniper-enhanced cache size 500
  4. Set the cache timeout parameters.
    [edit security utm feature-profile web-filtering]
    user@host# set juniper-enhanced cache timeout 1800
  5. Set the server name or IP address.
    [edit security utm feature-profile web-filtering]
    user@host# set juniper-enhanced server host rp.cloud.threatseeker.com
  6. Enter the port number for communicating with the server.
    [edit security utm feature-profile web-filtering]
    user@host# set juniper-enhanced server port 80
  7. Create a profile name, and select a category from the included whitelist and blacklist categories.
    [edit security utm feature-profile web-filtering]
    user@host# set juniper-enhanced profile junos-wf-enhanced-default category Enhanced_Hacking action log-and-permit
  8. Specify the action to be taken depending on the site reputation returned for the URL if there is no category match found.
    [edit security utm feature-profile web-filtering]
    user@host# set juniper-enhanced profile junos-wf-enhanced-default site-reputation-action very-safe permit
    user@host# set juniper-enhanced profile junos-wf-enhanced-default site-reputation-action moderately-safe log-and-permit
    user@host# set juniper-enhanced profile junos-wf-enhanced-default site-reputation-action fairly-safe log-and-permit
    user@host# set juniper-enhanced profile junos-wf-enhanced-default site-reputation-action harmful block
    user@host# set juniper-enhanced profile junos-wf-enhanced-default site-reputation-action suspicious block
  9. Enter a custom message to be sent when HTTP requests are blocked.
    [edit security utm feature-profile web-filtering]
    user@host# set juniper-enhanced profile junos-wf-enhanced-default custom-block-message "***access denied ***"
  10. Select a default action (permit, log and permit, block, or quarantine) for the profile, to be applied when no other explicitly configured action (blacklist, whitelist, custom category, predefined category action, or site reputation action) matches.
    [edit security utm feature-profile web-filtering]
    user@host# set juniper-enhanced profile junos-wf-enhanced-default default block
  11. Select fallback settings (block or log and permit) for this profile.
    [edit security utm feature-profile web-filtering]
    user@host# set juniper-enhanced profile junos-wf-enhanced-default fallback-settings default block
    user@host# set juniper-enhanced profile junos-wf-enhanced-default fallback-settings server-connectivity block
    user@host# set juniper-enhanced profile junos-wf-enhanced-default fallback-settings timeout block
    user@host# set juniper-enhanced profile junos-wf-enhanced-default fallback-settings too-many-requests block
  12. Enter a timeout value in seconds.
    [edit security utm feature-profile web-filtering]
    user@host# set juniper-enhanced profile junos-wf-enhanced-default timeout 10
  13. Disable the safe-search option.
    [edit security utm feature-profile web-filtering]
    user@host# set juniper-enhanced profile junos-wf-enhanced-default no-safe-search
  14. Configure a UTM policy for the web-filtering HTTP protocol and attach this policy to a security policy to implement it.
    [edit security utm]
    user@host# set utm-policy mypolicy web-filtering http-profile my_ewfprofile01
  15. Configure a security policy.
    [edit security]
    user@host# set policies from-zone utm_clients to-zone mgmt policy 1 then permit application-services utm-policy mypolicy

Results

From configuration mode, confirm your configuration by entering the show security utm feature-profile command. If the output does not display the intended configuration, repeat the instructions in this example to correct it.

[edit]
user@host# show security utm
feature-profile {
    web-filtering {
        url-whitelist custwhitelist;
        url-blacklist custblacklist;
        type juniper-enhanced;
        juniper-enhanced {
            cache {
                timeout 1800;
                size 500;
            }
            server {
                host rp.cloud.threatseeker.com;
                port 80;
            }
            profile junos-wf-enhanced-default {
                category {
                    Enhanced_Hacking {
                        action log-and-permit;
                    }
                    Enhanced_Government {
                        action quarantine;
                    }
                }
                site-reputation-action {
                    very-safe permit;
                    moderately-safe log-and-permit;
                    fairly-safe log-and-permit;
                    harmful block;
                    suspicious block;
                }
                default block;
                custom-block-message "***access denied ***";
                fallback-settings {
                    default block;
                    server-connectivity block;
                    timeout block;
                    too-many-requests block;
                }
                timeout 10;
                no-safe-search;
            }
        }
    }
}
utm-policy mypolicy {
    web-filtering {
        http-profile my_ewfprofile01;
    }
}

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Status of the Web Filtering Server

Purpose

Verify the web filtering server status.

Action

From the top of the configuration in configuration mode, enter the show security utm web-filtering status command.

Verifying the Increase in Web Filtering Statistics

Purpose

Verify the increase in Web filtering statistics.

Action

From the top of the configuration in configuration mode, enter the show security utm web-filtering statistics command.

Published: 2013-11-19