You can use J-Web or the CLI to configure the content filtering
feature. When configuring content filtering, you must first create
the custom objects you are using. Those custom objects may include
protocol command lists, file extension lists, MIME pattern lists,
and MIME exception lists. Once you have created your custom objects,
you can configure content filtering.
For each UTM feature, you should configure feature parameters
in the following order:
1. Configure UTM custom objects (if any) for the feature in question.
   Custom objects are global parameters for UTM features: a configured
   custom object applies to every UTM policy where it is referenced,
   rather than only to an individual policy.
   The CLI commands for setting content filtering custom objects are:
   user@host# set security utm custom-objects protocol-command
   user@host# set security utm custom-objects filename-extension
   user@host# set security utm custom-objects mime-pattern
2. Configure the main feature parameters, called feature profiles.
   The CLI command for setting content filtering feature profiles is:
   user@host# set security utm feature-profile content-filtering
3. Configure a UTM policy for each protocol and attach this policy
   to a profile. The CLI commands for configuring a UTM policy for one
   protocol (FTP downloads, in this example) and attaching that policy
   to a profile are:
   user@host# set security utm utm-policy <name>
   user@host# set security utm utm-policy utmp4 content-filtering ftp download-profile ftp1
4. Attach the UTM policy to a firewall security policy.
   The CLI command for attaching a UTM policy to a security policy is:
   user@host# set security policies
   user@host# set security policies from-zone trust to-zone
   untrust policy p4 then permit application-services
   utm-policy utmp4
J-Web Configuration
To configure content filtering using the J-Web configuration
editor, you must first create your custom objects (Protocol Command
List, Filename Extension List, MIME Pattern List).
Configure a Protocol Command Custom Object as follows (See Types of Content Filters for information on
protocol commands.):
Select Configure>Security>UTM>Custom
Objects.
From the Protocol Command List tab, click Add to create command lists. (To
edit an existing item, select it and click Edit.)
Next to Protocol Command Name, enter a unique name
for the protocol list you are creating. (This name appears in the
Permit command and Block command lists when you configure a content
filter profile.)
Next to Protocol Command Value, enter the command
for the protocol in question.
Click Add to add your protocol
command to the Values list box.
Within this box, you can also select an item and click Delete
to remove it. Continue to add protocol commands in this manner.
Click OK to save the selected
values as part of the protocol command list you have created.
If the configuration item is saved successfully,
you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.
Configure a Filename Extension List Custom Object as follows:
Select Configure>Security>UTM>Custom
Objects.
From the Filename Extension List tab, click Add to create extension lists.
Next to File Extension Name, enter a unique name
for the list you are creating. (This name appears in the Block extension
list when you configure a content filter profile.)
In the Available Values box, select one or more
default values (press Shift to select several consecutive items or
Ctrl to select several separate items) and click the right arrow
button (->) to move the value or values to the Selected Values
box.
Click OK to save the selected
values as part of the extension list you have created.
If the configuration item is saved successfully,
you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.
Configure a MIME Pattern List Custom Object as follows:
Select Configure>Security>UTM>Custom
Objects.
From the MIME Pattern List tab, click Add to create MIME pattern lists.
In the Add MIME Pattern pop-up window, next to
MIME Pattern Name, enter a unique name for the list you are creating.
Keep in mind that you are creating a MIME block list and a MIME
block exception list (if necessary). Both MIME lists appear in the
Block MIME list and the Block MIME exception list fields when you
configure content filtering. Therefore, the MIME list names you create
should be as descriptive as possible.
Next to MIME Pattern Value, enter the MIME pattern.
Click Add to add your MIME
pattern to the Values list box.
Within this box, you can also select an entry and use the Delete
button to delete it from the list. Continue to add MIME patterns in
this manner.
Optionally, create a new MIME list to act as an
exception list.
The exception list is generally a subset of the main MIME list.
Click OK to save the selected
values as part of the MIME list you have created.
If the configuration item is saved successfully,
you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.
Now that your custom objects have been created, you can configure
the content-filtering feature profile.
Select Configure>Security>UTM>Content
Filtering.
Click Add to create a profile
for content filtering. (To edit an existing item, select it and click Edit.)
Next to Profile name, enter a unique name in the
box.
Next to Permit command list, select the protocol
command custom object you created for permitting commands from the
list.
The permit protocol command list is intended to act as an exception
list for the block protocol command list.
Note:
Protocol command lists, both permit and block, are created using
the same custom object.
Next to Block command list, select the protocol
command custom object you created for blocking commands from the list. (See Types of Content Filters for information on
protocol commands.)
Next to Block extension list, select the file extension
list custom object you created for blocking extensions from the list.
Next to Block MIME list, select the MIME pattern
list custom object you created for blocking MIME patterns from the
list.
In the Block content type section, select content
types in the Available content types box on the left and click the
right arrow button (->) to move items to the Selected content
types box. (Press Shift to select several consecutive items or
Ctrl to select several separate items.)
Note:
Block content type applies blocks to other available content,
such as exe, HTTP cookie, Java applet, and so on. The content
types available in the Block content type box are supported only
for HTTP blocking.
Select the Notifications Options tab.
Next to Notification type, select Protocol or Message.
Next to Notify mail sender, select Yes or No.
If you selected Yes, enter the text of your custom message
for this notification in the Custom notification message box
(if you are using a custom message).
Click OK.
If the configuration item is saved successfully,
you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.
Note:
You create a separate content filtering profile for each supported
content filtering protocol. When you are creating your UTM policy
for content filtering, the UTM policy configuration page provides
separate content filtering profile selection fields for each supported
protocol.
Next, configure a UTM policy for content filtering to which
you attach the content filtering profile you have configured.
Select Configure>Security>Policy>UTM
Policies.
From the UTM policy configuration window, click Add to configure a UTM policy.
The policy configuration pop-up window appears.
In the Main tab, next to the
Policy Name box, enter a unique name for the UTM policy you are creating.
In the Session per client limit box, enter a session
per client limit from 0 to 20000 for this UTM policy.
In Session per client over limit, select one of
the following: Log and permit or Block.
This is the action the device takes when the session per client
limit for this UTM policy is exceeded.
Select the Content filtering profiles tab in the pop-up window.
Select the appropriate profile you have configured
from the list for the corresponding protocol listed.
Click OK.
If the policy is saved successfully, you receive
a confirmation and you must click OK again. If
the policy is not saved successfully, you can click Details in the pop-up window that appears to discover why.
Next, attach the UTM policy to a security policy that you create.
Select Configure>Security>Policy>FW
Policies.
From the Security Policy window, click Add to configure a security policy with UTM.
The policy configuration pop-up window appears.
In the Policy tab, enter a name in the Policy Name
box.
Next to From Zone, select a zone from the list.
Next to To Zone, select a zone from the list.
Choose a Source Address.
Choose a Destination Address.
Choose an Application. Do this by selecting junos-<protocol>
(for all protocols that support content filtering) in the Application
Sets box and clicking the —> button to move them to the Matched
box.
Next to Default Policy Action, select one of the
following: Deny-All or Permit-All.
Next to Policy Action, select one of the following: Permit, Deny, or Reject.
Note:
When you select Permit for Policy Action, several additional
fields become available in the Applications Services tab, including
UTM Policy.
Select the Application Services tab in the pop-up window.
Next to UTM Policy, select the appropriate policy
from the list.
This attaches your UTM policy to the security policy.
Note:
There are several fields on this page that are not described
in this section. See the Security Policies section for detailed information
on configuring security policies and all the available fields.
Click OK to save your policy.
If the policy is saved successfully, you receive
a confirmation and you must click OK again. If
the policy is not saved successfully, you can click Details in the pop-up window that appears to discover why.
You must activate your new policy to apply it.
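The J-Web steps above describe three precedence rules without showing them in action: the permit command list is an exception to the block command list, the MIME exception list is an exception to the block MIME list, and block content types act only on HTTP. The following script is an added example, not Juniper's code and not a model of the device's implementation; it encodes those rules so you can check what a given profile will do to a transfer before you attach it to a policy. It treats MIME patterns as prefixes of the Content-Type string, which is an assumption consistent with the page's pairing of video/quicktime in the block list with video/quicktime-inappropriate in the exception list. The block-list values come from the CLI example later on this page; the permit list {"port"} is constructed.

```python
"""Evaluate one transfer against a content-filtering profile.

Added example, not Juniper's code. It models the precedence rules the J-Web
steps describe, not the device's implementation. Assumptions: MIME patterns
are matched as prefixes of the Content-Type string, and the permit command
list {"port"} is constructed (the page names ftpprotocom2 but not its values).
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    block_command: set = field(default_factory=set)       # protocol commands to block
    permit_command: set = field(default_factory=set)      # exceptions to block_command
    block_extension: set = field(default_factory=set)     # file extensions to block
    block_mime: set = field(default_factory=set)          # MIME prefixes to block
    mime_exception: set = field(default_factory=set)      # exceptions to block_mime
    block_content_type: set = field(default_factory=set)  # exe, java-applet, ... (HTTP only)


@dataclass
class Transfer:
    protocol: str              # "http", "ftp", "smtp", "pop3" or "imap"
    command: str = ""          # protocol command, e.g. FTP "PORT"
    filename: str = ""         # name of the file being transferred
    mime_type: str = ""        # Content-Type header value
    content_type: str = ""     # content-type class such as "exe" (meaningful for HTTP only)


def _prefix_match(patterns, value):
    """True when any pattern is a prefix of value (assumed matching rule)."""
    return any(value.startswith(p) for p in patterns)


def decide(profile, t):
    """Return ("block", reason) or ("permit", None) for one transfer."""
    cmd = t.command.lower()
    if cmd in profile.block_command and cmd not in profile.permit_command:
        return "block", f"command {cmd} is on the block list with no permit exception"
    ext = t.filename.rsplit(".", 1)[-1].lower() if "." in t.filename else ""
    if ext in profile.block_extension:
        return "block", f"extension .{ext} is on the block extension list"
    mt = t.mime_type.lower()
    if mt and _prefix_match(profile.block_mime, mt) and not _prefix_match(profile.mime_exception, mt):
        return "block", f"MIME type {mt} matches the block MIME list"
    # Block content type is supported only for HTTP; other protocols ignore it.
    if t.protocol == "http" and t.content_type in profile.block_content_type:
        return "block", f"content type {t.content_type} is blocked for HTTP"
    return "permit", None


def uncovered_exceptions(profile):
    """Exception patterns that no block pattern covers (the page expects none)."""
    return sorted(e for e in profile.mime_exception
                  if not _prefix_match(profile.block_mime, e))


# Constructed from the page's CLI values; the permit list is assumed.
CONFILTER1 = Profile(
    block_command={"user", "pass", "port", "type"},        # ftpprotocom1
    permit_command={"port"},                               # ftpprotocom2 (assumed values)
    block_extension={"zip", "js", "vbs"},                  # extlist2
    block_mime={"video/quicktime", "image/x-portable-anymap", "x-world/x-vrml"},  # cfmime1
    mime_exception={"video/quicktime-inappropriate"},      # ex-cfmime1
    block_content_type={"exe", "java-applet"},
)

if __name__ == "__main__":
    for t in (Transfer("ftp", command="USER"), Transfer("ftp", command="PORT"),
              Transfer("http", filename="setup.vbs"),
              Transfer("http", mime_type="video/quicktime-inappropriate"),
              Transfer("ftp", content_type="exe"), Transfer("http", content_type="exe")):
        print(t, "->", decide(CONFILTER1, t))
    print("uncovered exceptions:", uncovered_exceptions(CONFILTER1))
```

The uncovered_exceptions check is the one worth running before committing: an exception pattern that no block pattern covers does nothing, which usually means the block list or the exception list was typed against the wrong custom object.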
J-Web Point and Click CLI Configuration
To configure content filtering using the J-Web Point and Click
CLI, you must first create your custom objects (Protocol Command List,
Filename Extension List, MIME Pattern List).
Configure a Protocol Command Custom Object as follows:
Select Configure>CLI Tools>Point
and Click CLI.
Next to Security, click Configure or Edit.
Next to Utm, click Configure.
Next to Custom objects, click Configure.
Next to Protocol command, click Add new entry.
Next to Name, enter a unique name for the list
you are creating. (This name appears in the Permit command and Block
command lists when you configure a content filter profile.)
Next to Values, enter the commands for the protocol
in question.
Figure 118: Custom Object, MIME Pattern
Configuration, Point and Click CLI Configuration
Now that your custom objects have been created, you can configure
the content-filtering feature profile.
Select Configure>CLI Tools>Point
and Click CLI.
Next to Security, click Configure or Edit.
Next to Utm, click Configure.
Next to Feature profile, click Configure.
Next to Content filtering, click Configure.
Next to Profile, click Add new
entry.
Next to Name, enter a unique name for this profile.
Next to Block command, enter the protocol command
custom object you created for blocking commands from the list.
Next to Block content type, click Configure or Edit.
Select one or more of the available check boxes
to block ActiveX, exe, Http cookie, Java applet, and zip file content.
Click OK.
Next to Block extension, enter the file extension
list custom object you created for blocking extensions from the list.
Next to Block mime, select the Yes check box and click Configure or Edit.
Next to Exception, enter the exception Mime list
custom object you created for Mime patterns that will not be blocked.
Next to List, enter the Mime list custom object
you created for blocking Mime patterns.
Next to Notification options, select the Yes checkbox and click Configure or Edit.
Next to Custom message, enter text for your custom message
for this notification.
Next to Notify mail sender, select the Yes check box to enable this notification.
Next to Type, select message as the
type of notification that is sent when a fallback option of block
is triggered.
Click OK.
Next to Permit command, enter the protocol
command custom object you created for permitting commands from the
list. (The permit protocol command list is intended to act as an exception
list for the block protocol command list.)
Click OK. See Figure 119 for the content filtering
profile main window.
Figure 119: Content Filtering Profile,
Point and Click CLI Configuration
Next, you configure a UTM policy for content-filtering to which
you attach the profile you have configured.
Select Configure>CLI Tools>Point
and Click CLI.
Next to Security, click Configure or Edit.
Next to Utm, click Configure.
Next to Utm policy, click Add new
entry.
In the Name box, enter a unique name for the UTM
policy you are creating.
Next to Content filtering, click Configure.
In the Http, Imap, Pop3, or Smtp profile boxes,
enter the name of the profile you created earlier. For Ftp, click Configure or Edit to enter Upload
and Download profiles.
Note:
You create a separate content-filtering profile for each protocol.
These profiles may basically contain the same configuration information,
but when you are creating your UTM policy for a content-filtering
profile, the UTM content-filter policy configuration page provides
separate profile selection fields for each supported protocol.
Click OK.
Click OK again to return to the
main UTM configuration page. Your UTM content-filtering policy is
now listed in the UTM policy table.
Next, you attach the UTM policy to a security policy that you
create.
Select Configure>CLI Tools>Point
and Click CLI.
Next to Security, click Configure or Edit.
Next to Policy, select the Yes check box and click Edit.
Next to Policy, click Add new entry.
Note:
Refer to the section on security policy configuration for further
details on configuring a policy. When you configure the Then field
of the policy, select Permit as the action and then configure
Application services; the Utm policy name can then be entered as
part of this security policy.
Next to Utm policy (in the Application services
security policy window), enter the name of the appropriate policy.
This attaches your UTM policy to the security policy.
Click OK.
CLI Configuration
To configure content filtering using the CLI, you must first
create your custom objects.
Configure the protocol command list custom
object by first creating a name for the list. See Types of Content Filters for information on protocol commands.
user@host# set security utm custom-objects protocol-command ftpprotocom1
Add commands to the list.
user@host# set security utm custom-objects
protocol-command ftpprotocom1 value [user pass port type]
Configure the filename-extension custom
object by first creating a name for the list. See File Extension Scanning for information on file extension lists.
user@host# set security utm custom-objects filename-extension extlist2
Add extensions to the list.
user@host# set security utm custom-objects filename-extension extlist2 value [zip js vbs]
Configure MIME pattern lists. This includes
creating a main MIME list and a MIME exception list for antivirus
scanning. First create names for MIME lists and then add values to
the lists. See MIME White List for overview
information on MIME pattern lists.
user@host# set security utm custom-objects mime-pattern cfmime1
user@host# set security utm custom-objects mime-pattern ex-cfmime1
Add MIME patterns to the lists.
user@host# set security utm custom-objects mime-pattern cfmime1 value [video/quicktime image/x-portable-anymap
x-world/x-vrml]
user@host# set security utm custom-objects mime-pattern ex-cfmime1 value [video/quicktime-inappropriate]
Now that your custom objects have been created, you can configure
the content-filtering feature profile.
Create a profile as follows.
user@host# set security utm feature-profile content-filtering
profile confilter1
Apply protocol block command custom objects
to the content-filtering profile.
user@host# set security utm feature-profile content-filtering
profile confilter1 block-command ftpprotocom1
Apply blocks to other available content
such as exe, http-cookie, java-applet, and so on. The content
types available from the "block-content-type" command
are supported only for HTTP blocking.
Apply extension list custom objects to
the content-filtering profile for blocking extensions.
user@host# set security utm feature-profile content-filtering
profile confilter1 block-extension extlist2
Apply MIME pattern list custom objects
to the content-filtering profile for blocking MIME types. If configured,
you can also apply a MIME exception list.
user@host# set security utm feature-profile content-filtering
profile confilter1 block-mime list cfmime1 exception ex-cfmime1
Apply protocol permit command custom
objects to the content-filtering profile. (The permit protocol command
list is intended to act as an exception list for the block protocol
command list.)
Note:
Protocol command lists, both permit and block, are created by
using the same custom object.
user@host# set security utm feature-profile content-filtering
profile confilter1 permit-command ftpprotocom2
Next you configure the notification options.
You can configure notifications with custom messages, or configure
no notification to be sent. In this example, you configure
a custom message and send a notification message. (You can configure
a message notification for content-filtering.)
user@host# set security utm feature-profile content-filtering
profile confilter1 notification-options
custom-message "the action is not taken" notify-mail-sender type message
Configure a UTM policy for a content filtering
protocol and attach this policy to a profile. CLI commands for configuring
a UTM policy for HTTP content filtering and attaching that policy
to the confilter1 profile you created earlier are:
user@host# set security utm utm-policy <name>
user@host# set security utm utm-policy utmp4 content-filtering http-profile confilter1
Attach the UTM policy to a firewall security
policy.
user@host# set security policies from-zone trust to-zone
untrust policy p4 match source-address any
user@host# set security policies from-zone trust to-zone
untrust policy p4 match destination-address any
user@host# set security policies from-zone trust to-zone
untrust policy p4 match application junos-http
user@host# set security policies from-zone trust to-zone untrust
policy p4 then permit application-services
utm-policy utmp4
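The overview at the top of the page insists on an order (custom objects, then feature profile, then UTM policy, then security policy), and the CLI walkthrough just completed shows why: every later step names an object created in an earlier one, and a name that does not resolve (a misspelled profile or application name) silently leaves the policy without the filtering you intended. The script below is an added example, not Juniper's code or tooling: it renders the same "set" hierarchy from a small declarative description, in that order, and validates every cross-reference before anything is pasted into a session. The object names are the page's own; the values of ftpprotocom2 and the KNOWN_APPLICATIONS set are assumptions.

```python
"""Emit and sanity-check a Junos UTM content-filtering 'set' sequence.

Added example, not Juniper's code. It renders the command hierarchy shown in
the CLI section, in the order the overview prescribes, and reports any
cross-reference that points at nothing. Object names are the page's; the
contents of ftpprotocom2 and KNOWN_APPLICATIONS are assumptions.
"""
import copy

CF = "security utm feature-profile content-filtering profile"
# Assumption: only the junos-* application names relevant to content filtering.
KNOWN_APPLICATIONS = {"junos-http", "junos-ftp", "junos-smtp", "junos-pop3", "junos-imap"}
# block-content-type keywords named on the page; they act on HTTP only.
CONTENT_TYPES = {"activex", "exe", "http-cookie", "java-applet", "zip"}
CUSTOM_KINDS = ("protocol-command", "filename-extension", "mime-pattern")
# profile key -> kind of custom object it must reference
PROFILE_REFS = (("block-command", "protocol-command"), ("permit-command", "protocol-command"),
                ("block-extension", "filename-extension"))


def render(spec):
    """Return the 'set ...' lines, custom objects first and security policy last."""
    out = []
    for kind in CUSTOM_KINDS:                                   # step 1: custom objects
        for name, values in spec.get(kind, {}).items():
            out.append(f"set security utm custom-objects {kind} {name} value [{' '.join(values)}]")
    for pname, p in spec.get("profiles", {}).items():           # step 2: feature profile
        for key, _ in PROFILE_REFS:
            if key in p:
                out.append(f"set {CF} {pname} {key} {p[key]}")
        if "block-mime" in p:
            exc = p["block-mime"].get("exception")
            out.append(f"set {CF} {pname} block-mime list {p['block-mime']['list']}"
                       + (f" exception {exc}" if exc else ""))
        if p.get("block-content-type"):
            out.append(f"set {CF} {pname} block-content-type [{' '.join(p['block-content-type'])}]")
        if "custom-message" in p:
            out.append(f'set {CF} {pname} notification-options custom-message '
                       f'"{p["custom-message"]}" notify-mail-sender type message')
    for uname, slots in spec.get("utm-policies", {}).items():   # step 3: UTM policy
        for slot, pname in slots.items():
            out.append(f"set security utm utm-policy {uname} content-filtering {slot} {pname}")
    for sp in spec.get("security-policies", []):                # step 4: firewall policy
        base = f"set security policies from-zone {sp['from']} to-zone {sp['to']} policy {sp['name']}"
        out += [f"{base} match source-address any", f"{base} match destination-address any",
                f"{base} match application {sp['application']}",
                f"{base} then permit application-services utm-policy {sp['utm-policy']}"]
    return out


def validate(spec):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    objs = {k: set(spec.get(k, {})) for k in CUSTOM_KINDS}
    profiles = spec.get("profiles", {})
    for pname, p in profiles.items():
        for key, kind in PROFILE_REFS:
            if key in p and p[key] not in objs[kind]:
                problems.append(f"profile {pname}: {key} {p[key]} is not a defined {kind} object")
        for key, ref in p.get("block-mime", {}).items():
            if ref not in objs["mime-pattern"]:
                problems.append(f"profile {pname}: block-mime {key} {ref} is not a defined mime-pattern object")
        for bad in sorted(set(p.get("block-content-type", [])) - CONTENT_TYPES):
            problems.append(f"profile {pname}: unknown block-content-type {bad}")
    utm = spec.get("utm-policies", {})
    for uname, slots in utm.items():
        for slot, pname in slots.items():
            if pname not in profiles:
                problems.append(f"utm-policy {uname}: {slot} references undefined profile {pname}")
    for sp in spec.get("security-policies", []):
        if sp["application"] not in KNOWN_APPLICATIONS:
            problems.append(f"policy {sp['name']}: unknown application {sp['application']}")
        if sp["utm-policy"] not in utm:
            problems.append(f"policy {sp['name']}: undefined utm-policy {sp['utm-policy']}")
    return problems


# Constructed from the page's CLI example; ftpprotocom2's values are assumed.
SPEC = {
    "protocol-command": {"ftpprotocom1": ["user", "pass", "port", "type"], "ftpprotocom2": ["port"]},
    "filename-extension": {"extlist2": ["zip", "js", "vbs"]},
    "mime-pattern": {"cfmime1": ["video/quicktime", "image/x-portable-anymap", "x-world/x-vrml"],
                     "ex-cfmime1": ["video/quicktime-inappropriate"]},
    "profiles": {"confilter1": {
        "block-command": "ftpprotocom1", "permit-command": "ftpprotocom2",
        "block-extension": "extlist2",
        "block-mime": {"list": "cfmime1", "exception": "ex-cfmime1"},
        "block-content-type": ["exe", "java-applet"],
        "custom-message": "the action is not taken"}},
    "utm-policies": {"utmp4": {"http-profile": "confilter1"}},
    "security-policies": [{"name": "p4", "from": "trust", "to": "untrust",
                           "application": "junos-http", "utm-policy": "utmp4"}],
}

# Two typical slips: a misspelled profile name and a misspelled application name.
BROKEN = copy.deepcopy(SPEC)
BROKEN["utm-policies"]["utmp4"]["http-profile"] = "contentfilter1"
BROKEN["security-policies"][0]["application"] = "junos-htttp"

if __name__ == "__main__":
    print("\n".join(render(SPEC)))
    print("problems in BROKEN:", validate(BROKEN))
```

Run validate before render: the emitted lines are only worth pasting when the problem list is empty, and the order of the rendered output is the order the overview requires, so a commit that accepts it will not hit a forward reference to an object that does not exist yet.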