
Create a Default UTM Configuration

 

You can define the default parameters for security features in unified threat management (UTM). You can configure the parameters for the following:

  • Web Filtering—Web filtering allows you to manage internet usage by preventing access to inappropriate web content.

  • Antivirus—The antivirus profile defines the content to scan for any malware and the action to be taken when malware is detected.

  • Antispam—Antispam examines transmitted messages to identify any e-mail spam.

  • Content Filtering—Content filtering blocks or permits certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type.

To create a default UTM configuration:

  1. Select Configure > UTM Policy > Default Configuration.
  2. Click the + icon.

    The Create Default Configuration page is displayed.

  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click Finish.

    The configuration summary is displayed.

  5. Click OK.

    The default UTM configuration is created and assigned to the selected device(s).

Table 1: Default UTM Configuration Settings

Field

Description

General
General Information

Name

Enter the name of the default configuration.

Description

Enter a description for the default configuration. The maximum length is 255 characters.

Device

Select the device(s) to which you want to assign the default configuration. Devices with Junos OS Release 18.2 onward are listed here.

Web Filtering
Web Filtering Profiles by Traffic Protocol

HTTP Persist

Enable to configure the web-filtering engine type.

HTTP Reassemble

Enable to specify a unique customized list of all URLs or IP addresses for a given category that are bypassed for scanning.

Type

Select a web-filtering engine type.

  • Web-filter None—If you select this option for the first time, the type in the CLI configuration is ignored. If you modify any other value to None, then existing CLI configuration for type is deleted from the device.

  • Juniper Enhanced—Select this option to enable enhanced Web filtering on the device.

  • Juniper Local—Select this option to enable Juniper Networks local URL filtering on the device.

  • Websense Redirect—Select this option to redirect the URL to the Websense server.

URL Blocklist

Select the URL blocklist category to block the URLs in that category. To create a new URL blocklist category, click Create New URL Category.

A Web filtering profile can contain one allowlist or one blocklist with multiple user-defined categories each with a permit or block action.

URL Allowlist

Select the URL allowlist category to bypass all the URLs in that category. To create a new URL allowlist category, click Create New URL Category. With local Web filtering, the firewall intercepts every HTTP request in a TCP connection and extracts the URL.

A Web filtering profile can contain one allowlist or one blocklist with multiple user-defined categories each with a permit or block action.

Global

Base Filter

This field is applicable only when the Web Filtering Profile type is Juniper Enhanced.

When a URL category version is downloaded, a predefined base filter with default actions is also downloaded. All categories have default actions in a base filter. The base filter can be attached to a user profile, where it acts as a backup filter. The base filter takes action for the categories that are not configured in a user profile.

Select a predefined base filter, which has default actions for all categories, for Web filtering.

Account

This field is applicable only when the Web Filtering Profile type is Websense Redirect.

Enter the Websense redirect account.

Custom Block Message

Specify a custom message to be displayed when HTTP requests are blocked.

Note: If a message begins with http: or https:, the message is considered a block message URL. Messages that begin with values other than http: or https: are considered custom block messages.

Default Action

This is applicable only when the Web Filtering Profile type is Juniper Enhanced or Juniper Local.

Select a default action for the profile for requests that experience internal errors in the web filtering module.

Select a default action.

  • None—If you select this option for the first time, the default action in the CLI configuration is ignored. If you modify any other value to None, then existing CLI configuration for default action is deleted from the device.

  • Permit—Permit the traffic.

  • Log and Permit—Log the error and permit the traffic.

  • Block—Log the error and deny the traffic.

  • Quarantine—Quarantine the traffic.

Safe Search

This option is applicable only when the Web Filtering Profile type is Juniper Enhanced.

Select a safe search solution to ensure that the embedded objects such as images on the URLs received from the search engines are safe and that no undesirable content is returned to the client.

Note: Safe search redirect supports HTTP only. You cannot extract the URL for HTTPS. Therefore, it is not possible to generate a redirect response for HTTPS search URLs. Safe search redirects can be disabled by clearing the Safe Search check box.

Quarantine Custom Message

Enter the quarantine custom message.

Sockets

This is applicable only when the Web Filtering Profile type is Websense Redirect.

Enter the number of sockets used for communicating between the client and server.

The range is 1 to 32.

Timeout

Select a timeout interval from 1 to 1800 seconds.

Cache

This section is applicable only when the Web Filtering Profile type is Juniper Enhanced.

Size

Specify a Juniper enhanced cache size. Select a cache size from 0 to 4096 kilobytes.

Timeout

Specify Juniper enhanced cache timeout. Select a timeout interval from 1 to 1800 minutes.

Block Message

Type

Select the type of block message.

  • None—If you select this option for the first time, the type in the CLI configuration is ignored. If you modify any other value to None, then existing CLI configuration for type is deleted from the device.

  • Custom Redirect URL—Configure a URL that redirects unauthenticated hosts to a central Web authentication (CWA) server.

URL

Enter the URL of the block messages.

Fallback Settings

The fallback options are used when the web filtering system experiences errors and must fall back to one of the previously configured actions to either deny (block) or permit the object.

If you select None for the first time, the field in the CLI configuration is ignored. If you modify any other value to None, then existing CLI configuration for the fields is deleted from the device.

Default

Specifies all errors other than the categorized settings. These could include either unhandled system exceptions (internal errors) or other unknown errors. Select an action: None, Block, or Log and permit.

Server Connectivity

Specifies that the server connection is not established during certain processes. Select an action: None, Block, or Log and permit.

Timeout

Specifies that if the time taken to scan exceeds the timeout setting in the Web filtering profile, the processing is terminated and the content is passed or blocked without completing filtering. Select an action: None, Block, or Log and permit.

Too-many-requests

Specifies that if the total number of messages received concurrently exceeds the device limits, the content is passed or blocked depending on the too-many-request fallback option. Select an action: None, Block, or Log and permit.

URL Categories
 

Select a URL category.

A URL category is a list of URL patterns grouped under a single title so a single action that applies to all URL patterns can be performed on the list.

Click the + icon to select one or more URL categories, an action, and a redirect profile. A redirect profile is applicable only for block and quarantine actions. You can create a new redirect profile by clicking Create New Redirect Profile. The created redirect profile is displayed in the Redirect Profile drop-down list. The following actions are available:

  • Log and Permit—Create a list of URL patterns that are logged, then permitted.

  • Block—Create a list of URL patterns that are denied access.

  • Quarantine—Create a list of URL patterns that are quarantined.

  • Permit—Create a list of URL patterns that are permitted.

Edit the action or redirect profile by clicking Apply Actions and updating the action and redirect profile.

Delete the URL category by selecting the URL category and clicking the X icon.

Quarantine Message

Type

Select a type of quarantine message.

  • None—If you select None for the first time, the type in the CLI configuration is ignored. If you modify any other value to None, then existing CLI configuration for type is deleted from the device.

  • Custom Redirect URL—Configure a URL that redirects unauthenticated hosts to a central Web authentication (CWA) server.

URL

Enter a valid URL.

Server

This section is applicable only when the Web Filtering Profile type is Juniper Enhanced or Websense Redirect.

Host

Enter the address of the host server.

Port

Enter the port number of the server.

Site Reputation Action

Specify the action to be taken depending on the site reputation returned for all types of URLs, whether categorized or uncategorized.

This section is applicable only when the Web Filtering Profile type is Juniper Enhanced.

If you select None for the first time, the field in the CLI configuration is ignored. If you modify any other value to None, then existing CLI configuration for the field is deleted from the device.

Fairly Safe

Permit, log and permit, block, or quarantine a request if a site-reputation of 70 through 79 is returned.

Harmful

Permit, log and permit, block, or quarantine a request if a site-reputation of zero through 59 is returned.

Moderately safe

Permit, log and permit, block, or quarantine a request if a site-reputation of 80 through 89 is returned.

Suspicious

Permit, log and permit, block, or quarantine a request if a site-reputation of 60 through 69 is returned.

Very Safe

Permit, log and permit, block, or quarantine a request if a site-reputation of 90 through 100 is returned.

Reset

Click Reset to position the slider to the recommended levels.

Antivirus
Antivirus Profiles by Traffic Protocol

Type

Select the anti-virus engine that will be used on the device. Select an engine type:

  • Anti-Virus None—If you select None for the first time, the type in the CLI configuration is ignored. If you modify any other value to None, then existing CLI configuration for type is deleted from the device.

  • Sophos Engine—Sophos antivirus is an in-the-cloud antivirus solution. The virus and malware database is located on external servers maintained by Sophos (Sophos Extensible List servers), so there is no need to download and maintain large pattern databases on the Juniper Networks device.

  • Avira Engine—This provides a full file-based virus scanning function which is available through a licensed subscription service.

URL Allowlist

Select a unique customized list of all URLs for a given category that are bypassed for scanning.

To create a URL category, see Creating Custom URL Category Lists.

MIME Allowlist

Enter MIME types to create MIME bypass lists and exception lists. The device uses MIME types to decide which traffic may bypass antivirus scanning. The MIME allowlist defines a list of MIME types and can contain one or many MIME entries.

MIME Block List

Enter the special MIME types you want to block over HTTP, FTP, SMTP, and POP3 connections. Use commas to separate each MIME type.

MIME Permit List

Enter the special MIME types you want to permit over HTTP, FTP, SMTP, and POP3 connections. Use commas to separate each MIME type.

Scan Options

URI Check

Select the check-box to enable URI check. It specifies Uniform Resource Identifier blocking: an effective measure for preventing malware from reaching the endpoint. URI lookup is performed against an in-the-cloud malicious/infected URI database on each URI requested via HTTP.

Content Size Limit

Specifies the accumulated TCP payload size. Enter the content size limit value from 20 to 40,000 kilobytes.

Decompress Layer Limit

Specifies the number of layers of nested compressed files and files with internal extractable objects, such as archive files (tar), the internal antivirus scanner can decompress before it executes the virus scan.

Select a value from 0 to 10.

Timeout

Specifies the time frame from when the scan request is generated to when the scan result is returned by the scan engine.

Enter the time interval from 1 to 1800 seconds.

Pre Detection

Enable or disable the anti-virus pre-detection.

Sophos Engine
General Settings

Timeout

Specify the antivirus engine timeout. Select a value from 1 to 5 seconds.

Retry

Specifies the number of times to retry the Sophos antivirus engine query. Select a retry value from 0 to 5.

Server

Server IP

Specify the DNS Server IP. Enter a valid DNS server IP address.

Pattern Update

URL

Specifies the URL of the database server. Enter the URL for the pattern database.

Interval

Specifies the interval at which the database server is queried for a new version of the database. Enter the time interval for automatically updating the pattern database. The range is from 10 to 10080 seconds. The default interval is 60 seconds.

No Auto Update

Specifies that the automatic download and update of the antivirus engine and signature database are disabled.

Email Notify

Admin Email

Enter a valid admin e-mail ID to notify about the pattern file update.

Custom Message Subject

Specify the custom message subject for notification. Enter the subject of the custom message.

Custom Message

Enter the custom message for notification.

Proxy

Proxy Server

Enter the IP address or hostname of the proxy server.

Port

Select the proxy server port. The port range is from 0 to 65535.

Username

Enter the username of the proxy server.

Password

Enter the password for the proxy server. It consists of up to 32 characters.

Confirm password

Re-enter the password to verify the login password for the proxy server.

Fallback Settings

Default

Specifies all errors other than the categorized settings. This could include either unhandled system exceptions (internal errors) or other unknown errors. Select None, Block, Log and Permit, or Permit action.

Content Size

Specifies that if the content size exceeds a set limit, the content is passed or blocked depending on the max-content-size fallback option. Select None, Block, Log and Permit, or Permit action.

Engine-not-ready

Specifies that the scan engine is not ready during certain processes, for example, while the signature database is loading. Select None, Block, Log and Permit, or Permit action.

Timeout

Specifies that if the time taken to scan exceeds the timeout setting in the antivirus profile, the processing is terminated and the content is passed or blocked without completing the virus checking. Select None, Block, Log and Permit, or Permit action.

Out-of-resources

Specifies the resource constraints error received during virus scanning. This error can be sent by the scan engine (as a scan-code) or scan manager. When the system runs out of resources, scanning is terminated. Select None, Block, Log and Permit, or Permit action.

Too-many-requests

Specifies that if the total number of messages received concurrently exceeds the device limits, the content is passed or blocked depending on the too-many-request fallback option. Select None, Block, Log and Permit, or Permit action.

Trickling

Trickling Timeout

Specifies the mechanism used to prevent the HTTP client or server from timing-out during a file transfer or during antivirus scanning.

Enter the trickling timeout interval from 0 to 600 seconds.

Virus Detection

Type

Specifies the type of notification to be sent when a virus is detected. Select Protocol Only or Message options.

  • None—If you select None for the first time, the type in the CLI configuration is ignored. If you modify any other value to None, then existing CLI configuration for type is deleted from the device.

  • Message—Send a generic notification.

  • Protocol-only—Send a protocol-specific notification.

Notify Mail Sender

Specifies whether or not a notification is sent to the virus-detection notification e-mail address when a virus is detected. Enable to send a notification and disable to not send a notification.

Custom Message Subject

Specifies the subject line text for your custom message for the virus detection notification. Enter the subject line text for your custom message.

Custom Message

Specifies the customized message text for the virus detection notification. Enter the text for the custom notification message.

Fallback Block

Type

Specifies the type of notification sent when a fallback option of block is triggered. Select Protocol Only or Message options.

  • Message—Send a generic notification.

  • Protocol-only—Send a protocol-specific notification.

Notify Mail Sender

Specifies that when a virus is detected and a fallback option of block is triggered, an e-mail is sent to the administrator. Enable this option.

Custom Message Subject

Specifies the subject line text for your custom message for the fallback block notification. Enter the subject line text for your custom message.

Custom Message

Specifies the customized message text for the fallback block notification. Enter the text for this custom notification message.

Fallback Non Block

Notify Mail Recipient

Specifies that the fallback nonblock notification is sent when a fallback e-mail option without a blocking action is triggered. Enable the option.

Custom Message Subject

Specifies the subject line for your custom message for the fallback nonblock notification. Enter the subject line text for your custom message.

Custom Message

Specifies the customized message text for the fallback nonblock notification. Enter the text for this custom notification message.

Avira Engine

The scan engine, Avira, scans the data by accessing the virus pattern database. It provides a full file-based antivirus scanning function that is available through a separately licensed subscription service. When your antivirus license key expires, you can continue to use the locally stored antivirus signatures without any updates. If you delete the local database, then antivirus scanning is also disabled.

You can download and install the antivirus scan engine on your SRX Series device either manually or by using the Internet to connect to a Juniper Networks-hosted URL or a user-hosted URL. The virus pattern database is located at https://update.juniper-updates.net/avira. By default, the pattern updates are downloaded through the SRX Series devices.

After configuring Avira as the antivirus type, reboot the device for the new scan engine to take effect.

On Box AV Load Flavor

Type

The on-device antivirus scan engine scans the data by accessing the virus pattern database. Select the on-box Antivirus traffic load type.

Pattern Update

URL

Specifies the URL of the database server. Enter the URL for the pattern database.

Interval

Specifies the interval at which the database server is queried for a new version of the database. Enter the time interval for automatically updating the pattern database. The range is from 10 through 10080 seconds. The default interval is 60 seconds.

No Auto Update

Specifies that the automatic download and update of the antivirus engine and signature database are disabled.

Start Time

Specifies the time when the device automatically starts downloading the updated signature database from the specified URL. Enter a value in the format: YYYY-MM-DD.HH:MM:SS

Email Notify

Admin Email

Enter a valid administrator e-mail ID for notifying about the pattern file update.

Custom Message Subject

Specify the custom message subject for notification. Enter the subject of the custom message.

Custom Message

Enter the custom message for notification.

Antispam
Antispam Profiles by Traffic Protocol

Address Allowlist

Select an address allowlist for local spam filtering. Allowlists include addresses that you want to exclude from antispam processing. These lists are configured as custom objects. To create a list of URLs for the allowlist, see Creating URL Patterns.

Note: When both the allowlist and blocklist are in use, the allowlist is checked first. If there is no match, then the blocklist is checked.

Address Blocklist

Specifies a list of MIME types to be excluded from the allowlist. These lists are configured as custom objects. To create a list of URLs for blocklist, see Creating URL Patterns.

Note: When both the allowlist and blocklist are in use, the allowlist is checked first. If there is no match, then the blocklist is checked.

Type

Specify the antispam type.

  • Anti-spam None—If you select None for the first time, the type in the CLI configuration is ignored. If you modify any other value to None, then existing CLI configuration for type is deleted from the device.

  • Anti-spam Sophos sbl—Select this option to use a third-party server-based spam block list (SBL).

Sophos Blocklist

Select this option to use server-based spam filtering. Clear the check box to use local spam filtering.

Server-based antispam filtering requires Internet connectivity with the spam block list (SBL) server. Domain Name Service (DNS) is required to access the SBL server. The firewall performs SBL lookups through the DNS protocol.

Note: Server-based spam filtering supports only IP-based spam block list lookup. Sophos updates and maintains the IP-based spam block list. Server-based antispam filtering is a separately licensed subscription service.

Action

Default Action

Select a default antispam action that the device should take when it detects spam.

  • None—If you select None for the first time, the default action in the CLI configuration is ignored. If you modify any other value to None, then existing CLI configuration for default action is deleted from the device.

  • Block e-mail—Block the spam e-mail.

  • Tag header of e-mail—Add the custom string to the e-mail header.

  • Tag subject of e-mail—Add the custom string at the beginning of the subject of an e-mail.

Custom Tag

Enter a custom string for identifying a message as spam. Maximum length is 512 characters. By default, the device uses ***SPAM***.

Content Filtering
Content Filtering Profiles by Traffic Protocol

Command Block List

Enter the protocol commands to be blocked. Use commas to separate each command.

Use content filtering to block specific commands for HTTP, FTP, SMTP, IMAP, and POP3 protocols.

Command Permit List

Enter the protocol commands to be permitted. Use commas to separate each command.

Use content filtering to block specific commands for HTTP, FTP, SMTP, IMAP, and POP3 protocols.

Type

Select the content filtering type. The options are Content-Filtering None and Content filtering local.

Block Content Type

Select types of harmful HTTP content you want to block that the MIME type or file extension cannot control.

  • Active X

  • Windows executables (.exe)

  • HTTP cookie

  • Java applet

  • ZIP files

Extension Block List

Enter the file extensions that you want to block over HTTP, FTP, SMTP, IMAP, and POP3 connections. Use only commas to separate values and the maximum allowed characters for each value is 29 characters. Do not use spaces to separate values. For example: exe,pdf,js

MIME Block List

Enter the special MIME types you want to block over HTTP, FTP, SMTP, and POP3 connections. Use commas to separate each MIME type.

MIME Permit List

Enter the special MIME types you wish to permit over HTTP, FTP, SMTP, and POP3 connections. Use commas to separate each MIME type.

Notification Options

Notify Mail Sender

Select the check box to notify sender when a content block is triggered.

Notification Type

Specifies the type of notification sent when a content block is triggered. Select Protocol or Message.

  • Message—Send a generic notification.

  • Protocol-only—Send a protocol-specific notification.

Custom Notification Message

Specifies the customized message text for the content-block notification. Enter the text for the custom notification message. Maximum length is 512 characters.
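
The numeric ranges, fallback conditions, and Extension Block List rule in Table 1 can be checked before a default configuration is assigned to devices. The following Python example is added here and is not Juniper or Security Director code; the dictionary layout and key names are hypothetical. It reports out-of-range values, fallback actions that permit traffic when an error occurs, and fallback conditions left at None.

```python
# Added example: lint a planned default UTM configuration against Table 1.
# The dict layout and key names are hypothetical, not a Juniper schema.

# Numeric ranges stated in Table 1: (section, field) -> (low, high)
RANGES = {
    ("web_filtering", "sockets"): (1, 32),
    ("web_filtering", "timeout_s"): (1, 1800),
    ("web_filtering", "cache_size_kb"): (0, 4096),
    ("web_filtering", "cache_timeout_min"): (1, 1800),
    ("antivirus", "content_size_limit_kb"): (20, 40000),
    ("antivirus", "decompress_layer_limit"): (0, 10),
    ("antivirus", "timeout_s"): (1, 1800),
    ("antivirus", "trickling_timeout_s"): (0, 600),
}
# Fallback conditions Table 1 lists for each feature
FALLBACKS = {
    "web_filtering": ["default", "server_connectivity", "timeout",
                      "too_many_requests"],
    "antivirus": ["default", "content_size", "engine_not_ready", "timeout",
                  "out_of_resources", "too_many_requests"],
}
FAIL_OPEN = {"permit", "log and permit"}


def check_extensions(value):
    """Extension Block List rule: commas only, no spaces, <= 29 chars each."""
    problems = []
    if " " in value:
        problems.append("contains spaces; separate values with commas only")
    for ext in (v.strip() for v in value.split(",")):
        if not ext:
            problems.append("empty value between commas")
        elif len(ext) > 29:
            problems.append(f"value '{ext[:10]}...' exceeds 29 characters")
    return problems


def audit(config):
    """Return sorted (severity, path, message) findings for a config dict."""
    findings = []
    for (section, field), (low, high) in RANGES.items():
        value = config.get(section, {}).get(field)
        if value is not None and not low <= value <= high:
            findings.append(("error", f"{section}.{field}",
                             f"{value} is outside {low}-{high}"))
    for section, conditions in FALLBACKS.items():
        chosen = config.get(section, {}).get("fallback", {})
        for cond in conditions:
            action = chosen.get(cond, "None")
            path = f"{section}.fallback.{cond}"
            if action.lower() in FAIL_OPEN:
                findings.append(("warn", path,
                                 f"'{action}' passes traffic when this error occurs"))
            elif action.lower() == "none":
                findings.append(("info", path,
                                 "left at None; action is not set by this configuration"))
    ext = config.get("content_filtering", {}).get("extension_block_list")
    for problem in check_extensions(ext) if ext is not None else []:
        findings.append(("error", "content_filtering.extension_block_list", problem))
    return sorted(findings)


# Constructed sample input, not taken from a real device
SAMPLE = {
    "web_filtering": {
        "timeout_s": 15, "sockets": 64,
        "fallback": {"default": "Block", "server_connectivity": "Log and permit",
                     "timeout": "Block", "too_many_requests": "Block"}},
    "antivirus": {
        "content_size_limit_kb": 10000, "decompress_layer_limit": 4,
        "fallback": {"default": "Block", "content_size": "Permit",
                     "engine_not_ready": "Block", "timeout": "Block",
                     "out_of_resources": "Block"}},  # too_many_requests unset
    "content_filtering": {"extension_block_list": "exe, pdf,js"},
}

if __name__ == "__main__":
    for severity, path, message in audit(SAMPLE):
        print(f"{severity:5} {path}: {message}")
```
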