Creating Web Filtering Profiles
Use the Unified Threat Management (UTM) policy page to configure Web filtering profiles.
Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. The following Web filtering solutions are supported:
Integrated Web Filtering—Blocks or permits Web access after the device identifies the category for a URL, either from user-defined categories or from a category server (SurfControl Content Portal Authority provided by Websense).
Note Integrated Web filtering feature is a separately licensed subscription service.
Redirect Web Filtering—Intercepts HTTP requests and forwards the server URL to an external URL filtering server to determine whether to block or permit the requested Web access. Websense provides the URL filtering server.
Note Redirect Web filtering does not require a license.
Juniper Local Web Filtering—Intercepts every HTTP request in a TCP connection. In this case, the decision making is done on the device after it looks up a URL to determine if it is in the allowlist or blocklist based on its user-defined category.
Note Local Web filtering does not require a license or a remote category server.
Once you create a profile, you can assign it to UTM policies. Within the UTM policy, you can apply either the same Web filtering profile or create one inline.
Before You Begin
Read the UTM Overview topic.
Decide the filtering profile you want for the UTM policy: Web Filtering, Antispam, Antivirus, or Content Filtering.
Review the Web Filtering Profile main page for an understanding of your current data set. See Web Filtering Profile Main Page Fields for field descriptions.
To create a Web filtering profile:
- Select Configure > UTM Policy > Web Filtering.
- Click the + icon to create a new Web filtering profile.
- Complete the configuration according to the guidelines provided in Table 1.
- Click Finish. A new Web filtering profile is created that you can associate with an UTM policy.
Table 1: Web Filtering Profile Settings
Setting | Guideline |
|---|---|
General Information | |
Name | Enter a unique name for the Web filtering profile that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 29 characters. |
Description | Enter a description for the Web filtering profile; maximum length is 255 characters. |
Engine Type | Select the required engine type from the drop-down list:
|
Default Action | Select the default action from the drop-down list. Note: This option is available only for Juniper Enhanced and Surf Control engine types. |
Safe Search | Select a safe search solution to ensure that the embedded objects such as images on the URLs received from the search engines are safe and that no undesirable content is returned to the client. By default, the Safe Search check box is selected Note: This option is available only for the Juniper Enhanced engine type. Save search redirect supports HTTP only. You cannot extract the URL for HTTPS. Therefore, it is not possible to generate a redirect response for HTTPS search URLs. Safe search redirects can be disabled by clearing the Safe Search check box. |
Custom Block Message | Specify a custom message to be sent when HTTP requests are blocked. Note: If a message begins with http: or https:, the message is considered a block message URL. Messages that begin with values other than http: or https: are considered custom block messages. |
Custom Quarantine Message | Custom Quarantine Message Use UTM enhanced Web filtering to support block, log and permit, and permit actions on HTTP/HTTPS requests. Additionally, it supports the quarantine action, which allows or denies access to the blocked site based on the user’s response to the message. The quarantine message contains the following information:
Example: If you set the action for Enhanced_Search_Engines_and_Portals to quarantine, and you try to access www.search.yahoo.com, the quarantine message is as follows: ***The requested webpage is blocked by your organization’s access policy***. |
Base Filter | When a URL category version is downloaded, a predefined base filter with default actions are also downloaded. All categories have default actions in a base filter. The base filter can be attached to user profile, which acts like a backup filter. The base filter takes action for the categories that are not configured in a user profile. |
URL Categories | |
A URL category is a list of URL patterns grouped under a single title so a single action that applies to all URL patterns can be performed on the list. Click the + icon to select one or more URL categories, an action, and a redirect profile. A redirect profile is applicable only for block and quarantine actions. You can create a new redirect profile by clicking Create New Redirect Profile. The created redirect profile is displayed in the Redirect Profile drop-down list. The following actions are available:
Edit the action or redirect profile by clicking Apply Actions and updating the action and redirect profile. Delete the URL category by selecting the URL category and clicking the X icon. | |
Fallback Options | |
The fallback options are used when the web filtering system experiences errors and must fallback to one of the previously configured actions to either deny (block) or permit the object.
| |
Global Reputation Actions | |
Uncategorized URL Actions | Select this check box if you want to apply global reputation actions. Enhanced Web filtering intercepts HTTP and HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC). The TSC categorizes the URL into one of the predefined categories and also provides site reputation information for the URL to the device. The device determines if it can permit or block the request based on the information provided by the TSC. The URLs can be processed using their reputation score if there is no category available. Select the action that you wish to take for the uncategorized URLs based on their reputation score:
Note: The Use global reputation check box is selected by default. |