Content Filtering

 

Content filtering provides basic data loss prevention functionality. It filters traffic based on MIME type, file extension, and protocol commands. You can also use the content filter module to block ActiveX, Java applets, and other types of content. Content filtering does not require a separate license. For more information, see the following topics:

Content Filtering Overview

Content filtering blocks or permits certain types of traffic based on the MIME type, file extension, and protocol command. The content filter controls file transfers across the gateway by checking traffic against configured filter lists.

The content filter module evaluates traffic before all other UTM modules, except Web Filtering. Therefore, if traffic meets criteria configured in the content-filter, the content-filter acts first upon this traffic.

You can configure the following types of content filters:

  • MIME Pattern Filter — MIME patterns are used to identify the type of traffic in HTTP and MAIL protocols. There are two lists of MIME patterns that are used by the content filter to determine the action to be taken. The block MIME list contains a list of MIME type traffic that is to be blocked by the content filter. The MIME exception list contains MIME patterns that are not to be blocked by the content filter and are generally subsets of items on the block list. Note that the exception list has a higher priority than the block list. If you have MIME entries that appear on both lists, those MIME types are not blocked by the content filter because the exception list takes priority. Therefore, when adding items to the exception list, it is to your advantage to be specific.

  • Block Extension List — Because the name of a file is available during file transfers, using file extensions is a highly practical way to block or allow file transfers. The content filter list contains a list of file extensions to be blocked. All protocols support the use of the block extension list.

  • Protocol Command Block and Permit Lists — Different protocols use different commands to communicate between servers and clients. By blocking or allowing certain commands, traffic can be controlled on the protocol command level.

    The block and permit command lists are intended to be used in combination, with the permit list acting as an exception list to the block list.

    If a protocol command appears on both the permit list and the block list, that command is permitted.

    Starting with Junos OS Release 15.1X49-D100, IPv6 pass-through traffic for HTTP, FTP, SMTP, POP3, IMAP protocols is supported for Web filtering and Content filtering security features of UTM.
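The precedence rules above (MIME exception list over block list, command permit list over block list) can be checked against planned list contents before they are committed. The following is an added example, not Juniper code: it models the verdicts and reports block entries that an exception cancels outright. Prefix matching of MIME patterns, the pass-by-default verdict, and all list contents are assumptions made for the illustration.

```python
# Added example: models the list precedence described above.
# Assumptions: MIME patterns match as case-insensitive prefixes, and traffic
# that matches no list passes. All list contents below are constructed.

def _hits(value, patterns):
    value = value.lower()
    return next((p for p in patterns if value.startswith(p.lower())), None)

def mime_verdict(mime_type, block_mime, exception_mime):
    """Exception list is consulted first, so it overrides the block list."""
    if _hits(mime_type, exception_mime):
        return "permit"
    return "block" if _hits(mime_type, block_mime) else "permit"

def command_verdict(command, block_cmds, permit_cmds):
    """Permit list acts as the exception list to the block list."""
    cmd = command.lower()
    if cmd in (c.lower() for c in permit_cmds):
        return "permit"
    return "block" if cmd in (c.lower() for c in block_cmds) else "permit"

def shadowed_mime_blocks(block_mime, exception_mime):
    """Block patterns fully cancelled by an equal or broader exception."""
    return {b: e for b in block_mime if (e := _hits(b, exception_mime))}

def overlapping_commands(block_cmds, permit_cmds):
    """Commands on both lists: these are permitted, never blocked."""
    return sorted({c.lower() for c in block_cmds} & {c.lower() for c in permit_cmds})

BLOCK_MIME = ["video/", "application/x-msdownload"]
EXCEPTION_MIME = ["video/quicktime", "application/"]   # second entry is too broad
BLOCK_CMDS = ["user", "pass", "port", "type"]
PERMIT_CMDS = ["port"]

if __name__ == "__main__":
    for m in ("video/mpeg", "video/quicktime", "application/x-msdownload"):
        print(m, "->", mime_verdict(m, BLOCK_MIME, EXCEPTION_MIME))
    print("shadowed:", shadowed_mime_blocks(BLOCK_MIME, EXCEPTION_MIME))
    print("on both lists:", overlapping_commands(BLOCK_CMDS, PERMIT_CMDS))
```

The narrow exception `video/quicktime` leaves the rest of `video/` blocked, while the broad `application/` exception silently disables the `application/x-msdownload` block entry, which is why exception entries should be as specific as possible.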

Because not all harmful files or components can be controlled by the MIME type or by the file extension, you can also use the content filter module to block ActiveX, Java Applets, and other types of content. The following types of content blocking are supported only for HTTP:

  • Block ActiveX

  • Block Java applets

  • Block cookies

  • Block EXE files

  • Block ZIP files

Understanding Content Filtering Protocol Support

Each supported protocol may implement available content filters differently. Not all filtering capabilities are supported for each protocol. This topic contains the following sections:

HTTP Support

The HTTP protocol supports all content filtering features. With HTTP, the content filter remains in the gateway, checking every request and response between the HTTP client and server.

If an HTTP request is dropped due to content filtering, the client receives a response such as:

Therefore, a message may appear as follows:

FTP Support

The FTP protocol does not support all content filtering features. It supports only the following: Block Extension List and Protocol Command Block List.

When content filtering blocks an FTP request, the following response is sent through the control channel:

Therefore, a message may appear as follows:

E-Mail Support

E-mail protocols (SMTP, IMAP, POP3) have limited content filtering support for the following features: Block Extension List, Protocol Command Block List, and MIME Pattern Filtering. Support is limited for e-mail protocols for the following reasons:

  • The content filter scans only one level of an e-mail header. Therefore recursive e-mail headers and encrypted attachments are not scanned.

  • If an entire e-mail is MIME encoded, the content filter can only scan for the MIME type.

  • If any part of an e-mail is blocked due to content filtering, the original e-mail is dropped and replaced by a text file with an explanation for why the e-mail was blocked.
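Because the gateway scans only one level of an e-mail, a mail server or endpoint behind it should still inspect nested parts. The following added example (not Juniper code) walks a message recursively and reports attachments with blocked extensions that sit below the first level. The sample message is constructed, the extension set reuses the extlist2 values from this page, and treating "one level" as the direct parts of the top-level message is an assumption.

```python
# Added example: compensating check for nested e-mail attachments.
# Assumption: "one level" means the direct parts of the top-level message.
from email.message import EmailMessage

BLOCKED_EXT = {"zip", "js", "vbs"}  # extensions from extlist2 on this page

def build_sample():
    """Constructed message: one top-level attachment, one inside a forward."""
    inner = EmailMessage()
    inner["Subject"] = "inner"
    inner.set_content("see attachment")
    inner.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename="report.vbs")
    outer = EmailMessage()
    outer["Subject"] = "Fwd: inner"
    outer.set_content("forwarded")
    outer.add_attachment(inner)  # becomes a message/rfc822 part
    outer.add_attachment(b"placeholder", maintype="application",
                         subtype="zip", filename="top.zip")
    return outer

def attachments_by_depth(msg, depth=0):
    """Return (depth, filename) for every named leaf part, at any nesting."""
    if msg.is_multipart():  # true for multipart/* and message/rfc822
        found = []
        for part in msg.get_payload():
            found += attachments_by_depth(part, depth + 1)
        return found
    name = msg.get_filename()
    return [(depth, name)] if name else []

def blocked_beyond_first_level(msg, blocked=BLOCKED_EXT):
    """Blocked-extension attachments that a one-level scan would not reach."""
    return [name for depth, name in attachments_by_depth(msg)
            if depth > 1 and name.rsplit(".", 1)[-1].lower() in blocked]

if __name__ == "__main__":
    sample = build_sample()
    print(attachments_by_depth(sample))
    print("needs downstream scan:", blocked_beyond_first_level(sample))
```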

Starting with Junos OS Release 19.4R1, the antivirus and content filtering features support the implicit and explicit SMTPS, IMAPS, and POP3S protocols, and support only explicit passive mode FTPS.

Implicit mode—Connect to SSL/TLS encrypted port using secure channel.

Explicit mode—First connect to unsecured channel, then secure the communication by issuing STARTTLS command. For POP3S, use STLS command.

Specifying Content Filtering Protocols (CLI Procedure)

To configure content filtering protocols, use the following CLI configuration statements:

Content Filtering Configuration Overview

A content security filter blocks or allows certain types of traffic based on the MIME type, file extension, protocol commands, and embedded object type. The content filter controls file transfers across the gateway by checking traffic against configured filter lists. The content filtering module evaluates traffic before all other UTM modules; if traffic meets the criteria configured in the content filter, the content filter acts first upon this traffic. The following procedure lists the recommended order in which you should configure content filters:

  1. Configure UTM custom objects for the feature. See Example: Configuring Content Filtering Custom Objects.

  2. Configure the main feature parameters using feature profiles. See Example: Configuring Content Filtering Feature Profiles.

  3. Configure a UTM policy for each protocol and attach this policy to a profile. See Example: Configuring Content Filtering UTM Policies.
  4. Attach the UTM policy to a security policy. See Example: Attaching Content Filtering UTM Policies to Security Policies.

Example: Configuring Content Filtering Custom Objects

This example shows how to configure content filtering custom objects.

Requirements

Before you begin:

  1. Decide on the type of content filter you require. See Content Filtering Overview.
  2. Understand the order in which content filtering parameters are configured. See Content Filtering Configuration Overview.

Overview

In this example, you define custom objects that are used to create content filtering profiles. You perform the following tasks to define custom objects:

  1. Create two protocol command lists called ftpprotocom1 and ftpprotocom2, and add user, pass, port, and type commands to them.
  2. Create a filename extension list called extlist2, and add the .zip, .js, and .vbs extensions to it.
  3. Define a block-mime list called cfmime1 and add patterns to the list.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure content filtering custom objects:

  1. Create two protocol command lists.
  2. Add protocol commands to the list.
  3. Create a filename extension list.
  4. Add extensions to the list.
  5. Create antivirus scanning lists.
  6. Add patterns to the lists.

Results

From configuration mode, confirm your configuration by entering the show security utm command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Content Filtering Custom Objects

Purpose

Verify the content filtering custom objects.

Action

From operational mode, enter the show configuration security utm command.

Example: Configuring Content Filtering UTM Policies

This example describes how to create a content filtering UTM policy to attach to your feature profile.

Requirements

Before you begin:

  1. Decide on the type of content filter you require. See Content Filtering Overview.
  2. Configure UTM custom objects for each feature and define the content-filtering profile. See Content Filtering Configuration Overview.

Overview

You configure UTM policies to selectively enforce various UTM solutions on network traffic passing through a UTM-enabled device. Through feature profiles you associate custom objects to these policies and specify blocking or permitting certain types of traffic.

In this example, you configure a UTM policy called utmp4, and then assign the preconfigured feature profile confilter1 to this policy.

Configuration

Step-by-Step Procedure

To configure a content filtering UTM policy:

You can configure different protocol applications in the UTM policy. The example only shows HTTP and not other protocols. Earlier you configured custom objects for FTP (ftpprotocom1 and ftpprotocom2). Next you should add a content filter policy for FTP, for example:

set security utm utm-policy utmp4 content-filtering ftp upload-profile confilter1

set security utm utm-policy utmp4 content-filtering ftp download-profile confilter1

  1. Create a UTM policy.
  2. Attach the UTM policy to the profile.
  3. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show security utm command.

Example: Attaching Content Filtering UTM Policies to Security Policies

This example shows how to create a security policy and attach the UTM policy to the security policy.

Requirements

Before you begin:

  1. Configure UTM custom objects, define the content filtering profile, and create a UTM policy. See Content Filtering Configuration Overview.
  2. Enable and configure a security policy. See Example: Configuring a Security Policy to Permit or Deny All Traffic.

Overview

By attaching content filtering UTM policies to security policies, you can filter traffic transiting from one security zone to another.

In this example, you create a security policy called p4 and specify that traffic from any source address to any destination address with an HTTP application matches the criteria. You then assign a UTM policy called utmp4 to the security policy p4. This UTM policy applies to any traffic that matches the criteria specified in the security policy p4.

Configuration

CLI Quick Configuration

To quickly attach a content filtering UTM policy to a security policy, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To attach a UTM policy to a security policy:

  1. Create a security policy.
  2. Specify the match conditions for the policy.
  3. Attach the UTM policy to the security policy.

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Attaching Content Filtering UTM Policies to Security Policies

Purpose

Verify the attachment of the content filtering UTM policy to the security policy.

Action

From operational mode, enter the show security policies command.

Monitoring Content Filtering Configurations

Purpose

View content filtering statistics.

Action

To view content filtering statistics in the CLI, enter the user@host > show security utm content-filtering statistics command.

The content filtering show statistics command displays the following information:

To view content filtering statistics using J-Web:

  1. Select Monitor>Security>UTM>Content Filtering.

    The following statistics become viewable in the right pane.

  2. You can click Clear Content filtering statistics to clear all current viewable statistics and begin collecting new statistics.

Release History Table

Release | Description
15.1X49-D100 | Starting with Junos OS Release 15.1X49-D100, IPv6 pass-through traffic for HTTP, FTP, SMTP, POP3, IMAP protocols is supported for Web filtering and Content filtering security features of UTM.