UTM Overview


Unified threat management (UTM) provides multiple security features and services in a single device or service on the network, protecting users from security threats in a simplified way. UTM includes functions such as antivirus, antispam, content filtering, and web filtering. UTM secures the network from viruses, malware, or malicious attachments by scanning the incoming data using Deep Packet Inspection and prevents access to unwanted websites by installing Enhanced Web filtering. For more information, see the following topics:

Unified Threat Management Overview

Unified Threat Management (UTM) is a term used to describe the consolidation of several security features into one device, protecting against multiple threat types. The advantage of UTM is streamlined installation and management of these multiple security capabilities.

The security features provided as part of the UTM solution for NFX devices are:

  • Antispam Filtering—E-mail spam consists of unwanted e-mail messages, usually sent by commercial, malicious, or fraudulent entities. The antispam feature examines transmitted e-mail messages to identify e-mail spam. When the device detects an e-mail message deemed to be spam, it either drops the message or tags the message header or subject field with a preprogrammed string. The antispam feature uses a constantly updated spam block list (SBL). Sophos updates and maintains the IP-based SBL. The antispam feature is a separately licensed subscription service.

  • Content Filtering—Content filtering blocks or permits certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type. Content filtering does not require a separate license.

  • Web Filtering—Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. There are two types of Web filtering solutions. The redirect Web filtering solution intercepts HTTP requests and forwards the server URL to an external URL filtering server provided by Websense to determine whether to block or permit the requested Web access. Redirect Web filtering does not require a separate license. With Juniper Local Web Filtering, the decision-making for blocking or permitting Web access is done on the device after it identifies the category for a URL from user-defined categories stored on the device. With Local filtering, there is no additional Juniper license or remote category server required.

  • Sophos Antivirus—Sophos antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. Sophos supports the same protocols as full antivirus and functions in much the same manner; however, it has a smaller memory footprint and is compatible with lower-end devices that have less memory. Sophos antivirus is an in-the-cloud antivirus solution. The virus pattern and malware database is located on external servers maintained by Sophos (Sophos Extensible List servers), so there is no need to download and maintain large pattern databases on the Juniper device. The Sophos antivirus scanner also uses a local internal cache to maintain query responses from the external list server to improve lookup performance.


The sessions-per-client limit CLI command, which imposes a session throttle to prevent a malicious user from generating large amounts of traffic simultaneously, supports the antispam, content filtering, and antivirus UTM features. It does not support Web filtering.


Starting with Junos OS Release 18.2 R1, the NFX150 devices support up to 500 UTM policies, profiles, MIME patterns, filename extensions, and protocol commands, and up to 1000 custom URL patterns and custom URL categories.

Understanding UTM Custom Objects

Before you can configure most UTM features, you must first configure the custom objects for the feature in question. Custom objects are global parameters for UTM features. This means that configured custom objects can be applied to all UTM policies where applicable, rather than only to individual policies.

The following UTM features make use of certain custom objects:

Understanding WELF Logging for UTM Features

UTM features support the WELF standard. The WELF Reference defines the WebTrends industry standard log file exchange format. Any system logging to this format is compatible with Firewall Suite 2.0 and later, Firewall Reporting Center 1.0 and later, and Security Reporting Center 2.0 and later.

A WELF log file is composed of records. Each record is a single line in the file. Records are always in chronological order. The earliest record is the first record in the file; the most recent record is the last record in the file. WELF places no restrictions on log filenames or log file rotation policies.


Each WELF record is composed of fields. The record identifier field (id=) must be the first field in a record. All other fields can appear in any order.

The following is a sample WELF record:

The fields from the example WELF record include the following required elements (all other fields are optional):

  • id (Record identifier)

  • time (Date/time)

  • fw (Firewall IP address or name)

  • pri (Priority of the record)
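The record rules above (id= first, four required fields, chronological order) can be checked mechanically on the collector side. The following Python sketch is an added example, not part of the Juniper documentation; the function names, the sample records, and the timestamp layout in TIME_FMT are assumptions made for illustration.

```python
import re
from datetime import datetime

REQUIRED = ("id", "time", "fw", "pri")  # required fields listed on this page
# A field is name=value; a value containing spaces is wrapped in double quotes.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S*)')
TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout

def parse_record(line):
    """Return the (name, value) pairs of one WELF line, in record order."""
    return [(k, v.strip('"')) for k, v in FIELD_RE.findall(line)]

def check_record(line):
    """Return the list of problems found in a single record (empty if none)."""
    fields = parse_record(line)
    problems = []
    if not fields or fields[0][0] != "id":
        problems.append("id= is not the first field")
    names = [k for k, _ in fields]
    for name in REQUIRED:
        if name not in names:
            problems.append(f"missing required field {name}")
    return problems

def check_log(lines):
    """Check each record and the chronological order; returns {line_no: [problems]}."""
    report, previous = {}, None
    for no, line in enumerate(lines, 1):
        problems = check_record(line)
        stamp = dict(parse_record(line)).get("time")
        if stamp:
            try:
                current = datetime.strptime(stamp, TIME_FMT)
                if previous and current < previous:
                    problems.append("record is older than the previous record")
                previous = current
            except ValueError:
                problems.append("unparseable time value")
        if problems:
            report[no] = problems
    return report

# Constructed sample records (not from the page); addresses are documentation ranges.
SAMPLE = [
    'id=firewall time="2024-03-01 10:15:00" fw=192.0.2.1 pri=1 proto=http src=198.51.100.7 msg="virus detected"',
    'time="2024-03-01 10:16:00" id=firewall fw=192.0.2.1 pri=1',
    'id=firewall time="2024-03-01 10:14:00" fw=192.0.2.1',
]

if __name__ == "__main__":
    for no, problems in check_log(SAMPLE).items():
        print(no, problems)
```

A record that fails these checks on the receiving server usually points to a truncated syslog message or a stream that is not actually configured for the WELF format.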

Example: Configuring WELF Logging for UTM Features

This example shows how to configure WELF logging for UTM features.


Before you begin, review the fields used to create a WELF log file and record. See Understanding WELF Logging for UTM Features.


A WELF log file is composed of records. Each record is a single line in the file. Records are always in chronological order. The earliest record is the first record in the file; the most recent record is the last record in the file. WELF places no restrictions on log filenames or log file rotation policies. In this example, the severity level is emergency and the name of the security log stream is utm-welf.


CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure WELF logging for UTM features:

  1. Set the security log source IP address.

    You must save the WELF logging messages to a dedicated WebTrends server.

  2. Name the security log stream.
  3. Set the format for the log messages.
  4. Set the category of log messages that are sent.
  5. Set the severity level of log messages that are sent.
  6. Enter the host address of the dedicated WebTrends server to which the log messages are to be sent.


From configuration mode, confirm your configuration by entering the show security log command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.


Verifying the Security Log


Verify that the WELF log for UTM features is complete.


From operational mode, enter the show security utm status command to verify whether the UTM service is running.
