
UTM Supported Features


WELF Logging for UTM Features

Understanding WELF Logging for UTM Features

UTM features support the WELF standard. The WELF Reference defines the WebTrends industry standard log file exchange format. Any system logging to this format is compatible with Firewall Suite 2.0 and later, Firewall Reporting Center 1.0 and later, and Security Reporting Center 2.0 and later.

A WELF log file is composed of records. Each record is a single line in the file. Records are always in chronological order. The earliest record is the first record in the file; the most recent record is the last record in the file. WELF places no restrictions on log filenames or log file rotation policies.

Note

Each WELF record is composed of fields. The record identifier field (id=) must be the first field in a record. All other fields can appear in any order.

The following is a sample WELF record:

The fields from the example WELF record include the following required elements (all other fields are optional):

  • id (Record identifier)

  • time (Date/time)

  • fw (Firewall IP address or name)

  • pri (Priority of the record)
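The checks above (id= first, the four required fields, records in chronological order) as an added Python validator; this is example code written for this page, not Juniper's or WebTrends' own, and the sample records are constructed in WELF style rather than captured from a device.

```python
"""Parse and validate WELF records (added example, not Juniper code).

A WELF record is one line of key=value fields separated by spaces; values
that contain spaces are double-quoted. The record identifier (id=) must be
the first field, id/time/fw/pri are required, and a file must be in
chronological order.
"""
import shlex
from datetime import datetime
from typing import Dict, List

REQUIRED = ("id", "time", "fw", "pri")

# Constructed sample records (not a real capture): lines 3, 4 and 5 are bad.
SAMPLE_LOG = """\
id=firewall time="2024-05-01 10:00:01" fw=192.0.2.1 pri=6 proto=http src=192.0.2.10 dst=198.51.100.5 op=GET result=0
id=firewall time="2024-05-01 10:00:05" fw=192.0.2.1 pri=4 proto=smtp src=192.0.2.11 dst=198.51.100.25 msg="virus detected"
time="2024-05-01 10:00:07" id=firewall fw=192.0.2.1 pri=6 proto=http
id=firewall time="2024-05-01 09:59:59" fw=192.0.2.1 pri=6 proto=http
id=firewall time="2024-05-01 10:00:09" pri=6 proto=http
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one WELF line into a field dict; raise ValueError if malformed."""
    tokens = shlex.split(line)  # honours the double-quoted values
    if not tokens or not tokens[0].startswith("id="):
        raise ValueError("record identifier (id=) must be the first field")
    fields: Dict[str, str] = {}
    for tok in tokens:
        if "=" not in tok:
            raise ValueError(f"field without '=': {tok!r}")
        key, value = tok.split("=", 1)
        fields[key] = value
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing required field(s): {', '.join(missing)}")
    return fields


def validate_log(text: str) -> List[str]:
    """Return one problem string per bad record; an empty list means the file is valid."""
    problems: List[str] = []
    last_time = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = parse_record(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        ts = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        if last_time is not None and ts < last_time:
            problems.append(f"line {lineno}: record is out of chronological order")
        last_time = ts if last_time is None else max(last_time, ts)
    return problems
```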

Example: Configuring WELF Logging for UTM Features

This example shows how to configure WELF logging for UTM features.

Requirements

Before you begin, review the fields used to create a WELF log file and record. See UTM Overview.

Overview

A WELF log file is composed of records. Each record is a single line in the file. Records are always in chronological order. The earliest record is the first record in the file; the most recent record is the last record in the file. WELF places no restrictions on log filenames or log file rotation policies. In this example, the severity level is emergency and the name of the security log stream is utm-welf.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure WELF logging for UTM features:

  1. Set the security log source IP address.
    Note

    You must save the WELF logging messages to a dedicated WebTrends server.

  2. Name the security log stream.
  3. Set the format for the log messages.
  4. Set the category of log messages that are sent.
  5. Set the severity level of log messages that are sent.
  6. Enter the host address of the dedicated WebTrends server to which the log messages are to be sent.

Results

From configuration mode, confirm your configuration by entering the show security log command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Security Log

Purpose

Verify that the WELF log for UTM features is complete.

Action

From operational mode, enter the show security utm status command to verify whether the UTM service is running.

Explicit Proxy for UTM

UTM supports the use of an explicit proxy for the cloud-based connectivity of Enhanced Web Filtering (EWF) and Sophos antivirus (SAV). The explicit proxy hides the identity of the source device and establishes the connection with the destination device on its behalf.

Understanding Explicit Proxy

An explicit proxy hides the identity of the source device, communicates directly with the Websense Threatseeker Cloud (TSC) server, and establishes the connection with the destination device. The explicit proxy configuration consists of a port number and the proxy's IP address or hostname.

To use the explicit proxy, create one or more proxy profiles and refer to those profiles:

  • In EWF, the explicit proxy is configured by referring to the created proxy-profile in the security utm default-configuration web-filtering juniper-enhanced server hierarchy. The connection is established with the TSC server.

  • In EWF predefined category upgrading and base filter, the explicit proxy is configured by referring to the created proxy-profile in the security utm custom-objects category-package proxy-profile hierarchy. You can download and dynamically load new EWF categories without any software upgrade. The category package is installed and used for transfer of the traffic.

    The SRX Series device sends a CONNECT request to the proxy server, and the SRX Series device and the TSC server then communicate through that HTTP connection. The proxy server is expected to identify the configured IP addresses, allowlist them, and allow the SRX Series device to send traffic to the TSC server in the cloud through the proxy. After proxy filtering, the proxy creates the connection to the real TSC server.

  • In Sophos Antivirus (SAV), the explicit proxy is configured by referring to the created proxy-profile in the security utm default-configuration anti-virus sophos-engine pattern-update hierarchy. The utmd process connects to the proxy host instead of the SAV pattern update server in the cloud.

On EWF, if the proxy profile is configured in UTM Web filtering configuration, the TSC server connection is established with the proxy host instead of the UTM server on the cloud.

On SAV, if the proxy profile is configured, the utmd process connects to the proxy host instead of the SAV pattern update server on the cloud.

Note

Proxy server authentication is not supported when a proxy-profile is configured.

Configuring the Explicit Proxy on Juniper Enhanced Server

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

Create a proxy profile with host and port information, and refer it in the Juniper enhanced server to establish a connection to the UTM cloud server.

The following configuration shows how to configure the explicit proxy on Juniper enhanced server.

  1. Assign the host IP address for the proxy profile.
  2. Assign the port for the proxy profile.
  3. Assign the proxy profile to the Web filtering Juniper enhanced server.

Results

From configuration mode, confirm your configuration by entering the show security and show services commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verifying the Explicit Proxy Configuration on Juniper Enhanced Server

Purpose

Display the status of the explicit proxy on the Juniper enhanced server.

Action

From operational mode, enter the show security utm web-filtering status command.

user@host> show security utm web-filtering status

UTM web-filtering status:

Server status: Juniper Enhanced using Websense server UP

Meaning

This command provides information on server status of Enhanced Web Filtering (EWF) using Websense Threatseeker Cloud (TSC).

Configuring the Predefined Category Upgrading and Base Filter Configuration Using Explicit Proxy

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

Create a proxy profile with host and port information, and refer it in the predefined category upgrade and base filter to download and dynamically load new EWF categories without any software upgrade.

The following configuration shows how to configure the explicit proxy on predefined category upgrading and base filter.

  1. Assign the host IP address for the proxy profile.
  2. Assign the port for the proxy profile.
  3. Assign the proxy profile to the category packages in the custom objects.

Results

From configuration mode, confirm your configuration by entering the show security and show services commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verifying the Predefined Category Upgrading and Base Filter Configuration

Purpose

Display the Enhanced Web Filtering (EWF) predefined category package download, install, and update status.

Action

From operational mode, enter the show security utm web-filtering category status CLI command to see the web filtering category status.

Note

Before you execute the show security utm web-filtering category status CLI command, you must execute the request security utm web-filtering category download-install CLI command to get the results.

Meaning

This command provides information on the number of installed and downloaded categories and the update status.

Configuring the Sophos Antivirus Pattern Update

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

Create a proxy profile with host and port information, and refer to it in the Sophos Antivirus (SAV) pattern update. The utmd process then connects to the proxy host instead of the SAV pattern update server in the cloud.

The following configuration shows how to configure the explicit proxy on SAV pattern update.

  1. Assign the host IP address for the proxy profile.
  2. Assign the port for the proxy profile.
  3. Assign the proxy profile to the Sophos antivirus pattern update.

Results

From configuration mode, confirm your configuration by entering the show security and show services commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verifying the Sophos Antivirus Pattern Update

Purpose

Display the Sophos Antivirus (SAV) update pattern status.

Action

From operational mode, enter the show security utm anti-virus status CLI command to see the UTM antivirus status.

Meaning

This command provides information on the Sophos Antivirus (SAV) pattern update server, the update status, the antivirus signature version, the antivirus engine type, and the antivirus engine information.

Unified Policies for UTM

Understanding Unified Policies [Unified Threat Management (UTM)]

Unified policies are now supported on SRX Series devices, allowing granular control and enforcement of dynamic Layer 7 applications within the traditional security policy.

Unified policies are security policies in which you can use dynamic applications as match conditions along with the existing 5-tuple or 6-tuple match conditions (with user firewall) to detect application changes over time. Unified policies enable you to enforce a set of rules on transit traffic. The match criteria are source zone, destination zone, source addresses, destination addresses, and application names; the policies that match these criteria form the potential policy list.

The unified policy configuration handles all Application Firewall (AppFW) functionalities and simplifies the task of configuring firewall policy to permit or block application traffic from the network. As part of the unified policy, a new dynamic application policy match condition is added to SRX Series devices, allowing an administrator to more effectively control the behavior of Layer 7 applications.

To accommodate Layer 7 application-based policies in UTM, the [edit security utm default-configuration] command is introduced. If any parameter in a specific UTM feature profile configuration is not configured, then the corresponding parameter from the UTM default configuration is applied.

Additionally, during the initial policy lookup phase which occurs prior to a dynamic application being identified, if there are multiple policies present in the potential policy list which contains different UTM profiles, the SRX Series device applies the default UTM profile until a more explicit match has occurred.

Understanding Default UTM Policy

A new predefined default UTM policy is available with the factory default configuration to provide a default UTM configuration. This predefined global UTM policy inherits the configuration from the default UTM configuration profile.

If there is an existing UTM policy defined, it will continue to be used to evaluate traffic based on the existing security policy configuration.

When a policy lookup is performed, existing UTM policies are evaluated prior to global policies. The predefined UTM default policy is leveraged if multiple UTM policies exist in the potential policy list during the UTM session creation process.

The predefined UTM default policy parameters are included under [edit security utm default-configuration] hierarchy level. These parameters are available for Web filtering, content filtering, antivirus, and antispam profile. If no UTM feature profile is configured (Web filtering, content filtering, antivirus, and antispam), the parameters in the predefined global UTM configuration are applied.

The predefined UTM default policy is available in [edit groups junos-defaults security utm]. You can modify certain parameters for Web filtering, content filtering, antivirus, and antispam. You can also modify default UTM profile parameters for Web filtering, content filtering, antivirus, and antispam features profiles at [edit security utm default-configuration].

UTM Support for Chassis Cluster

UTM is supported for active/active chassis cluster and active/backup chassis cluster configuration. For more information, see the following topics:

Understanding UTM Support for Active/Active Chassis Cluster

UTM requires a license for each device in the chassis cluster setup. For information about how to purchase a software license, contact your Juniper Networks sales representative at https://www.juniper.net/in/en/contact-us/, and see the Licensing Guide for more information.

All the following UTM features are supported in active/active chassis cluster:

  • Antispam Filtering

  • Content Filtering

  • Sophos Antivirus Scanning

  • Enhanced Web Filtering

  • Local Web Filtering

  • Websense Redirect Web Filtering

  • On-box/Avira AV

UTM supports active/active chassis cluster configuration from Junos OS Release 19.4R1 onwards. An active/active cluster is a cluster in which interfaces can be active on both cluster nodes simultaneously. This is the case when there is more than one data-plane redundancy group (that is, redundancy groups 1 and higher) or when local (non-reth) interfaces are used on the cluster nodes.

The Enhanced Web Filtering cloud connection does not support failover; a new connection is created automatically after the old connection is retired.

Understanding UTM Support for Active/Backup Chassis Cluster

UTM requires a license for each device in the chassis cluster setup. For information about how to purchase a software license, contact your Juniper Networks sales representative at https://www.juniper.net/in/en/contact-us/.

The following UTM features are supported in chassis cluster:

  • Content filtering

  • URL (Web) filtering

  • Antispam filtering

  • Full file-based antivirus scanning

  • Sophos antivirus scanning

An active/active cluster is a cluster in which interfaces can be active on both cluster nodes at the same time. This is the case when there is more than one data-plane redundancy group (that is, redundancy groups 1 and higher) or when local (non-reth) interfaces are used on the cluster nodes.

If multiple data-plane redundancy groups are configured, UTM works only if all the redundancy groups are active on a single node. If one of the redundancy groups fails over automatically to the other node, UTM does not work.

Allowlist

A URL allowlist defines all the URLs listed for a specific category to always bypass the scanning process. The allowlist includes hostnames that you want to exempt from undergoing SSL proxy processing. For more information, see the following topics:

Understanding MIME Allowlist

The gateway device uses MIME (Multipurpose Internet Mail Extension) types to decide which traffic may bypass antivirus scanning. The MIME allowlist defines a list of MIME types and can contain one or many MIME entries.

A MIME entry is case-insensitive. An empty MIME is an invalid entry and should never appear in the MIME list. If the MIME entry ends with a / character, prefix matching takes place. Otherwise, exact matching occurs.

There are two types of MIME lists used to configure MIME type antivirus scan bypassing:

  • mime-allowlist list—This is the comprehensive list for those MIME types that can bypass antivirus scanning.

  • exception list—The exception list is a list for excluding some MIME types from the mime-allowlist list. This list is a subset of MIME types found in the mime-allowlist.

    For example, if the mime-allowlist includes the entry video/ and the exception list includes the entry video/x-shockwave-flash, objects with a video/ MIME type bypass scanning, but objects with the video/x-shockwave-flash MIME type do not.

    Note the following limits for mime-allowlist entries:

    • The maximum number of MIME items in a MIME list is 50.

    • The maximum length of each MIME entry is restricted to 40 bytes.

    • The maximum length of a MIME list name string is restricted to 40 bytes.
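The matching rules above (case-insensitive, trailing slash means prefix match, exception list overrides the allowlist) together with the three limits, as an added Python model; this is example code written for this page, not Junos code, and the avmime2 and ex-avmime2 lists are constructed to mirror the video/ example.

```python
"""MIME allowlist matching as the page describes it (added example, not Junos code).

Entries are case-insensitive; an entry ending in "/" is a prefix match, any
other entry is an exact match; an exception list removes a subset of the
allowlisted types from the bypass. Limits: 50 entries per list, 40 bytes per
entry, 40 bytes per list name, and no empty entries.
"""
from typing import Iterable, List

MAX_ENTRIES, MAX_ENTRY_LEN, MAX_NAME_LEN = 50, 40, 40


def validate_list(name: str, entries: Iterable[str]) -> List[str]:
    """Return the problems a MIME list would have under the documented limits."""
    entries = list(entries)
    problems: List[str] = []
    if len(name.encode()) > MAX_NAME_LEN:
        problems.append(f"list name {name!r} exceeds {MAX_NAME_LEN} bytes")
    if len(entries) > MAX_ENTRIES:
        problems.append(f"list {name!r} has {len(entries)} entries (max {MAX_ENTRIES})")
    for e in entries:
        if e == "":
            problems.append(f"list {name!r} contains an empty MIME entry")
        elif len(e.encode()) > MAX_ENTRY_LEN:
            problems.append(f"entry {e!r} exceeds {MAX_ENTRY_LEN} bytes")
    return problems


def _matches(entry: str, mime_type: str) -> bool:
    """One list entry against one MIME type, using the page's two match modes."""
    entry, mime_type = entry.lower(), mime_type.lower()
    if entry.endswith("/"):
        return mime_type.startswith(entry)  # prefix match, e.g. "video/"
    return mime_type == entry               # exact match otherwise


def bypasses_av(mime_type: str, allowlist: Iterable[str],
                exceptions: Iterable[str] = ()) -> bool:
    """True when an object of this MIME type would skip antivirus scanning."""
    if any(_matches(e, mime_type) for e in exceptions):
        return False  # exception list wins over the allowlist
    return any(_matches(e, mime_type) for e in allowlist)


# Constructed lists mirroring the page's video/ example.
AVMIME2 = ["video/", "image/png", "Application/PDF"]
EX_AVMIME2 = ["video/x-shockwave-flash"]
```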

Example: Configuring MIME Allowlist to Bypass Antivirus Scanning

This example shows how to configure MIME allowlists to bypass antivirus scanning.

Requirements

Before you begin, decide the type of MIME lists used to configure MIME type antivirus scan bypassing. See Understanding MIME Allowlist.

Overview

In this example, you create MIME lists called avmime2 and ex-avmime2 and add patterns to them.

Configuration

Step-by-Step Procedure

To configure MIME allowlists to bypass antivirus scanning:

  1. Create MIME lists and add patterns to the lists.
  2. If you are done configuring the device, commit the configuration.

Verification

To verify that the configuration is working properly, enter the show security utm command.

Understanding URL Allowlist

A URL allowlist defines all the URLs listed for a specific category to always bypass the scanning process. The allowlist includes hostnames that you want to exempt from undergoing SSL proxy processing. There are also legal requirements to exempt financial and banking sites; such exemptions are achieved by configuring URL categories corresponding to those hostnames under the URL allowlists. If any URLs do not require scanning, corresponding categories can be added to this allowlisting.

Starting with Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, the allowlisting feature is extended to include URL categories supported by UTM in the allowlist configuration of SSL forward proxy. For more information, see Application Security User Guide for Security Devices.

Starting with Junos OS Release 17.4R1, the allowlisting feature is extended to support custom URL categories supported by UTM in the allowlist configuration of SSL forward proxy.

Configuring URL Allowlist to Bypass Antivirus Scanning (CLI Procedure)

To configure URL allowlists, use the following CLI configuration statements:

Release History Table

Release                     Description
17.4R1                      Starting with Junos OS Release 17.4R1, the allowlisting feature is extended to support custom URL categories supported by UTM in the allowlist configuration of SSL forward proxy.
15.1X49-D80 and 17.3R1      Starting with Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, the allowlisting feature is extended to include URL categories supported by UTM in the allowlist configuration of SSL forward proxy. For more information, see Application Security User Guide for Security Devices.