
Allow or Block Websites Using J-Web Integrated URL Filtering

Why URL Filtering

Today, most of us spend considerable time on the Web. We surf our favorite sites, follow interesting links sent to us through e-mail, and use a variety of Web-based applications on our office network. This increased use of the network helps us both personally and professionally. However, it also exposes our organization to a variety of security and business risks, such as potential data loss, lack of compliance, and threats such as malware and viruses. In this environment of increased risk, it is wise for businesses to implement Web or URL filters to control network behavior. To control network threats, you can use a Web or URL filter to categorize websites on the Internet and to either allow or block user access.

Let’s take an example of a typical situation where a user of your office network is blocked from accessing a website:

In the Web browser, the user types www.gameplay.com, a popular gaming site. The user receives a message such as Access Denied or The Website is blocked. Display of such a message means that your organization has inserted a filter for the gaming websites, and you can’t access the site from your workplace.

Web Filtering Workflow

Scope

Juniper Web (J-Web) Device Manager supports UTM Web filtering on SRX Series devices.

In J-Web, a Web filtering profile defines a set of permissions and actions based on Web connections predefined by website categories. You can also create custom URL categories and URL pattern lists for a Web filtering profile.

Note: You cannot inspect URLs within e-mails using J-Web UTM Web filtering.

In this example, you’ll:

  1. Create your own custom URL pattern lists and URL categories.

  2. Create a Web filtering profile using the Local engine type. Here, you can define your own URL categories, which can be allowed sites (whitelist) or blocked sites (blacklist) that are evaluated on the SRX Series device. All URLs added for blocked sites are denied, while all URLs added for allowed sites are permitted.

  3. Block inappropriate gaming websites and allow suitable websites (for example, www.juniper.net).

  4. Define a custom message to display when users attempt to access the gaming websites.

  5. Apply the Web filtering profile to a UTM policy.

  6. Assign the UTM policy to a security policy rule.

Note: Web filtering and URL filtering have the same meaning. We’ll use the term Web filtering throughout our example.

Before You Begin

Topology

In this topology, we have a PC connected to a UTM-enabled SRX Series device that has access to the Internet. Let's use J-Web to filter the HTTP requests sent to the Internet with this simple setup.

Sneak Peek – J-Web UTM Web Filtering Steps

Step 1: List URLs That You Want to Allow or Block

In this step, let’s define custom objects (URLs and patterns) to handle the URLs that you want to allow or block.

You are here: Configure > Security Services > UTM > Custom Objects

Procedure

To list URLs:

  1. Click the URL Pattern List tab.
  2. Click the add icon (+) to add a URL pattern list.

    The Add URL Pattern List page appears. See Figure 11.

  3. Complete the tasks listed in the Action column in the following table:

    Field: Name
    Action: Enter allowed-sites or blocked-sites.
    Note: Use a string beginning with a letter or underscore and consisting of alphanumeric characters and special characters such as dashes and underscores. The maximum length is 29 characters.

    Field: Value
    Action:
    1. Click + to add a URL pattern value.
    2. Enter the following:
      • For allowed-sites—www.juniper.net and www.google.com
      • For blocked-sites—www.gamestu.com and www.gameplay.com
    3. Click the tick icon.

    Figure 11: Add URL Pattern List
  4. Click OK to save the changes.

    Good job! Here's the result of your configuration:

Step 2: Categorize the URLs That You Want to Allow or Block

Let’s assign the created URL patterns to URL category lists. An action is later mapped to each category list; for example, the Gambling category should be blocked.

You are here: Configure > Security Services > UTM > Custom Objects

Procedure

To categorize URLs:

  1. Click the URL Category List tab.
  2. Click the add icon (+) to add a URL category list.

    The Add URL Category List page appears. See Figure 12.

  3. Complete the tasks listed in the Action column in the following table:

    Field: Name
    Action: Enter the URL category list name as good-sites for the allowed-sites URL pattern or stop-sites for the blocked-sites URL pattern.
    Note: Use a string beginning with a letter or underscore and consisting of alphanumeric characters and special characters such as dashes and underscores. The maximum length is 59 characters.

    Field: URL Patterns
    Action:
    1. Select the URL pattern values allowed-sites or blocked-sites from the Available column to associate the URL pattern values with the URL categories good-sites or stop-sites, respectively.
    2. Click the right arrow to move the URL pattern values to the Selected column.

    Figure 12: Add URL Category List
  4. Click OK to save the changes.

    Good job! Here's the result of your configuration:

Step 3: Add a Web Filtering Profile

Now, let’s reference the created URL objects (patterns and categories) in a UTM Web filtering profile. This mapping lets you set a different filtering action for each category.

You are here: Configure > Security Services > UTM > Web Filtering

Procedure

To create a Web filtering profile:

  1. Click the add icon (+) to add a Web filtering profile.

    The Create Web Filtering Profiles page appears. See Figure 13.

  2. Complete the tasks listed in the Action column in the following table:

    General

    Field: Name
    Action: Enter wf-local for the Web filtering profile.
    Note: The maximum length is 29 characters.

    Field: Timeout
    Action: Enter 30 (in seconds) to wait for a response from the Local engine. The maximum value is 1800 seconds. The default value is 15 seconds.

    Field: Engine type
    Action: Select the Local engine type for Web filtering.
    Note: The default value is Juniper Enhanced.

    URL Categories

    Field: +
    Action: Click the add icon to select the URL categories.

    Field: Select URL categories to apply to the list
    Action: Select good-sites or stop-sites.

    Field: Action
    Action: Select Log and Permit for the good-sites category from the list. Select Block for the stop-sites category from the list.

    Field: Custom Message
    Action: Click Create New to add a new custom message for the stop-sites.
    • Name—Enter blocked-urls.
    • Type—Select User Message.
    • Content—Enter URL request is denied. Contact your IT department for help.

    Figure 13: Create Web Filtering Profile
  3. Click Finish. Read the summary of the configuration and click OK to save changes.

    Good job! Here's the result of your configuration:

  4. Click Close after you see a success message.

Step 4: Reference a Web Filtering Profile in a UTM Policy

You now need to assign the Web filtering profile (wf-local) to a UTM policy, which is the action that will be applied to matching traffic.

You are here: Configure > Security Services > UTM > Policy

Procedure

To create a UTM policy:

  1. Click the add icon (+) to add a UTM policy.

    The Create UTM Policies page appears.

  2. Complete the tasks listed in the Action column in the following table:

    General – General Information

    Field: Name
    Action: Enter wf-custom-policy for the UTM policy and click Next.
    Note: The maximum length is 29 characters.

    Web Filtering - Web Filtering Profiles by Traffic Protocol

    Field: HTTP
    Action: Select wf-local from the list and click Next.

  3. Click Finish. Read the summary of the configuration and click OK to save changes.

    Almost there! Here's the result of your configuration:

  4. Click Close after you see a success message.

    Good news! You’re done with UTM Web filtering configurations!

Step 5: Assign a UTM Policy to a Security Policy

You haven’t yet assigned the UTM configurations to the security policy from the TRUST zone to the INTERNET zone. No action will be taken until you assign the UTM policy to security policy rules that act as the match criteria.

When the security policy rules are permitted, the SRX Series device:

  1. Intercepts an HTTP connection and extracts each URL (in the HTTP request) or IP address.

    Note: For an HTTPS connection, Web filtering is supported through SSL forward proxy.

  2. Searches for URLs in the user-configured blacklist or whitelist under Web Filtering (Configure > Security Services > UTM > Default Configuration). Then, if the URL is in the:

    1. User-configured blacklist, the device blocks the URL.

    2. User-configured whitelist, the device permits the URL.

  3. Checks the user-defined categories and blocks or allows the URL based on the user-specified action for the category.

  4. Allows or blocks the URL (if a category is not configured) based on the default action configured in the Web filtering profile.
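
The lookup order above can be modeled in a few lines. This is an added example, not Juniper's code: it uses the pattern lists, categories and profile actions from the sample configuration on this page, and assumes shell-style glob matching against scheme://host. The default_action, blacklist and whitelist parameters are hypothetical inputs, since the page does not show values for them.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Values copied from the sample configuration on this page.
URL_PATTERNS = {
    "blocked-sites": ["http://*.gamestu.com", "http://*.gameplay.com"],
    "allowed-sites": ["http://*.juniper.net", "http://*.google.com"],
}
CATEGORIES = {"stop-sites": ["blocked-sites"], "good-sites": ["allowed-sites"]}
PROFILE = {  # profile wf-local
    "stop-sites": {"action": "block", "custom-message": "blocked-urls"},
    "good-sites": {"action": "log-and-permit"},
}


def matches(url, category):
    """True if scheme://host of url matches a pattern in the category.

    Assumption: patterns are shell-style globs compared against
    scheme://host; the device's own matcher may behave differently.
    """
    if "://" not in url:
        url = "http://" + url  # a hostname typed into a browser
    parts = urlsplit(url)  # scheme and hostname come back lowercased
    target = f"{parts.scheme}://{parts.hostname or ''}"
    return any(
        fnmatchcase(target, pattern)
        for plist in CATEGORIES.get(category, [])
        for pattern in URL_PATTERNS[plist]
    )


def evaluate(url, default_action, blacklist=None, whitelist=None):
    """Return (action, reason) using the lookup order described above."""
    # Global blacklist, then whitelist, in the order the page lists them.
    if blacklist and matches(url, blacklist):
        return "block", f"blacklist:{blacklist}"
    if whitelist and matches(url, whitelist):
        return "permit", f"whitelist:{whitelist}"
    # Custom categories referenced by the profile, with their actions.
    for category, settings in PROFILE.items():
        if matches(url, category):
            return settings["action"], f"category:{category}"
    # No category matched: fall back to the profile's default action.
    # In this model a bare domain such as gameplay.com ends up here because
    # "*.gameplay.com" needs a subdomain; check the device's behaviour.
    return default_action, "default"
```

Running evaluate over the URLs you plan to test in Step 6 gives the expected verdict for each one to compare against what the device actually does.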

You are here: Configure > Security Services > Security Policy > Rules

Procedure

To create security policy rules for the UTM policy:

  1. Click the add icon (+).

    The Create Rule page appears.

  2. Complete the tasks listed in the Action column in the following table:

    General – General Information

    Field: Rule Name
    Action: Enter wf-local-policy for the security policy allowing the good-sites category and denying the stop-sites category.

    Field: Rule Description
    Action: Enter a description for the security policy rule and click Next.

    Source

    Field: Zone
    Action: Select TRUST from the list.

    Field: Address(es)
    Action: Leave this field with the default value any.

    Destination

    Field: Zone
    Action: Select INTERNET from the list.

    Field: Address(es)
    Action: Leave this field with the default value any.

    Field: Service(s)
    Action: Leave this field with the default value any.

    Advanced Security

    Field: Rule Action
    Action: Select Permit from the list.

    Field: UTM
    Action: Select wf-custom-policy from the UTM list.

  3. Click Finish. Read the summary of the configuration and click OK to save changes.

    Good job! Here's the result of your configuration:

  4. Click the commit icon (at the right side of the top banner) and select Commit.

    The commit successful message appears.

    Congratulations! We’re ready to filter the URL requests!

Step 6: Verify That the URLs Are Allowed or Blocked from the Server

What’s Next

What to do? Monitor UTM Web filtering information and statistics.
Where? In J-Web, go to Monitor > Security Services > UTM Web Filtering.

What to do? Generate and view reports on URLs allowed and blocked.
Where? In J-Web, go to Reports. Generate reports for Threat Assessment Reports and Top Blocked Applications via Webfilter logs.

What to do? Learn more about UTM features.
Where? Unified Threat Management User Guide

Sample Configuration Output

Here are samples of configurations that allow and block the websites defined in this example.

You configure the following UTM configurations at the [edit security utm] hierarchy level.

Creating custom objects:

custom-objects {
    url-pattern {
        blocked-sites {
            value [ http://*.gamestu.com http://*.gameplay.com ];
        }
        allowed-sites {
            value [ http://*.juniper.net http://*.google.com ];
        }
    }
    custom-url-category {
        stop-sites {
            value blocked-sites;
        }
        good-sites {
            value allowed-sites;
        }
    }
    custom-message {
        blocked-urls {
            type user-message;
            content "URL request is denied. Contact your IT department for help.";
        }
    }
}

Creating the Web filtering profile:

default-configuration {
    web-filtering {
        type juniper-local;
    }
}
feature-profile {
    web-filtering {
        juniper-local {
            profile wf-local {
                category {
                    stop-sites {
                        action block;
                        custom-message blocked-urls;
                    }
                    good-sites {
                        action log-and-permit;
                    }
                }
                timeout 30;
            }
        }
    }
}

Creating the UTM policy:

utm-policy wf-custom-policy {
    web-filtering {
        http-profile wf-local;
    }
}

You configure the security policy rules at the [edit security policies] hierarchy level.

Creating rules for a security policy:

from-zone trust to-zone internet {
    policy wf-local-policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    utm-policy wf-custom-policy;
                }
            }
        }
    }
}