Allow or Block Websites by Using J-Web Integrated UTM Web Filtering

UTM URL Filtering Overview

Today, most of us spend a considerable time on the Web. We surf our favorite sites, follow interesting links sent to us through e-mail, and use a variety of Web-based applications on our office network. This increased use of the network helps us both personally and professionally. However, it also exposes our organization to a variety of security and business risks, such as potential data loss, lack of compliance, and threats such as malware, virus, and so on. In this environment of increased risk, it is wise for businesses to implement Web or URL filters to control the network behaviors. To control network threats, you can use a Web or URL filter to categorize websites on the Internet and to either allow or block user access.

Here's an example of a typical situation where a user of your office network is blocked access to a website:

On the Web browser, the user types www.gameplay.com, a popular gaming site. The user receives a message such as Access Denied or The Website is blocked. Display of such a message means that your organization has inserted a filter for the gaming websites, and you can’t access the site from your workplace.

Juniper Web (J-Web) Device Manager supports UTM Web filtering on SRX Series devices.

In J-Web, a Web filtering profile defines a set of permissions and actions based on Web connections predefined by website categories. You can also create custom URL categories and URL pattern lists for a Web filtering profile.

Benefits of UTM Web Filtering

• Local Web filtering:

  • Doesn’t require a license.

  • Enables you to define your own lists of allowed sites (whitelist) or blocked sites (blacklist) for which you want to enforce a policy.

• Enhanced Web filtering:

  • Is the most powerful integrated filtering method and includes a granular list of URL categories, support for Google Safe Search, and a reputation engine.

  • Doesn’t require additional server components.

  • Provides real-time threat score for each URL.

  • Enables you to redirect users from a blocked URL to a user-defined URL rather than blocking user access to the blocked URL.

• Redirect Web filtering:

  • Tracks all queries locally, so you don't need an Internet connection.

  • Uses the logging and reporting features of a standalone Websense solution.

Web Filtering Workflow

Scope

In this example, you’ll:

1. Create your own custom URL pattern lists and URL categories.

2. Create a Web filtering profile using the Local engine type. Here, you define your own URL categories, which can be allowed sites (whitelist) or blocked sites (blacklist) that are evaluated on the SRX Series device. All URLs added for blocked sites are denied, while all URLs added for allowed sites are permitted.

3. Block inappropriate gaming websites and allow suitable websites (for example, www.juniper.net).

4. Define a custom message to display when users attempt to access the gaming websites.

5. Apply the Web filtering profile to a UTM policy.

6. Assign the UTM policy to a security policy rule.

Before You Begin

• You do not need a license to configure the Web filtering profile if you use the Local engine type. This is because you will be responsible for defining your own URL pattern lists and URL categories.

• You need a valid license (wf_key_websense_ewf) if you want to try the Juniper Enhanced engine type for the Web filtering profile.

• Ensure that the SRX Series device you use in this example runs Junos OS Release 20.4R1.

Topology

In this topology, we have a PC connected to a UTM-enabled SRX Series device that has access to the Internet. Let's use J-Web to filter the HTTP requests sent to the Internet with this simple setup.

Sneak Peek – J-Web UTM Web Filtering Steps

Step 1: List URLs That You Want to Allow or Block

In this step, we define custom objects (URLs and patterns) to handle the URLs that you want to allow or block.

You are here (in the J-Web UI): Security Services > UTM > Custom Objects.

1. Click the URL Pattern List tab.
2. Click the add icon (+) to add a URL pattern list.

   The Add URL Pattern List page appears. See Figure 1.

3. Complete the tasks listed in the Action column in the following table:

   Field	Action
   Name	Enter allowed-sites or blocked-sites. Note: Use a string beginning with a letter or underscore and consisting of alphanumeric characters and special characters such as dashes and underscores. The maximum length is 29 characters.
   Value	Click + to add a URL pattern value. Enter the following: For allowed-sites—www.juniper.net and www.google.com For blocked-sites—www.gamestu.com and www.gameplay.com Click the tick icon .

   Figure 1: Add URL Pattern List

   

4. Click OK to save the changes.

   Good job! Here's the result of your configuration:

   

   

Step 2: Categorize the URLs That You Want to Allow or Block

We’ll now assign the created URL patterns to URL category lists. The category list defines the action of mapping. For example, the Gambling category should be blocked.

You are here: Security Services > UTM > Custom Objects.

1. Click the URL Category List tab.
2. Click the add icon (+) to add a URL category list.

   The Add URL Category List page appears. See Figure 2.

3. Complete the tasks listed in the Action column in the following table:

   Field	Action
   Name	Enter the URL category list name as good-sites for the allowed-sites URL pattern or stop-sites for the blocked-sites URL pattern. Note: Use a string beginning with a letter or underscore and consisting of alphanumeric characters and special characters such as dashes and underscores. The maximum length is 59 characters.
   URL Patterns	Select the URL pattern values allowed-sites or blocked-sites from the Available column to associate the URL pattern values with the URL categories good-sites or stop-sites, respectively. Click the right arrow to move the URL pattern values to the Selected column.

   Figure 2: Add URL Category List

   

4. Click OK to save the changes.

   Good job! Here's the result of your configuration:

   

   

Step 3: Add a Web Filtering Profile

Now, let’s refer the created URL objects (patterns and categories) to a UTM Web filtering profile. This mapping helps you set different values for your filtering behavior.

You are here: Security Services > UTM > Web Filtering Profiles.

1. Click the add icon (+) to add a Web filtering profile.

   The Create Web Filtering Profiles page appears. See Figure 3.

2. Complete the tasks listed in the Action column in the following table:

   Field	Action
   General
   Name	Enter wf-local for the Web filtering profile. Note: The maximum length is 29 characters.
   Timeout	Enter 30 (in seconds) to wait for a response from the Local engine. The maximum value is 1800 seconds. The default value is 15 seconds.
   Engine type	Select the Local engine type for Web filtering. Note: The default value is Juniper Enhanced.
   URL Categories
   +	Click the add icon to select the URL categories.
   Select URL categories to apply to the list	Select good-sites or stop-sites.
   Action	Select Log and Permit for the good-sites category from the list. Select Block for the stop-sites category from the list.
   Custom Message	Click Create New to add a new custom message for the stop-sites. Name—Enter blocked-urls. Type—Select User Message. Content—Enter URL request is denied. Contact your IT department for help.

   Figure 3: Create Web Filtering Profile

   

3. Click Finish. Review the summary of the configuration and click OK to save changes.

   Good job! Here's the result of your configuration:

   

   

4. Click Close after you see a successful-configuration message.

Step 4: Reference a Web Filtering Profile in a UTM Policy

We now need to assign the Web filtering profile (wf-local) to a UTM policy that acts as an action to be applied.

You are here: Security Services > UTM > UTM Policies.

1. Click the add icon (+) to add a UTM policy.

   The Create UTM Policies page appears.

2. Complete the tasks listed in the Action column in the following table:

   Field	Action
   General – General Information
   Name	Enter wf-custom-policy for the UTM policy and click Next. Note: The maximum length is 29 characters.
   Web Filtering - Web Filtering Profiles by Traffic Protocol
   HTTP	Select wf-local from the list and click Next.

3. Click Finish. Review the summary of the configuration and click OK to save changes.

   Almost there! Here's the result of your configuration:

   

   

4. Click Close after you see a successful message.

   Good news! You’re done with UTM Web filtering configurations.

Step 5: Assign a UTM Policy to a Security Policy

You haven’t yet assigned the UTM configurations to the security policy from the TRUST zone to the INTERNET zone. Filtering actions are taken only after you assign the UTM policy to security policy rules that act as the match criteria.

When the security policy rules are permitted, the SRX Series device:

1. Intercepts an HTTP connection and extracts each URL (in the HTTP request) or IP address.

   Note

   For an HTTPS connection, Web filtering is supported through SSL forward proxy.

2. Searches for URLs in the user-configured blacklist or whitelist under Web Filtering (Security Services > UTM > Default Configuration). Then, if the URL is in the:

   1. User-configured blacklist, the device blocks the URL.

   2. User-configured whitelist, the device permits the URL.

3. Checks the user-defined categories and blocks or allows the URL based on the user-specified action for the category.

4. Allows or blocks the URL (if a category is not configured) based on the default action configured in the Web filtering profile.

You are here: Security Policies & Objects > Security Policies.

1. Click the add icon (+).
2. Complete the tasks listed in the Action column in Table 1.

   Table 1: Rule Settings

   Field	Action
   General – General Information
   Rule Name	Enter wf-local-policy for the security policy allowing the good-sites category and denying the stop-sites category.
   Rule Description	Enter a description for the security policy rule.
   Source Zone	Click +. The Select Sources page appears. Zone—Select TRUST from the list. Addresses—Leave this field with the default value any. Click OK
   Destination Zone	Click +. The Select Destination page appears. Zone—Select INTERNET from the list. Addresses—Leave this field with the default value any. Services—Leave this field with the default value any. Click OK
   Action	Select Permit from the list.
   Advanced Security	Click +. The Select Advanced Security page appears. UTM—Select wf-custom-policy from the list. Click OK

3. Click the tick icon to save changes.

   Good job! Here's the result of your configuration:

   

   

4. Click the commit icon (at the right side of the top banner) and select Commit.

   The successful-commit message appears.

   Congratulations! We’re ready to filter the URL requests.

Step 6: Verify That the URLs Are Allowed or Blocked from the Server

Let’s verify that our configurations and security policy work fine with the defined URLs in the topology:

• If you enter www.gamestu.com and www.gameplay.com, the SRX Series device should block the URLs and send the configured block message.

• If you enter www.juniper.net and www.google.com, the SRX Series device should allow the URLs with their homepage displayed.

What’s Next

Sample Configuration Output

In this section, we present samples of configurations that allow and block the websites defined in this example.

You configure the following UTM configurations at the [edit security utm] hierarchy level.

You configure the security policy rules at the [edit security policies] hierarchy level.