Allow or Block Websites by Using J-Web Integrated UTM Web Filtering

 
Summary

Learn about Web filtering and how to filter URLs on UTM-enabled SRX Series devices by using J-Web. Web filtering helps you to allow or block access to the Web and to monitor your network traffic.

UTM URL Filtering Overview

Today, most of us spend a good deal of time on the Web. We surf our favorite sites, follow interesting links sent to us through e-mail, and use a variety of Web-based applications for our office network. This increased use of the network helps us both personally and professionally. However, it also exposes the organization to a variety of security and business risks, such as potential data loss, lack of compliance, and threats such as malware, viruses, and so on. In this environment of increased risk, it’s wise for businesses to implement Web or URL filters to control network threats. You can use a Web or URL filter to categorize websites on the Internet and to either allow or block user access.

Here's an example of a typical situation where a user on the office network finds access to a website blocked:

In the Web browser, the user types www.gameplay.com, a popular gaming site. The user receives a message such as Access Denied or The Website is blocked. Such a message means that your organization has set up a filter for gaming websites, and you can’t access the site from your workplace.

Juniper Web (J-Web) Device Manager supports UTM Web filtering on SRX Series devices.

In J-Web, a Web filtering profile defines a set of permissions and actions based on Web connections predefined by website categories. You can also create custom URL categories and URL pattern lists for a Web filtering profile.

Note

You cannot inspect URLs within e-mails using J-Web UTM Web filtering.

Benefits of UTM Web Filtering

  • Local Web filtering:

    • Doesn’t require a license.

    • Enables you to define your own lists of allowed sites (allowlist) or blocked sites (blocklist) for which you want to enforce a policy.

  • Enhanced Web filtering:

    • Is the most powerful integrated filtering method and includes a granular list of URL categories, support for Google Safe Search, and a reputation engine.

    • Doesn’t require additional server components.

    • Provides real-time threat score for each URL.

    • Enables you to redirect users from a blocked URL to a user-defined URL rather than simply preventing user access to the blocked URL.

  • Redirect Web filtering:

    • Tracks all queries locally, so you don't need an Internet connection.

    • Uses the logging and reporting features of a standalone Websense solution.

Web Filtering Workflow

Scope

In this example, you’ll:

  1. Create your own custom URL pattern lists and URL categories.

  2. Create a Web filtering profile using the Local engine type. Here, you define your own URL categories, which can be allowed sites (allowlist) or blocked sites (blocklist) that are evaluated on the SRX Series device. All URLs added for blocked sites are denied, while all URLs added for allowed sites are permitted.

  3. Block inappropriate gaming websites and allow suitable websites (for example, www.juniper.net).

  4. Define a custom message to display when users attempt to access gaming websites.

  5. Apply the Web filtering profile to a UTM policy.

  6. Assign the UTM policy to a security policy rule.

Note

Web filtering and URL filtering have the same meaning. We’ll use the term Web filtering throughout our example.

Before You Begin

  • We assume that your device is set with the basic configuration. If not, see Configure SRX Devices Using the J-Web Setup Wizard.

  • You do not need a license to configure the Web filtering profile if you use the Local engine type. This is because you will be responsible for defining your own URL pattern lists and URL categories.

  • You need a valid license (wf_key_websense_ewf) if you want to try the Juniper Enhanced engine type for the Web filtering profile. Redirect Web filtering does not need a license.

  • Ensure that the SRX Series device you use in this example runs Junos OS Release 20.4R1 or later.

Topology

In this topology, we have a PC connected to a UTM-enabled SRX Series device that has access to the Internet. Let's use J-Web to filter the HTTP/HTTPS requests sent to the Internet using this simple setup.

Sneak Peek – J-Web UTM Web Filtering Steps

Step 1: List URLs That You Want to Allow or Block

In this step, we define custom objects (URLs and patterns) to handle the URLs that you want to allow or block.

You are here (in the J-Web UI): Security Services > UTM > Custom Objects.

To list URLs:

  1. Click the URL Pattern List tab.
  2. Click the add icon (+) to add a URL pattern list.

    The Add URL Pattern List page appears. See Figure 1.

  3. Complete the tasks listed in the Action column in the following table:

    Field: Name
    Action: Enter allowed-sites or blocked-sites.

    Note: Use a string beginning with a letter or underscore and consisting of alphanumeric characters and special characters such as dashes and underscores. The maximum length is 29 characters.

    Field: Value
    Action:
    1. Click + to add a URL pattern value.
    2. Enter the following:
      • For allowed-sites—www.juniper.net and www.google.com

      • For blocked-sites—www.gamestu.com and www.gameplay.com

    3. Click the tick icon.

    Figure 1: Add URL Pattern List
  4. Click OK to save the changes.

    Good job! Here's the result of your configuration:

Step 2: Categorize the URLs That You Want to Allow or Block

We’ll now assign the created URL patterns to URL category lists. The category list determines the action applied to its associated URLs. For example, the Gambling category should be blocked.

You are here: Security Services > UTM > Custom Objects.

To categorize URLs:

  1. Click the URL Category List tab.
  2. Click the add icon (+) to add a URL category list.

    The Add URL Category List page appears. See Figure 2.

  3. Complete the tasks listed in the Action column in the following table:

    Field: Name
    Action: Enter the URL category list name as good-sites for the allowed-sites URL pattern or stop-sites for the blocked-sites URL pattern.

    Note: Use a string beginning with a letter or underscore and consisting of alphanumeric characters and special characters such as dashes and underscores. The maximum length is 59 characters.

    Field: URL Patterns
    Action:
    1. Select the URL pattern values allowed-sites or blocked-sites from the Available column to associate the URL pattern values with the URL categories good-sites or stop-sites, respectively.
    2. Click the right arrow to move the URL pattern values to the Selected column.

    Figure 2: Add URL Category List
  4. Click OK to save the changes.

    Good job! Here's the result of your configuration:

Step 3: Add a Web Filtering Profile

Now, let’s link the created URL objects (patterns and categories) to a UTM Web filtering profile. This mapping allows you to set different values for your filtering behavior.

You are here: Security Services > UTM > Web Filtering Profiles.

To create a Web filtering profile:

  1. Click the add icon (+) to add a Web filtering profile.

    The Create Web Filtering Profiles page appears. See Figure 3.

  2. Complete the tasks listed in the Action column in the following table:

    General

    Field: Name
    Action: Enter wf-local for the Web filtering profile.

    Note: The maximum length is 29 characters.

    Field: Timeout
    Action: Enter 30 (in seconds) to wait for a response from the Local engine.

    The maximum value is 1800 seconds. The default value is 15 seconds.

    Field: Engine type
    Action: Select the Local engine type for Web filtering. Click Next.

    Note: The default value is Juniper Enhanced.

    URL Categories

    Field: +
    Action: Click the add icon to open the Select URL Categories window.

    Field: Select URL categories to apply to the list
    Action: Select good-sites or stop-sites.

    Field: Action
    Action: Select Log and Permit for the good-sites category from the list.

    Select Block for the stop-sites category from the list.

    Field: Custom Message
    Action: Click Create New to add a new custom message for the stop-sites.

    • Name—Enter blocked-urls.

    • Type—Select User Message.

    • Content—Enter URL request is denied. Contact your IT department for help.

    Click Next and then click Next to skip the Fallback Options configuration.

    Figure 3: Create Web Filtering Profile
  3. Click Finish. Review the summary of the configuration and click OK to save changes.

    Good job! Here's the result of your configuration:

  4. Click Close after you see a successful-configuration message.

Step 4: Reference a Web Filtering Profile in a UTM Policy

We now need to assign the Web filtering profile (wf-local) to a UTM policy that can be applied to a security policy.

You are here: Security Services > UTM > UTM Policies.

To create a UTM policy:

  1. Click the add icon (+) to add a UTM policy.

    The Create UTM Policies page appears.

  2. Complete the tasks listed in the Action column in the following table:

    General – General Information

    Field: Name
    Action: Enter wf-custom-policy for the UTM policy.

    Note: The maximum length is 29 characters.

    Click Next and then click Next to skip the Antivirus configuration.

    Web Filtering - Web Filtering Profiles by Traffic Protocol

    Field: HTTP
    Action: Select wf-local from the list and click Next till the end of the workflow.

  3. Click Finish. Review the summary of the configuration and click OK to save changes.

    Almost there! Here's the result of your configuration:

  4. Click Close after you see a successful-configuration message.

    Good news! You’re done with UTM Web filtering configurations.

Step 5: Assign a UTM Policy to a Security Policy

You haven’t yet assigned the UTM configuration to the security policy from the TRUST zone to the INTERNET zone. Filtering actions are taken only after you assign the UTM policy to security policy rules that act as the match criteria.

When the security policy rules are permitted, the SRX Series device:

  1. Intercepts an HTTP/HTTPS connection and extracts each URL (in the HTTP/HTTPS request) or IP address.

    Note

    For an HTTPS connection, Web filtering is supported through SSL forward proxy.

  2. Searches for URLs in the user-configured blocklist or allowlist under Web Filtering (Security Services > UTM > Default Configuration). Then, if the URL is in the:

    1. User-configured blocklist, the device blocks the URL.

    2. User-configured allowlist, the device permits the URL.

  3. Checks the user-defined categories and blocks or allows the URL based on the user-specified action for the category.

  4. Allows or blocks the URL (if a category is not configured) based on the default action configured in the Web filtering profile.
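
The lookup order in the four steps above, as an added example (not Juniper's code): a simplified Python model that uses this walkthrough's pattern lists, categories, and wf-local actions. Exact-hostname matching, the `permit` default action, and passing the global blocklist/allowlist as category names are assumptions of the model.

```python
from urllib.parse import urlsplit

# Constructed data mirroring the names used in this walkthrough.
URL_PATTERNS = {
    "allowed-sites": {"www.juniper.net", "www.google.com"},
    "blocked-sites": {"www.gamestu.com", "www.gameplay.com"},
}
URL_CATEGORIES = {"good-sites": ["allowed-sites"], "stop-sites": ["blocked-sites"]}
WF_LOCAL = {
    "categories": {"good-sites": "log-and-permit", "stop-sites": "block"},
    "default": "permit",  # assumption: the walkthrough does not state a default action
}


def host_of(url):
    """Lower-cased hostname of a URL given with or without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def hosts_in(category):
    """Hosts reachable from a URL category through its pattern lists."""
    hosts = set()
    for pattern_list in URL_CATEGORIES.get(category, []):
        hosts |= URL_PATTERNS[pattern_list]
    return hosts


def evaluate(url, blocklist=None, allowlist=None, profile=WF_LOCAL):
    """Return (action, reason), checking the lookup steps in the documented order.

    blocklist/allowlist name the globally configured categories, if any.
    Matching is exact-hostname only, a simplification of real URL patterns.
    """
    host = host_of(url)
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    if host in hosts_in(blocklist):
        return "block", "global blocklist"
    if host in hosts_in(allowlist):
        return "permit", "global allowlist"
    for category, action in profile["categories"].items():
        if host in hosts_in(category):
            return action, f"category {category}"
    return profile["default"], "profile default action"
```

Because the global lists are consulted before the profile's categories, a host that appears in both the global allowlist and the stop-sites category is permitted in this model.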

You are here: Security Policies & Objects > Security Policies.

To create security policy rules for the UTM policy:

  1. Click the add icon (+).
  2. Complete the tasks listed in the Action column in Table 1.

    Table 1: Rule Settings

    General – General Information

    Field: Rule Name
    Action: Enter wf-local-policy for the security policy allowing the good-sites category and denying the stop-sites category.

    Field: Rule Description
    Action: Enter a description for the security policy rule.

    Field: Source Zone
    Action:
    1. Click +.

      The Select Sources page appears.

    2. Zone—Select TRUST from the list.
    3. Addresses—Leave this field with the default value Any.
    4. Click OK.

    Field: Destination Zone
    Action:
    1. Click +.

      The Select Destination page appears.

    2. Zone—Select INTERNET from the list.
    3. Addresses—Leave this field with the default value Any.
    4. Services—Leave this field with the default value Any.
    5. URL Category—Leave this field blank.
    6. Click OK.

    Field: Action
    Action: By default, Permit is selected. Leave as is.

    Field: Advanced Security
    Action:
    1. Click +.

      The Select Advanced Security page appears.

    2. UTM—Select wf-custom-policy from the list.
    3. Click OK.

    Note

    Navigate to Security Policies & Objects > Zones/Screens to create zones. Creating zones is outside the scope of this documentation.

  3. Click the tick icon and then click Save to save changes.

    Note

    Scroll back the horizontal bar if the inline tick and cancel icons are not available when creating a new rule.

    Good job! Here's the result of your configuration:

  4. Click the commit icon (at the right side of the top banner) and select Commit.

    The successful-commit message appears.

    Congratulations! We’re ready to filter the URL requests.

Step 6: Verify That the URLs Are Allowed or Blocked from the Server

Let’s verify that our configurations and security policy work fine with the defined URLs in the topology:

What’s Next

What to do: Monitor UTM Web filtering information and statistics.
Where: In J-Web, go to Monitor > Security Services > UTM Web Filtering.

What to do: Generate and view reports on URLs allowed and blocked.
Where: In J-Web, go to Reports. Generate reports for Threat Assessment Reports and Top Blocked Applications via Webfilter logs.

What to do: Learn more about UTM features.
Where: Unified Threat Management User Guide

Sample Configuration Output

In this section, we present samples of configurations that allow and block the websites defined in this example.

You configure the following UTM configurations at the [edit security utm] hierarchy level.

Creating custom objects:

Creating the Web filtering profile:

Creating the UTM policy:

You configure the security policy rules at the [edit security policies] hierarchy level.

Creating rules for a security policy: