Understanding Local Web Filtering
With local Web filtering, the firewall intercepts every HTTP request in a TCP connection and extracts the URL. The decision is made on the device itself: it looks up the URL in the user-defined categories you have assigned to the url-blacklist and url-whitelist. If the URL is in the url-blacklist, the request is blocked; if it is in the url-whitelist, the request is permitted. If the URL is in neither list, the configured default action applies (block, log-and-permit, or permit). You permit or block access to requested sites by binding a Web filtering profile to a security policy. Local Web filtering provides basic Web filtering without an additional license or an external category server, which also means it can only match URLs against the lists you define yourself.
This topic contains the following sections:
- User-Defined URL Categories
- Local Web Filtering Process
- Local Web Filtering Profiles
- Profile Matching Precedence
User-Defined URL Categories
When defining your own URL categories, you can group URLs and create categories specific to your needs. Each category can hold at most 20 URLs. When you create a category, you can add either the URL or the IP address of a site. When you add a URL to a user-defined category, the device performs a DNS lookup, resolves the hostname to its IP addresses, and caches them. When a user requests a site by IP address, the device checks the cached list of addresses and tries to map the address back to a hostname in the category. Many sites have dynamic IP addresses that change periodically, or resolve to more addresses than the device cached, so a user can type an IP address that is not in the cached list and the request will not match the category at all. Therefore, if you know the IP addresses of the sites you are adding to a category, enter both the URL and the IP address(es) of the site.
You define your own categories using URL pattern list and custom URL category list custom objects. Once defined, you assign your categories to the global user-defined url-blacklist (block) or url-whitelist (permit) categories.
Note: Web filtering is performed on all the methods defined in HTTP 1.0 and HTTP 1.1.
Local Web Filtering Process
This is a general description of how Web traffic is intercepted and acted upon by the Web filtering module.
- The device intercepts a TCP connection.
- The device intercepts each HTTP request in the TCP connection.
- The device extracts the URL from each HTTP request and checks it against the user-defined whitelist and blacklist.
- If the URL is found in the blacklist, the request is not permitted and a deny page is sent to the HTTP client. If the URL is found in the whitelist, the request is permitted.
- If the URL is found in neither the whitelist nor the blacklist, the configured default fallback action is applied. If no fallback action is defined, the request is permitted, so a configuration with no explicit default is fail-open.
Local Web Filtering Profiles
You configure Web filtering profiles that permit or block URLs according to defined custom categories. A Web filtering profile consists of a group of URL categories assigned one of the following actions:
- Blacklist — The device always blocks access to the websites in this list. Only user-defined categories are used with local Web filtering.
- Whitelist — The device always allows access to the websites in this list. Only user-defined categories are used with local Web filtering.
A Web filtering profile can contain one blacklist or one whitelist, along with multiple user-defined categories, each with a permit or block action. You can define a default fallback action for incoming URLs that belong to none of the categories defined in the profile. If the default action is block, any URL that matches no explicitly defined category is blocked. If no default action is specified, permit is applied to URLs that match no category.
Profile Matching Precedence
When a profile employs several categories for URL matching, those categories are checked in the following order, and the first match decides the outcome:
- If present, the global blacklist is checked first. If a match is made, the URL is blocked.
- If no match is found, the global whitelist is checked next. If a match is made, the URL is permitted.
- If still no match is found, the user-defined categories in the profile are checked. If a match is made, the URL is blocked or permitted as the category's action specifies.
Because the global blacklist is consulted first, a URL that appears in both the global blacklist and a permitting category is blocked.
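The following set-format configuration is an added example, not taken from the original page, that ties together the custom URL categories, the global url-blacklist and url-whitelist, the local profile with its default action, and the policy binding described in the sections above. Every object name (pat-block-hosts, cust-block, cust-permit, cust-social, lwf-profile, utm-lwf, lwf-http), the hostnames, the RFC 5737 documentation addresses, and the trust/untrust zone names are assumptions chosen for illustration. The lines starting with `#` are editorial annotations, not Junos syntax, and must be stripped before you `load set`. The hierarchy is given as the editor recalls it from the Junos `juniper-local` web-filtering CLI; confirm the `category ... action` statement against your release with `set security utm feature-profile web-filtering juniper-local profile <name> ?` before relying on it.

```junos
# --- 1. Custom objects: URL pattern lists, then categories built from them ---
# Enter both the hostname and its known address(es) so that a user who types
# the IP address directly still hits the category (see the note on DNS caching).
set security utm custom-objects url-pattern pat-block-hosts value http://malware.example.net
set security utm custom-objects url-pattern pat-block-hosts value 203.0.113.10
set security utm custom-objects url-pattern pat-permit-hosts value http://intranet.example.com
set security utm custom-objects url-pattern pat-permit-hosts value 198.51.100.20
set security utm custom-objects url-pattern pat-social value http://social.example.org
set security utm custom-objects custom-url-category cust-block value pat-block-hosts
set security utm custom-objects custom-url-category cust-permit value pat-permit-hosts
set security utm custom-objects custom-url-category cust-social value pat-social

# --- 2. Global lists: consulted before any profile category ---
# Blacklist first, then whitelist. A host in cust-block stays blocked even if a
# profile category later says permit, because the global blacklist is checked first.
set security utm feature-profile web-filtering url-blacklist cust-block
set security utm feature-profile web-filtering url-whitelist cust-permit

# --- 3. Local profile with an explicit default action ---
# Omitting "default" permits every unmatched URL silently. Use "block" for a
# default-deny posture; "log-and-permit" at least records what falls through.
set security utm feature-profile web-filtering type juniper-local
set security utm feature-profile web-filtering juniper-local profile lwf-profile category cust-social action block
set security utm feature-profile web-filtering juniper-local profile lwf-profile default log-and-permit
set security utm feature-profile web-filtering juniper-local profile lwf-profile custom-block-message "Blocked by local Web filtering policy"

# --- 4. Bind the profile to a UTM policy, then to the security policy for HTTP ---
# Web filtering only runs for traffic matched by a policy that carries the UTM policy.
set security utm utm-policy utm-lwf web-filtering http-profile lwf-profile
set security policies from-zone trust to-zone untrust policy lwf-http match source-address any
set security policies from-zone trust to-zone untrust policy lwf-http match destination-address any
set security policies from-zone trust to-zone untrust policy lwf-http match application junos-http
set security policies from-zone trust to-zone untrust policy lwf-http then permit application-services utm-policy utm-lwf
```

After `commit check` and `commit`, `show security utm web-filtering status` confirms the local profile is active and `show security utm web-filtering statistics` shows the blacklist, whitelist, and default-action counters moving as test requests to the three hostnames and to 203.0.113.10 by address are made. A request to 203.0.113.10 that were not listed explicitly would fall to the profile default rather than to cust-block, which is the gap the pattern list above closes.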
Related Topics
Junos OS Feature Support Reference for SRX Series and J Series Devices