Web Filtering Configuration Page Options

  1. Select Configure>Security>UTM>Web Filtering in the J-Web user interface to display the Web Filtering configuration page.

    The Web Filtering configuration page appears, Table 65 explains the contents of this page.

  2. Click one:
    • Global Options—Defines general specifications for a Web filtering configuration. Enter information as specified in Table 66.
    • Add—Adds a new or duplicate Web filtering configuration. Enter information as specified in Table 67.
    • Edit—Edits the selected Web filtering configuration.
    • Delete—Deletes the selected Web filtering configuration.
  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.
    • Cancel—Cancels your entries and returns to the main configuration page.

To configure Web filtering using the J-Web Configuration editor, if you are using custom objects, you must create the custom objects (URL pattern list, custom URL category list).

In addition to custom object lists, you can use included default lists and whitelist and blacklist categories.

Configure a URL Pattern List Custom Object as follows:

Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure a custom URL category list.

  1. Select Configure>Security>UTM>Custom Objects.
  2. From the URL Pattern List tab , click Add to create URL pattern lists.
  3. Next to URL Pattern Name, enter a unique name for the list you are creating. This name appears in the Custom URL Category List Custom Object page for selection.
  4. Next to URL Pattern Value, enter the URL or IP address that you want to add to list for bypassing scanning.

    URL pattern wildcard support—The wildcard rule is as follows: \*\.[]\?* and you must precede all wildcard URLs with http://. You can only use “*” if it is at the beginning of the URL and is followed by a “.”. You can only use “?” at the end of the URL.

    The following wildcard syntax is supported: http://*.juniper.net, http://www.juniper.ne?, http://www.juniper.n??. The following wildcard syntax is not supported: *.juniper.net , www.juniper.ne?, http://*juniper.net, http://*.

  5. Click Add to add your URL pattern to the Values list box.

    The list can contain up to 8192 items. You can also select an entry and use the Delete button to delete it from the list. Continue to add URLs or IP addresses in this manner.

  6. Click OK to save the selected values as part of the URL pattern list you have created.
  7. If the configuration item is saved successfully, you receive a confirmation. Click OK. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Configure a custom URL category list custom object as follows:

Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure a custom URL category list.

  1. Select Configure>Security>UTM>Custom Objects.
  2. From the URL Category List tab, click Add to create URL category lists.
  3. Next to URL Category Name, enter a unique name for the list you are creating. This name appears in the URL Whitelist, Blacklist, and Custom Category lists when you configure Web filtering global options.
  4. In the Available Values box, select a URL Pattern List name from the list for bypassing scanning, and click the right arrow button to move it to the Selected Values box.
  5. Click OK to save the selected values as part of the custom URL list you have created.
  6. If the configuration item is saved successfully, you receive a confirmation. Click OK. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Now that your custom objects have been created, you can configure the integrated Web filtering feature profile.

Reviewer: Please confirm if this is correct.

The below steps use Surf Control Web filtering type. SRX1500 devices do not support Surf Control Integrated option. Hence replace Surf Control with Websense.

  1. Select Configure>Security>UTM>Global options.
  2. In the Web Filtering, next to URL whitelist, select the Custom URL list you created from the available options.

    This is the first filtering category that both integrated and redirect Web filtering use. If there is no match, the URL is sent to the SurfControl server.

    The SurfControl option is not supported on SRX1500 devices. For SRX1500 devices, the URL is sent to the Websense server.

  3. Next to URL blacklist, select the Custom URL list that you have created from the list.

    This is the first filtering category that both integrated and redirect Web filtering use. If there is no match, the URL is sent to the SurfControl server.

  4. In the Filtering Type section, select the type of Web filtering engine you are using.

    In this case, you would select Surf Control Integrated.

  5. In the SurfControl Integrated options section, next to Cache timeout, enter a timeout limit, in minutes, for expiring cache entries (24 hours is the default and the maximum allowed life span).
  6. Next to Cache Size, enter a size limit, in kilobytes, for the cache (500 KB is the default).
  7. Next to Server Host, enter the Surf Control server name or IP address.
  8. Next to Server Port, enter the port number for communicating with the Surf Control server (default ports are 80, 8080, and 8081).
  9. Click OK to save these values.
  10. If the configuration item is saved successfully, you receive a confirmation. Click OK. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.
  11. Select Web Filtering, under UTM, in the left pane.
  12. In Web filtering Profiles Configuration, click Add to create a profile for Surf Control Integrated Web filtering. (To edit an existing item, select it and click Edit.)
  13. In Profile name, enter a unique name for this Web filtering profile.
  14. Select the Profile Type. In this case, select Surf Control.
  15. Next to Default action, select Permit, Log and permit, or Block.

    This is the default action for this profile for requests that shows errors.

  16. Next to Custom Block Message, enter a custom message to be sent when HTTP requests are blocked.
  17. Next to Timeout, enter a value in seconds.

    Once this limit is reached, fail mode settings are applied. The default limit here is 10 seconds. You can enter a value from 10 to 240 seconds.

  18. Next to Custom block message subject, enter text to appear in the subject line of your custom message for this block notification.
  19. Select the Fallback options tab.
  20. Next to Default, select Log and Permit or Block as the action to occur when a request fails for any reason not specifically called out.
  21. Next to Server Connectivity, select Log and Permit or Block as the action to occur when a request fails for this reason.
  22. Next to Timeout, select Log and Permit or Block as the action to occur when a request fails for this reason.
  23. Next to Too Many Requests, select Log and Permit or Block as the action to occur when a request fails for this reason.
  24. Click Save.
  25. Select Custom Objects, under UTM, in the left pane.
  26. Select the URL category list tab.
  27. In the custom URL category list section, click Add to use a configured custom URL category list custom object in the profile.
  28. Next to Categories, select a configured custom object from the list.
  29. Next to Actions, select Permit, Block, or Log and Permit from the list.
  30. Click Add.
  31. Click OK.
  32. If the configuration item is saved successfully, you receive a confirmation. Click OK. If it is not saved successfully, click Details in the pop-up window that appears to discover why.

Next, you configure a UTM policy for Web filtering to which you attach the content filtering profile you have configured.

  1. Select Configure>Security>Policy>UTM Policies.
  2. From the UTM policy configuration window, click Add to configure a UTM policy.

    The policy configuration pop-up window appears.

  3. Select the Main tab in pop-up window.
  4. In the Policy Name box, enter a unique name for the UTM policy that you create.
  5. In the Session per client limit box, enter a session per client limit from 0 to 20000 for this UTM policy.
  6. For Session per client over limit, select one of the following: Log and Permit or Block. This is the action the device takes when the session per client limit for this UTM policy is exceeded.
  7. Select the Web Filtering profiles tab in the pop-up window.
  8. Next to HTTP profile, select the profile you have configured from the list.
  9. Click OK.
  10. If the policy is saved successfully, you receive a confirmation. Click OK. If the profile is not saved successfully, click Details in the pop-up window that appears to discover why.

Next, you attach the UTM policy to a security policy that you create.

  1. Select Configure>Security>Policy>FW Policies.
  2. From the Security Policy window, click Add to configure a security policy with UTM.

    The policy configuration pop-up window appears.

  3. In the Policy tab, enter a name in the Policy Name box.
  4. Next to From Zone, select a zone from the list.
  5. Next to To Zone, select a zone from the list.
  6. Choose a Source Address.
  7. Choose a Destination Address.
  8. Choose an Application. Do this by selecting junos-<protocol> (for all protocols that support Web filtering, http in this case) in the Application Sets box and click the —> button to move them to the Matched box.
  9. Next to Policy Action, select one of the following: Permit, Deny, or Reject.

    When you select Permit for Policy Action, several additional fields become available in the Applications Services tab, including UTM Policy.

  10. Select the Application Services tab in the pop-up window.
  11. Next to UTM Policy, select the appropriate policy from the list.

    This attaches your UTM policy to the security policy.

    There are several fields on this page that are not described in this section. See the section on Security Policies for detailed information on configuring security policies and all the available fields.

  12. Click OK.
  13. If the policy is saved successfully, you receive a confirmation. Click OK. If the profile is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Table 65: Web Filtering Configuration Page

Field

Function

Profile Name

Displays the unique name of the antispam profile.

Profile Type

Displays the profile type selected.

Account

Displays the user account for which this profile is intended.

Server

Displays the server name.

Timeout

Displays the timeout interval.

Table 66: Global Options Web Filtering Configuration Details

Field FunctionAction

URL Whitelist

Specifies a unique customized list of all URLs or IP addresses for a given category that are to be bypassed for scanning.

Select the customized object from the list.

URL Blacklist

Specifies a unique customized list of all URLs or IP addresses for a given category that are scanned for blacklisting.

Select the customized object from the list.

Filtering Type

Surf Control Integrated

Specifies that the Surf Control CPA server intercepts every HTTP request in a TCP connection. The decision making is done on the device after it identifies a category for a URL either from user-defined categories or from the Surf Control category server.

Note: This option is not supported on SRX1500 devices.

Select this option to choose this type of Web filtering engine.

Websense Redirect

Specifies that the Web filtering module intercepts an HTTP request. The URL in the request is then sent to the external Websense server which makes a permit or a deny decision.

Select this option to choose this type of Web filtering engine.

Local

Specifies that the Web filtering module intercepts URLs and makes a permit/deny decision locally.

Select this option to choose this type of Web filtering engine.

Juniper Enhanced

Specifies that the Juniper Enhanced Web filtering intercepts the HTTP and the HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC).

Select this option to choose this type of Web filtering engine.

Table 67: Add Web Filtering Configuration Details

Field FunctionAction
Main

Profile Name

Displays the unique name of the Web filtering profile.

Enter a unique name for the Web filtering profile.

Note: The profile Name should not be longer than 29 characters.

Profile Type

Displays the profile type based on the Filtering Type selected. The options available are:

  • Websense—Select this option to use the Websense profile type.
  • Surf Control—Select this option to use Surf Control profile type.
  • Local—Select this option to use the Local profile type.
  • Juniper-Enhanced–Select this option to use the Juniper-enhanced profile type.

Select an option.

Account

Displays the user account for which this profile is intended.

Enter a user account name.

Server

Displays the server name.

Enter the server name.

Port

Displays the port number used to communicate with the server.

Enter the port number.

Sockets

Displays the number of sockets used for communicating between the client and server.

Enter the number of sockets.

Default Action

Displays the default action to be taken for Web filtering. The options available are:

  • Permit—Permits access to content.
  • Log and Permit—Logs details of the URL and permits access to content.
  • Block—Blocks access to content.

Select an option.

Timeout

Specifies the time interval to wait before the connection to the server is closed.

Type the interval in seconds.

Safe Search

Displays the search results based on the option selected.

A safe-search solution is used to ensure that the embedded objects such as images on the URLs received from the search engines are safe and that no undesirable content is returned to the client.

Safe-search is applicable to juniper-enhanced Web filtering type only.

Select this option to choose this type of search.

No Safe Search

Specifies not to perform safe-search for Juniper enhanced protocol.

Select this option to choose this type of search.

Custom Block Message

Specifies the customized block message to be displayed when content is blocked.

Enter a message to be displayed when content is blocked.

Note: The fields Account, Server, Port, and Sockets are displayed only when you select Websense-Redirect filtering type on the Global Configuration page.

Fallback Options

Default

Specifies all errors other than the categorized settings. These could include either unhandled system exceptions (internal errors) or other unknown errors. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Log and Permit.

Server Connectivity

Specifies that the server connection is not established during certain processes, for example, while the signature database is loading. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Log and Permit.

Timeout

Specifies that if the time taken to scan exceeds the timeout setting in the Web filtering profile, the processing is aborted and the content is passed or blocked without completing filtering. The decision is made based on the timeout fallback option. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Log and Permit.

Too Many Requests

Specifies that if the total number of messages received concurrently exceeds the device limits, the content is passed or blocked depending on the too-many-request fallback option. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Log and Permit.

Site Reputation Action

Very Safe

Specifies that the action that the device must take if the site reputation score is 90 through 100.

Select Permit, Log and Permit, or Block.

Moderately Safe

Specifies that the action that the device must take if the site reputation score is 80 through 89

Select Permit, Log and Permit, or Block.

Fairly Safe

Specifies that the action that the device must take if the site reputation score is 70 through 79

Select Permit, Log and Permit, or Block.

Suspicious

Specifies that the action that the device must take if the site reputation score is 60 through 69

Select Permit, Log and Permit, or Block.

Harmful

Specifies that the action that the device must take if the site reputation score is 0 through 59

Select Permit or Log and Permit.

URL Category Action List

Categories

Specifies a unique customized list of categories.

  • Add—Adds the selected category and the corresponding action to the list of available categories for the Juniper Enhanced Web Ffiltering profile.
  • Delete—Deletes the selected category from the list of available categories for the Juniper Enhanced Web Filtering profile.

Select a category from the list.

Action

Specifies the action that the device must take for the category selected.

Select Permit, Log and Permit, or Block.

Related Documentation

Copyright© 2017 Juniper Networks, Inc. All rights reserved.