Configure Unified Threat Management (UTM) in CSO
Unified threat management (UTM) consolidates several security features to protect against multiple threat types. CSO allows you to configure antispam, antivirus, Web filtering, and content filtering profiles as part of a single UTM profile. You can then reference the UTM profile in a firewall policy intent and deploy the firewall policy to apply UTM, thereby protecting the site from multiple threat types. For more information about UTM, see UTM Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).
Explanation of Procedure
The high-level workflow for UTM in CSO is as follows:
1. Configure the UTM settings for the tenant (antispam, antivirus, and Web filtering settings that apply to all sites of the tenant).
2. Add the URL patterns and URL categories that the tenant settings and the profiles reference.
3. Add the Web filtering, antivirus, antispam, and content filtering profiles that you need.
4. Add a UTM profile that references those profiles by traffic protocol.
5. Reference the UTM profile in a firewall policy intent and deploy the firewall policy.
Configure UTM Settings for a Tenant
You can configure unified threat management (UTM) antispam, antivirus, and Web filtering settings for a tenant that apply to all sites belonging to the tenant. The settings are pushed to every site to which a firewall policy intent with UTM enabled applies.
To configure UTM settings for a tenant:
| Setting | Guideline |
|---|---|
| Antispam Settings | Specify the antispam settings for the tenant. |
| Address Whitelist | Select the URL pattern to be used as the antispam allow list. Alternatively, click Create a New URL Pattern to add a new URL pattern to use as an allow list. For more information, see Add URL Patterns. |
| Address Blacklist | Select the URL pattern to be used as the antispam block list. Alternatively, click Create a New URL Pattern to add a new URL pattern to use as a block list. |
| Antivirus Settings | Specify the antivirus settings for the tenant. |
| MIME Whitelist | Enter one or more MIME types (separated by commas) to include in the MIME allow list; objects of these MIME types are excluded from antivirus scanning. |
| Exception MIME Whitelist | Enter one or more MIME types (separated by commas) that are to be excluded from the MIME allow list. This list is a subset of the MIME types in the MIME allow list. For example, if you specify video/ in the allow list and video/x-shockwave-flash in the exception list, all objects of MIME type video/ except those of MIME type video/x-shockwave-flash are excluded from antivirus scanning. |
| URL Whitelist | Select a URL category (containing one or more URLs) that the antivirus should allow, or select None if you don't want to add any URLs to the allow list. Alternatively, click Create a New URL Category to add a new URL category to use as an allow list. For more information, see Add URL Categories. |
| Web Filtering Settings | Specify the Web filtering settings for the tenant. |
| URL Whitelist | Select a URL category (containing one or more URLs) that the Web filtering system should allow, or select None if you don't want to add any URLs to the allow list. Alternatively, click Create a New URL Category to add a new URL category to use as an allow list. |
| URL Blacklist | Select a URL category (containing one or more URLs) that the Web filtering system should block, or select None if you don't want to add any URLs to the block list. Alternatively, click Create a New URL Category to add a new URL category to use as a block list. |
| Site Reputation | Use the slider to set the site reputation score ranges (for the tenant) for the five reputation levels: Very Safe, Moderately Safe, Fairly Safe, Suspicious, and Harmful. The Junos Enhanced Web Filtering defaults are 90-100, 80-89, 70-79, 60-69, and 0-59, respectively. |
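The MIME allow list and its exception list interact by prefix, which is easy to get wrong when the lists are typed as comma-separated text. The following is an added example, not CSO or Junos code: it models the matching rule the table describes (an allow-list entry such as video/ covers every MIME type with that prefix, and an exception entry carves a subset back out so it is scanned again). The list contents and MIME types are constructed for the example.

```python
"""Antivirus MIME allow list vs. exception list (tenant UTM settings).

Added example, not CSO or Junos code: it models the matching rule the table
describes, where an allow-list entry such as "video/" covers every MIME type
with that prefix and an exception entry carves a subset back out so it is
scanned again. The list contents and MIME types below are constructed.
"""
from __future__ import annotations


def parse_mime_list(field: str) -> list[str]:
    """Split a comma-separated MIME list as typed into the CSO field.

    Entries are trimmed and lower-cased (MIME type names are case-insensitive);
    empty entries left by stray commas are dropped.
    """
    return [m.strip().lower() for m in field.split(",") if m.strip()]


def mime_matches(entry: str, mime_type: str) -> bool:
    """An entry ending in "/" is a type prefix ("video/" matches "video/mp4");
    any other entry must equal the full MIME type."""
    mime_type = mime_type.lower()
    if entry.endswith("/"):
        return mime_type.startswith(entry)
    return mime_type == entry


def av_scan_required(mime_type: str, allow_list: list[str], exceptions: list[str]) -> bool:
    """True if antivirus must scan an object of this MIME type.

    Precedence: an exception-list hit always forces a scan; otherwise an
    allow-list hit exempts the object; anything else is scanned.
    """
    if any(mime_matches(e, mime_type) for e in exceptions):
        return True
    if any(mime_matches(a, mime_type) for a in allow_list):
        return False
    return True


# Constructed configuration mirroring the table's video/ example.
ALLOW_LIST = parse_mime_list("video/, image/png")
EXCEPTIONS = parse_mime_list("video/x-shockwave-flash")


def scan_decisions(mime_types: list[str]) -> dict[str, bool]:
    """Map each MIME type to whether it is scanned under the constructed lists."""
    return {m: av_scan_required(m, ALLOW_LIST, EXCEPTIONS) for m in mime_types}


if __name__ == "__main__":
    samples = ["video/mp4", "video/x-shockwave-flash", "image/png",
               "image/svg+xml", "application/x-msdownload"]
    for mime, scan in scan_decisions(samples).items():
        print(f"{mime:26} {'scan' if scan else 'skip (allow-listed)'}")
```

The MIME type is whatever Content-Type the sending side declares, so an allow-list entry is a scanning exemption that a sender can claim for itself. Keep prefix entries narrow and use the exception list to pull known-risky subtypes (the Flash example in the table) back into scanning.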
Add UTM Profiles
To add a UTM profile:
| Setting | Guideline |
|---|---|
| General | |
| Name | Enter a unique name for the UTM profile. The name can contain alphanumeric characters, hyphens, or underscores and cannot exceed 29 characters. |
| Description | Enter a description for the UTM profile. |
| Traffic Options | In an attempt to consume all available resources, a malicious user might generate a large amount of traffic all at once. To prevent such activity from succeeding, you can impose traffic options. |
| Connection Limit per Client | For client connections on the device, enter the connection limit per client. The default is 2000; enter 0 to indicate that there is no connection limit. |
| Action when connection limit is reached | Specify the action to take when the connection limit is reached: Log and Permit or Block. Click Next to continue. |
| Web Filtering | |
| Web Filtering By Traffic Protocol | You can click Create Another Profile to add a Web filtering profile that you can then assign. See Add Web Filtering Profiles. |
| HTTP | Select the Web filtering profile to be applied to HTTP traffic, or select None if you don't want to apply a Web filtering profile. Click Next to continue. |
| Antivirus | |
| Antivirus Profiles by Traffic Protocol | You can click Create Another Profile to add an antivirus profile that you can then assign. See Add Antivirus Profiles. |
| Apply to all protocols | Click the toggle button to apply a single antivirus profile to all traffic protocols; you must then specify the profile in the Default Profile field. If the toggle button is disabled, which is the default, you specify an antivirus profile for each traffic type. |
| Default Profile | If you chose to apply a single antivirus profile to all traffic protocols, select the antivirus profile. Click Next to continue. |
| HTTP | Select the antivirus profile to be applied to HTTP traffic. |
| FTP Upload | Select the antivirus profile to be applied to FTP upload traffic. |
| FTP Download | Select the antivirus profile to be applied to FTP download traffic. |
| IMAP | Select the antivirus profile to be applied to Internet Message Access Protocol (IMAP) traffic. |
| SMTP | Select the antivirus profile to be applied to SMTP traffic. |
| POP3 | Select the antivirus profile to be applied to Post Office Protocol 3 (POP3) traffic. Click Next to continue. |
| Antispam | |
| Antispam Profiles by Traffic Protocol | You can click Create Another Profile to add an antispam profile that you can then assign. See Add Antispam Profiles. |
| SMTP | Select the antispam profile to be applied to SMTP traffic. Click Next to continue. |
| Content Filtering | |
| Content Filtering Profiles by Traffic Protocol | You can click Create Another Profile to add a content filtering profile that you can then assign. See Add Content Filtering Profiles. |
| Apply to all protocols | Click the toggle button to apply a single content filtering profile to all traffic protocols; you must then specify the profile in the Default Profile field. If the toggle button is disabled, which is the default, you specify a content filtering profile for each traffic type. |
| Default Profile | If you chose to apply a single content filtering profile to all traffic protocols, select the content filtering profile. Click Next to continue. |
| HTTP | Select the content filtering profile to be applied to HTTP traffic. |
| FTP Upload | Select the content filtering profile to be applied to FTP upload traffic. |
| FTP Download | Select the content filtering profile to be applied to FTP download traffic. |
| IMAP | Select the content filtering profile to be applied to IMAP traffic. |
| SMTP | Select the content filtering profile to be applied to SMTP traffic. |
| POP3 | Select the content filtering profile to be applied to POP3 traffic. Click Next to continue. |
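The Traffic Options rows describe a per-client session cap with one of two over-limit behaviours. The following is an added example, not CSO code: a per-client session counter that applies the configured over-limit action and treats a limit of 0 as no limit, as the table states. The client addresses in the demo are constructed.

```python
"""Traffic Options: Connection Limit per Client and the over-limit action.

Added example, not CSO code: a per-client session counter that applies the
configured over-limit action. A limit of 0 means no limit, as the table
states. The client addresses in the demo are constructed.
"""
from __future__ import annotations

from collections import defaultdict

PERMIT = "permit"
LOG_AND_PERMIT = "log-and-permit"
BLOCK = "block"


class ClientSessionLimiter:
    def __init__(self, limit: int = 2000, over_limit_action: str = BLOCK):
        if limit < 0:
            raise ValueError("limit must be 0 (no limit) or a positive count")
        if over_limit_action not in (BLOCK, LOG_AND_PERMIT):
            raise ValueError("over-limit action must be block or log-and-permit")
        self.limit = limit
        self.over_limit_action = over_limit_action
        self.active: dict[str, int] = defaultdict(int)   # open sessions per client
        self.log: list[str] = []

    def open_session(self, client: str) -> str:
        """Decide on a new session from client; returns permit, log-and-permit or block."""
        over_limit = self.limit > 0 and self.active[client] >= self.limit
        if over_limit and self.over_limit_action == BLOCK:
            self.log.append(f"over-limit client={client} active={self.active[client]} action=block")
            return BLOCK
        self.active[client] += 1
        if over_limit:
            self.log.append(f"over-limit client={client} active={self.active[client]} action=log-and-permit")
            return LOG_AND_PERMIT
        return PERMIT

    def close_session(self, client: str) -> None:
        if self.active[client] > 0:
            self.active[client] -= 1


def simulate(limit: int, action: str, events: list[tuple[str, str]]) -> list[str]:
    """Replay (event, client) pairs, event being "open" or "close", and return
    the decision for every open."""
    limiter = ClientSessionLimiter(limit, action)
    decisions = []
    for event, client in events:
        if event == "open":
            decisions.append(limiter.open_session(client))
        else:
            limiter.close_session(client)
    return decisions


if __name__ == "__main__":
    # Constructed: one client bursts four connections against a limit of 3,
    # a second client is unaffected, and closing a session frees a slot.
    burst = [("open", "10.0.0.5")] * 4 + [("open", "10.0.0.9"),
                                          ("close", "10.0.0.5"), ("open", "10.0.0.5")]
    print(simulate(3, BLOCK, burst))
    print(simulate(3, LOG_AND_PERMIT, burst))
    print(simulate(0, BLOCK, burst))   # 0 = no limit: everything is permitted
```

With Log and Permit the cap only produces log lines, so the fourth connection still consumes scanning resources; Block is the setting that actually protects the UTM engine from a single noisy client.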
Add Web Filtering Profiles
Web filtering profiles enable you to manage Internet usage by preventing access to inappropriate Web content over HTTP.
To add a Web filtering profile:
| Setting | Guideline |
|---|---|
| General | |
| General Information | |
| Name | Enter a unique name for the Web filtering profile. The name can contain alphanumeric characters, hyphens, or underscores and cannot exceed 29 characters. |
| Description | Enter a description for the Web filtering profile. |
| Timeout | Enter the time (in seconds) to wait for a response from the Websense server. The default is 15 seconds and the maximum is 1800 seconds. |
| Engine Type | Select an engine type for Web filtering: Juniper Enhanced, Websense Redirect, or Local. For more information, see Web Filtering Overview. |
| Safe Search | Safe search ensures that embedded objects, such as images on the URLs received from the search engines, are safe and that undesirable content is not returned to the client. This setting is available only for the Juniper Enhanced engine type and is enabled by default. Click the toggle button to disable safe search redirects. Note: Safe search redirect supports only HTTP; the URL cannot be extracted from HTTPS traffic, so no redirect response can be generated for HTTPS search URLs. |
| Custom Block Message/URL | Specify the redirect URL or a custom message to be sent when HTTP requests are blocked. The maximum length is 512 characters. Note: If a message begins with http: or https:, it is treated as a block message URL (the client is redirected to it). Messages that begin with anything other than http: or https: are treated as custom block messages. |
| Custom Quarantine Message | For the Juniper Enhanced or Local engine types, define a custom message that lets the user allow or deny access to a blocked site based on their response to the message. The maximum length is 512 characters. The quarantine message contains the URL, the quarantine name, the category (if available), and the site reputation (if available). Click Next to continue. |
| Account | Specify the user account associated with the Websense Redirect engine. |
| Server | Specify the hostname or IP address of the Websense server. |
| Port | Specify the port number to use to communicate with the Websense server. The default port is 15868. |
| Sockets | Enter the number of sockets used for communication between the client and the Websense server. The default value is 8. Click Next to continue. |
| URL Categories | |
| Deny Action List | Click the Add URL Categories link (next to the text box) to specify a list of URL categories that should be denied access. The Select URL Categories page appears. Complete the configuration according to the guidelines provided in Table 4. The list of URL categories selected is displayed in the text box. |
| Log & Permit Action List | Click the Add URL Categories link (next to the text box) to specify a list of URL categories that are logged and then permitted. The Select URL Categories page appears. Complete the configuration according to the guidelines provided in Table 4. The list of URL categories selected is displayed in the text box. |
| Permit Action List | Click the Add URL Categories link (next to the text box) to specify a list of URL categories that should be permitted access. The Select URL Categories page appears. Complete the configuration according to the guidelines provided in Table 4. The list of URL categories selected is displayed in the text box. |
| Quarantine Action List | Click the Add URL Categories link (next to the text box) to specify a list of URL categories that should be quarantined. The Select URL Categories page appears. Complete the configuration according to the guidelines provided in Table 4. The list of URL categories selected is displayed in the text box. Click Next to continue. |
| Fallback Options | |
| Global Reputation Actions | Enhanced Web filtering intercepts HTTP and HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC). The TSC categorizes the URL into one of the predefined categories and also provides site reputation information for the URL to the device. The device determines whether to permit or block the request based on the information provided by the TSC. By default, URLs for which no URL category is available are processed using their reputation score. Click the toggle button to disable global reputation actions, or select the action to take for uncategorized URLs at each reputation level (Very Safe, Moderately Safe, Fairly Safe, Suspicious, and Harmful). |
| Default Action | Choose the action to be taken for URL categories with no assigned action and for uncategorized URLs. This is used only if no reputation action is assigned. |
| Fallback Action | Select the fallback action (Log and Permit or Block), which is used when the device cannot connect to the categorization server, the server does not respond within the timeout, or there are too many requests outstanding. Click Next to continue. |
Table 4 lists the settings on the Select URL Categories page.

| Setting | Guideline |
|---|---|
| Show | Choose which URL categories should be displayed for selection: All categories, Custom URL categories, or Websense URL categories. The first column of the URL Categories field displays URL categories based on your selection. |
| URL Categories | Select one or more URL categories in the first column and click the forward arrow to confirm your selection. The selected URL categories are displayed in the second column. Click OK. You are returned to the Create Web Filtering Profiles page. |
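The URL Categories and Fallback Options rows together define a decision order: category action lists first, then reputation for uncategorized URLs, then the default action, with the fallback action covering the case where the categorization service cannot answer at all. The following is an added example, not CSO or Junos code, that models that order. The reputation bands and the per-level default actions are the Junos Enhanced Web Filtering defaults and are assumed unchanged for the tenant; the category names and sample lookups are constructed.

```python
"""Web filtering decision order: URL category action lists, reputation for
uncategorized URLs, the default action, and the fallback action when the
categorization service cannot answer.

Added example, not CSO or Junos code: it models the URL Categories and
Fallback Options rows. The reputation bands and the per-level default
actions are the Junos Enhanced Web Filtering defaults (assumed unchanged
for this tenant); category names and sample lookups are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

PERMIT, LOG_AND_PERMIT, BLOCK, QUARANTINE = "permit", "log-and-permit", "block", "quarantine"

# Junos EWF reputation bands: (level, lowest score, highest score).
REPUTATION_BANDS = [
    ("very-safe", 90, 100),
    ("moderately-safe", 80, 89),
    ("fairly-safe", 70, 79),
    ("suspicious", 60, 69),
    ("harmful", 0, 59),
]

# Junos default global reputation actions, applied while the toggle is enabled.
DEFAULT_REPUTATION_ACTIONS = {
    "very-safe": PERMIT,
    "moderately-safe": LOG_AND_PERMIT,
    "fairly-safe": LOG_AND_PERMIT,
    "suspicious": QUARANTINE,
    "harmful": BLOCK,
}


def reputation_level(score: int) -> str:
    for level, low, high in REPUTATION_BANDS:
        if low <= score <= high:
            return level
    raise ValueError(f"reputation score out of range: {score}")


@dataclass
class WebFilteringProfile:
    deny: set[str] = field(default_factory=set)
    log_and_permit: set[str] = field(default_factory=set)
    permit: set[str] = field(default_factory=set)
    quarantine: set[str] = field(default_factory=set)
    # None models the Global Reputation Actions toggle switched off.
    reputation_actions: Optional[dict[str, str]] = field(
        default_factory=lambda: dict(DEFAULT_REPUTATION_ACTIONS))
    default_action: str = BLOCK
    fallback_action: str = BLOCK

    def category_action(self, category: str) -> Optional[str]:
        """Action assigned to a category by one of the four lists, else None."""
        for action, categories in ((BLOCK, self.deny), (LOG_AND_PERMIT, self.log_and_permit),
                                   (PERMIT, self.permit), (QUARANTINE, self.quarantine)):
            if category in categories:
                return action
        return None


@dataclass
class Lookup:
    """Constructed stand-in for the categorization server's answer for one URL."""
    ok: bool                          # False: no connectivity, timeout, or too many requests
    category: Optional[str] = None    # None: uncategorized URL
    reputation: Optional[int] = None


def decide(profile: WebFilteringProfile, lookup: Lookup) -> str:
    if not lookup.ok:
        return profile.fallback_action
    if lookup.category is not None:
        # A categorized URL follows its action list; a category with no
        # assigned action falls through to the default action.
        return profile.category_action(lookup.category) or profile.default_action
    if profile.reputation_actions is not None and lookup.reputation is not None:
        return profile.reputation_actions[reputation_level(lookup.reputation)]
    return profile.default_action


if __name__ == "__main__":
    profile = WebFilteringProfile(deny={"Malware_Sites"}, permit={"Business"},
                                  default_action=LOG_AND_PERMIT, fallback_action=BLOCK)
    for lookup in (Lookup(True, "Malware_Sites", 10), Lookup(True, "Business", 95),
                   Lookup(True, "Hobbies", 85), Lookup(True, None, 65),
                   Lookup(True, None, 92), Lookup(False)):
        print(lookup, "->", decide(profile, lookup))
```

The fallback action is the fail-open or fail-closed choice for the whole profile: Log and Permit lets every request through while the categorization service is unreachable, so select Block where the profile exists to stop access rather than to report on it.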
Add Antivirus Profiles
The antivirus profile defines the content to scan for any malware and the action to be taken when malware is detected. You can add an antivirus profile and then assign it to a UTM profile.
To add an antivirus profile:
| Setting | Guideline |
|---|---|
| General | |
| General Information | |
| Name | Enter a unique name for the antivirus profile. The name can contain alphanumeric characters, hyphens, or underscores and cannot exceed 29 characters. |
| Description | Enter a description for the antivirus profile. |
| Engine Type | Displays the engine type used for scanning. Currently, Sophos is the only antivirus engine supported. Sophos antivirus is an in-the-cloud antivirus solution: the virus and malware database is located on external servers maintained by Sophos (Sophos Extensible List servers), so there is no need to download and maintain large pattern databases on the Juniper Networks device. Click Next to continue. |
| Fallback Options | Fallback options are used when the antivirus system experiences an error and must fall back to one of the configured actions to either deny (block) or permit the object. You can specify a fallback action for each failure condition, or rely on the default action for conditions you do not configure specifically. |
| Content Size | Select the action to be taken (None, Log and Permit, or Block [default]) when the content size exceeds the defined limit. |
| Content Size Limit | Enter the content size limit, in kilobytes (KB), above which the Content Size action is taken. The range is 20 through 40,000 KB. The content size check occurs before the scan request is sent, and the content size refers to the accumulated TCP payload size. |
| Engine Error | Select the action to take (None, Log and Permit, or Block [default]) when an engine error occurs. The term engine error covers all engine errors, including engine not ready, timeout, too many requests, password-protected file, corrupt file, decompression layer limit, and out of resources. |
| Default Action | Select the default action to take (None, Log and Permit, or Block [default]) for fallback conditions that have no specific option configured. Click Next to continue. |
| Notification Options | Use the notification options to configure how the user is notified when a fallback occurs (block or non-block) or when a virus is detected. |
| Fallback Deny | Click the toggle button to enable fallback notifications to e-mail senders when their messages are blocked. By default, fallback block notifications are disabled. If you enable notifications, you can configure the following additional parameters: |
| Fallback Non-Deny | Click the toggle button to enable fallback notifications to e-mail senders when their messages are not blocked. By default, fallback non-block notifications are disabled. If you enable notifications, you can configure the following additional parameters: |
| Virus Detected | Click the toggle button to enable notifications to e-mail senders when a virus is detected. By default, notifications are disabled. If you enable notifications, you can configure the following additional parameters: Click Next to continue. |
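The Fallback Options rows are a small decision procedure: size is checked before any scan request is sent, engine errors get their own action, and everything else falls back to the default. The following is an added example, not CSO or Sophos code, that models those rows; the scanner stand-in and the sample objects are constructed, and the detection markers in it are not real signatures.

```python
"""Antivirus fallback options: the content-size check before a scan request,
engine-error handling, and the default action for anything else.

Added example, not CSO or Sophos code: it models the Content Size, Content
Size Limit, Engine Error and Default Action rows. The scanner stand-in and
the sample objects are constructed; the markers it looks for are not real
signatures.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

NONE, LOG_AND_PERMIT, BLOCK, PERMIT = "none", "log-and-permit", "block", "permit"

# Conditions the table groups under "engine error".
ENGINE_ERRORS = {"engine-not-ready", "timeout", "too-many-requests", "password-protected",
                 "corrupt-file", "decompress-layer", "out-of-resources"}


class AvEngineError(Exception):
    def __init__(self, kind: str):
        super().__init__(kind)
        self.kind = kind


@dataclass
class AvFallbackOptions:
    content_size_limit_kb: int = 10000
    content_size: str = BLOCK
    engine_error: str = BLOCK
    default: str = BLOCK

    def __post_init__(self):
        if not 20 <= self.content_size_limit_kb <= 40000:
            raise ValueError("content size limit must be 20 through 40,000 KB")
        for name in ("content_size", "engine_error", "default"):
            if getattr(self, name) not in (NONE, LOG_AND_PERMIT, BLOCK):
                raise ValueError(f"{name}: action must be None, Log and Permit or Block")


# A scanner returns "clean" or "infected", or raises AvEngineError(kind).
Scanner = Callable[[bytes], str]


def av_verdict(opts: AvFallbackOptions, payload: bytes, scan: Scanner) -> tuple[str, str]:
    """Return (action, reason) for one reassembled object.

    The size check runs on the accumulated payload before any scan request is
    sent, so an oversized object never reaches the engine.
    """
    size_kb = len(payload) / 1024
    if size_kb > opts.content_size_limit_kb:
        return opts.content_size, f"content size {size_kb:.0f} KB exceeds limit"
    try:
        result = scan(payload)
    except AvEngineError as err:
        if err.kind in ENGINE_ERRORS:
            return opts.engine_error, f"engine error: {err.kind}"
        return opts.default, f"unclassified failure: {err.kind}"   # Default Action
    if result == "infected":
        return BLOCK, "virus detected"
    return PERMIT, "clean"


def demo_scanner(payload: bytes) -> str:
    """Constructed stand-in for the Sophos engine; the markers are not real signatures."""
    if b"ENCRYPTED-ZIP" in payload:
        raise AvEngineError("password-protected")
    if b"SLOW" in payload:
        raise AvEngineError("timeout")
    return "infected" if b"MALWARE-MARKER" in payload else "clean"


if __name__ == "__main__":
    opts = AvFallbackOptions(content_size_limit_kb=1000, content_size=LOG_AND_PERMIT)
    for obj in (b"hello", b"MALWARE-MARKER", b"ENCRYPTED-ZIP", b"SLOW", b"x" * (1001 * 1024)):
        print(av_verdict(opts, obj, demo_scanner))
```

Note what a non-Block value on Content Size means in practice: an object larger than the limit is never scanned at all, so Log and Permit there lets an attacker bypass antivirus simply by padding the file past the limit.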
Add Antispam Profiles
E-mail spam consists of unwanted e-mail messages usually sent by commercial, malicious, or fraudulent entities. When the device detects an e-mail message deemed to be spam, it either blocks the message or tags the message header or subject field with a preprogrammed string. Antispam filtering allows you to use a third-party server-based spam block list (SBL) and to optionally add your own local allow lists (benign) and block lists (malicious) for filtering against e-mail messages.
Sophos updates and maintains the IP-based SBL. Antispam is a separately licensed subscription service.
To add an antispam profile:
| Setting | Guideline |
|---|---|
| General Information | |
| Name | Enter a unique name for the antispam profile. The name can contain alphanumeric characters, hyphens, or underscores and cannot exceed 29 characters. |
| Description | Enter a description for the antispam profile. |
| Sophos Blacklist | Click the toggle button to enable server-based spam filtering. If the toggle button is disabled, which is the default, local spam filtering (your own allow and block lists) is used. Server-based antispam filtering requires Internet connectivity to the SBL server and a working Domain Name Service (DNS), because the firewall performs SBL lookups over the DNS protocol. Note: Server-based spam filtering supports only IP-based spam block list lookup. Sophos updates and maintains the IP-based spam block list. Server-based antispam filtering is a separately licensed subscription service. |
| Action | |
| Default Action | Select the action to be taken when spam is detected: Block, Tag Header, or Tag Subject. |
| Custom Tag | Enter the tag used to mark a message as spam when a tag action is selected. The maximum length is 512 characters, and the default is ***SPAM***. |
Add Content Filtering Profiles
Content filtering blocks or permits certain types of traffic based on the MIME type, file extension, and protocol command. The content filter controls file transfers across the device by checking traffic against configured filter lists. Table 7 displays the types of content filters that you can configure as part of a content filtering profile.
The content filtering profile evaluates traffic before all other UTM profiles. Therefore, if traffic meets criteria configured in the content filter, the content filter acts first upon this traffic.
| Type | Description |
|---|---|
| MIME pattern filter | MIME patterns are used to identify the type of traffic in HTTP and mail protocols. The content filter uses two lists of MIME patterns to determine the action to take. The block MIME list contains the MIME types of traffic to be blocked. The MIME exception list contains MIME patterns that are not to be blocked by the content filter and are generally subsets of items on the block list. Note: The exception list has a higher priority than the block list. |
| Block Extension List | Because the name of a file is available during the transfer, using file extensions is a highly practical way to block or allow file transfers. All protocols support the use of the block extension list. |
| Protocol Command Block and Permit Lists | Different protocols use different commands to communicate between servers and clients. By blocking or allowing certain commands, traffic can be controlled at the protocol command level. The block and permit command lists are intended to be used in combination, with the permit list acting as an exception list to the block list. Note: If a protocol command appears on both the permit list and the block list, the command is permitted. |
To add a content filtering profile:
| Setting | Guideline |
|---|---|
| General | |
| General Information | |
| Name | Enter a unique name for the content filtering profile. The name can contain alphanumeric characters, hyphens, or underscores and cannot exceed 29 characters. |
| Description | Enter a description for the content filtering profile. |
| Notification Options | |
| Notify Mail Sender | Click the toggle button to enable a notification when a content filter is matched. Notifications are disabled by default. |
| Notification Type | Select the type of notification to send: Protocol Only or Message. |
| Custom Notification Message | Enter a custom notification message. The maximum length is 512 characters. Click Next to continue. |
| Filter Settings | |
| Protocol Commands | |
| Command Block List | Enter the protocol commands to be blocked for the HTTP, FTP, SMTP, IMAP, and POP3 protocols. Use commas to separate the commands. Protocol commands allow you to control traffic at the protocol-command level. |
| Command Permit List | Enter the commands to be permitted for the HTTP, FTP, SMTP, IMAP, and POP3 protocols, overriding the block list for those commands. Use commas to separate the commands. |
| Block Content Type | Use the content filter to block other types of harmful files that the MIME type or the file extension cannot control. Select one or more of the following types of content to block (supported only for HTTP): ActiveX, Java applets, Windows executables (.exe), HTTP cookies, and ZIP files. |
| Extension Block List | Use the file extension list to define the set of file extensions to block over HTTP, FTP, SMTP, IMAP, and POP3. Enter the extensions separated by commas, for example exe, pdf, js. |
| MIME Block List | Enter the MIME types that you want to block over HTTP, FTP, SMTP, IMAP, and POP3 connections. Use commas to separate the MIME types. |
| MIME Permit List | Enter the MIME types that you want to permit over HTTP, FTP, SMTP, IMAP, and POP3 connections, even if they match the MIME block list. Use commas to separate the MIME types. Click Next to continue. |
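Table 7 and the Filter Settings rows describe three filters with two precedence rules (the MIME exception list beats the MIME block list; the command permit list beats the command block list). The following is an added example, not CSO or Junos code, that models them. Two details are assumptions of this model rather than statements of the page: protocol commands are compared case-insensitively, and the extension list and the MIME lists are treated as independent block conditions. The sample transfers are constructed.

```python
"""Content filter evaluation: protocol command lists (permit wins over block),
the extension block list, and the MIME block list with the MIME permit list
acting as its exception list.

Added example, not CSO or Junos code: it models Table 7 and the Filter
Settings rows. Assumptions of this model: protocol commands compare
case-insensitively, and the extension list and the MIME lists are independent
block conditions. Sample transfers are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

PERMIT, BLOCK = "permit", "block"


def _split(field: str) -> set[str]:
    """Comma-separated CSO field -> normalised set of entries."""
    return {x.strip().lower() for x in field.split(",") if x.strip()}


def _mime_hit(entries: set[str], mime_type: str) -> bool:
    """Entries ending in "/" match a whole top-level type; others must match exactly."""
    mime_type = mime_type.lower()
    return any(mime_type.startswith(e) if e.endswith("/") else mime_type == e for e in entries)


@dataclass
class ContentFilter:
    command_block: set[str]
    command_permit: set[str]
    extension_block: set[str]
    mime_block: set[str]
    mime_permit: set[str]

    @classmethod
    def from_fields(cls, command_block="", command_permit="", extension_block="",
                    mime_block="", mime_permit="") -> "ContentFilter":
        return cls(_split(command_block), _split(command_permit), _split(extension_block),
                   _split(mime_block), _split(mime_permit))

    def check_command(self, command: str) -> str:
        """Protocol command: the permit list is the exception list for the block list."""
        cmd = command.strip().lower()
        if cmd in self.command_permit:
            return PERMIT
        return BLOCK if cmd in self.command_block else PERMIT

    def check_object(self, filename: str, mime_type: str) -> tuple[str, str]:
        """A transferred file: blocked by extension, or by MIME type unless the
        MIME permit list carves it out (the exception list has priority)."""
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in self.extension_block:
            return BLOCK, f"extension .{ext} on block list"
        if _mime_hit(self.mime_permit, mime_type):
            return PERMIT, f"{mime_type} on MIME permit list"
        if _mime_hit(self.mime_block, mime_type):
            return BLOCK, f"{mime_type} on MIME block list"
        return PERMIT, "no filter matched"


# Constructed profile: block risky commands and binaries, carve out two document types.
FILTER = ContentFilter.from_fields(
    command_block="PUT, DELETE, STOR, VRFY, EXPN",
    command_permit="STOR",
    extension_block="exe, scr, js, vbs",
    mime_block="application/, text/javascript",
    mime_permit="application/pdf, application/json",
)


if __name__ == "__main__":
    for cmd in ("GET", "PUT", "stor", "VRFY"):
        print(f"{cmd:5} -> {FILTER.check_command(cmd)}")
    for name, mime in (("invoice.pdf.exe", "application/pdf"), ("report.pdf", "application/pdf"),
                       ("setup.msi", "application/x-msi"), ("README", "text/plain")):
        print(f"{name:16} {mime:18} -> {FILTER.check_object(name, mime)}")
```

The double-extension case shows why the extension list is worth keeping even when a MIME list exists: invoice.pdf.exe arrives with a sender-supplied Content-Type of application/pdf that the permit list would accept, and only the .exe check stops it. Both the file name and the MIME type are declared by the sender, so neither is a substitute for antivirus scanning.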
Add URL Patterns
You can add URL patterns, and, optionally, assign URL patterns to a URL category.
To add a URL pattern:
| Setting | Guideline |
|---|---|
| Name | Enter a unique name for the URL pattern. The name must begin with a letter or an underscore (_) and can contain alphanumeric characters, hyphens, and underscores. The maximum length is 29 characters. |
| Description | Enter a description for the URL pattern. The maximum length is 255 characters. |
| URL Category | Select the URL category to which you want to assign the URL pattern. Alternatively, click Create New URL Category to add a URL category, enter the URL category name in the text box, and click Save to assign the URL pattern to the new URL category. |
| [Add URLs] | Click the add (+) icon, enter the URL in the inline text box that appears in the table, and click the check mark to save the URL. You can enter additional URLs if needed. |
Add URL Categories
A URL category is a list of URL patterns grouped under a single title.
To add a URL category:
| Setting | Guideline |
|---|---|
| Name | Enter a unique name for the URL category. The name must begin with a letter or an underscore (_) and can contain alphanumeric characters, hyphens, and underscores. The maximum length is 59 characters. |
| Description | Enter a description for the URL category. |
| URL Patterns | Select one or more URL patterns and click the forward arrow (>) to confirm your selection. The selected URL patterns are displayed in the column on the right. Alternatively, click Create a New Pattern to add a URL pattern and assign it to the URL category. For more information, see Add URL Patterns. |