ng-juniper
Syntax
ng-juniper {
    base-filter {
        base-filter;
        ng-default-filter;
    }
    category category-name {
        action (block | log-and-permit | permit | quarantine);
        custom-message custom-message;
    }
    custom-message custom-message;
    default (block | log-and-permit | permit | quarantine);
    fallback-settings {
        default (block | permit);
        server-connectivity (block | log-and-permit);
        timeout (block | log-and-permit);
        too-many-requests (block | log-and-permit);
    }
    no-safe-search;
    server {
        host host;
        port port;
        proxy-profile proxy-profile;
        routing-instance routing-instance;
        source-address source-address;
        tls-profile tls-profile;
    }
    site-reputation-action (very-safe | moderately-safe | fairly-safe | suspicious | harmful);
    timeout timeout;
}
Hierarchy Level
[edit security utm default-configuration web-filtering]
[edit security utm feature-profile web-filtering ng-juniper profile name]
Description
Configure the Juniper NextGen Web filtering engine. Juniper NextGen Web filtering acts as a gateway for the SRX Series devices seeking URL reputation or category from the Juniper NextGen Web Filtering (NGWF) cloud.
You must configure an SSL initiation profile so that NGWF can communicate over HTTPS connections.
The following is a configuration sample for SSL initiation profile:
- Create a self-signed certificate that can be used for SSL handshake with the Content Security server.
  request security pki generate-key-pair certificate-id utmcert size 1024 type rsa
  request security pki local-certificate generate-self-signed certificate-id utmcert subject "DC=Domain_component,CN=utmcert,OU=SLT_QA,O=Juniper,L=Sunnyvale,ST=CA,C=US" ip-address 0.0.0.0 domain-name juniper.net
- Configure the SSL initiation profile by calling the certificate that you created.
  set services ssl initiation profile ssl_init_prof client-certificate utmcert
  set services ssl initiation profile ssl_init_prof actions ignore-server-auth-failure
  set services ssl initiation profile ssl_init_prof trusted-ca all
The command set services ssl initiation profile ssl_init_prof actions ignore-server-auth-failure is mandatory. This command configures an SSL initiation profile named ssl_init_prof to ignore server authentication failures. This means that the SRX Series Firewall will not drop the SSL connection if it encounters errors during the server certificate verification process.
The following is a sample of the configurations that are required for NGWF to work:
set security policies from-zone trust to-zone untrust policy fw_policy match source-address any
set security policies from-zone trust to-zone untrust policy fw_policy match destination-address any
set security policies from-zone trust to-zone untrust policy fw_policy match application any
set security policies from-zone trust to-zone untrust policy fw_policy then permit application-services ssl-proxy profile-name ssl-profile
set security policies from-zone trust to-zone untrust policy fw_policy then permit application-services utm-policy WF
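A check for the prerequisites described above, as an added example that is not Juniper's code: it reads configuration in display-set form and reports ng-juniper profiles whose tls-profile does not resolve to an SSL initiation profile carrying the mandatory ignore-server-auth-failure action, and fallback-settings that are unset or not block. The sample configuration and the names wf_strict, wf_lab and missing_prof are constructed; ssl_init_prof and utmcert follow the sample above.

```python
import re

# Constructed sample in "display set" form; wf_strict, wf_lab and missing_prof are made-up names.
SAMPLE_CONFIG = """\
set services ssl initiation profile ssl_init_prof client-certificate utmcert
set services ssl initiation profile ssl_init_prof actions ignore-server-auth-failure
set services ssl initiation profile ssl_init_prof trusted-ca all
set security utm feature-profile web-filtering ng-juniper profile wf_strict server tls-profile ssl_init_prof
set security utm feature-profile web-filtering ng-juniper profile wf_strict fallback-settings default block
set security utm feature-profile web-filtering ng-juniper profile wf_strict fallback-settings server-connectivity block
set security utm feature-profile web-filtering ng-juniper profile wf_strict fallback-settings timeout block
set security utm feature-profile web-filtering ng-juniper profile wf_strict fallback-settings too-many-requests block
set security utm feature-profile web-filtering ng-juniper profile wf_lab server tls-profile missing_prof
set security utm feature-profile web-filtering ng-juniper profile wf_lab fallback-settings timeout log-and-permit
"""

NG_RE = re.compile(r"^set security utm feature-profile web-filtering ng-juniper profile (\S+) (.+)$")
SSL_RE = re.compile(r"^set services ssl initiation profile (\S+) (.+)$")
FALLBACKS = ("default", "server-connectivity", "timeout", "too-many-requests")

def audit(config_text):
    """Return a list of (profile, finding) tuples for ng-juniper profiles."""
    profiles, ssl = {}, {}
    for line in config_text.splitlines():
        line = line.strip()
        if m := NG_RE.match(line):
            profiles.setdefault(m.group(1), []).append(m.group(2))
        elif m := SSL_RE.match(line):
            ssl.setdefault(m.group(1), []).append(m.group(2))
    findings = []
    for name, stmts in sorted(profiles.items()):
        # The server tls-profile must name an SSL initiation profile that exists.
        tls = next((s.split()[-1] for s in stmts if s.startswith("server tls-profile ")), None)
        if tls is None:
            findings.append((name, "no server tls-profile configured"))
        elif tls not in ssl:
            findings.append((name, f"tls-profile {tls} is not a defined SSL initiation profile"))
        elif "actions ignore-server-auth-failure" not in ssl[tls]:
            findings.append((name, f"tls-profile {tls} lacks actions ignore-server-auth-failure"))
        # Each fallback condition should be set explicitly; anything but block fails open.
        fb = {p[1]: p[2] for p in map(str.split, stmts) if len(p) == 3 and p[0] == "fallback-settings"}
        for cond in FALLBACKS:
            action = fb.get(cond)
            if action is None:
                findings.append((name, f"fallback {cond} not set explicitly"))
            elif action != "block":
                findings.append((name, f"fallback {cond} is {action}: fails open"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns five findings, all for wf_lab; wf_strict passes every check.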
Options
| base-filter | Juniper base filter. |
| ng-default-filter | Juniper default base filter. |
| category name | Juniper NextGen category name. |
| action | Action to perform when web traffic matches the category. The possible options are block, log-and-permit, permit, and quarantine. |
| custom-message | Custom message for the action taken when web traffic matches the category. |
| default | Juniper NextGen default profile. |
| fallback-settings | Juniper NextGen fallback settings. |
| no-safe-search | Do not perform safe-search for Juniper NextGen protocol. |
| server | Configure Juniper NextGen server. |
| host | Server host IP address or string host name. |
| port | Server port number. |
| proxy-profile | Proxy profile name. |
| routing-instance | Routing instance name. |
| source-address | Source IP address used to connect to the server. |
| tls-profile | SSL initiation profile. |
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 23.4R1.