To configure the URL filtering feature, you must first configure jservices-urlf as the package-name at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level. For more information on configuring the extension-provider package package-name configuration statement, see the package (Loading on PIC) statement.
Note: MX-SPC3 does not explicitly need jservices-urlf as the package-name at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level. It is supported by default.
URL filtering is configured on a service PIC. The interfaces you are dealing with are services interfaces (which use the ms prefix) or aggregated multiservices (AMS) interfaces (which use the ams prefix). For more information on AMS interfaces, see the Adaptive Services Interfaces User Guide for Routing Devices starting with Understanding Aggregated Multiservices Interfaces.
A URL filtering profile is a collection
of templates. Each template consists of a set of criteria that defines
which URLs are disallowed and how the recipient is notified.
To configure the URL profile:
- Assign a name to the URL profile.
[edit]
user@host# edit services (web-filter | url-filter) profile profile-name
Starting in Junos OS Release 18.3R1, for Adaptive Services, configure the profile at the [edit services web-filter] hierarchy level. Before Junos OS Release 18.3R1, configure the profile at the [edit services url-filter] hierarchy level. Starting in Junos OS Release 19.3R2, this same functionality is available for Next Gen Services on MX240, MX480, and MX960.
- Specify the name of the URL filter database to use.
[edit services (web-filter | url-filter) profile profile-name]
user@host# set url-filter-database filename
- Configure one or more templates for the profile.
To configure each template:
- Name the template.
[edit services (web-filter | url-filter) profile profile-name]
user@host# set (url-filter-template template-name | template template-name)
Note: Starting in Junos OS Release 18.3R1, configure the template with the url-filter-template statement. Before Junos OS Release 18.3R1, configure the template with the template statement.
- Go to that new template hierarchy level.
[edit services (web-filter | url-filter) profile profile-name]
user@host# edit (url-filter-template template-name | template template-name)
- Specify the name of the URL filter database to use.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name)]
user@host# set url-filter-database filename
- Specify the loopback interface whose IP address is used as the source address for DNS queries.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name)]
user@host# set dns-source-interface loopback-interface-name
- Disable the filtering of HTTP traffic that contains an embedded IP address (for example, http://10.1.1.1) belonging to a disallowed domain name in the URL filter database.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name)]
user@host# set disable-url-filtering
- Configure the DNS resolution time interval in minutes.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name)]
user@host# set dns-resolution-interval minutes
- Configure the number of retries for a DNS query in case
the query fails or times out.
[edit services (web-filter | url-filter) profile profile-name]
user@host# set dns-retries number
- Specify the IP addresses (IPv4 or IPv6) of DNS servers
to which the DNS queries are sent.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name)]
user@host# set dns-server [ip-address]
- Specify the client-facing logical interfaces on which
the URL filtering is configured.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name)]
user@host# set client-interfaces [ client-interface-name ]
- Specify the server-facing logical interfaces on which
the URL filtering is configured.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name)]
user@host# set server-interfaces [ server-interface-name ]
- Specify the routing instance on which the URL filtering
is configured.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name)]
user@host# set routing-instance routing-instance-name
- Specify the routing instance on which the DNS server is
reachable.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name)]
user@host# set dns-routing-instance dns-routing-instance-name
- Configure the term information.
Terms are used in filters to segment the policy or filter into
small match and action pairs.
- Name the term.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name)]
user@host# set term term-name
- Go to the new term hierarchy level.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name)]
user@host# edit term term-name
- Specify the source IP address prefixes for traffic you
want to filter.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name) term term-name]
user@host# set from src-ip-prefix [prefix]
- Specify the destination ports for traffic you want to
filter.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name) term term-name]
user@host# set from dest-port [port]
- Configure an action to take.
[edit services (web-filter | url-filter) profile profile-name (url-filter-template template-name | template template-name) term term-name]
user@host# set then action
The action can be one of the following:
custom-page custom-page | Send a custom page string to the user.
http-status-code http-status-code | Send an HTTP status code to the user.
redirect-url redirect-url | Send an HTTP redirect to the user.
tcp-reset | Send a TCP reset to the user.
- Associate the URL profile with a next-hop service set.
Note: For URL filtering, you must configure the service set
as a next-hop service set.
[edit]
user@host# set services service-set service-set-name (web-filter-profile profile-name | url-filter-profile profile-name)
user@host# set services service-set service-set-name next-hop-service inside-service-interface interface-name.unit-number
user@host# set services service-set service-set-name next-hop-service outside-service-interface interface-name.unit-number
Note: The service interface can also be an ams interface. If you are using ams interfaces at the [edit services service-set service-set-name] hierarchy level for the URL filter, you must also configure the load-balancing-options hash-keys statement at the [edit interfaces ams-interface-name unit number] hierarchy level.
Note: Starting in Junos OS Release 18.3R1, configure the service set with the web-filter-profile statement. Before Junos OS Release 18.3R1, configure the service set with the url-filter-profile statement.
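The requirements in the procedure above can be checked before commit. The following is an added example, not part of the Juniper documentation: a small Python audit over a configuration in set form that flags a URL filtering service set that is not a next-hop service set, an ams service interface without load-balancing-options hash-keys, and a mix of pre-18.3R1 and 18.3R1 statement names. The sample configuration, all names in it, and the rule that a configuration should use one release's names throughout are assumptions made for the example.

```python
# Constructed sample in Junos "set" form; every name and address is made up.
SAMPLE = """\
set services web-filter profile URLF-PROF url-filter-database urlf_db.txt
set services web-filter profile URLF-PROF template TMPL1 dns-server 192.0.2.53
set services web-filter profile URLF-PROF template TMPL1 term T1 from dest-port 80
set services web-filter profile URLF-PROF template TMPL1 term T1 then tcp-reset
set services service-set SSET1 web-filter-profile URLF-PROF
set services service-set SSET1 next-hop-service inside-service-interface ams0.1
set services service-set SSET2 url-filter-profile URLF-PROF
"""

OLD = {"url-filter", "template", "url-filter-profile"}             # before 18.3R1
NEW = {"web-filter", "url-filter-template", "web-filter-profile"}  # 18.3R1 onward
SIDES = ("inside-service-interface", "outside-service-interface")


def audit(config):
    """Return findings for a URL filtering configuration given as 'set' lines."""
    rows = [r for r in (l.split() for l in config.splitlines())
            if len(r) > 4 and r[0] == "set"]
    findings, used, sets, hashed = [], set(), {}, set()
    for r in rows:
        if r[1:3] == ["services", "service-set"]:
            s = sets.setdefault(r[3], {"profile": False, "nh": {}})
            if r[4] in ("web-filter-profile", "url-filter-profile"):
                s["profile"] = True
                used.add(r[4])
            elif r[4] == "next-hop-service" and len(r) > 6:
                s["nh"][r[5]] = r[6]
        elif r[1] == "services" and r[2] in ("web-filter", "url-filter"):
            used.add(r[2])
            if len(r) > 5 and r[5] in ("template", "url-filter-template"):
                used.add(r[5])
        elif (r[1] == "interfaces" and r[3] == "unit"
              and {"load-balancing-options", "hash-keys"} <= set(r)):
            hashed.add(f"{r[2]}.{r[4]}")      # e.g. ams0 unit 1 -> ams0.1
    if used & OLD and used & NEW:             # assumption: one release's names only
        findings.append("mixed statement names: " + ", ".join(sorted(used)))
    for name, s in sets.items():
        if not s["profile"]:
            continue                          # service set does no URL filtering
        for side in SIDES:
            ifl = s["nh"].get(side)
            if ifl is None:
                findings.append(f"{name}: no next-hop-service {side}")
            elif ifl.startswith("ams") and ifl not in hashed:
                findings.append(f"{name}: {ifl} lacks load-balancing-options hash-keys")
    return findings
```

Calling audit(SAMPLE) returns five findings: the mixed statement names, the missing hash-keys on ams0.1, the missing outside interface on SSET1, and both missing next-hop interfaces on SSET2.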
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
19.3R2 | Starting in Junos OS Release 19.3R2, this same functionality is available for Next Gen Services on MX240, MX480, and MX960.
18.3R1 | Starting in Junos OS Release 18.3R1, for Adaptive Services, configure the profile at the [edit services web-filter] hierarchy level. Before Junos OS Release 18.3R1, configure the profile at the [edit services url-filter] hierarchy level.