Content Security for Tenant Systems
Content Security provides multiple security features and services for SRX Series Firewalls on the network, protecting users from security threats in a simplified way. Content Security secures the tenant systems from viruses, malware, or malicious attachments by scanning the incoming data using Deep Packet Inspection and prevents access to unwanted websites by installing Enhanced Web Filtering (EWF).
Understanding Content Security Features in Tenant Systems
Content Security in tenant systems provides several security features such as antispam, antivirus, content filtering, and Web filtering to secure users from multiple Internet-borne threats. The advantage of Content Security is streamlined installation and management of these multiple security capabilities. The tenant system administrator configures the Content Security features. Configuring Content Security features for tenant systems is similar to configuring Content Security features on a device that is not configured for tenant systems.
The security features provided as part of the Content Security solution are:
Antispam Filtering—E-mail spam consists of unwanted e-mail messages, usually sent by commercial, malicious, or fraudulent entities. The antispam feature examines transmitted e-mail messages to identify e-mail spam. The default antispam feature is configured by the tenant system administrator and applies to all tenant systems.
Content Filtering—Content filtering blocks or permits certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type. The default content filtering feature is configured by the tenant system administrator and applies to all tenant systems.
Web Filtering—Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. The default Web filtering feature is configured by the tenant system administrator, and the tenant systems inherit this default Web filtering configuration.
Sophos Antivirus—Sophos Antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. Sophos Antivirus is an in-the-cloud antivirus solution. The default antivirus feature is configured by the tenant system administrator, and the tenant systems inherit this default antivirus configuration.
Avira Antivirus—Avira Antivirus feature profile settings include the scanning options, such as virus detection type, allowlist, blocklist, fallback, and notification options. Only one Avira antivirus, Web filtering, antispam filtering, or content filtering engine runs in the root system. You must configure the Avira antivirus, Web filtering, and antispam filtering feature type in the default configuration. It is configured by the root user only. All tenants should use the same routing engine and profile type.
You must configure the custom objects for the Web filtering, anti-spam, and content filtering features before configuring the Content Security features. You can configure custom objects for each tenant system.
The predefined Content Security default policy parameters for Web filtering, content filtering, antivirus, and antispam profiles are configured by the tenant system administrator. The tenant systems inherit the same antivirus and Web filtering features configured by the tenant system administrator. The mime-whitelist and url-whitelist options in the antivirus profile, and the address-blacklist and address-whitelist options in the antispam profile, can be configured at the following hierarchy levels, respectively:
[edit security utm feature-profile anti-virus sophos-engine profile]
[edit security utm feature-profile anti-spam sbl profile]
The url-whitelist and url-blacklist options are not supported in the Web filtering profile; use the custom category option to achieve the same function.
Example: Configuring Content Security for the Tenant System
This example shows how to configure the Content Security features antivirus, antispam, content filtering, custom message, custom url category, and Web filtering in the tenant system. The tenant system administrator is responsible for assigning the Content Security features to the tenant system.
Requirements
This example uses the following hardware and software components:
SRX Series Firewall configured with the tenant systems.
Junos OS Release 19.2R1 and later releases.
Before you begin:
Understand the tenant systems role and functions. See tenant systems overview.
Overview
The tenant system administrator assigns Content Security features antivirus, antispam, content filtering, and Web filtering to the tenant system.
This example shows how to configure the Content Security features for tenant system.
Configuration
CLI Quick Configuration
To quickly configure this example, log in to the primary logical system as the primary administrator, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set tenants TSYS1 security utm custom-objects url-pattern cust-list value www.ask.com
set tenants TSYS1 security utm custom-objects url-pattern cust-list value www.playboy.com
set tenants TSYS1 security utm custom-objects url-pattern cust-list2 value www.baidu.com
set tenants TSYS1 security utm custom-objects custom-url-category cust-list value cust-list
set tenants TSYS1 security utm custom-objects custom-url-category cust-list2 value cust-list2
set tenants TSYS1 security utm feature-profile web-filtering juniper-local profile my_local1 default log-and-permit
set tenants TSYS1 security utm feature-profile web-filtering juniper-local profile my_local1 category cust-list action log-and-permit
set tenants TSYS1 security utm feature-profile web-filtering juniper-local profile my_local1 category cust-list2 action block
set tenants TSYS1 security utm feature-profile web-filtering juniper-local profile my_local1 fallback-settings default log-and-permit
set tenants TSYS1 security utm feature-profile web-filtering juniper-enhanced profile ewf_my_profile1 category Enhanced_Adult_Content action block
set tenants TSYS1 security utm feature-profile web-filtering juniper-enhanced profile ewf_my_profile1 category Enhanced_Social_Web_Facebook action log-and-permit
set tenants TSYS1 security utm feature-profile web-filtering juniper-enhanced profile ewf_my_profile1 category cust-list action block
set tenants TSYS1 security utm utm-policy utmpolicy1 web-filtering http-profile ewf_my_profile1
Configuring Content Security for Tenant System
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
Log in to the tenant system and enter configuration mode.
user@host> configure
admin@host#
Configure the custom objects for the tenant system.
[edit tenants TSYS1 security utm custom-objects]
user@host# set url-pattern cust-list value www.ask.com
user@host# set url-pattern cust-list value www.playboy.com
user@host# set url-pattern cust-list2 value www.baidu.com
user@host# set custom-url-category cust-list value cust-list
user@host# set custom-url-category cust-list2 value cust-list2
Configure the web-filtering feature profile for the tenant system. The commands are relative to the hierarchy level shown, so the tenant and feature-profile path is not repeated.
[edit tenants TSYS1 security utm feature-profile]
user@host# set web-filtering juniper-local profile my_local1 default log-and-permit
user@host# set web-filtering juniper-local profile my_local1 category cust-list action log-and-permit
user@host# set web-filtering juniper-local profile my_local1 category cust-list2 action block
user@host# set web-filtering juniper-local profile my_local1 fallback-settings default log-and-permit
user@host# set web-filtering juniper-enhanced profile ewf_my_profile1 category Enhanced_Adult_Content action block
user@host# set web-filtering juniper-enhanced profile ewf_my_profile1 category Enhanced_Social_Web_Facebook action log-and-permit
user@host# set web-filtering juniper-enhanced profile ewf_my_profile1 category cust-list action block
Configure the Content Security policy for the tenant system, referencing the Enhanced Web Filtering profile as the HTTP profile.
[edit tenants TSYS1 security utm]
user@host# set utm-policy utmpolicy1 web-filtering http-profile ewf_my_profile1
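The following Python model is an added example and is not Juniper code or part of this document's configuration. It reproduces the custom objects and the two Web filtering profiles configured above as data, and shows how a URL would be classified under each profile: a host found in a url-pattern list is mapped to its custom URL category, the category's action applies, otherwise the profile's default action applies, and when categorization is unavailable the fallback-settings action applies. The evaluation order (custom categories before predefined categories), the "permit" default for ewf_my_profile1 (the page sets none), and the sample categorization table standing in for the EWF cloud service are assumptions of the model, not statements about the SRX engine.

```python
"""Model of the tenant Web filtering profiles configured above (added example, not Juniper code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Custom objects from the page: url-pattern lists and the custom URL
# categories that reference them.
URL_PATTERNS: Dict[str, List[str]] = {
    "cust-list": ["www.ask.com", "www.playboy.com"],
    "cust-list2": ["www.baidu.com"],
}
CUSTOM_URL_CATEGORIES: Dict[str, List[str]] = {
    "cust-list": ["cust-list"],
    "cust-list2": ["cust-list2"],
}


@dataclass
class WebFilteringProfile:
    name: str
    category_actions: Dict[str, str]       # category name -> action
    default_action: str                    # action when no category matches
    fallback_action: Optional[str] = None  # action when categorisation fails


# Profiles as configured on the page.
PROFILE_LOCAL = WebFilteringProfile(
    name="my_local1",
    category_actions={"cust-list": "log-and-permit", "cust-list2": "block"},
    default_action="log-and-permit",
    fallback_action="log-and-permit",
)
PROFILE_EWF = WebFilteringProfile(
    name="ewf_my_profile1",
    category_actions={
        "Enhanced_Adult_Content": "block",
        "Enhanced_Social_Web_Facebook": "log-and-permit",
        "cust-list": "block",
    },
    # The page sets no default or fallback for this profile; "permit" is an
    # assumption of this model, not a statement about the SRX default.
    default_action="permit",
)


def host_of(url: str) -> str:
    """Return the lowercased host of a URL; bare hostnames pass through."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def custom_category_for(host: str) -> Optional[str]:
    """Return the first custom URL category whose url-pattern lists contain host."""
    for category, pattern_lists in CUSTOM_URL_CATEGORIES.items():
        for pattern_list in pattern_lists:
            if host in (p.lower() for p in URL_PATTERNS[pattern_list]):
                return category
    return None


def evaluate(profile: WebFilteringProfile, url: str,
             predefined_lookup: Optional[Callable[[str], Optional[str]]] = None
             ) -> Tuple[str, str]:
    """Return (action, reason) for url under profile.

    Order used by this model (an assumption, not a description of the engine):
      1. custom URL categories built from the url-pattern objects
      2. predefined categories returned by predefined_lookup(host)
      3. the profile's default action
    If predefined_lookup raises LookupError (categorisation unavailable), the
    fallback action applies, mirroring the fallback-settings stanza.
    """
    host = host_of(url)
    custom = custom_category_for(host)
    if custom is not None and custom in profile.category_actions:
        return profile.category_actions[custom], f"custom category {custom}"
    if predefined_lookup is not None:
        try:
            predefined = predefined_lookup(host)
        except LookupError:
            action = profile.fallback_action or profile.default_action
            return action, "categorisation unavailable; fallback"
        if predefined is not None and predefined in profile.category_actions:
            return profile.category_actions[predefined], f"predefined category {predefined}"
    return profile.default_action, "no category matched; default"


# Constructed stand-in for the EWF categorisation service (sample data only).
SAMPLE_PREDEFINED = {
    "www.facebook.com": "Enhanced_Social_Web_Facebook",
    "adult.example": "Enhanced_Adult_Content",
}


def sample_lookup(host: str) -> Optional[str]:
    return SAMPLE_PREDEFINED.get(host)


def lookup_unavailable(host: str) -> Optional[str]:
    raise LookupError("categorisation service unreachable")


if __name__ == "__main__":
    for url in ["http://www.ask.com/q", "https://www.baidu.com/", "http://example.com/"]:
        print(PROFILE_LOCAL.name, url, evaluate(PROFILE_LOCAL, url))
    for url in ["http://www.playboy.com/", "http://www.facebook.com/", "http://adult.example/"]:
        print(PROFILE_EWF.name, url, evaluate(PROFILE_EWF, url, sample_lookup))
    print(PROFILE_LOCAL.name, "fallback", evaluate(PROFILE_LOCAL, "http://example.com/", lookup_unavailable))
```

Running the model makes one property of the configuration visible that the set commands alone do not: cust-list2 is referenced only by my_local1, so a host in that list is blocked by the local profile but reaches the default action under ewf_my_profile1, which is the profile utmpolicy1 actually uses.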
Results
From configuration mode, confirm your configuration by entering the show tenants TSYS1 security utm custom-objects command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show tenants TSYS1 security utm custom-objects
url-pattern {
    cust-list {
        value [ www.ask.com www.playboy.com ];
    }
    cust-list2 {
        value www.baidu.com;
    }
}
custom-url-category {
    cust-list {
        value cust-list;
    }
    cust-list2 {
        value cust-list2;
    }
}
From configuration mode, confirm your configuration by entering the show tenants TSYS1 security utm feature-profile web-filtering command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show tenants TSYS1 security utm feature-profile web-filtering
juniper-local {
    profile my_local1 {
        default log-and-permit;
        category {
            cust-list {
                action log-and-permit;
            }
            cust-list2 {
                action block;
            }
        }
        fallback-settings {
            default log-and-permit;
        }
    }
}
juniper-enhanced {
    profile ewf_my_profile1 {
        category {
            Enhanced_Adult_Content {
                action block;
            }
            Enhanced_Social_Web_Facebook {
                action log-and-permit;
            }
            cust-list {
                action block;
            }
        }
    }
}
From configuration mode, confirm your configuration by entering the show tenants TSYS1 security utm command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show tenants TSYS1 security utm
utm-policy utmpolicy1 {
    web-filtering {
        http-profile ewf_my_profile1;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying Web Filtering Configuration
Purpose
Verify that the Web filtering feature is configured for the tenant system.
Action
From operational mode, enter the show security utm web-filtering statistics tenant TSYS1 command to view the details of the Web filtering feature configured for the tenant system.
user@host> show security utm web-filtering statistics tenant TSYS1
UTM web-filtering statistics:
    Total requests:                19784932
    white list hit:                0
    Black list hit:                0
    No license permit:             0
    Queries to server:             19782736
    Server reply permit:           18819472
    Server reply block:            0
Meaning
The output displays the Web filtering statistics for the tenant system.
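The following Python snippet is an added example and is not Juniper code. It parses the statistics output shown above into counters and derives two quantities the output does not print directly: requests counted in Total requests but not in Queries to server, and server queries with no permit or block reply counted. It also flags counter relationships that cannot hold in a sane snapshot, which is useful when the output is collected repeatedly for monitoring. The sample text is a constructed copy of the output above; the counter names come from the page, and the derived values are plain arithmetic on them with no further interpretation.

```python
"""Parse SRX web-filtering statistics output and derive operational checks (added example, not Juniper code)."""
import re
from typing import Dict, List

# Constructed sample input: the show output above, reproduced as text.
SAMPLE_OUTPUT = """\
user@host> show security utm web-filtering statistics tenant TSYS1
UTM web-filtering statistics:
    Total requests:                19784932
    white list hit:                0
    Black list hit:                0
    No license permit:             0
    Queries to server:             19782736
    Server reply permit:           18819472
    Server reply block:            0
"""

# One counter per line: a name made of letters and spaces, a colon, an integer.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$")


def parse_statistics(text: str) -> Dict[str, int]:
    """Return {lowercased counter name: value}; lines without a counter are ignored."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        match = COUNTER_RE.match(line)
        if match:
            counters[match.group(1).strip().lower()] = int(match.group(2))
    return counters


def derive(counters: Dict[str, int]) -> Dict[str, int]:
    """Quantities the raw output does not print directly.

    not_queried: requests counted in 'Total requests' but not in 'Queries to
                 server' (the output does not break these down further)
    unreplied:   queries to the server with no permit or block reply counted
    blocked:     server replies that blocked the request
    """
    total = counters["total requests"]
    queries = counters["queries to server"]
    permit = counters["server reply permit"]
    block = counters["server reply block"]
    return {
        "not_queried": total - queries,
        "unreplied": queries - permit - block,
        "blocked": block,
    }


def consistency_issues(counters: Dict[str, int]) -> List[str]:
    """Flag counter relationships that cannot hold for a sane snapshot."""
    issues: List[str] = []
    required = ["total requests", "queries to server",
                "server reply permit", "server reply block"]
    missing = [name for name in required if name not in counters]
    if missing:
        return [f"missing counters: {', '.join(missing)}"]
    if counters["queries to server"] > counters["total requests"]:
        issues.append("more queries to server than total requests")
    if (counters["server reply permit"] + counters["server reply block"]
            > counters["queries to server"]):
        issues.append("more server replies than queries")
    return issues


if __name__ == "__main__":
    stats = parse_statistics(SAMPLE_OUTPUT)
    print(stats)
    print(derive(stats))
    print(consistency_issues(stats) or "no inconsistencies")
```

On the sample above, 2196 requests never reached the categorization server and 963264 server queries have no permit or block reply in these counters; the output itself does not say how those requests were handled, so treat the derived numbers as prompts for further investigation rather than as verdicts.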