Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Content Security for Tenant Systems

Content Security provides multiple security features and services for SRX Series Firewalls on the network, protecting users from security threats in a simplified way. Content Security secures the tenant systems from viruses, malware, or malicious attachments by scanning the incoming data using Deep Packet Inspection and prevents access to unwanted websites by installing Enhanced Web Filtering (EWF).

Understanding Content Security Features in Tenant Systems

Content Security in tenant systems provides several security features such as antispam, antivirus, content filtering, and Web filtering to secure users from multiple Internet-borne threats. The advantage of Content Security is streamlined installation and management of these multiple security capabilities. The tenant systems administrator configures the Content Security features. Configuring Content Security features for tenant systems is similar to configuring Content Security features on a device that is not configured for tenant systems.

The security features provided as part of the Content Security solution are:

  • Antispam Filtering—E-mail spam consists of unwanted e-mail messages, usually sent by commercial, malicious, or fraudulent entities. The antispam feature examines transmitted e-mail messages to identify e-mail spam. The default antispam feature is configured at the tenant system administrator and it is applicable for all the tenant systems.

  • Content Filtering—Content filtering blocks or permits certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type. The default content filtering feature is configured at the tenant system administrator and it is applicable for all the tenant systems.

  • Web Filtering—Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. The default Web filtering feature is configured at the tenant system administrator, and the tenant system inherit these default Web filtering configuration.

  • Sophos Antivirus —Sophos Antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. Sophos Antivirus is as an in-the-cloud antivirus solution. The default antivirus feature is configured at the tenant system administrator, and the tenant system inherit these default antivirus configuration.

  • Avira Antivirus —Avira Antivirus feature profile settings include the scanning options, such as virus detection type, allowlist, blocklist, fallback and notification options. Only one Avira antivirus, Web filtering, Antispam filtering, or Content filtering engine is running in root system. You must configure the Avira antivirus, Web filtering, and Antispam filtering feature type in default configuration. It is configured by the root-user only. All tenants should use the same routing engine and profile type.

You must configure the custom objects for the Web filtering, anti-spam, and content filtering features before configuring the Content Security features. You can configure custom objects for each tenant system.

The predefined Content Security default policy parameters for Web filtering, content filtering, antivirus, and antispam profiles are configured at the tenant system administrator. The tenant system inherit the same antivirus and Web filtering features configured for the tenant system administrator. The options such as mime-whitelist and url-whitelist in antivirus profile, and address-blacklist and address-whitelist in antispam profile can be configured at the following hierarchy levels, respectively:

  • [edit security utm feature-profile anti-virus sophos-engine profile]

  • [edit security utm feature-profile anti-spam sbl profile]

The options url-whitelist and url-blacklist are not supported in the Web fiterling profile, you can use the custom category option to achieve the function.

Example: Configuring Content Security for the Tenant System

This example shows how to configure the Content Security features antivirus, antispam, content filtering, custom message, custom url category, and Web filtering in the tenant system. The tenant system administrator is responsible for assigning the Content Security features to the tenant system.

Requirements

This example uses the following hardware and software components:

  • SRX Series Firewall configured with the tenant systems.

  • Junos OS Release 19.2R1 and later releases.

Before you begin:

  • Understand the tenant systems role and functions. See tenant systems overview.

Overview

The tenant system administrator assigns Content Security features antivirus, antispam, content filtering, and Web filtering to the tenant system.

This example shows how to configure the Content Security features for tenant system.

Configuration

CLI Quick Configuration

To quickly configure this example, log in to the primary logical system as the primary administrator, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring Content Security for Tenant System

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

  1. Log in to the tenant system and enter configuration mode.

  2. Configure the custom objects for the tenant system.

  3. Configure the feature profile web-filtering for the tenant system.

  4. Configure the Content Security policy for the tenant system.

Results

  • From configuration mode, confirm your configuration by entering the show tenants TSYS1 security utm custom-objects command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show tenants TSYS1 security utm feature-profile web-filtering command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show tenants TSYS1 security utm command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Web Filtering Configuration

Purpose

Verify that the Web filtering feature is configured for the tenant system.

Action

From operational mode, enter the show security utm web-filtering statistics tenant TSYS1 command to view the details of the Web filtering feature configured for the tenant system.

Meaning

The output displays the Web filtering statistics for the tenant system.