Content Security for Logical Systems
Content Security provides multiple security features and services for SRX Series Firewalls on the network, protecting users from security threats in a simplified way. Content Security secures the logical systems against viruses, malware, and malicious attachments by scanning incoming data with Deep Packet Inspection, and prevents access to unwanted websites through Enhanced Web Filtering (EWF).
Understanding Content Security Features in Logical Systems
Content Security in logical systems provides several security features such as antispam, antivirus, content filtering, and Web filtering to secure users from multiple Internet-borne threats. The advantage of Content Security is streamlined installation and management of these multiple security capabilities. In logical systems the primary administrator configures the Content Security features for the primary logical system. Configuring Content Security features for logical systems is similar to configuring Content Security features on a device that is not configured for logical systems.
The security features provided as part of the Content Security solution are:
Antispam Filtering—E-mail spam consists of unwanted e-mail messages, usually sent by commercial, malicious, or fraudulent entities. The antispam feature examines transmitted e-mail messages to identify e-mail spam. The default antispam feature is configured at the primary logical system and it is applicable for all the user logical systems.
Content Filtering—Content filtering blocks or permits certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type. The default content filtering feature is configured at the primary logical system and it is applicable for all the user logical systems.
Web Filtering—Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. The default Web filtering feature is configured at the primary logical system, and the user logical systems inherit this default Web filtering configuration.
Sophos Antivirus—Sophos Antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. Sophos Antivirus is an in-the-cloud antivirus solution. The default antivirus feature is configured at the primary logical system, and the user logical systems inherit this default antivirus configuration.
You must configure the custom objects for the Web filtering, antispam, and content filtering features before configuring the Content Security feature profiles that reference them. You can configure custom objects separately for each user logical system.
The predefined Content Security default policy parameters for the Web filtering, content filtering, antivirus, and antispam profiles are configured at the primary logical system. The user logical systems inherit the antivirus and Web filtering features configured for the primary logical system. The mime-whitelist and url-whitelist options in the antivirus profile, and the address-blacklist and address-whitelist options in the antispam profile, are configured at the following hierarchy levels, respectively:
[edit security utm feature-profile anti-virus sophos-engine profile]
[edit security utm feature-profile anti-spam sbl profile]
The url-whitelist and url-blacklist options are not supported in the Web filtering profile; use the custom-url-category option to achieve the same function.
Example: Configuring Content Security for the Primary Logical System
This example shows how to configure the Content Security features antivirus, antispam, content filtering, and Web filtering in the primary logical system. The primary administrator is responsible for assigning the Content Security features to the user logical systems.
Requirements
This example uses the following hardware and software components:
SRX Series Firewall configured with the logical systems.
Junos OS Release 18.3R1 and later releases.
Before you begin:
Understand how to log in to the primary logical system as the primary administrator. See Primary Logical Systems Overview.
Configure the interfaces, routing instances, and static routes for the primary logical system. See Example: Configuring Interfaces, Routing Instances, and Static Routes for the Primary and Interconnect Logical Systems and Logical Tunnel Interfaces for the User Logical Systems (Primary Administrators Only).
Overview
By default, all system resources are assigned to the primary logical system, and the primary administrator allocates them to the user logical systems. The primary administrator manages the device and the logical systems.
This example shows how to configure the Content Security features described in Table 1 for the primary logical system.
Configuration Type | Configuration Description | Configuration Parameter
---|---|---
Custom objects | Configure the MIME (Multipurpose Internet Mail Extension) types (my_blockmime01). | multipart/, application/
Custom objects | Define a set of file extensions (my_fileextlist01). | txt, pl, com, zip
Custom objects | Configure a URL pattern list (black_list). | www.example.com
Custom objects | Configure a custom URL category (cust_black). | black_list
Antispam | Configure the antispam type server-based spam block list (SBL). | sbl
Antivirus | Configure the antivirus type Sophos Antivirus (sophos-engine) and a profile (mysav) with URI checking. | sophos-engine, uri-check
Web filtering | Specify the default action for Enhanced Web Filtering (EWF) in profile myewf. | log-and-permit
In this procedure, you define custom objects, configure feature profiles for Content Security features (antispam, antivirus, content filtering, and Web filtering), configure a Content Security policy and attach feature profiles, and apply the Content Security policy to the security policy as an application service. For more information, see the Unified Threat Management User Guide.
Configuration
CLI Quick Configuration
To quickly configure this example, log in to the primary logical system as the primary administrator, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security utm custom-objects mime-pattern my_blockmime01 value [ multipart/ application/ ]
set security utm custom-objects filename-extension my_fileextlist01 value [ txt pl com zip ]
set security utm custom-objects url-pattern black_list value www.example.com
set security utm custom-objects custom-url-category cust_black value black_list
set security utm default-configuration anti-virus type sophos-engine
set security utm default-configuration web-filtering type juniper-enhanced
set security utm default-configuration web-filtering juniper-enhanced cache timeout 1800
set security utm default-configuration web-filtering juniper-enhanced cache size 0
set security utm default-configuration anti-spam type sbl
set security utm feature-profile anti-virus sophos-engine profile mysav scan-options uri-check
set security utm feature-profile web-filtering juniper-enhanced profile myewf default log-and-permit
set security utm utm-policy utm-p1 anti-virus http-profile mysav
set security utm utm-policy utm-p1 content-filtering http-profile junos-cf-defaults
set security utm utm-policy utm-p1 web-filtering http-profile myewf
set security utm utm-policy utm-p1 anti-spam smtp-profile junos-as-defaults
set security policies from-zone trust to-zone untrust policy p1 match source-address any
set security policies from-zone trust to-zone untrust policy p1 match destination-address any
set security policies from-zone trust to-zone untrust policy p1 match application junos-http
set security policies from-zone trust to-zone untrust policy p1 then permit application-services utm-policy utm-p1
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
Log in to the primary logical system as the primary administrator and enter configuration mode.
admin@host> configure
admin@host#
Configure the custom objects for the primary logical system.
[edit security utm custom-objects]
admin@host# set mime-pattern my_blockmime01 value [ multipart/ application/ ]
admin@host# set filename-extension my_fileextlist01 value [ txt pl com zip ]
admin@host# set url-pattern black_list value www.example.com
admin@host# set custom-url-category cust_black value black_list
Define the Content Security default configuration for the primary logical system.
[edit security utm default-configuration]
admin@host# set anti-virus type sophos-engine
admin@host# set web-filtering type juniper-enhanced
admin@host# set web-filtering juniper-enhanced cache timeout 1800
admin@host# set web-filtering juniper-enhanced cache size 0
admin@host# set anti-spam type sbl
Configure the feature profiles for the primary logical system.
[edit security utm feature-profile]
admin@host# set anti-virus sophos-engine profile mysav scan-options uri-check
admin@host# set web-filtering juniper-enhanced profile myewf default log-and-permit
Configure the Content Security policy for the primary logical system.
[edit security utm utm-policy]
admin@host# set utm-p1 anti-virus http-profile mysav
admin@host# set utm-p1 content-filtering http-profile junos-cf-defaults
admin@host# set utm-p1 web-filtering http-profile myewf
admin@host# set utm-p1 anti-spam smtp-profile junos-as-defaults
Configure the security policy for the primary logical system and attach the Content Security policy as an application service.
[edit security policies]
admin@host# set from-zone trust to-zone untrust policy p1 match source-address any
admin@host# set from-zone trust to-zone untrust policy p1 match destination-address any
admin@host# set from-zone trust to-zone untrust policy p1 match application junos-http
admin@host# set from-zone trust to-zone untrust policy p1 then permit application-services utm-policy utm-p1
Results
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
admin@host# show security
utm {
    custom-objects {
        mime-pattern {
            my_blockmime01 {
                value [ multipart/ application/ ];
            }
        }
        filename-extension {
            my_fileextlist01 {
                value [ txt pl com zip ];
            }
        }
        url-pattern {
            black_list {
                value www.example.com;
            }
        }
        custom-url-category {
            cust_black {
                value black_list;
            }
        }
    }
    default-configuration {
        anti-virus {
            type sophos-engine;
        }
        web-filtering {
            type juniper-enhanced;
            juniper-enhanced {
                cache {
                    timeout 1800;
                    size 0;
                }
            }
        }
        anti-spam {
            type sbl;
        }
    }
    feature-profile {
        anti-virus {
            sophos-engine {
                profile mysav {
                    scan-options {
                        uri-check;
                    }
                }
            }
        }
        web-filtering {
            juniper-enhanced {
                profile myewf {
                    default log-and-permit;
                }
            }
        }
    }
    utm-policy utm-p1 {
        anti-virus {
            http-profile mysav;
        }
        content-filtering {
            http-profile junos-cf-defaults;
        }
        web-filtering {
            http-profile myewf;
        }
        anti-spam {
            smtp-profile junos-as-defaults;
        }
    }
}
policies {
    from-zone trust to-zone untrust {
        policy p1 {
            match {
                source-address any;
                destination-address any;
                application junos-http;
            }
            then {
                permit {
                    application-services {
                        utm-policy utm-p1;
                    }
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying Antivirus Configuration
- Verifying Antispam Configuration
- Verifying Content Filtering Configuration
- Verifying Web Filtering Configuration
Verifying Antivirus Configuration
Purpose
Verify that the antivirus feature is configured for the primary logical system.
Action
From operational mode, enter the show security utm anti-virus statistics
command to view the details of the antivirus feature configured for the primary logical system.
admin@host> show security utm anti-virus statistics
UTM Anti Virus statistics:
  MIME-whitelist passed:      0
  URL-whitelist passed:       0
  Session abort:              0
Scan Request:
  Total      Clean      Threat-found      Fallback
  9          7          1                 1
Fallback:
                         Log-and-Permit   Block   Permit
  Engine not ready:      0                0       0
  Out of resources:      0                0       0
  Timeout:               0                0       0
  Maximum content size:  1                0       0
  Too many requests:     0                0       0
  Others:                0                0       0
Meaning
The output displays the antivirus statistics for the primary logical system. A nonzero count in the Log-and-Permit or Permit column of the Fallback table (here, one request that exceeded the maximum content size) means that content was allowed through without being scanned.
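The Fallback table is the part of this output worth alerting on: every request counted under Log-and-Permit or Permit reached the client unscanned. The following script, added here as an example and not part of the Juniper documentation or software, parses the anti-virus statistics output and reports the fallback reasons that were permitted; the sample text it parses is constructed to carry the same counters as the output above.

```python
"""Parse `show security utm anti-virus statistics` output and flag content
that was permitted without being scanned.

Added example (not Juniper's code). SAMPLE_AV_STATS is constructed to carry
the same counters as the verification output on the page.
"""
import re

SAMPLE_AV_STATS = """\
UTM Anti Virus statistics:
  MIME-whitelist passed:      0
  URL-whitelist passed:       0
  Session abort:              0
Scan Request:
  Total      Clean      Threat-found      Fallback
  9          7          1                 1
Fallback:
                         Log-and-Permit   Block   Permit
  Engine not ready:      0                0       0
  Out of resources:      0                0       0
  Timeout:               0                0       0
  Maximum content size:  1                0       0
  Too many requests:     0                0       0
  Others:                0                0       0
"""

FALLBACK_COLUMNS = ("log-and-permit", "block", "permit")
SCAN_COLUMNS = ("total", "clean", "threat_found", "fallback")

# One fallback row: a label ending in ':' followed by three integer columns.
FALLBACK_ROW = re.compile(r"^([A-Za-z][A-Za-z ]*):\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_av_stats(text):
    """Return {'scan': {...}, 'fallback': {reason: {column: count}}}."""
    stats = {"scan": {}, "fallback": {}}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    in_fallback = False
    for i, ln in enumerate(lines):
        if ln.startswith("Fallback:"):
            in_fallback = True
            continue
        if not in_fallback:
            # The scan summary is a header line followed by a line of numbers.
            if ln.split() == ["Total", "Clean", "Threat-found", "Fallback"] and i + 1 < len(lines):
                nums = [int(x) for x in lines[i + 1].split()]
                stats["scan"] = dict(zip(SCAN_COLUMNS, nums))
            continue
        m = FALLBACK_ROW.match(ln)
        if m:
            counts = map(int, m.group(2, 3, 4))
            stats["fallback"][m.group(1)] = dict(zip(FALLBACK_COLUMNS, counts))
    return stats


def permitted_unscanned(stats):
    """Fallback reasons, with counts, for requests allowed through unscanned."""
    return {
        reason: row["log-and-permit"] + row["permit"]
        for reason, row in stats["fallback"].items()
        if row["log-and-permit"] + row["permit"] > 0
    }


def fallback_counts_agree(stats):
    """The Fallback column of the scan summary should equal the fallback table total."""
    table_total = sum(sum(row.values()) for row in stats["fallback"].values())
    return stats["scan"].get("fallback") == table_total


if __name__ == "__main__":
    s = parse_av_stats(SAMPLE_AV_STATS)
    for reason, n in permitted_unscanned(s).items():
        print(f"WARNING: {n} request(s) permitted unscanned: {reason}")
    print("counters consistent:", fallback_counts_agree(s))
```

On the page's numbers the script reports one request over the maximum content size that was log-and-permitted. In the sophos-engine profile the corresponding settings are fallback-options content-size (block or log-and-permit) and scan-options content-size-limit; a profile that relies on the default fallback action should be reviewed if this counter grows.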
Verifying Antispam Configuration
Purpose
Verify that the antispam feature is configured for the primary logical system.
Action
From operational mode, enter the show security utm anti-spam statistics
command to view the details of the antispam feature configured for the primary logical system.
admin@host> show security utm anti-spam statistics
UTM Anti Spam statistics:
  Total connections:         1
  Denied connections:        1
  Total greetings:           0
  Denied greetings:          0
  Total e-mail scanned:      0
  White list hit:            0
  Black list hit:            0
  Spam total:                0
  Spam tagged:               0
  Spam dropped:              0
  DNS errors:                0
  Timeout errors:            0
  Return errors:             0
  Invalid parameter errors:  0
Meaning
The output displays the antispam statistics for the primary logical system.
Verifying Content Filtering Configuration
Purpose
Verify that the content filtering feature is configured for the primary logical system.
Action
From operational mode, enter the show security utm content-filtering statistics
command to view the details of the content filtering feature configured for the primary logical system.
admin@host> show security utm content-filtering statistics
Content-filtering-statistic:        Blocked
  Base on command list:             0
  Base on mime list:                1
  Base on extension list:           0
  ActiveX plugin:                   0
  Java applet:                      0
  EXE files:                        0
  ZIP files:                        0
  HTTP cookie:                      0
Meaning
The output displays the content filtering statistics for the primary logical system.
Verifying Web Filtering Configuration
Purpose
Verify that the Web filtering feature is configured for the primary logical system.
Action
From operational mode, enter the show security utm web-filtering statistics
command to view the details of the Web filtering feature configured for the primary logical system.
admin@host> show security utm web-filtering statistics
UTM web-filtering statistics:
  Total requests:                      4
  white list hit:                      1
  Black list hit:                      1
  Custom category permit:              1
  Custom category block:               1
  Custom category quarantine:          0
  Custom category quarantine block:    0
  Custom category quarantine permit:   0
  Web-filtering sessions in total:     64000
  Web-filtering sessions in use:       0
  Fallback:              log-and-permit    block
    Default                 0                0
    Timeout                 0                0
    Connectivity            0                0
    Too-many-requests       0                0
Meaning
The output displays the Web filtering statistics for the primary logical system.
Example: Configuring Content Security for a User Logical System
This example shows how to configure the Content Security features antivirus, antispam, content filtering, and Web filtering for a user logical system. The primary administrator creates a user logical system and assigns an administrator for managing the user logical system. A user logical system can have multiple user logical system administrators.
Requirements
This example uses the following hardware and software components:
SRX Series Firewall configured with the logical systems.
Junos OS Release 18.3R1 and later releases.
Before you begin:
Understand the user logical system administrator role and functions. See Understanding User Logical Systems and the User Logical System Administrator Role.
Understand how to log in to the user logical system as an administrator. See User Logical Systems Configuration Overview.
This example shows how to configure the Content Security features for the ls-product-design user logical system. To understand how to create the ls-product-design user logical system, see Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
Overview
The primary administrator assigns the Content Security features antivirus, antispam, content filtering, and Web filtering to the user logical system. The user logical system administrator can then configure and manage the Content Security features within that user logical system. The antispam, antivirus, and Web filtering profiles configured for the ls-product-design user logical system are described in Table 2. The default profiles configured in the primary logical system remain available to every user logical system, so all user logical systems can share the same antispam, antivirus, and Web filtering features with the same profile.
Configuration Type | Configuration Description | Configuration Parameter
---|---|---
Custom objects | Configure a URL pattern (url1). | www.abc.com
Custom objects | Configure a custom URL category (cust1). | url1
Custom objects | Configure a custom message type (cust-msg1). | redirect-url, content http://www.example1.com.cn
Antispam | Configure antispam profile (as1). | spam-action block
Antivirus | Configure antivirus profile (sav1) fallback-options default. | log-and-permit
Antivirus | Configure antivirus profile (sav1) scan-options. | uri-check
Web filtering | Configure Web filtering profile (ewf1) category cust1. | action block
Web filtering | Configure Web filtering profile (ewf1) category cust1 custom-message. | cust-msg1
Web filtering | Configure Web filtering profile (ewf1) category Enhanced_Search_Engines_and_Portals. | action block
Web filtering | Specify the default action for Enhanced Web Filtering (EWF) in profiles ewf1 and ewf2. | log-and-permit
Configuration
CLI Quick Configuration
To quickly configure this example, log in to the ls-product-design user logical system as the administrator, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security utm custom-objects url-pattern url1 value www.abc.com
set security utm custom-objects custom-url-category cust1 value url1
set security utm custom-objects custom-message cust-msg1 type redirect-url content http://www.example1.com.cn
set security utm feature-profile anti-virus sophos-engine profile sav1 fallback-options default log-and-permit
set security utm feature-profile anti-virus sophos-engine profile sav1 scan-options uri-check
set security utm feature-profile web-filtering juniper-enhanced profile ewf1 category cust1 action block
set security utm feature-profile web-filtering juniper-enhanced profile ewf1 category cust1 custom-message cust-msg1
set security utm feature-profile web-filtering juniper-enhanced profile ewf1 category Enhanced_Search_Engines_and_Portals action block
set security utm feature-profile web-filtering juniper-enhanced profile ewf1 default log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile ewf2 default log-and-permit
set security utm feature-profile anti-spam sbl profile as1 spam-action block
set security utm utm-policy utm-p1 anti-virus http-profile sav1
set security utm utm-policy utm-p1 web-filtering http-profile ewf1
set security utm utm-policy utm-p1 anti-spam smtp-profile as1
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy sec_policy match source-address any
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy sec_policy match destination-address any
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy sec_policy match application any
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy sec_policy then permit application-services utm-policy utm-p1
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
Log in to the ls-product-design user logical system as the administrator and enter configuration mode.
lsdesignadmin1@host:ls-product-design> configure
lsdesignadmin1@host:ls-product-design#
Configure the custom objects for the ls-product-design user logical system.
[edit security utm custom-objects]
lsdesignadmin1@host:ls-product-design# set url-pattern url1 value www.abc.com
lsdesignadmin1@host:ls-product-design# set custom-url-category cust1 value url1
lsdesignadmin1@host:ls-product-design# set custom-message cust-msg1 type redirect-url content http://www.example1.com.cn
Configure the feature profiles for the ls-product-design user logical system. The custom-message attached to category cust1 must use the name defined under custom-objects (cust-msg1).
[edit security utm feature-profile]
lsdesignadmin1@host:ls-product-design# set anti-virus sophos-engine profile sav1 fallback-options default log-and-permit
lsdesignadmin1@host:ls-product-design# set anti-virus sophos-engine profile sav1 scan-options uri-check
lsdesignadmin1@host:ls-product-design# set web-filtering juniper-enhanced profile ewf1 category cust1 action block
lsdesignadmin1@host:ls-product-design# set web-filtering juniper-enhanced profile ewf1 category cust1 custom-message cust-msg1
lsdesignadmin1@host:ls-product-design# set web-filtering juniper-enhanced profile ewf1 category Enhanced_Search_Engines_and_Portals action block
lsdesignadmin1@host:ls-product-design# set web-filtering juniper-enhanced profile ewf1 default log-and-permit
lsdesignadmin1@host:ls-product-design# set web-filtering juniper-enhanced profile ewf2 default log-and-permit
lsdesignadmin1@host:ls-product-design# set anti-spam sbl profile as1 spam-action block
Configure the Content Security policy for the ls-product-design user logical system. The web-filtering http-profile names a configured EWF profile (ewf1), not the engine type.
[edit security utm utm-policy]
lsdesignadmin1@host:ls-product-design# set utm-p1 anti-virus http-profile sav1
lsdesignadmin1@host:ls-product-design# set utm-p1 web-filtering http-profile ewf1
lsdesignadmin1@host:ls-product-design# set utm-p1 anti-spam smtp-profile as1
Configure the security policy for the ls-product-design user logical system and attach the Content Security policy as an application service.
[edit security policies]
lsdesignadmin1@host:ls-product-design# set from-zone ls-product-design-trust to-zone ls-product-design-untrust policy sec_policy match source-address any
lsdesignadmin1@host:ls-product-design# set from-zone ls-product-design-trust to-zone ls-product-design-untrust policy sec_policy match destination-address any
lsdesignadmin1@host:ls-product-design# set from-zone ls-product-design-trust to-zone ls-product-design-untrust policy sec_policy match application any
lsdesignadmin1@host:ls-product-design# set from-zone ls-product-design-trust to-zone ls-product-design-untrust policy sec_policy then permit application-services utm-policy utm-p1
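Both examples on this page reference objects by name across hierarchies (a custom-url-category names a url-pattern, a Web filtering category names a custom-message, a UTM policy names feature profiles, a security policy names the UTM policy), and a name that does not resolve is rejected at commit time. The following script, added here as an example and not Juniper's code or tooling, lints a set-format UTM configuration for such dangling references before it is pasted into the CLI. The configuration it checks is constructed for the example and deliberately contains two mistakes of that kind: a category refers to custom-message custmsg1 while the object is defined as cust-msg1, and the UTM policy names juniper-enhanced (the engine type) where a profile name such as ewf1 belongs. The rule that category names beginning with Enhanced_ are predefined EWF categories, and the short list of predefined profiles, are assumptions of the example.

```python
"""Lint a set-format Junos UTM configuration for references to objects that
were never defined, so the mistake surfaces before commit.

Added example, not Juniper's code. CONSTRUCTED_CONFIG is constructed for
this example and contains two deliberate dangling references.
"""
from collections import defaultdict

CONSTRUCTED_CONFIG = """\
set security utm custom-objects url-pattern url1 value www.abc.com
set security utm custom-objects custom-url-category cust1 value url1
set security utm custom-objects custom-message cust-msg1 type redirect-url content http://www.example1.com.cn
set security utm feature-profile anti-virus sophos-engine profile sav1 scan-options uri-check
set security utm feature-profile web-filtering juniper-enhanced profile ewf1 category cust1 action block
set security utm feature-profile web-filtering juniper-enhanced profile ewf1 category cust1 custom-message custmsg1
set security utm feature-profile web-filtering juniper-enhanced profile ewf1 category Enhanced_Search_Engines_and_Portals action block
set security utm feature-profile web-filtering juniper-enhanced profile ewf1 default log-and-permit
set security utm feature-profile anti-spam sbl profile as1 spam-action block
set security utm utm-policy utm-p1 anti-virus http-profile sav1
set security utm utm-policy utm-p1 content-filtering http-profile junos-cf-defaults
set security utm utm-policy utm-p1 web-filtering http-profile juniper-enhanced
set security utm utm-policy utm-p1 anti-spam smtp-profile as1
set security policies from-zone trust to-zone untrust policy p1 then permit application-services utm-policy utm-p1
"""

# Profiles that exist on the device without being configured. Assumption:
# only the two used on this page are listed; the real predefined set is larger.
PREDEFINED = {
    "content-filtering": {"junos-cf-defaults"},
    "anti-spam": {"junos-as-defaults"},
}


def lint_utm(config):
    """Return one message per reference to an undefined object (empty list = clean)."""
    defined = defaultdict(set)   # object kind -> names configured
    refs = []                    # (kind, name, line that references it)
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["set", "security"]:
            continue
        if t[2:4] == ["utm", "custom-objects"]:
            # custom-objects <kind> <name> ...
            kind, name = t[4], t[5]
            defined[kind].add(name)
            if kind == "custom-url-category" and t[6:7] == ["value"]:
                refs.append(("url-pattern", t[7], line))
        elif t[2:4] == ["utm", "feature-profile"] and len(t) >= 8:
            # feature-profile <feature> <engine> profile <name> ...
            feature, profile = t[4], t[7]
            defined[feature].add(profile)
            if feature == "web-filtering" and t[8:9] == ["category"] and len(t) > 9:
                category = t[9]
                # Assumption: Enhanced_* names are predefined EWF categories.
                if not category.startswith("Enhanced_"):
                    refs.append(("custom-url-category", category, line))
                if t[10:11] == ["custom-message"] and len(t) > 11:
                    refs.append(("custom-message", t[11], line))
        elif t[2:4] == ["utm", "utm-policy"] and len(t) >= 8:
            # utm-policy <name> <feature> <protocol>-profile <profile>
            defined["utm-policy"].add(t[4])
            if t[6].endswith("-profile"):
                refs.append((t[5], t[7], line))
        elif t[2] == "policies" and "utm-policy" in t[:-1]:
            refs.append(("utm-policy", t[t.index("utm-policy") + 1], line))

    errors = []
    for kind, name, line in refs:
        if name not in defined[kind] | PREDEFINED.get(kind, set()):
            errors.append(f"{kind} '{name}' referenced but never defined: {line}")
    return errors


# The same configuration with both dangling references corrected.
CORRECTED_CONFIG = CONSTRUCTED_CONFIG.replace(
    "custom-message custmsg1", "custom-message cust-msg1"
).replace("http-profile juniper-enhanced", "http-profile ewf1")

if __name__ == "__main__":
    for err in lint_utm(CONSTRUCTED_CONFIG):
        print(err)
    print("corrected config errors:", lint_utm(CORRECTED_CONFIG))
```

Run against the constructed configuration the linter reports exactly the two bad references; run against the corrected variant it reports none. Lines it does not model, such as default-configuration, are ignored rather than flagged, so a clean result means only that the modelled references resolve.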
Results
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
lsdesignadmin1@host:ls-product-design# show security
utm {
    custom-objects {
        url-pattern {
            url1 {
                value www.abc.com;
            }
        }
        custom-url-category {
            cust1 {
                value url1;
            }
        }
        custom-message {
            cust-msg1 {
                type redirect-url;
                content http://www.example1.com.cn;
            }
        }
    }
    feature-profile {
        anti-virus {
            sophos-engine {
                profile sav1 {
                    fallback-options {
                        default log-and-permit;
                    }
                    scan-options {
                        uri-check;
                    }
                }
            }
        }
        web-filtering {
            juniper-enhanced {
                profile ewf1 {
                    category {
                        cust1 {
                            action block;
                            custom-message cust-msg1;
                        }
                        Enhanced_Search_Engines_and_Portals {
                            action block;
                        }
                    }
                    default log-and-permit;
                }
                profile ewf2 {
                    default log-and-permit;
                }
            }
        }
        anti-spam {
            sbl {
                profile as1 {
                    spam-action block;
                }
            }
        }
    }
    utm-policy utm-p1 {
        anti-virus {
            http-profile sav1;
        }
        web-filtering {
            http-profile ewf1;
        }
        anti-spam {
            smtp-profile as1;
        }
    }
}
policies {
    from-zone ls-product-design-trust to-zone ls-product-design-untrust {
        policy sec_policy {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        utm-policy utm-p1;
                    }
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying Antivirus Configuration
- Verifying Antispam Configuration
- Verifying Content Filtering Configuration
- Verifying Web Filtering Configuration
Verifying Antivirus Configuration
Purpose
Verify that the antivirus feature is configured for the ls-product-design user logical system.
Action
From operational mode, enter the show security utm anti-virus statistics
command to view the antivirus statistics information for the ls-product-design user logical system.
lsdesignadmin1@host:ls-product-design> show security utm anti-virus statistics
UTM Anti Virus statistics:
  MIME-whitelist passed:      0
  URL-whitelist passed:       0
  Session abort:              0
Scan Request:
  Total      Clean      Threat-found      Fallback
  9          7          1                 1
Fallback:
                         Log-and-Permit   Block   Permit
  Engine not ready:      0                0       0
  Out of resources:      0                0       0
  Timeout:               0                0       0
  Maximum content size:  1                0       0
  Too many requests:     0                0       0
  Others:
Meaning
The output displays the antivirus statistics information for the ls-product-design user logical system.
Verifying Antispam Configuration
Purpose
Verify that the antispam feature is configured for the ls-product-design user logical system.
Action
From operational mode, enter the show security utm anti-spam statistics
command to view the antispam statistics information for the ls-product-design user logical system.
lsdesignadmin1@host:ls-product-design> show security utm anti-spam statistics
UTM Anti Spam statistics:
  Total connections:         1
  Denied connections:        1
  Total greetings:           0
  Denied greetings:          0
  Total e-mail scanned:      0
  White list hit:            0
  Black list hit:            0
  Spam total:                0
  Spam tagged:               0
  Spam dropped:              0
  DNS errors:                0
  Timeout errors:            0
  Return errors:             0
  Invalid parameter errors:  0
Meaning
The output displays the antispam statistics information for the ls-product-design user logical system.
Verifying Content Filtering Configuration
Purpose
Verify that the content filtering feature is configured for the ls-product-design user logical system.
Action
From operational mode, enter the show security utm content-filtering statistics
command to view the content filtering statistics information for the ls-product-design user logical system.
lsdesignadmin1@host:ls-product-design> show security utm content-filtering statistics
Content-filtering-statistic:        Blocked
  Base on command list:             0
  Base on mime list:                1
  Base on extension list:           0
  ActiveX plugin:                   0
  Java applet:                      0
  EXE files:                        0
  ZIP files:                        0
  HTTP cookie:                      0
Meaning
The output displays the content filtering statistics information for the ls-product-design user logical system.
Verifying Web Filtering Configuration
Purpose
Verify that the Web filtering feature is configured for the ls-product-design user logical system.
Action
From operational mode, enter the show security utm web-filtering statistics
command to view the Web filtering statistics information for the ls-product-design user logical system.
lsdesignadmin1@host:ls-product-design> show security utm web-filtering statistics
UTM web-filtering statistics:
  Total requests:                      4
  white list hit:                      1
  Black list hit:                      1
  Custom category permit:              1
  Custom category block:               1
  Custom category quarantine:          0
  Custom category quarantine block:    0
  Custom category quarantine permit:   0
  Web-filtering sessions in total:     64000
  Web-filtering sessions in use:       0
  Fallback:              log-and-permit    block
    Default                 0                0
    Timeout                 0                0
    Connectivity            0                0
    Too-many-requests       0                0
Meaning
The output displays the Web filtering statistics information for the ls-product-design user logical system.