Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Content Filtering

Content Filtering provides basic data loss prevention functionality. Content filtering filters traffic is based on MIME type, file extension, and protocol commands. You can also use the content filter module to block ActiveX, Java Applets, and other types of content. Content filtering does not require a separate license. For more information, see the following topics:

Content Filtering Overview

Content Filtering Based on File Type

Previously, content filtering was performed to block or permit certain types of traffic based on the MIME type, file extension, and protocol command. The content filter controls file transfers across the gateway by checking traffic against configured filter lists. This type of evaluation based on file type is supported only on Junos OS Releases prior to Junos OS Release 21.4R1.

Starting in Junos OS Release 21.4R1, content evaluation is done based of the file content. The file type-based evaluation of content is deprecated and the related configurations are hidden.

You can use the legacy functionality if you do not want to migrate to enhanced content filtering functionality. You will be allowed to use the legacy configurations, but all the legacy configuration knobs are deprecated and hidden. Also, you will receive system logs and error message warnings when you use the legacy configuration options.

In this type of evaluation the content filter module evaluates the traffic before all other Content Security modules, except Web Filtering. Therefore, if traffic meets criteria configured in the content-filter, the content-filter acts first upon this traffic.

You can configure the following types of content filters:

  • MIME Pattern Filter — MIME patterns are used to identify the type of traffic in HTTP and MAIL protocols. There are two lists of MIME patterns that are used by the content filter to determine the action to be taken. The block MIME list contains a list of MIME type traffic that is to be blocked by the content filter. The MIME exception list contains MIME patterns that are not to be blocked by the content filter and are generally subsets of items on the blocklist. Note that the exception list has a higher priority than the blocklist. If you have MIME entries that appear on both lists, those MIME types are not blocked by the content filter because the exception list takes priority. Therefore, when adding items to the exception list, it is to your advantage to be specific.

  • Block Extension List — Because the name of a file is available during file transfers, using file extensions is a highly practical way to block or allow file transfers. The content filter list contains a list of file extensions to be blocked. All protocols support the use of the block extension list.

  • Protocol Command Block and Permit Lists — Different protocols use different commands to communicate between servers and clients. By blocking or allowing certain commands, traffic can be controlled on the protocol command level.

    The block and permit command lists are intended to be used in combination, with the permit list acting as an exception list to the blocklist.

    If a protocol command appears on the both the permit list and the blocklist, that command is permitted.

    Starting with Junos OS Release 15.1X49-D100, IPv6 pass-through traffic for HTTP, FTP, SMTP, POP3, IMAP protocols is supported for Web filtering and Content filtering security features of Content Security.

Because not all harmful files or components can be controlled by the MIME type or by the file extension, you can also use the content filter module to block ActiveX, Java Applets, and other types of content. The following types of content blocking are supported only for HTTP:

  • Block ActiveX

  • Block Java applets

  • Block cookies

  • Block EXE files

  • Block ZIP files

Content Filtering Based on File Content

Content filtering was previously performed based on file type, mime-type, content-type, and protocol command. File detection using the MIME type, protocol command filters, or by file extension filters is not reliable always.The easiest way to identify a file type is by file name extensions, but it is not authentic as any extension can be given to any kind of file.

Starting in Junos OS Release 21.4R1, Content Security performs content filtering to determine the file type based on the file content and not based on the file extensions. The file content is first analyzed to accurately determine the file type. This feature complements application identification (App ID) and allows you to configure the firewall for identifying and controlling access to Web (HTTP and HTTPS) traffic and to protect your network from attacks. When the final application match is confirmed by App ID, the matching Content Security policy is considered for content filtering.

Content Filtering Based on File Content

Content filtering based on file content is performed as follows:

  • File identification: For every file type, there are rules defined to examine the content and determine the file type. Content Security process uses the file content and matches it against the rules defined to determine the file type.

  • Define content filtering rules for traffic direction: The Content Security process reads configuration from CLI, parses and interprets rule-sets and rules. You can define the content filtering rules and enforce the rules to direct the traffic.

    Rule-set and rules configurations are added under the [edit security utm utm-policy <utm-policy-name> content-filtering] hierarchy level.

    You can configure connection reset option in the content filter rule. When the content listed within the rule is detected, protocol handlers perform TCP connection reset with the client and server exactly as configured in the policy.

    Note:

    Content filtering options based on mime-type, content-type, and protocol command is not supported. After you upgrade to Junos OS Release 21.4R1, previously existing file extension based content filtering options under the [edit security utm utm-policy <utm-policy-name> content-filtering] and [edt security utm feature-profile content-filtering profile <profile-name>hierarchies are not supported.

  • Use the rules and rules sets defined for content filtering: You can use the rules and rule sets defined above from the [edit security utm default-configuration content-filtering hierarchy. These rules and rule-set allows you to configure direction specific content filters and connection reset.
  • Content Security policy selection for content filtering: Once final application match is confirmed by APP ID, the matching potential Content Security policy in which content filtering rules are defined is chosen for processing.

    For every Content Security policy, a chain is created with list of rule-set nodes and all rules configured under a rule-set are added to a list and then attached to the respective rule-set node.

    After all checks are passed, a unique ID is allocated for each rule-set and rule configured to preserve and organize respective information in the local memory. This storage in the local memory is required to track the configuration changes you make and to synchronize the updates.

  • Verification: Use the following commands to view the content-filtering system statistics and errors.

    • To display content filtering statistics in a policy within root-logical-system use the show security utm content-filtering statistics utm policy <utm policy name> and show security utm content-filtering statistics root-logical-system utm-policy <utm policy name> commands.

    • To display content filtering statistics in a policy within a specified logical system use the show security utm content-filtering statistics logical-system <logical-system-name> utm-policy <utm policy name> command.

If you migrate to this new feature and if there are legacy options in your configurations, then you will receive the following error messages and commit will fail.

Deprecated features can't go together with enhanced content filtering (rule-set/rule)\n");Remove configuration marked as deprecated to get ahead (For details: show security utm)\n")

You can use legacy content filtering functionality if you don’t want to migrate to the enhanced content filtering feature. The legacy configuration options are deprecated and are hidden. You will receive the following error message when you use the deprecated legacy options.

ERRMSG (“The config \'%s\' is deprecated”, “security utm utm-policy <> content-filtering http-profile")

Benefits

  • Provides safe web access and protects your network from attacks using accurately detected file-types in the content filtering rules.

  • Controls the traffic that traverses your network and enforces content filtering rules based on traffic direction.

  • Improved log messages to include user and source identity, session ID, and packet direction information.

Starting in Junos OS Release 22.4R1, Content Security content filtering module is integrated with the JDPI parser and the JDPI contexts are used to invoke the content filtering functionalities.

Content Security content filtering packet and stream plug-ins are added to handle plain traffic.

While taking actions for mail protocols, TCP proxy dependency is removed. notify-mail-sender CLI configuration support is removed for mail protocols.

Understanding Content Filtering Protocol Support

Each supported protocol may implement available content filters differently. Not all filtering capabilities are supported for each protocol. This topic contains the following sections:

HTTP Support

The HTTP protocol supports all content filtering features. With HTTP, the content filter remains in the gateway, checking every request and response between the HTTP client and server.

If an HTTP request is dropped due to content filtering, the client receives a response such as:

Therefore, a message may appear as follows:

FTP Support

The FTP protocol does not support all content filtering features. It supports only the following: Block Extension List and Protocol Command Block List.

When content filtering blocks an FTP request, the following response is sent through the control channel:

Therefore, a message may appear as follows:

E-Mail Support

E-mail protocols (SMTP, IMAP, POP3) have limited content filtering support for the following features: Block Extension List, Protocol Command Block List, and MIME Pattern Filtering. Support is limited for e-mail protocols for the following reasons:

  • The content filter scans only one level of an e-mail header. Therefore recursive e-mail headers and encrypted attachments are not scanned.

  • If an entire e-mail is MIME encoded, the content filter can only scan for the MIME type.

  • If any part of an e-mail is blocked due to content filtering, the original e-mail is dropped and replaced by a text file with an explanation for why the e-mail was blocked.

Starting from Junos OS Release 19.4R1, the antivirus and content filtering feature supports implicit and explicit SMTPS, IMAPS, and POP3S protocol, and supports only explicit passive mode FTPS.

Implicit mode—Connect to SSL/TLS encrypted port using secure channel.

Explicit mode—First connect to unsecured channel, then secure the communication by issuing STARTTLS command. For POP3S, use STLS command.

Specifying Content Filtering Protocols (CLI Procedure)

To configure content filtering protocols, use the following CLI configuration statements:

Content Filtering Configuration Overview

A content security filter blocks or allows certain type of traffic base on the mime type, file extension, protocol commands and embedded object type. The content filter controls file transfers across the gateway by checking traffic against configured filter lists. The content filtering module evaluates traffic before all other Content Security modules, if traffic meets the criteria configured in the content filter, the content filter acts first upon this traffic. The following procedure lists the recommended order in which you should configure content filters:

  1. Configure Content Security custom objects for the feature. See Example: Configuring Content Filtering Custom Objects.
  2. Configure the main feature parameters using feature profiles. See Example: Configuring Content Filtering Feature Profiles .
  3. Configure a Content Security policy for each protocol and attach this policy to a profile. See Example: Configuring Content Filtering Content Security Policies.
  4. Attach the Content Security policy to a security policy. See Example: Attaching Content Filtering Content Security Policies to Security Policies.

Example: Configuring Content Filtering Custom Objects

This example shows how to configure content filtering custom objects.

Requirements

Before you begin:

  1. Decide on the type of content filter you require. See Content Filtering Overview.

  2. Understand the order in which content filtering parameters are configured. See Content Filtering Configuration Overview.

Overview

In this example, you define custom objects that are used to create content filtering profiles. You perform the following tasks to define custom objects:

  1. Create two protocol command lists called ftpprotocom1 and ftpprotocom2, and add user, pass, port, and type commands to it.

  2. Create a filename extension list called extlist2, and add the .zip, .js, and .vbs extensions to it.

  3. Define block-mime list call cfmime1 and add patterns to the list.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure content filtering custom objects:

  1. Create two protocol command lists.

  2. Add protocol commands to the list.

  3. Create a filename extension list.

  4. Add extensions to the list.

  5. Create antivirus scanning lists.

  6. Add patterns to the lists.

Results

From configuration mode, confirm your configuration by entering the show security utm command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Content Filtering Custom Objects

Purpose

Verify the content filtering custom objects.

Action

From operational mode, enter the show configuration security utm command.

Example: Configuring Content Filtering Content Security Policies

This example describes how to create a content filtering Content Security policy to attach to your feature profile.

Requirements

Before you begin:

  1. Decide on the type of content filter you require. See Content Filtering Overview.

  2. Configure Content Security custom objects for each feature and define the content-filtering profile. See Content Filtering Configuration Overview.

Overview

You configure Content Security policies to selectively enforce various Content Security solutions on network traffic passing through a Content Security enabled device. Through feature profiles you associate custom objects to these policies and specify blocking or permitting certain types of traffic.

In this example, you configure a Content Security policy called utmp4, and then assign the preconfigured feature profile confilter1 to this policy.

Configuration

Procedure

Step-by-Step Procedure

To configure a content filtering Content Security policy:

You can configure different protocol applications in the Content Security policy. The example only shows HTTP and not other protocols. Earlier you configured custom objects for FTP (ftpprotocom1 and ftpprotocom2). Next you should add a content filter policy for FTP, for example:

set security utm utm-policy utmp4 content-filtering ftp upload-profile confilter1

set security utm utm-policy utmp4 content-filtering ftp download-profile confilter1

  1. Create a Content Security policy.

  2. Attach the Content Security policy to the profile.

  3. If you are done configuring the device, commit the configuration.

Verification

Verify the Security Content Security Configuration

Purpose

To verify the security Content Security configuration is working properly.

Action

From the operational mode, enter the show security utm command.

Example: Attaching Content Filtering Content Security Policies to Security Policies

This example shows how to create a security policy and attach the Content Security policy to the security policy.

Requirements

Before you begin:

  1. Configure Content Security custom objects, define the content filtering profile, and create a Content Security policy. See Content Filtering Configuration Overview.

  2. Enable and configure a security policy. See Example: Configuring a Security Policy to Permit or Deny All Traffic.

Overview

By attaching content filtering Content Security policies to security policies, you can filter traffic transiting from one security zone to another.

In this example, you create a security policy called p4 and specify that traffic from any source address to any destination address with an HTTP application matches the criteria. You then assign a Content Security policy called utmp4 to the security policy p4. This Content Security policy applies to any traffic that matches the criteria specified in the security policy p4.

Configuration

Procedure

CLI Quick Configuration

To quickly attach a content filtering Content Security policy to a security policy, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To attach a Content Security policy to a security policy:

  1. Create a security policy.

  2. Specify the match conditions for the policy.

  3. Attach the Content Security policy to the security policy.

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Attaching Content Filtering Content Security Policies to Security Policies

Purpose

Verify the attachment of the content filtering Content Security policy to the security policy.

Action

From operational mode, enter the show security policy command.

Monitoring Content Filtering Configurations

Purpose

View content filtering statistics.

Action

To view content filtering statistics in the CLI, enter the user@host > show security utm content-filtering statistics command.

The content filtering show statistics command displays the following information:

To view content filtering statistics using J-Web:

  1. Select Clear Content filtering statisticsMonitor>Security>UTM>Content FilteringMonitor>Security>UTM>Content Filtering.

    The following statistics become viewable in the right pane.

  2. You can click Clear Content filtering statistics to clear all current viewable statistics and begin collecting new statistics.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
15.1X49-D100
Starting with Junos OS Release 15.1X49-D100, IPv6 pass-through traffic for HTTP, FTP, SMTP, POP3, IMAP protocols is supported for Web filtering and Content filtering security features of Content Security.