Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Enhanced Web Filtering

Web Filtering provides URL filtering capability by using either a local Websense server or Internet-based SurfControl server. For more information, see the following topics:

Enhanced Web Filtering Overview

Enhanced Web Filtering (EWF) with Websense is an integrated URL filtering solution. When you enable the solution on the device, it intercepts the HTTP and the HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC). The TSC categorizes the URL into one of the 95 or more categories that are predefined and also provides site reputation information. The TSC further returns the URL category and the site reputation information to the device. The device determines if it can permit or block the request based on the information provided by the TSC.

Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, EWF supports HTTPS traffic by intercepting HTTPS traffic passing through the SRX Series Firewall. The security channel from the device is divided as one SSL channel between the client and the device and another SSL channel between the device and the HTTPS server. SSL forward proxy acts as the terminal for both channels and forwards the cleartext traffic to the Content Security. Content Security extracts the URL from the HTTP request message.

Starting in Junos OS Release 22.2R1, the web filtering uses JDPI-Decoder support for processing the application data. You must enable the JDPI-Decoder to enforce the web filtering functionality.

You can consider the EWF solution as the next-generation URL filtering solution, building upon the existing Surf-Control solution.

Enhanced Web Filtering supports the following HTTP methods:

  • GET

  • POST

  • OPTIONS

  • HEAD

  • PUT

  • DELETE

  • TRACE

  • CONNECT

User Messages and Redirect URLs for Enhanced Web Filtering (EWF)

Starting with Junos OS Release 15.1X49-D110, a new option, custom-message, is added for the custom-objects command that enables you to configure user messages and redirect URLs to notify users when a URL is blocked or quarantined for each EWF category. The custom-message option has the following mandatory attributes:

  • Name: Name of the custom message; maximum length is 59 bytes.

  • Type: Type of custom message: user-message or redirect-url.

  • Content: Content of the custom message; maximum length is 1024 bytes.

You configure a user message or redirect URL as a custom object and assign the custom object to an EWF category.

  • User messages indicate that website access has been blocked by an organization's access policy. To configure a user message, include the type user-message content message-text statement at the [edit security utm custom-objects custom-message message] hierarchy level.

  • Redirect URLs redirect a blocked or quarantined URL to a user-defined URL. To configure a redirect URL, include the type redirect-url content redirect-url statement at the [edit security utm custom-objects custom-message message] hierarchy level.

The custom-message option provides the following benefits:

  • You can configure a separate custom message or redirect URL for each EWF category.

  • The custom-message option allows you to fine-tune messages to support your polices to know which URL is blocked or quarantined.

    Only one custom-message configuration option is applied for each category. The custom-message configuration is supported only on Enhanced Web Filtering (EWF). Therefore, only the Juniper EWF engine type is supported.

Starting with Junos OS Release 17.4R1, support for custom category configuration is available for local and Websense redirect profiles.

See Also

Understanding the Enhanced Web Filtering Process

Web filtering enables you to manage Internet access, preventing access to inappropriate Web content. The Enhanced Web Filtering (EWF) feature intercepts, scans, and acts upon HTTP or HTTPS traffic in the following way:

  1. The device creates TCP socket connections to the Websense ThreatSeeker Cloud (TSC).

  2. The device intercepts an HTTP or an HTTPS connection and extracts URL or hostname or IP address to perform Web filtering. For an HTTPS connection, EWF is supported through SSL forward proxy.

    Starting with Junos OS Release 12.3X48-D25 and Junos OS Release 17.3R1, Enhanced Web Filtering (EWF) over SSL forward proxy supports HTTPS traffic.

  3. The device looks for the URL in the user-configured blocklist or allowlist.

    A blocklist or a allowlist action type is a user-defined category in which all the URLs or IP addresses are always blocked or permitted and optionally logged.

    • If the URL is in the user-configured blocklist, the device blocks the URL.

    • If the URL is in the user-configured allowlist, the device permits the URL.

  4. The device checks the user-defined categories and blocks or permits the URL based on the user-specified action for the category.

  5. The device looks for predefiend category in local cache or from cloud service.

    • If the URL is not available in the URL filtering cache, the device sends the URL in HTTP format to the TSC with a request for categorization. The device uses one of the connections made available to the TSC to send the request.

    • The TSC responds to the device with the categorization and a reputation score.

  6. The device performs the following actions based on the identified category:

    • If the URL is permitted, the device forwards the HTTP request to the HTTP server.

    • If the URL is blocked, the device sends a deny page to the HTTP client and also sends a reset message to the HTTP server to close the connection

    • If the URL is quarantined, the device sends a quarantine page with set-cookie to the HTTP client. If the client decided to continue, the device permits new request with cookie.

    • If the category is configured and the category action is available, the device permits or blocks the URL based on the category action.

    • If the category is not configured, the device permits or blocks the URL based on the global reputation action.

    • If the global reputation is not configured, the device permits or blocks the URL based on the default action configured in the Web filtering profile.

    By default, the EWF processes a URL in the order of blocklist, allowlist, custom category, and then predefined category.

Functional Requirements for Enhanced Web Filtering

The following items are required to use Enhanced Web Filtering (EWF):

  • License key— You need to install a new license to upgrade to the EWF solution.

    You can ignore the warning message "requires 'wf_key_websense_ewf' license” because it is generated by routine EWF license validation check.

    A grace period of 30 days, consistent with other Content Security features, is provided for the EWF feature after the license key expires.

    This feature requires a license. Please refer to the Licensing Guide for general information about License Management. Please refer to the product Data Sheets at SRX Series Firewalls for details, or contact your Juniper Account Team or Juniper Partner.

    When the grace period for the EWF feature has passed (or if the feature has not been installed), Web filtering is disabled, all HTTP requests bypass Web filtering, and any connections to the TSC are disabled. When you install a valid license, the connections to the server are established again.

  • The debug command provides the following information to each TCP connection available on the device:

    • Number of processed requests

    • Number of pending requests

    • Number of errors (dropped or timed-out requests)

  • TCP connection between a Web client and a webserver—An application identification (APPID) module is used to identify an HTTP connection. The EWF solution identifies an HTTP connection after the device receives the first SYN packet. If an HTTP request has to be blocked, EWF sends a block message from the device to the Web client. EWF further sends a TCP FIN request to the client and a TCP reset (RST) to the server to disable the connection. The device sends all the messages through the flow session. The messages follow the entire service chain.

  • HTTP request interception—EWF intercepts the first HTTP request on the device and performs URL filtering on all methods defined in HTTP 1.0 and HTTP 1.1. The device holds the original request while waiting for a response from the TSC. If the first packet in the HTTP URL is fragmented or if the device cannot extract the URL for some reason, then the destination IP address is used for the categorization. If you turn on http-reassemble, EWF can recover the whole request from fragment and get URL.

    For HTTP 1.1 persistent connections, the subsequent requests on that session are ignored by the EWF module.

    If the device holds the original request for a long time, then the client will retransmit the request. The URL filtering code will detect the retransmitted packets. If the original HTTP request has already been forwarded, then EWF forwards the retransmitted packet to the server. However, if EWF is in the middle of first-packet processing or makes the calculation to block the session, then the solution drops the retransmitted packet. A counter tracks the number of retransmitted packets received by the device.

    If the TSC does not respond in time to the categorization request from the device, then the original client request is blocked or permitted according to the timeout fallback setting.

  • HTTPS request interception—Starting with Junos OS 15.1X49-D40 and Junos OS Release 17.3R1, EWF intercepts HTTPS traffic passing through the SRX Series Firewall. The security channel from the device is divided as one SSL channel between the client and the device and another SSL channel between the device and the HTTPS server. SSL forward proxy acts as the terminal for both channels and forwards the cleartext traffic to the Content Security. Content Security extracts the URL from the HTTP request message.

  • Blocking message—The blocking message sent to the Web client is user-configurable and is of the following types:

    • The Juniper Networks blocking message is the default message defined in the device that can be modified by the user. The default blocking message contains the reason why the request is blocked and the category name (if it is blocked because of a category).

    • Syslog message.

    For example, if you have set the action for Enhanced_Search_Engines_and_Portals to block, and you try to access www.example.com, the blocking message is of the following form: Juniper Web Filtering:Juniper Web Filtering has been set to block this site. CATEGORY: Enhanced_Search_Engines_and_Portals REASON: BY_PRE_DEFINED . However, the corresponding syslog message on the device under test (DUT) is: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 56.56.56.2(59418)->74.125.224.48(80) CATEGORY="Enhanced_Search_Engines_and_Portals" REASON="by predefined category" PROFILE="web-ewf" URL=www.example.com OBJ=/ .

  • Monitoring the Websense server—The URL filtering module uses two methods to determine if the TSC is active: socket connections and heartbeat. EWF maintains persistent TCP sockets to the TSC. The server responds with a TCP ACK if it is enabled. EWF sends an application layer NOOP keepalive to the TSC. If the device does not receive responses to three consecutive NOOP keepalives in a specific period, it determines the socket to be inactive. The EWF module attempts to open a new connection to the TSC. If all sockets are inactive, the TSC is considered to be inactive. Therefore an error occurs. The error is displayed and logged. Subsequent requests and pending requests are either blocked or passed according to the server connectivity fallback setting until new connections to the TSC are opened again.

  • HTTP protocol communication with the TSC—EWF uses the HTTP 1.1 protocol to communicate with the TSC. This ensures a persistent connection and transmission of multiple HTTP requests through the same connection. A single HTTP request or response is used for client or server communication. The TSC can handle queued requests; for optimal performance, an asynchronous request or response mechanism is used. The requests are sent over TCP, so TCP retransmission is used to ensure request or response delivery. TCP also ensures that valid in-order, non-retransmitted HTTP stream data is sent to the HTTP client on the device.

  • Responses—The responses adhere to the basic HTTP conventions. Successful responses include a 20x response code (typically 200). An error response includes a 4xx or 5xx code. Error responses in the 4xx series indicate issues in the custom code. Error responses in the 5xx series indicate issues with the service.

    Error codes and meanings are as follows:

    • 400–Bad request

    • 403–Forbidden

    • 404–Not found

    • 408–Request canceled or null response

    • 500–Internal server error

    Errors in the 400 series indicate issues with the request. Errors in the 500 series indicate issues with the TSC service. Websense is notified of these errors automatically and responds accordingly.

    You can configure the default fallback setting to determine whether to pass or block the request: set security utm feature-profile web-filtering juniper-enhanced profile juniper-enhanced fallback-settings default ?

    The response also contains the site categorization and site reputation information.

  • Categories—A category list is available on the device. This list consists of categories, each containing a category code, a name, and a parent ID. Categories can also be user-defined. Each category consists of a list of URLs or IP addresses. Categories are not updated dynamically and are tied to the Junos OS release because they have to be compiled into the Junos OS image. Any update in categories needs to be synchronized with the Junos OS release cycle.

    Starting with Junos OS Release 17.4R1, you can download and dynamically load new EWF categories. The downloading and dynamic loading of the new EWF categories do not require a software upgrade. Websense occasionally releases new EWF categories. EWF classifies websites into categories according to host, URL, or IP address and performs filtering based on the categories.

    If the category file transfer fails between the primary and secondary devices, then the file transfer results in an upgrading error and an error log is generated.

    During new category file installation, if the category filename is changed, then the new category file overwrites the old category file in the internal system and all related output information is replaced with the new category name.

    Starting with Junos OS Release 17.4R1, predefined base filters, defined in a category file, are supported for individual EWF categories. Each EWF category has a default action in a base filter, which is attached to the user profile to act as a backup filter. If the categories are not configured in the user profile, then the base filter takes the action.

    A base filter is an object that contains a category-action pair for all categories defined in the category file. A base filter is a structured object, and is defined with the help of a filter name and an array of category-action pairs.

    The following is an example of a base filter with an array of category-action pairs. For the Enhanced_Adult_Material category, the action is block; for the Enhanced_Blog_Posting category, the action is permit; and so on.

    EWF supports up to 16 base filters. Junos OS Release 17.4R1 also supports online upgradation of base filters.

    If the user profile has the same name as the base filter, then the Web filter uses the wrong profile.

  • Caching—Successfully categorized responses are cached on the device. Uncategorized URLs are not cached. The size of the cache can be configured by the user.

  • Safe search (HTTP support only, not HTTPS)—A safe-search solution is used to ensure that the embedded objects, such as images on the URLs received from the search engines, are safe and that no undesirable content is returned to the client.

    A URL is provided to the TSC to provide categorization information. If it is a search URL, the TSC also returns a safe-search string. For instance, the safe-search string is safe=active. This safe-search string is appended to the URL, and a redirect response for redirecting the client's query with safe search is turned on. This ensures that no unsafe content is returned to the client. If the TSC indicates that it needs to be safe-searched, then you can perform the safe-search redirect.

    For example, the client makes a request to the URL https://www.google.com/search?q=test, which is permitted by EWF profile. On packet mode, the EWF on the DUT will generate a HTTP 302 response, with the redirect URL: https://www.google.com/search?q=test&safe=active. This response returns to the client. The client now sends out a safe redirect request to this URL. On stream mode, the EWF on the DUT rewrites the URL to https://www.google.com/search?q=test&safe=active and forwards it.

    Note:

    Safe-search redirect supports HTTP only. You cannot extract the URL for HTTPS. Therefore it is not possible to generate a redirect response for HTTPS search URLs. Safe-search redirects can be disabled by using the CLI option no-safe-search.

  • Site reputation—The TSC provides site reputation information. Based on these reputations, you can choose a block or a permit action. If the URL is not handled by a allowlist or a blocklist and does not fall in a user or predefined category, then the reputation can be used to perform a URL filtering decision.

    Starting with Junos OS Release 17.4R1, the reputation base scores are configurable. Users can apply global reputation values, provided by the Websense ThreatSeeker Cloud (TSC). For the non-category URLs, the global reputation value is used to perform filtering,

    The reputation scores are as follows:

    • 100-90–Site is considered very safe.

    • 80-89–Site is considered moderately safe.

    • 70-79–Site is considered fairly safe.

    • 60-69–Site is considered suspicious.

    • 0-59–Site is considered harmful.

    The device maintains a log for URLs that are blocked or permitted based on site reputation scores.

  • Profiles—A URL filtering profile is defined as a list of categories, with each profile having an action type (permit, log-and-permit, block, quarantine) associated with it. A predefined profile, junos-wf-enhanced-default, is provided to users if they choose not to define their own profile.

    You can also define an action based on site reputations in a profile to specify the action when the incoming URL does not belong to any of the categories defined in the profile. If you do not configure the site reputation handling information, then you can define a default action. All URLs that do not have a defined category or defined reputation action in their profile will be blocked, permitted, logged-and-permitted, or quarantined depending on the block or permit handling for the default action explicitly defined in the profile. If you do not specify a default action, then the URLs will be permitted. For search engine requests, if there is no explicit user-defined configuration, and the URL request is without the safe-search option, then EWF generates a redirect response and sends it to the client. The client will generate a new search request with the safe-search option enabled.

    A URL filtering profile can contain the following items:

    • Multiple user-defined and predefined categories, each with a permit or block action

    • Multiple site reputation handling categories, each with a permit or block action

    • One default action with a permit or block action

    The order of search is blocklist, allowlist, user-defined category, predefined category, safe-search, site reputation, and default action.

Cache Preload for Enhanced Web Filtering

Starting in Junos OS Release 23.2R1, cache is loaded with the top-rated, frequently visited URL list along with the classification information at the system startup stage. This is useful for users with a slow internet connection who experience high latency while accessing the Web due to the remote categorization service. It ensures that there is no lag even when the first request is made as the Web filter policy decision is based on the URL category information that is preloaded in the cache.

Cache is not enabled by default. Ensure that caching is enabled to use this feature. The following configurations are required to enable caching for Enhanced Web Filtering (EWF) and they are available in SRX Series Firewalls.

  • security utm default-configuration web-filtering juniper-enhanced cache timeout

  • security utm default-configuration web-filtering juniper-enhanced cache size

Use the following CLI configuration statement options for the Cache Preload for Enhanced Web Filtering:

Table 1: Options
feed-url

Used to download an alternate file instead of the default hard-coded file. It is not mandatory. Hard-coded defaults are used if it is not set.

Default feed URL: https://update.juniper-updates.net/EWF-CACHE-PRELOAD/

One of the following defaults are used based on the feed type:

https://update.juniper-updates.net/EWF-CACHE-PRELOAD/abs_urls_feed.tgz

https://update.juniper-updates.net/EWF-CACHE-PRELOAD/server_names_feed.tgz

automatic Used to set download and preload cache automatically without user interaction.
automatic interval <time-in-hours>

Used to schedule automatic cache preload. It is mandatory if the automatic option is specified.
automatic retry <time-in-hours>

Used to schedule retry if automatic cache preload fails for some reason. It is mandatory if the automatic option is specified.
automatic feed-type <abs-urls-feed or server-names-feed>

Used to specify feed type to use by auto download and preload functions. It is mandatory if the automatic option is specified.
Note:

You can limit the maximum number of entries in the cache using the following command:

set security utm default-configuration web-filtering juniper-enhanced cache size ?

Possible completions:

<size> Juniper enhanced cache size (0..4096 kilobytes)

New operational commands are available from the CLI for the Enhanced Web Filtering Cache Preload feature.

You can use the operational commands to download the URL feed of your choice from the remote server. The Feed-URL option is useful for downloading an alternate file instead of the default hard coded file. Even with the Feed-URL option, server-names-feed option and abs-urls-feed option are required to indicate the type of feed that is available in the package you have specified.

  • request security utm web-filtering cache-preload download abs-urls-feed

  • request security utm web-filtering cache-preload download server-names-feed

  • request security utm web-filtering cache-preload download server-names-feed feed-url https://update.juniper-updates.net/EWF-CACHE-PRELOAD/server_names_fp_feed.tgz

  • request security utm web-filtering cache-preload download abs-urls-feed feed-url https://update.juniper-updates.net/EWF-CACHE-PRELOAD/abs_urls_fp_feed.tgz

Note:

The user specified package of type server-names-feed must contain the server_names_feed.csv and server_names_feed.ver files.

The user specified package of type abs-urls-feed must contain the abs_urls_feed.csv and abs_urls_feed.ver files.

The following are the hard coded links. The program chooses a link based on the feed-type.

https://update.juniper-updates.net/EWF-CACHE-PRELOAD/abs_urls_feed.tgz

https://update.juniper-updates.net/EWF-CACHE-PRELOAD/server_names_feed.tgz

Use the following operational commands to trigger the cache preloading using the existing URL feed within the system. These commands load the cache if the package was already installed using the commands for downloading. Use server-names-feed option to preload categorized server names. Use abs-urls-feed to preload categorized URL feed.

  • request security utm web-filtering cache-preload load-active-local server-names-feed

  • request security utm web-filtering cache-preload load-active-local abs-urls-feed

Use the following to download, install the default URL feed from remote server, and also load the cache. Use server-names-feed option to download categorized server names. Use abs-urls-feed to download categorized URL feed.

  • request security utm web-filtering cache-preload load-active server-names-feed

  • request security utm web-filtering cache-preload load-active abs-urls-feed

To check the status of the cache preload function, use the following command:

User Messages and Redirect URLs for Enhanced Web Filtering (EWF)

Starting with Junos OS Release 15.1X49-D110, a new option, custom-message, is added for the custom-objects statement that enables you to configure user messages and redirect URLs to notify users when a URL is blocked or quarantined for each EWF category. The custom-message option has the following mandatory attributes:

  • Name: Name of the custom message; maximum length is 59 ASCII characters.

  • Type: Type of custom message: user-message or redirect-url.

  • Content: Content of the custom message; maximum length is 1024 ASCII characters.

You configure a user message or redirect URL as a custom object and assign the custom object to an EWF category.

  • User messages indicate that website access has been blocked by an organization's access policy. To configure a user message, include the type user-message content message-text statement at the [edit security utm custom-objects custom-message message] hierarchy level.

  • Redirect URLs redirect a blocked or quarantined URL to a user-defined URL. To configure a redirect URL, include the type redirect-url content redirect-url statement at the [edit security utm custom-objects custom-message message] hierarchy level.

The custom-message option provides the following benefits:

  • You can configure a separate custom message or redirect URL for each EWF category.

  • The custom-message option allows you to fine-tune messages to support your polices to know which URL is blocked or quarantined.

    Only one custom-message configuration option is applied for each category. The custom-message configuration is supported only on Enhanced Web Filtering (EWF). Therefore, only the Juniper EWF engine type is supported.

Starting with Junos OS Release 17.4R1, support for custom category configuration is available for local and Websense redirect profiles.

Intelligent Web Filtering Profile Selection

Starting in Junos OS Release 23.2R1, dynamic app information from JDPI is used to retrieve policy information before the final policy match is done. The Web Filter profile is updated again after the final policy selection based on the final application match.

The Content Security profile that is retrieved based on the dynamic app information is more accurate than applying the default profile, which was the earlier approach.

The dynamic app-based policy detection is now the default behavior. The following knob is added in the Web Filtering default configuration hierarchy to disable the dynamic app profile detection feature if required.

set security utm default-configuration web-filtering disable-dynapp-profile-selection

To make one of the Content Security policy as default, the following command is introduced:

set security utm default-policy <pol_name>

You can choose any Content Security policy as the default policy by using this command. If the default policy is configured in a unified multi-policy configuration scenario, the default Content Security Web Filtering policy is used. If it is not configured, junos-default-utm-policy is used as the default policy.

Note:

The default policy changes apply only to Web Filtering and not to Content Filtering, Antivirus, or Antispam.

The following CLI command is used to display the configuration of dynapp-profile-selection:

show security utm web-filtering status

Content Security Web-filtering status:

Use the following command to display the debug counter values for policy lookup activities:

show security utm l7-app-policy statistics

New counters are added to the web filtering statistics for debugging.

Table 2: New Counters Added to Web Filtering Statistics

Sessions matched with dynapp policy

 Increases whenever the policy associated with a uf_ng session changes based on the newly identified app-id.

Sessions matched with default policy

 Increases when the Content Security policy action taken for a connection is based on the user configured default policy. This counter increases when the user configured default policy is same as the policy identified by new dynamic-app or when the user configured default policy has a valid Content Security Web Filtering profile and the no policy has matched with existing firewall policy.

Sessions matched with final policy

 Increases when action is taken on an Content Security policy without any conflict of policies.
Note:

Use the show services application-identification application-system-cache command to check the dynamic application identified by AppID module.

See Also

Predefined Category Upgrading and Base Filter Configuration Overview

You can download and dynamically load new Enhanced Web Filtering (EWF) categories without any software upgrade. The predefined base filters defined in a category file are supported for individual EWF categories.

To configure a predefined category upgrade without any software upgrade:

  1. Configure Content Security custom objects for the Content Security features. Set the interval, set the start time, and enter the URL of category package download:
  2. Configure the predefined base filters. Each EWF category has a default action in a base filter, which is attached to the user profile to act as a backup filter. If the categories are not configured in the user profile, then the base filter takes the action. You can also upgrade the base filters online.

show security Content Security custom-objects

show security Content Security feature-profile web-filtering juniper-enhanced

See Also

Example: Configuring Enhanced Web Filtering

This example shows how to configure Enhanced Web filtering (EWF) for managing website access. This feature is supported on all SRX Series Firewalls. The EWF solution intercepts HTTP and the HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC). The TSC categorizes the URL into one of the 151 or more predefined categories and also provides site reputation information. The TSC further returns the URL category and the site reputation information to the device. The SRX Series Firewall determines whether it can permit or block the request based on the information provided by the TSC.

Requirements

This example uses the following hardware and software components:

  • SRX5600 device

  • Junos OS Release 12.1X46-D10 or later

Before you begin, you should be familiar with Web filtering and Enhanced Web filtering (EWF). See Web Filtering Overview and Understanding Enhanced Web Filtering Process.

Overview

Web filtering is used to monitor and control how users access the website over HTTP and HTTPS. In this example, you configure a URL pattern list (allowlist) of URLs or addresses that you want to bypass. After you create the URL pattern list, define the custom objects. After defining the custom objects, you apply them to feature profiles to define the activity on each profile, apply the feature profile to the Content Security policy, and finally attach the Web filtering Content Security policies to the security policies. Table 3 shows information about EWF configuration type, steps, and parameters used in this example.

Table 3: Enhanced Web filtering (EWF) Configuration Type, Steps, and Parameters

Configuration Type

Configuration Steps

Configuration Parameters

URL pattern and custom objects

Configure a URL pattern list (allowlist) of URLs or addresses that you want to bypass.

Create a custom object called urllist3 that contains the pattern http://www.example.net 1.2.3.4

  • [http://www.example.net 1.2.3.4]

  • value urllist3

  • http://www.untrusted.com

  • http://www.trusted.com

Add the urllist3 custom object to the custom URL category custurl3.

  • urllistblack

  • urllistwhite

Feature profiles

Configure the Web filtering feature profile:

  

  • Set the URL blocklist filtering category to custblacklist, set the allowlist filtering category to custwhitelist, and set the type of Web filtering engine to juniper-enhanced. Then you set the cache size and cache timeout parameters.

  • custwhitelist

  • custblacklist

  • juniper-enhanced

  • cache size 500

  • cache timeout 1800

  • Name the EWF server and enter the port number for communicating with it. (Default port is 80.) Then you create an EWF profile name.

  • rp.cloud.threatseeker.com

  • port 80

  • http-profile my_ewfprofile01

  • Select a category from the included allowlist and blocklist categories or select a custom URL category list you created for filtering against.

  • http-reassemble

  • http-persist

  • Action: log-and-permit

  • site-reputation-action:

    • very-safe permit

  • Enter a custom message to be sent when HTTP requests are blocked. Finally, enter a timeout value in seconds.

  • ewf_my_profile-default block

  • custom-block-message "***access denied ***"

  • fallback-settings:

    • server-connectivity block

    • timeout block

    • too-many-requests block

  • quarantine-custom-message “**The requested webpage is blocked by your organization's access policy**”.

  • quarantine-message type custom-redirect-url

  • quarantine-message url besgas.spglab.example.net

  • ewf_my_profile-default:

    • timeout 10

    • no-safe-search

Configuration

This example shows how to configure custom URL patterns, custom objects, feature profiles, and security policies.

Configuring Enhanced Web Filtering Custom Objects and URL Patterns

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Starting with Junos OS Release 15.1X49-D110, the “* “ in a wildcard syntax, required to create URL pattern for Web filtering profile, matches all subdomains. For example, *.example.net matches:

  • http://a.example.net

  • http://example.net

  • a.b.example.net

A custom category does not take precedence over a predefined category when it has the same name as one of the predefined categories. Do not use the same name for a custom category that you have used for a predefined category.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure custom objects and URL patterns in Enhanced Web Filtering:

  1. Configure a URL pattern list (allowlist) of URLs or addresses that you want to bypass. After you create the URL pattern list, you create a custom URL category list and add the pattern list to it. Configure a URL pattern list custom object by creating the list name and adding values to it as follows:

    Note:

    Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure custom URL category lists.

    Note:

    The guideline to use a URL pattern wildcard is as follows: Use \*\.[]\?* and precede all wildcard URLs with http://. You can use “*” only if it is at the beginning of the URL and is followed by “.”. You can use “?” only at the end of the URL.

    The following wildcard syntaxes are supported: http://*.example.net, http://www.example.ne?, http://www.example.n??. The following wildcard syntaxes are not supported: *.example.???, http://*example.net, http://?.

  2. Create a custom object called urllist3 that contains the pattern http://www.example.net and then add the urllist3 custom object to the custom URL category custurl3.

  3. Create a list of untrusted and trusted sites.

  4. Configure the custom URL category list custom object by using the URL pattern list of untrusted and trusted sites.

Results

From configuration mode, confirm your configuration by entering the show security utm custom-objects command. If the output does not display the intended configuration, repeat the instructions in this example to correct.

If you are done configuring the device, enter commit from configuration mode.

Configuring Enhanced Web Filtering Feature Profiles

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Starting in Junos OS Release 12.3X48-D25, new CLI options are available. The http-reassemble and http-persist options are added in the show security utm feature-profile web-filtering command.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the EWF feature profiles:

  1. Configure the EWF engine and set the cache size and cache timeout parameters.

  2. Set the server name or IP address and the port number for communicating with the server. The default host value in the system is rp.cloud.threatseeker.com.

  3. Set the http-reassemble statement to reassemble the requested packet and the http-persist statement to check every HTTP request packet in the same session. If the http-reassemble statement is not configured for cleartext HTTP traffic, then EWF does not reassemble the fragmented HTTP request to avoid incomplete parsing in the packet-based inspection. If the http-persist statement is not configured for cleartext HTTP traffic, then EWF does not check every HTTP request packet in the same session.

  4. Specify the action to be taken depending on the site reputation returned for the URL if there is no category match found.

  5. Specify a default action for the profile, when no other explicitly configured action is matched.

  6. Configure the fallback settings (block or log and permit) for this profile.

  7. Enter a timeout value in seconds. When this limit is reached, fallback settings are applied. This example sets the timeout value to 10. You can also disable the safe-search functionality. By default, search requests have safe-search strings attached to them, and a redirect response is sent to ensure that all search requests are safe or strict.

    Note:

    The timeout value range for SRX210, SRX220, SRX240, SRX300, SRX320, SRX345, SRX380, SRX550, SRX1500, SRX4100, and SRX4200 is 0 through 1800 seconds and the default value is 15 seconds. The timeout value range for SRX3400 and SRX3600 is 1 through 120 seconds and the default value is 3 seconds.

  8. Configure a Content Security policy (mypolicy) for the Web-filtering HTTP protocol, associating ewf_my_profile to the Content Security policy, and attach this policy to a security profile to implement it.

Results

From configuration mode, confirm your configuration by entering the show security utm feature-profile command. If the output does not display the intended configuration, repeat the instructions in this example to correct.

If you are done configuring the device, enter commit from configuration mode.

Attaching Web Filtering Content Security Policies to Security Policies

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To attach a Content Security policy to a security policy:

  1. Create the security policy sec_policy.

  2. Specify the match conditions for sec-policy.

  3. Attach the Content Security policy mypolicy to the security policy sec_policy.

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

After you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Status of the Web Filtering Server

Purpose

Verify the Web filtering server status.

Action

From the top of the configuration in operational mode, enter the show security utm web-filtering status command.

Meaning

The command output shows that the Web filtering server connection is up.

Verifying that Web Filtering Statistics Have Increased

Purpose

Verify the increase in Web filtering statistics. The initial counter value is 0; if there is an HTTP request URL hit, then there is a increase in the Web filtering statistics.

Action

From the top of the configuration in operational mode, enter the show security utm web-filtering statistics command.

Meaning

The output displays Web filtering statistics for connections including allowlist and blocklist hits and custom category hits. If there is an HTTP request URL hit, then there is a increase in the Web filtering statistics from an earlier value.

Verifying That the Web Filtering Content Security Policy Is Attached to the Security Policy

Purpose

Verify that the Web filtering Content Security policy mypolicy is attached to the security policy sec_policy.

Action

From operational mode, enter the show security policy command.

Meaning

The output displays a summary of all security policies configured on the device. If a particular policy is specified, it displays information specific to that policy. If Content Security is enabled, then mypolicy is attached to sec_policy.

See Also

Understanding the Quarantine Action for Enhanced Web Filtering

Content Security Enhanced Web Filtering supports block, log-and-permit, and permit actions for HTTP/HTTPS requests. In addition to this, Content Security Enhanced Web Filtering now supports the quarantine action which allows or denies access to the blocked site based on the user’s response to the message.

The following sequence explains how the HTTP or HTTPs request is intercepted, redirected, and acted upon by the quarantine action:

  • The HTTP client requests URL access.

  • The device intercepts the HTTP request and sends the extracted URL to the Websense Thread Seeker Cloud (TSC).

  • The TSC returns the URL category and the site reputation information to the device.

  • If the action configured for the category is quarantine, the device logs the quarantine action and sends a redirect response to HTTP client.

  • The URL is sent to the HTTP server for redirecting.

  • The device shows a warning message stating that the access to the URL is blocked according to the organization’s security policies and prompts the user to respond.

  • If the user response is “No,” the session is terminated. If the user response is “Yes,” the user is allowed access to the site and such access is logged and reported to the administrator.

Note:

The quarantine action is supported only for Content Security Enhanced Web Filtering or Juniper enhanced type of Web filtering.

Quarantine Message

The quarantine message sent to the HTTP client is user-configurable and is of the following types:

  • Default message

    The default quarantine message is displayed when a user attempts to access a quarantined website and it contains the following information:

    • URL name

    • Quarantine reason

    • Category (if available)

    • Site-reputation (if available)

    For example, if you have set the action for Enhanced_Search_Engines_and_Portals to quarantine, and you try to access www.search.example.com, the quarantine message is as follows:

    ***The requested webpage is blocked by your organization's access policy***.

  • Syslog message.

    The syslog message will be logged by the system when the user access the web page that has already been quarantined and marked as block or permit.

    The corresponding syslog message on the device under test is:

    Jan 25 15:10:40 rodian utmd[3871]: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 99.99.99.4(60525)->74.125.224.114(80) CATEGORY="Enhanced_Search_Engines_and_Portals" REASON="by predefined category(quarantine)" PROFILE="ewf-test-profile" URL=www.search.example.com OBJ=/

    Starting in Junos OS 12.1X47-D40 and Junos OS Release 17.3R1, the structured log fields have changed. The structured log field changes in the Content Security Web filter logs WEBFILTER_URL_BLOCKED, WEBFILTER_URL_REDIRECTED, and WEBFILTER_URL_PERMITTED are as follows:

    • name -> category

    • error-message -> reason

    • profile-name -> profile

    • object-name -> url

    • pathname -> obj

User Messages and Redirect URLs for Enhanced Web Filtering (EWF)

Starting with Junos OS Release 15.1X49-D110, a new option, custom-message, is added for the custom-objects statement that enables you to configure user messages and redirect URLs to notify users when a URL is blocked or quarantined for each EWF category. The custom-message option has the following mandatory attributes:

  • Name: Name of the custom message; maximum length is 59 ASCII characters.

  • Type: Type of custom message: user-message or redirect-url.

  • Content: Content of the custom message; maximum length is 1024 ASCII characters.

You configure a user message or redirect URL as a custom object and assign the custom object to an EWF category.

  • User messages indicate that website access has been blocked by an organization's access policy. To configure a user message, include the type user-message content message-text statement at the [edit security utm custom-objects custom-message message] hierarchy level.

  • Redirect URLs redirect a blocked or quarantined URL to a user-defined URL. To configure a redirect URL, include the type redirect-url content redirect-url statement at the [edit security utm custom-objects custom-message message] hierarchy level.

The custom-message option provides the following benefits:

  • You can configure a separate custom message or redirect URL for each EWF category.

  • The custom-message option enables you to fine-tune messages to support your polices to know which URL is blocked or quarantined.

  • Only one custom-message configuration option is applied for each category. The custom-message configuration is supported only on Enhanced Web Filtering (EWF). Therefore, only the Juniper EWF engine type is supported.

Starting with Junos OS Release 17.4R1, support for custom category configuration is available for local and Websense redirect profiles.

See Also

Example: Configuring Site Reputation Action for Enhanced Web Filtering

This example shows how to configure the site reputation action for both categorized and uncategorized URLs.

Requirements

Before you begin, you should be familiar with Web Filtering and Enhanced Web Filtering. See Web Filtering Overview and Understanding Enhanced Web Filtering Process.

Overview

In this example, you configure Web Filtering profiles to URLs according to defined categories using the site reputation action. You set the URL allowlist filtering category to url-cat-white and the type of Web Filtering engine to juniper-enhanced. Then you set the cache size parameters for Web Filtering and the cache timeout parameters to 1.

Then you create a juniper-enhanced profile called profile ewf-test-profile, set the URL allowlist category to cust-cat-quarantine, and set the reputation action to quarantine.

You enter a custom message to be sent when HTTP requests are quarantined. In this example, the following message is sent: The requested webpage is blocked by your organization's access policy.

You block URLs in the Enhanced_News_and_Media category and permit URLs in the Enhanced_Education category. Then you quarantine the URLs in the Enhanced_Streaming_Media category and configure the device to send the following message: The requested webpage is blocked by your organization's access policy.

In this example, you set the default action to permit. You select fallback settings (block or log-and-permit) for this profile in case errors occur in each configured category. Finally, you set the fallback settings to block.

Configuration

Configuring Site Reputation Action

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the site reputation action:

  1. Specify the Enhanced Web Filtering engine, and set the cache size parameters.

  2. Configure the base reputation scores.

    Note:

    The base reputation value must be ordered.

  3. Set the cache timeout parameters.

  4. Create a profile name, and select a category from the allowlist categories.

  5. Create a profile name, and select a category from the allowlist categories.

  6. Enter a warning message to be sent when HTTP requests are quarantined.

  7. Select a default action (permit, log-and-permit, block, or quarantine) for the profile, when no other explicitly configured action (blocklist, allowlist, custom category, predefined category or site reputation ) is matched .

  8. Select fallback settings (block or log-and-permit) for this profile.

Results

From configuration mode, confirm your configuration by entering the show security utm command. If the output does not display the intended configuration, repeat the instructions in this example to correct.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Status of Content Security Service

Purpose

Verify the Content Security service status.

Action

From operational mode, enter the show security utm status command.

Sample Output
command-name

Verifying the Status of Content Security Session

Purpose

Verify the Content Security session status.

Action

From operational mode, enter the show security utm session command.

Sample Output
command-name

Verifying the Status of Content Security Web Filtering

Purpose

Verify the Content Security Web filtering status.

Action

From operational mode, enter the show security utm web-filtering status command.

Sample Output
command-name

Verifying the Statistics of Content Security Web Filtering

Purpose

Verify the Web filtering statistics for connections including allowlist and blocklist hits and custom category hits.

Action

From operational mode, enter the show security utm web-filtering statistics command.

Sample Output
command-name

Verifying the URL status using Log file

Purpose

Verify the blocked and allowed URL status using log file.

Action

To see blocked and allowed URLs, send the Content Security logs to a syslog server using stream mode. For more information see: Configuring Off-Box Binary Security Log Files.

From operational mode, enter the show log messages | match RT_UTM command.

Sample Output
command-name

See Also

TAP Mode Support Overview for Content Security

In TAP mode, an SRX Series Firewall will be connected to a mirror port of the switch, which provides a copy of the traffic traversing the switch. An SRX Series Firewall in TAP mode processes the incoming traffic from TAP interface and generates security log to display the information on threats detected, application usage, and user details.

Starting in Junos OS Release 19.1R1 you can enable TAP mode on Content Security module. When you enable TAP mode on Content Security module, the SRX Series Firewall inspects the incoming and outgoing traffic that matches a firewall policy or policies with the enabled Content Security service. TAP mode can’t block traffic but generates security logs, reports, and statistics to show the number of threats detected, application usage, and user details. If some packet gets lost in the TAP interface, the Content Security terminates the connection, and the TAP mode do not generate any security logs, reports, and statistics for this connection. The Content Security configuration remains the same as non-TAP mode.

Content Security functionality configured on an SRX Series Firewall continues to work and exchange information from the server. To use Content Security functionality when the SRX Series Firewall is configured in TAP mode, you must configure the DNS server to resolve the cloud server’s IP addresses.

To use TAP mode, the SRX Series Firewall will be connected to a mirror port of the switch, which provides a copy of the traffic traversing the switch. SRX Series Firewall process the incoming traffic from TAP interface and generates security log information to display the information on threats detected, application usage, and user details.

When operating in TAP mode, the SRX Series Firewall performs:

  • Enhanced Web filtering (EWF) for mirrored HTTP traffic.

  • Sophos antivirus (SAV) for mirrored HTTP/FTP/SMTP/POP3/IMAP traffic.

  • Antispam (AS) for mirrored SMTP traffic.

See Also

Related Documentation

Release History Table
Release
Description
17.4R1
Starting with Junos OS Release 17.4R1, support for custom category configuration is available for local and Websense redirect profiles.
17.4R1
Starting with Junos OS Release 17.4R1, you can download and dynamically load new EWF categories. The downloading and dynamic loading of the new EWF categories do not require a software upgrade. Websense occasionally releases new EWF categories. EWF classifies websites into categories according to host, URL, or IP address and performs filtering based on the categories.
17.4R1
Starting with Junos OS Release 17.4R1, predefined base filters, defined in a category file, are supported for individual EWF categories. Each EWF category has a default action in a base filter, which is attached to the user profile to act as a backup filter. If the categories are not configured in the user profile, then the base filter takes the action.
17.4R1
Starting with Junos OS Release 17.4R1, the reputation base scores are configurable. Users can apply global reputation values, provided by the Websense ThreatSeeker Cloud (TSC). For the non-category URLs, the global reputation value is used to perform filtering,
17.4R1
Starting with Junos OS Release 17.4R1, support for custom category configuration is available for local and Websense redirect profiles.
17.4R1
Starting with Junos OS Release 17.4R1, support for custom category configuration is available for local and Websense redirect profiles.
15.1X49-D40
Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, EWF supports HTTPS traffic by intercepting HTTPS traffic passing through the SRX Series Firewall.
15.1X49-D40
Starting with Junos OS 15.1X49-D40 and Junos OS Release 17.3R1, EWF intercepts HTTPS traffic passing through the SRX Series Firewall. The security channel from the device is divided as one SSL channel between the client and the device and another SSL channel between the device and the HTTPS server. SSL forward proxy acts as the terminal for both channels and forwards the cleartext traffic to the Content Security. Content Security extracts the URL from the HTTP request message.
15.1X49-D110
Starting with Junos OS Release 15.1X49-D110, a new option, custom-message, is added for the custom-objects command that enables you to configure user messages and redirect URLs to notify users when a URL is blocked or quarantined for each EWF category.
15.1X49-D110
Starting with Junos OS Release 15.1X49-D110, a new option, custom-message, is added for the custom-objects statement that enables you to configure user messages and redirect URLs to notify users when a URL is blocked or quarantined for each EWF category.
15.1X49-D110
Starting with Junos OS Release 15.1X49-D110, the “* “ in a wildcard syntax, required to create URL pattern for Web filtering profile, matches all subdomains.
15.1X49-D110
Starting with Junos OS Release 15.1X49-D110, a new option, custom-message, is added for the custom-objects statement that enables you to configure user messages and redirect URLs to notify users when a URL is blocked or quarantined for each EWF category.
12.3X48-D25
Starting with Junos OS Release 12.3X48-D25 and Junos OS Release 17.3R1, Enhanced Web Filtering (EWF) over SSL forward proxy supports HTTPS traffic.
12.1X47-D40
Starting in Junos OS 12.1X47-D40 and Junos OS Release 17.3R1, the structured log fields have changed.