
Allow or Block Websites by Using J-Web Integrated Content Security Web Filtering

SUMMARY: Learn about Web filtering and how to filter URLs on Content Security-enabled SRX Series Firewalls by using J-Web. Web filtering helps you to allow or block access to the Web and to monitor your network traffic.

Content Security URL Filtering Overview

Today, most of us spend a significant amount of time on the Web. We surf our favorite sites, follow interesting links sent to us through e-mail, and use a variety of Web-based applications on our office network. This increased use of the network helps us both personally and professionally. However, it also exposes the organization to a variety of security and business risks, such as potential data loss, lack of compliance, and threats such as malware and viruses. In this environment of increased risk, it’s wise for businesses to implement Web or URL filters to control network threats. You can use a Web or URL filter to categorize websites on the Internet and to either allow or block user access.

Here's an example of a typical situation where a user on an office network finds access to a website blocked:

On the Web browser, the user types www.game.co.uk, a popular gaming site. The user receives a message such as Access Denied or The Website is blocked. Such a message means that the organization has inserted a filter for gaming websites, and the user can’t access the site from the workplace.

Juniper Web (J-Web) Device Manager supports Content Security Web filtering on SRX Series Firewalls.

Note:

Starting in Junos OS 22.2R1:

  • In the J-Web GUI, the term UTM is replaced with Content Security.

  • In Junos CLI commands, we continue to use the legacy term UTM for Content Security.

In J-Web, a Web filtering profile defines a set of permissions and actions based on Web connections predefined by website categories. You can also create custom URL categories and URL pattern lists for a Web filtering profile.

Note:

You cannot inspect URLs within e-mails using J-Web Content Security Web filtering.

Benefits of Content Security Web Filtering

  • Local Web filtering:

    • Doesn’t require a license.

    • Enables you to define your own lists of allowed sites (allowlist) or blocked sites (blocklist) for which you want to enforce a policy.

  • Enhanced Web filtering:

    • Is the most powerful integrated filtering method and includes a granular list of URL categories, support for Google Safe Search, and a reputation engine.

    • Doesn’t require additional server components.

    • Provides real-time threat score for each URL.

    • Enables you to redirect users from a blocked URL to a user-defined URL rather than simply preventing user access to the blocked URL.

  • Redirect Web filtering:

    • Tracks all queries locally, so you don't need an Internet connection.

    • Uses the logging and reporting features of a standalone Websense solution.

Web Filtering Workflow

Scope

In this example, you’ll:

  1. Create your own custom URL pattern lists and URL categories.

  2. Create a Web filtering profile using the Local engine type. Here, you define your own URL categories, which can be allowed sites (allowlist) or blocked sites (blocklist) that are evaluated on the SRX Series Firewall. All URLs added for blocked sites are denied, while all URLs added for allowed sites are permitted.

  3. Block inappropriate gaming websites and allow suitable websites (for example, www.juniper.net).

  4. Define a custom message to display when users attempt to access gaming websites.

  5. Apply the Web filtering profile to a Content Security policy.

  6. Assign the Content Security policy to a security policy rule.

Note:

Web filtering and URL filtering have the same meaning. We’ll use the term Web filtering throughout our example.

Before You Begin

  • We assume that your device is set with the basic configuration. If not, see Configure Setup Wizard.

  • You do not need a license to configure the Web filtering profile if you use the Local engine type. This is because you will be responsible for defining your own URL pattern lists and URL categories.

  • You need a valid license (wf_key_websense_ewf) if you want to try the Juniper Enhanced engine type for the Web filtering profile. Redirect Web filtering does not need a license.

  • Ensure that the SRX Series Firewall you use in this example runs Junos OS Release 22.2R1 or later.

    Note:

    Starting in Junos OS 22.2R1:

    • In the J-Web GUI, the term UTM is replaced with Content Security.

    • In Junos CLI commands, we continue to use the legacy term UTM for Content Security.

Topology

In this topology, we have a PC connected to a Content Security-enabled SRX Series Firewall that has access to the Internet. Let's use J-Web to filter the HTTP/HTTPS requests sent to the Internet using this simple setup.


Sneak Peek – J-Web Content Security Web Filtering Steps


Step 1: List URLs That You Want to Allow or Block

In this step, we define custom objects (URL pattern lists) that hold the URLs you want to allow or block.

You are here (in the J-Web UI): Security Services>Content Security>Custom Objects.

To list URLs:

  1. Click the URL Pattern List tab.
  2. Click the add icon (+) to add a URL pattern list.

    The Add URL Pattern List page appears. See Figure 1.

  3. Complete the tasks listed in the Action column in the following table:

    Name: Type allowed-sites or blocked-sites.

      Note: Use a string beginning with a letter or underscore and consisting of alphanumeric characters and special characters such as dashes and underscores. The maximum length is 29 characters.

    Value:

      1. Click + to add a URL pattern value.

      2. Type the following:

        • For allowed-sites—www.juniper.net and www.google.com

        • For blocked-sites—www.gematsu.com and www.game.co.uk

      3. Click the tick icon.

    Figure 1: Add URL Pattern List
  4. Click OK to save the changes.

    Good job! Here's the result of your configuration:

Step 2: Categorize the URLs That You Want to Allow or Block

We’ll now assign the created URL patterns to URL category lists. A category list groups URL patterns so that one action can be applied to all of the URLs it contains. For example, the Gambling category should be blocked.

You are here: Security Services>Content Security>Custom Objects.

To categorize URLs:

  1. Click the URL Category List tab.
  2. Click the add icon (+) to add a URL category list.

    The Add URL Category List page appears. See Figure 2.

  3. Complete the tasks listed in the Action column in the following table:

    Name: Type the URL category list name as good-sites for the allowed-sites URL pattern or stop-sites for the blocked-sites URL pattern.

      Note: Use a string beginning with a letter or underscore and consisting of alphanumeric characters and special characters such as dashes and underscores. The maximum length is 59 characters.

    URL Patterns:

      1. Select the URL pattern values allowed-sites or blocked-sites from the Available column to associate them with the URL categories good-sites or stop-sites, respectively.

      2. Click the right arrow to move the URL pattern values to the Selected column.

    Figure 2: Add URL Category List
  4. Click OK to save the changes.

    Good job! Here's the result of your configuration:

Step 3: Add a Web Filtering Profile

Now, let’s link the created URL objects (patterns and categories) to a Content Security Web filtering profile. This mapping allows you to set different values for your filtering behavior.

You are here: Security Services>Content Security>Web Filtering Profiles.

To create a Web filtering profile:

  1. Click the add icon (+) to add a Web filtering profile.

    The Create Web Filtering Profiles page appears. See Figure 3.

  2. Complete the tasks listed in the Action column in the following table:

    General

    Name: Type wf-local for the Web filtering profile.

      Note: The maximum length is 29 characters.

    Timeout: Type 30 (in seconds) to wait for a response from the Local engine. The maximum value is 1800 seconds. The default value is 15 seconds.

    Engine type: Select the Local engine type for Web filtering. Click Next.

      Note: The default value is Juniper Enhanced.

    URL Categories

    +: Click the add icon to open the Select URL Categories window.

    Select URL categories to apply to the list: Select good-sites or stop-sites.

    Action: Select Log and Permit for the good-sites category from the list. Select Block for the stop-sites category from the list.

    Figure 3: Create Web Filtering Profile
  3. Click Finish. Review the summary of the configuration and click OK to save changes.

    Good job! Here's the result of your configuration:

  4. Click Close after you see a successful-configuration message.

Step 4: Reference a Web Filtering Profile in a Content Security Policy

We now need to assign the Web filtering profile (wf-local) to a Content Security policy that can be applied to a security policy.

You are here: Security Services>Content Security>Content Security Policies.

To create a Content Security policy:

  1. Click the add icon (+) to add a Content Security policy.

    The Create Content Security Policies page appears.

  2. Complete the tasks listed in the Action column in the following table:

    General – General Information

    Name: Type wf-custom-policy for the Content Security policy.

      Note: The maximum length is 29 characters.

    Click Next, and then click Next again to skip the Antivirus configuration.

    Web Filtering – Web Filtering Profiles by Traffic Protocol

    HTTP: Select wf-local from the list and click Next until the end of the workflow.

  3. Click Finish. Review the summary of the configuration and click OK to save changes.

    Almost there! Here's the result of your configuration:

  4. Click Close after you see a successful message.

    Almost done! Now, you modify the default Content Security Web filtering configuration so that it references your lists of good sites and stop sites.

    You are here: Security Services>Content Security>Default Configuration>Web Filtering.

  5. Click the edit icon to modify the default Web filtering configuration.

    The Web Filtering page appears.

  6. Complete the tasks listed in the Action column in the following table:

    Type: Select Juniper Local from the list to use the local Content Security filtering database.

    URL Blocklist: Select stop-sites from the list to link to the list of URLs that are not allowed (blocked).

    URL Allowlist: Select good-sites from the list to link to the list of URLs that are allowed.

    Juniper Local>Global

    Custom Block Message: Enter Juniper Web Filtering has been set to block this site.

    Default Action: Select Block from the list.

    Skip the other fields and click OK.

  7. Click OK to save changes.

    Almost there! Here's the result of your Content Security default Web filtering configuration.

    Good news! You’re done with Content Security Web filtering configuration.

Step 5: Assign a Content Security Policy to a Security Policy

You haven’t yet assigned the Content Security configuration to the security policy from the TRUST zone to the INTERNET zone. Filtering actions are taken only after you assign the Content Security policy to security policy rules that act as the match criteria.

Note:

When a security policy rule with a permit action matches the traffic, the SRX Series Firewall:

  1. Intercepts an HTTP/HTTPS connection and extracts each URL (in the HTTP/HTTPS request) or IP address.

    Note:

    For an HTTPS connection, Web filtering is supported through SSL forward proxy.

  2. Searches for URLs in the user-configured blocklist or allowlist under Web Filtering (Security Services>Content Security>Default Configuration). Then, if the URL is in the:

    1. User-configured blocklist, the device blocks the URL.

    2. User-configured allowlist, the device permits the URL.

  3. Checks the user-defined categories and blocks or allows the URL based on the user-specified action for the category.

  4. Allows or blocks the URL (if a category is not configured) based on the default action configured in the Web filtering profile.

You are here: Security Policies & Objects>Security Policies.

To create security policy rules for the Content Security policy:

  1. Click the add icon (+).
  2. Complete the tasks listed in the Action column in Table 1.
    Table 1: Rule Settings

    General – General Information

    Rule Name: Type wf-local-policy for the security policy allowing the good-sites category and denying the stop-sites category.

    Rule Description: Enter a description for the security policy rule.

    Source Zone:

      1. Click +. The Select Sources page appears.

      2. Zone—Select TRUST from the list.

      3. Addresses—Leave this field with the default value Any.

      4. Click OK.

    Destination Zone:

      1. Click +. The Select Destination page appears.

      2. Zone—Select INTERNET from the list.

      3. Addresses—Leave this field with the default value Any.

      4. Services—Leave this field with the default value Any.

      5. URL Category—Leave this field blank.

      6. Click OK.

    Action: By default, Permit is selected. Leave as is.

    Advanced Security:

      1. Click +. The Select Advanced Security page appears.

      2. Content Security—Select wf-custom-policy from the list.

      3. Click OK.

    Note: Navigate to Security Policies & Objects>Zones/Screens to create zones. Creating zones is outside the scope of this documentation.

  3. Click the tick icon and then click Save to save changes.

    Note:

    Scroll the horizontal bar back if the inline tick and cancel icons are not visible when creating a new rule.

    Good job! Here's the result of your configuration:

  4. Click the commit icon (at the right side of the top banner) and select Commit.

    The successful-commit message appears.

    Congratulations! We’re ready to filter the URL requests.

Step 6: Verify That the URLs Are Allowed or Blocked from the Server

Let’s verify that our configurations and security policy work fine with the defined URLs in the topology:

  • If you enter www.gematsu.com and www.game.co.uk, the SRX Series Firewall should block the URLs and send the configured blocked site message.

    Note:

    Most sites use HTTPS. The blocked site message is only seen for HTTP sites. For HTTPS, you can expect a Secure Connection Failed error message, such as An error occurred during a connection to <blocked-siteurl> PR_CONNECT_RESET_ERROR.

  • If you enter www.juniper.net and www.google.com, the SRX Series Firewall should allow the URLs with their homepage displayed.

What’s Next

  • Monitor Content Security Web filtering information and statistics: In J-Web, go to Monitor>Security Services>Content Security>Web Filtering.

  • Generate and view reports on URLs allowed and blocked: In J-Web, go to Reports. Generate reports for Threat Assessment Reports and Top Blocked Applications via Webfilter logs.

  • Learn more about Content Security features: See the Content Security User Guide.

Sample Configuration Output

In this section, we present samples of configurations that allow and block the websites defined in this example.

You configure the following Content Security settings at the [edit security utm] hierarchy level.

Creating custom objects:

Creating the Web filtering profile:

Creating the Content Security policy:

You configure the security policy rules at the [edit security policies] hierarchy level.

Creating rules for a security policy:
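The J-Web workflow from Steps 1 through 5 expressed as Junos CLI set commands, as an added example and not the sample output this page refers to. It uses the object names from the steps above and assumes the url-blocklist and url-allowlist keyword spelling of recent Junos releases (older releases spell these url-blacklist and url-whitelist); the lines beginning with # are reader annotations, not CLI input.

```junos
# Step 1: URL pattern lists (custom objects) holding the allowed and blocked URLs
set security utm custom-objects url-pattern allowed-sites value www.juniper.net
set security utm custom-objects url-pattern allowed-sites value www.google.com
set security utm custom-objects url-pattern blocked-sites value www.gematsu.com
set security utm custom-objects url-pattern blocked-sites value www.game.co.uk

# Step 2: custom URL categories built from the pattern lists
set security utm custom-objects custom-url-category good-sites value allowed-sites
set security utm custom-objects custom-url-category stop-sites value blocked-sites

# Step 3: Local-engine Web filtering profile wf-local (30 s timeout, per-category actions)
set security utm feature-profile web-filtering juniper-local profile wf-local timeout 30
set security utm feature-profile web-filtering juniper-local profile wf-local category good-sites action log-and-permit
set security utm feature-profile web-filtering juniper-local profile wf-local category stop-sites action block

# Step 4 (policy): Content Security (UTM) policy that applies wf-local to HTTP traffic
set security utm utm-policy wf-custom-policy web-filtering http-profile wf-local

# Step 4 (default configuration): Juniper Local type, block/allow lists, block message, default action
set security utm default-configuration web-filtering type juniper-local
set security utm default-configuration web-filtering url-blocklist stop-sites
set security utm default-configuration web-filtering url-allowlist good-sites
set security utm default-configuration web-filtering juniper-local default block
set security utm default-configuration web-filtering juniper-local custom-block-message "Juniper Web Filtering has been set to block this site."

# Step 5: TRUST-to-INTERNET security policy rule that invokes the Content Security policy
set security policies from-zone TRUST to-zone INTERNET policy wf-local-policy match source-address any
set security policies from-zone TRUST to-zone INTERNET policy wf-local-policy match destination-address any
set security policies from-zone TRUST to-zone INTERNET policy wf-local-policy match application any
set security policies from-zone TRUST to-zone INTERNET policy wf-local-policy then permit application-services utm-policy wf-custom-policy
```

Because no match on the blocklist, allowlist, or a custom category falls through to the profile's default action, the default block above means any URL not in good-sites is denied, which is the behaviour the verification in Step 6 expects.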