Allow or Block Websites by Using J-Web Integrated Content Security Web Filtering
SUMMARY Learn about Web filtering and how to filter URLs on Content Security-enabled SRX Series Firewalls by using J-Web. Web filtering helps you to allow or block access to the Web and to monitor your network traffic.
Content Security URL Filtering Overview
Today, most of us spend a great deal of time on the Web. We surf our favorite sites, follow interesting links sent to us through e-mail, and use a variety of Web-based applications for our office network. This increased use of the network helps us both personally and professionally. However, it also exposes the organization to a variety of security and business risks, such as potential data loss, lack of compliance, and threats such as malware and viruses. In this environment of increased risk, it’s wise for businesses to implement Web or URL filters to control network threats. You can use a Web or URL filter to categorize websites on the Internet and to either allow or block user access.
Here's an example of a typical situation in which a user on an office network finds access to a website blocked:
In the Web browser, the user types www.game.co.uk, a popular gaming site. The user receives a message such as Access Denied or The Website is blocked. Such a message means that your organization has inserted a filter for gaming websites, and you can’t access the site from your workplace.
Juniper Web (J-Web) Device Manager supports Content Security Web filtering on SRX Series Firewalls.
Starting in Junos OS 22.2R1:
- In the J-Web GUI, the term UTM is replaced with Content Security.
- In Junos CLI commands, we continue to use the legacy term UTM for Content Security.
In J-Web, a Web filtering profile defines a set of permissions and actions based on Web connections predefined by website categories. You can also create custom URL categories and URL pattern lists for a Web filtering profile.
You cannot inspect URLs within e-mails using J-Web Content Security Web filtering.
Benefits of Content Security Web Filtering
Local Web filtering:
- Doesn’t require a license.
- Enables you to define your own lists of allowed sites (allowlist) or blocked sites (blocklist) for which you want to enforce a policy.
Enhanced Web filtering:
- Is the most powerful integrated filtering method and includes a granular list of URL categories, support for Google Safe Search, and a reputation engine.
- Doesn’t require additional server components.
- Provides a real-time threat score for each URL.
- Enables you to redirect users from a blocked URL to a user-defined URL rather than simply preventing user access to the blocked URL.
Redirect Web filtering:
- Tracks all queries locally, so you don't need an Internet connection.
- Uses the logging and reporting features of a standalone Websense solution.
Web Filtering Workflow
Scope
In this example, you’ll:
- Create your own custom URL pattern lists and URL categories.
- Create a Web filtering profile using the Local engine type. Here, you define your own URL categories, which can be allowed sites (allowlist) or blocked sites (blocklist) that are evaluated on the SRX Series Firewall. All URLs added for blocked sites are denied, while all URLs added for allowed sites are permitted.
- Block inappropriate gaming websites and allow suitable websites (for example, www.juniper.net).
- Define a custom message to display when users attempt to access gaming websites.
- Apply the Web filtering profile to a Content Security policy.
- Assign the Content Security policy to a security policy rule.
Web filtering and URL filtering have the same meaning. We’ll use the term Web filtering throughout our example.
Before You Begin
We assume that your device is set with the basic configuration. If not, see Configure Setup Wizard.
You do not need a license to configure the Web filtering profile if you use the Local engine type. This is because you will be responsible for defining your own URL pattern lists and URL categories.
You need a valid license (wf_key_websense_ewf) if you want to try the Juniper Enhanced engine type for the Web filtering profile. Redirect Web filtering does not need a license.
Ensure that the SRX Series Firewall you use in this example runs Junos OS Release 22.2R1 or later.
Note: Starting in Junos OS 22.2R1:
- In the J-Web GUI, the term UTM is replaced with Content Security.
- In Junos CLI commands, we continue to use the legacy term UTM for Content Security.
Topology
In this topology, we have a PC connected to a Content Security-enabled SRX Series Firewall that has access to the Internet. Let's use J-Web to filter the HTTP/HTTPS requests sent to the Internet using this simple setup.
Sneak Peek – J-Web Content Security Web Filtering Steps
Step 1: List URLs That You Want to Allow or Block
In this step, we define custom objects (URLs and patterns) to handle the URLs that you want to allow or block.
You are here (in the J-Web UI): Security Services > Content Security > Custom Objects.
To list URLs:
Step 2: Categorize the URLs That You Want to Allow or Block
We’ll now assign the URL patterns we created to URL category lists. A category list groups URL patterns so that a single action can be associated with all of them. For example, the Gambling category should be blocked.
You are here: Security Services > Content Security > Custom Objects.
To categorize URLs:
Step 3: Add a Web Filtering Profile
Now, let’s link the created URL objects (patterns and categories) to a Content Security Web filtering profile. This mapping allows you to set different values for your filtering behavior.
You are here: Security Services > Content Security > Web Filtering Profiles.
To create a Web filtering profile:
Step 4: Reference a Web Filtering Profile in a Content Security Policy
We now need to assign the Web filtering profile (wf-local) to a Content Security policy that can be applied to a security policy.
You are here: Security Services > Content Security > Content Security Policies.
To create a Content Security policy:
Step 5: Assign a Content Security Policy to a Security Policy
You haven’t yet assigned the Content Security configuration to the security policy from the TRUST zone to the INTERNET zone. Filtering actions are taken only after you assign the Content Security policy to security policy rules, which act as the match criteria.
When traffic is permitted by these security policy rules, the SRX Series Firewall:
- Intercepts an HTTP/HTTPS connection and extracts each URL (in the HTTP/HTTPS request) or IP address.
  Note: For an HTTPS connection, Web filtering is supported through SSL forward proxy.
- Searches for the URL in the user-configured blocklist or allowlist under Web Filtering (Security Services > Content Security > Default Configuration). Then, if the URL is in the:
  - User-configured blocklist, the device blocks the URL.
  - User-configured allowlist, the device permits the URL.
- Checks the user-defined categories and blocks or allows the URL based on the user-specified action for the category.
- Allows or blocks the URL (if no category matches) based on the default action configured in the Web filtering profile.
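The decision order above, as an added example in Python (not Juniper's code and not part of the original page): the dictionaries mirror the custom objects and the wf-local profile from this page's sample configuration; the news-sites pattern list and read-only-sites category are hypothetical additions so that step 3 (a category that is neither the allowlist nor the blocklist) is exercised; and the pattern matching (scheme ignored, '*' as a host wildcard, a pattern path treated as a prefix) is a simplified assumption rather than the SRX engine's exact semantics.

```python
"""
Model of the Local engine's Web filtering decision order:

  1. URL in the profile's url-blacklist category  -> block
  2. URL in the profile's url-whitelist category  -> permit
  3. URL in any other custom category             -> that category's action
  4. no category matched                          -> the profile's default action
"""
import fnmatch

# Constructed to mirror the sample configuration on this page. "news-sites",
# "read-only-sites" and their action are hypothetical additions for step 3.
URL_PATTERNS = {
    "blocked-sites": ["http://*.gematsu.com", "http://*.game.co.uk"],
    "allowed-sites": ["http://*.juniper.net", "http://*.google.com"],
    "news-sites": ["http://*.example-news.test"],          # hypothetical
}
CUSTOM_URL_CATEGORIES = {
    "good-sites": ["allowed-sites"],
    "stop-sites": ["blocked-sites"],
    "read-only-sites": ["news-sites"],                      # hypothetical
}
PROFILE = {                     # juniper-local profile wf-local
    "url-blacklist": "stop-sites",
    "url-whitelist": "good-sites",
    "category": {
        "stop-sites": "block",
        "good-sites": "log-and-permit",
        "read-only-sites": "log-and-permit",                # hypothetical
    },
    "default": "block",
}


def _split(url):
    """Return (host, path) with the scheme removed and the host lower-cased."""
    rest = url.split("://", 1)[1] if "://" in url else url
    host, _, path = rest.partition("/")
    return host.lower(), "/" + path


def pattern_matches(pattern, url):
    """True if the URL host matches the pattern's wildcard host and the URL path
    starts with the pattern's path (prefix semantics are an assumption)."""
    p_host, p_path = _split(pattern)
    u_host, u_path = _split(url)
    return fnmatch.fnmatchcase(u_host, p_host) and u_path.startswith(p_path)


def categories_for(url):
    """All custom categories whose pattern lists contain a pattern matching the URL."""
    return [
        cat for cat, lists in CUSTOM_URL_CATEGORIES.items()
        if any(pattern_matches(p, url) for lst in lists for p in URL_PATTERNS[lst])
    ]


def decide(url, profile=PROFILE):
    """Return (action, reason) for a URL, following the four-step order above."""
    matched = categories_for(url)
    if profile["url-blacklist"] in matched:          # step 1: blocklist wins
        return "block", "url-blacklist"
    if profile["url-whitelist"] in matched:          # step 2: allowlist
        return "permit", "url-whitelist"
    for cat in matched:                              # step 3: other categories
        if cat in profile["category"]:
            return profile["category"][cat], "category " + cat
    return profile["default"], "default"             # step 4: profile default


if __name__ == "__main__":
    for u in ("http://www.game.co.uk/", "https://www.juniper.net/",
              "http://www.example-news.test/world", "http://www.unlisted.test/"):
        print(u, "->", decide(u))
```

The order matters: a URL that falls in both the blocklist and allowlist categories is blocked, and a URL that matches no category falls through to the profile default, which this configuration sets to block, so any site not explicitly allowed is denied.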
You are here: Security Policies & Objects > Security Policies.
To create security policy rules for the Content Security policy:
Step 6: Verify That the URLs Are Allowed or Blocked from the Server
Let’s verify that our configuration and security policy work as expected with the URLs defined in the topology:
- If you enter www.gematsu.com and www.game.co.uk, the SRX Series Firewall should block the URLs and send the configured blocked-site message.
  Note: Most sites use HTTPS. The blocked-site message is only seen for HTTP sites. For HTTPS, you can expect a Secure Connection Failed error message, such as "An error occurred during a connection to <blocked-siteurl>. PR_CONNECT_RESET_ERROR".
- If you enter www.juniper.net and www.google.com, the SRX Series Firewall should allow the URLs and display their home pages.
What’s Next
| What to do? | Where? |
|---|---|
| Monitor Content Security Web filtering information and statistics. | In J-Web, go to Monitor > Security Services > Content Security > Web Filtering. |
| Generate and view reports on URLs allowed and blocked. | In J-Web, go to Reports. Generate the Threat Assessment Reports and Top Blocked Applications via Webfilter logs reports. |
| Learn more about Content Security features. | |
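As an added example for the monitoring step (not from this page or from Juniper): a Python summariser that turns Web filtering syslog events into the counts an operator checks first. The sample lines are constructed and modelled on the Junos WEBFILTER_URL_BLOCKED and WEBFILTER_URL_PERMITTED events, using the URLs from this example and documentation addresses; the exact field layout, the REASON strings and the event names' availability on a given release are assumptions, so adjust EVENT_RE to what your device actually logs.

```python
"""Summarise Web filtering syslog events: top blocked URLs, blocked requests
per source address, and sources that exceed a block threshold."""
import re
from collections import Counter

# Constructed sample lines (not real device output). The sshd line is
# included to show that unrelated events are skipped by the parser.
SAMPLE_SYSLOG = """\
Jun  3 10:15:01 srx RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.0.2.10(51122)->198.51.100.7(80) CATEGORY="stop-sites" REASON="BY_BLACK_LIST" PROFILE="wf-local" URL=www.game.co.uk OBJ=/ username N/A roles N/A
Jun  3 10:15:09 srx RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.0.2.10(51130)->198.51.100.9(80) CATEGORY="good-sites" REASON="BY_WHITE_LIST" PROFILE="wf-local" URL=www.juniper.net OBJ=/ username N/A roles N/A
Jun  3 10:16:42 srx RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.0.2.11(40021)->198.51.100.7(80) CATEGORY="stop-sites" REASON="BY_BLACK_LIST" PROFILE="wf-local" URL=www.gematsu.com OBJ=/news username N/A roles N/A
Jun  3 10:16:50 srx RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.0.2.11(40030)->198.51.100.7(80) CATEGORY="stop-sites" REASON="BY_BLACK_LIST" PROFILE="wf-local" URL=www.game.co.uk OBJ=/ username N/A roles N/A
Jun  3 10:17:03 srx RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 192.0.2.11(40044)->198.51.100.7(80) CATEGORY="stop-sites" REASON="BY_BLACK_LIST" PROFILE="wf-local" URL=www.game.co.uk OBJ=/deals username N/A roles N/A
Jun  3 10:17:10 srx sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 50200
"""

# Field layout is an assumption modelled on the WEBFILTER_URL_* events.
EVENT_RE = re.compile(
    r'(?P<event>WEBFILTER_URL_(?:BLOCKED|PERMITTED)): WebFilter: ACTION="(?P<action>[^"]+)" '
    r'(?P<src>[\d.]+)\((?P<sport>\d+)\)->(?P<dst>[\d.]+)\((?P<dport>\d+)\) '
    r'CATEGORY="(?P<category>[^"]*)" REASON="(?P<reason>[^"]*)" PROFILE="(?P<profile>[^"]*)" '
    r'URL=(?P<url>\S+) OBJ=(?P<obj>\S+)'
)


def parse_events(text):
    """Return one dict per recognised Web filtering event; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(text):
    """Counts an operator would look at first when reviewing the filter."""
    events = parse_events(text)
    blocked = [e for e in events if e["event"] == "WEBFILTER_URL_BLOCKED"]
    return {
        "total": len(events),
        "blocked": len(blocked),
        "permitted": len(events) - len(blocked),
        "top_blocked_urls": Counter(e["url"] for e in blocked).most_common(),
        "blocked_by_source": Counter(e["src"] for e in blocked).most_common(),
        "blocked_by_category": Counter(e["category"] for e in blocked).most_common(),
    }


def noisy_sources(text, threshold):
    """Source addresses with at least `threshold` blocked requests, most active first.
    Repeated blocks from one host usually mean an unaware user or a misconfigured
    application, either way worth a look before adjusting the policy."""
    counts = Counter(e["src"] for e in parse_events(text)
                     if e["event"] == "WEBFILTER_URL_BLOCKED")
    return [src for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SYSLOG).items():
        print(f"{key}: {value}")
    print("noisy sources:", noisy_sources(SAMPLE_SYSLOG, 3))
```

Feed the script the syslog export (or the output of the J-Web Web Filtering monitor) in place of SAMPLE_SYSLOG; the per-source view is the one that tells you whether a block count is one user retrying or many users hitting a site that may belong in a different category.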
Sample Configuration Output
In this section, we present samples of configurations that allow and block the websites defined in this example.
You configure the following Content Security settings at the [edit security utm] hierarchy level.
Creating custom objects:
```
custom-objects {
    url-pattern {
        blocked-sites {
            value [ http://*.gematsu.com http://*.game.co.uk ];
        }
        allowed-sites {
            value [ http://*.juniper.net http://*.google.com ];
        }
    }
    custom-url-category {
        good-sites {
            value allowed-sites;
        }
        stop-sites {
            value blocked-sites;
        }
    }
}
```
Creating the Web filtering profile:
```
default-configuration {
    web-filtering {
        url-whitelist good-sites;
        url-blacklist stop-sites;
        type juniper-local;
        juniper-local {
            default block;
            custom-block-message "Juniper Web Filtering has been set to block this site.";
            fallback-settings {
                default log-and-permit;
                server-connectivity log-and-permit;
                timeout log-and-permit;
                too-many-requests log-and-permit;
            }
        }
    }
}
feature-profile {
    web-filtering {
        juniper-local {
            profile wf-local {
                category {
                    stop-sites {
                        action block;
                    }
                    good-sites {
                        action log-and-permit;
                    }
                }
                timeout 30;
            }
        }
    }
}
```
Creating the Content Security policy:
```
utm-policy wf-custom-policy {
    web-filtering {
        http-profile wf-local;
    }
}
```
You configure the security policy rules at the [edit security policies] hierarchy level.
Creating rules for a security policy:
```
from-zone trust to-zone internet {
    policy wf-local-policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    utm-policy wf-custom-policy;
                }
            }
        }
    }
}
```