Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Creating Web Filtering Profiles

Before You Begin

  • Read the Content Security Overview topic.

  • Decide the filtering profile you want for the Content Security policy: Web Filtering, Antispam, Antivirus, or Content Filtering.

  • Review the Web Filtering Profile main page for an understanding of your current data set. See Web Filtering Profile Main Page Fields for field descriptions.

Use the Content Security policy page to configure Web filtering profiles.

Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. The following Web filtering solutions are supported:

  • Integrated Web Filtering—Blocks or permits Web access after the device identifies the category for a URL, either from user-defined categories or from a category server (SurfControl Content Portal Authority provided by Websense).

    Note:

    Integrated Web filtering feature is a separately licensed subscription service.

  • Redirect Web Filtering—Intercepts HTTP requests and forwards the server URL to an external URL filtering server to determine whether to block or permit the requested Web access. Websense provides the URL filtering server.

    Note:

    Redirect Web filtering does not require a license.

  • Juniper Local Web Filtering—Intercepts every HTTP request in a TCP connection. In this case, the decision making is done on the device after it looks up a URL to determine if it is in the allowlist or blocklist based on its user-defined category.

    Note:

    Local Web filtering does not require a license or a remote category server.

Once you create a profile, you can assign it to Content Security policies. Within the Content Security policy, you can apply either the same Web filtering profile or create one inline.

To create a Web filtering profile:

  1. Select Configure > UTM Policy > Web Filtering.
  2. Click the + icon to create a new Web filtering profile.
  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click Finish. A new Web filtering profile is created that you can associate with an Content Security policy.
Table 1: Web Filtering Profile Settings

Setting

Guideline

General Information

Name

Enter a unique name for the Web filtering profile that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 29 characters.

Description

Enter a description for the Web filtering profile; maximum length is 255 characters.

Engine Type

Select the required engine type from the drop-down list:

  • Juniper Enhanced— Configure Content Security enhanced Web filtering.

  • Surf Control—Configure a profile for the Web filtering surf-control integrated feature.

  • Websense Redirect—Configure a redirect Web filtering profile.

Default Action

Select the default action from the drop-down list.

Note:

This option is available only for Juniper Enhanced and Surf Control engine types.

Safe Search

Select a safe search solution to ensure that the embedded objects such as images on the URLs received from the search engines are safe and that no undesirable content is returned to the client.

By default, the Safe Search check box is selected

Note:

This option is available only for the Juniper Enhanced engine type. Save search redirect supports HTTP only. You cannot extract the URL for HTTPS. Therefore, it is not possible to generate a redirect response for HTTPS search URLs. Safe search redirects can be disabled by clearing the Safe Search check box.

Custom Block Message

Specify a custom message to be sent when HTTP requests are blocked.

Note:

If a message begins with http: or https:, the message is considered a block message URL. Messages that begin with values other than http: or https: are considered custom block messages.

Custom Quarantine Message

Custom Quarantine Message Use Content Security enhanced Web filtering to support block, log and permit, and permit actions on HTTP/HTTPS requests. Additionally, it supports the quarantine action, which allows or denies access to the blocked site based on the user’s response to the message.

The quarantine message contains the following information:

  • URL name

  • Quarantine name

  • Category (if available)

  • Site-reputation (if available)

Example: If you set the action for Enhanced_Search_Engines_and_Portals to quarantine, and you try to access www.search.yahoo.com, the quarantine message is as follows:

***The requested webpage is blocked by your organization’s access policy***.

Base Filter

When a URL category version is downloaded, a predefined base filter with default actions are also downloaded. All categories have default actions in a base filter. The base filter can be attached to user profile, which acts like a backup filter. The base filter takes action for the categories that are not configured in a user profile.

URL Categories

 

A URL category is a list of URL patterns grouped under a single title so a single action that applies to all URL patterns can be performed on the list.

Click the + icon to select one or more URL categories, an action, and a redirect profile. A redirect profile is applicable only for block and quarantine actions. You can create a new redirect profile by clicking Create New Redirect Profile. The created redirect profile is displayed in the Redirect Profile drop-down list. The following actions are available:

  • Log and Permit—Create a list of URL patterns that are logged, then permitted.

  • Block—Create a list of URL patterns that are denied access.

  • Quarantine—Create a list of URL patterns that are quarantined.

  • Permit—Create a list of URL patterns that are permitted.

Edit the action or redirect profile by clicking Apply Actions and updating the action and redirect profile.

Delete the URL category by selecting the URL category and clicking the X icon.

Fallback Options

 

The fallback options are used when the web filtering system experiences errors and must fallback to one of the previously configured actions to either deny (block) or permit the object.

  • Default Action— Select Log and Permit or Block from the drop-down list.

Global Reputation Actions

Uncategorized URL Actions

Select this check box if you want to apply global reputation actions.

Enhanced Web filtering intercepts HTTP and HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC). The TSC categorizes the URL into one of the predefined categories and also provides site reputation information for the URL to the device. The device determines if it can permit or block the request based on the information provided by the TSC.

The URLs can be processed using their reputation score if there is no category available. Select the action that you wish to take for the uncategorized URLs based on their reputation score:

  • Very Safe—Permit, log and permit, block, or quarantine a request if a site reputation of 90 through 100 is returned. By default, Permit is selected.

  • Moderately Safe—Permit, log and permit, block, or quarantine a request if a site reputation of 80 through 89 is returned. By default, Log and Permit is selected.

  • Fairly Safe—Permit, log and permit, block or quarantine a request if a site-reputation of 70 through 79 is returned. By default, Log and Permit is selected.

  • Suspicious—Permit, log and permit, block, or quarantine a request if a site reputation of 60 through 69 is returned. By default, Quarantine is selected.

  • Harmful—Permit, log and permit, block, or quarantine a request if a site reputation of 1 through 59 is returned. By default, Block is selected.

Note:

The Use global reputation check box is selected by default.