Create a Web Filtering Profile

Web filtering profiles enable you to manage Internet usage by preventing access to inappropriate Web content over HTTP.

To create a Web filtering profile:

  1. Select SRX > Security Subscriptions > Content Security > Web Filtering Profiles.

    The Web Filtering Profiles page appears.

  2. Click the add icon (+) to create a new Web filtering profile.

    The Create Web Filtering Profiles wizard appears, displaying brief instructions about creating a Web filtering profile.

  3. Click Next to navigate to the next page.
  4. Complete the configuration according to the guidelines provided in Table 1.
    Note:

    Fields marked with * are mandatory.

  5. Click Finish.

    A Web filtering profile is created, which you can associate with a content security profile. You are returned to the Web Filtering Profiles page where a confirmation message is displayed.

    Table 1: Creating Web Filtering Profiles Settings

    Setting

    Guideline

    General Information

    Name

    Enter a unique name for the Web filtering profile. The maximum length is 29 characters.

    Description

    Enter a description for the Web filtering profile. The maximum length is 255 characters.

    Timeout

    Enter a timeout (in seconds) to wait for a response from the Websense server. The default is 15 seconds and the maximum is 1800 seconds.

    Engine Type

    Select an engine type for Web filtering:

    • (Default) Juniper Enhanced—Content Security-enhanced Web filtering.

    • Juniper NextGen—Intercepts the HTTP and HTTPS traffic and sends URL information or the destination IP address to the Juniper NextGen Web Filtering (NGWF) Cloud. The NGWF Cloud categorizes the URL and provides site reputation information. Based on this information, SRX Series Firewall takes action on the traffic.

      Note:

      To use this option, you must have Junos OS version 23.4R1 or later installed.

    • Websense Redirect—Redirect Web filtering profile.

    • Local—Allows you to define custom URL categories, which can be included in blocklists and allowlists that are evaluated on the device.

    Safe Search

    Click the toggle button to enable (default) or disable the safe search. Safe search ensures that embedded objects, such as images on the URLs received from the search engines, are safe and that undesirable content is not returned to the client.

    Note:

    This option is available only for the Juniper Enhanced engine type. Safe search redirect supports only HTTP. The URL cannot be extracted from HTTPS traffic, so a redirect response cannot be generated for HTTPS search URLs.

    Custom Block Message/URL

    Specify the redirect URL or a custom message to be sent when HTTP requests are blocked. The maximum length is 1024 characters.

    Note:

    If a message begins with http: or https:, the message is considered a block URL. Messages that begin with values other than http: or https: are considered custom block messages.

    Click Back to go to the preceding step or click Next to go to the next step.

    Custom Quarantine Message

    Define a custom message to allow or deny access to a blocked site based on a user's response to the message. The maximum length is 512 characters.

    The quarantine message contains the following information:

    • URL name

    • Quarantine name

    • Category (if available)

    • Site reputation (if available)

    For example, if you set the action for Enhanced_Search_Engines_and_Portals to quarantine, and you try to access www.search.yahoo.com, the quarantine message is as follows: ***The requested webpage is blocked by your organization’s access policy***.

    Click Back to go to the preceding step or click Next to go to the next step.

    Account

    Specify the user account associated with the Websense Web filtering profile.

    Server

    Specify the hostname or an IP address for the Websense server.

    Port

    Specify the port number to use to communicate with the Websense server. The default port value is 15968.

    Click Back to go to the preceding step or click Next to go to the next step.

    Sockets

    Enter the number of sockets used for communication between the client and the server. The default value is 8.

    URL Categories

    Note:

    To select Juniper NextGen URL categories, you must have Junos OS version 23.4R1 or later installed.

    Deny Action List

    Click the Add URL Categories button to specify a list of URL categories that must be denied access.

    The Select URL Categories page appears. Complete the configuration according to the guidelines provided in Table 2.

    The list of URL categories selected is displayed in a text box.

    Log & Permit Action List

    Specify a list of URL categories that are logged and then permitted.

    The Select URL Categories page appears. Complete the configuration according to the guidelines provided in Table 2.

    The list of URL categories selected is displayed in a text box.

    Permit Action List

    Specify a list of URL categories that should be permitted access.

    The Select URL Categories page appears. Complete the configuration according to the guidelines provided in Table 2.

    The list of URL categories selected is displayed in a text box.

    Quarantine Action List

    Specify a list of URL categories that should be quarantined.

    The Select URL Categories page appears. Complete the configuration according to the guidelines provided in Table 2.

    The list of URL categories selected is displayed in a text box.

    Click Back to go to the preceding step or click Next to go to the next step.

    Fallback Options

    Global Reputation Actions

    Enhanced Web filtering intercepts HTTP and HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC). The TSC categorizes the URL into one of the predefined categories and provides the site reputation information to the device. The device determines if it can permit or block the request based on the information provided by the TSC.

    By default, the URLs are processed using their reputation score if there is no category available. Click the toggle button to disable global reputation actions or select the action that you want to take for the uncategorized URLs based on their reputation score:

    • Very Safe—Permit, log and permit, block, or quarantine a request if a site reputation value is 90 through 100. By default, Permit is selected.

    • Moderately Safe—Permit, log and permit, block, or quarantine a request if a site reputation of 80 through 89 is returned. By default, Log and Permit is selected.

    • Fairly Safe—Permit, log and permit, block, or quarantine a request if a site reputation of 70 through 79 is returned. By default, Log and Permit is selected.

    • Suspicious—Permit, log and permit, block, or quarantine a request if a site reputation of 60 through 69 is returned. By default, Quarantine is selected.

    • Harmful—Permit, log and permit, block, or quarantine a request if a site reputation of zero through 59 is returned. By default, Block is selected.

    Note:

    The site reputation score for each level can be modified as per user requirements under the Content Security Settings menu. For more information, see Configure the Content Security Settings.

    The site reputation score is not applicable for Juniper NextGen Web filtering.

    Default Action

    Choose the actions for URL categories with no assigned action and for uncategorized URLs. This is used only if no reputation action is assigned.

    Fallback Actions

    Default

    Select Log and Permit or Block (a default action) when an error occurs.

    Server connectivity

    Select Log and Permit or Block when the ThreatSeeker Websense Cloud servers are unreachable.

    Timeout

    Select Log and Permit or Block when a timeout occurs for requests to ThreatSeeker Cloud.

    Too many requests

    Select whether messages are blocked (default) or logged and permitted when the number of messages received concurrently exceeds the device limits.

    Table 2: Select URL Categories Settings

    Setting

    Guideline

    Show

    Choose which URL categories to display for selection: All categories, Custom URL categories, or Juniper NextGen URL categories.

    The Available column of the URL Categories field displays URL categories based on your selection.

    URL Categories

    Select one or more URL categories in the Available column and click the forward arrow to confirm your selection. The selected URL categories are displayed in the Selected column.

    Alternatively, click Create New URL Category to create a URL category and assign it to the URL category. The Create URL Categories page appears; for more information, see Create a URL Category.

    Click OK to confirm your selection. You are returned to the Create Web Filtering Profiles page.
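
The evaluation order that Table 1 describes (assigned category action, then reputation band, then default action, with the fallback actions applied on lookup errors), modeled as an added example that is not Juniper code. The profile dictionary layout, the function names and the custom category name are assumptions, and applying the reputation action ahead of the default action for any URL without an assigned category action is this example's reading of the Default Action row.

```python
# Added example: a model of the evaluation order in Table 1, not Juniper code.
# The profile dict layout and all function names are assumptions.

# Default reputation bands from the page: (low, high, level, default action).
BANDS = [
    (90, 100, "Very Safe", "permit"),
    (80, 89, "Moderately Safe", "log-and-permit"),
    (70, 79, "Fairly Safe", "log-and-permit"),
    (60, 69, "Suspicious", "quarantine"),
    (0, 59, "Harmful", "block"),
]

def reputation_action(score, overrides=None):
    """Map a site reputation score (0-100) to its band's action."""
    for low, high, level, action in BANDS:
        if low <= score <= high:
            return (overrides or {}).get(level, action)
    raise ValueError(f"reputation score out of range: {score}")

def resolve(profile, category=None, reputation=None, error=None):
    """Return the action the modeled profile takes for one request."""
    if error is not None:                      # lookup failed: fallback action
        return profile["fallback"][error]
    for action, names in profile["lists"].items():
        if category in names:                  # category has an assigned action
            return action
    if profile.get("global_reputation", True) and reputation is not None:
        return reputation_action(reputation, profile.get("overrides"))
    return profile["default_action"]           # nothing else matched

def fail_open_fallbacks(profile):
    """List error conditions under which traffic passes unfiltered."""
    return sorted(k for k, v in profile["fallback"].items()
                  if v == "log-and-permit")

# Constructed sample profile; the custom category name is made up.
SAMPLE = {
    "lists": {"block": {"custom_blocked_sites"},
              "quarantine": {"Enhanced_Search_Engines_and_Portals"}},
    "global_reputation": True,
    "default_action": "log-and-permit",
    "fallback": {"default": "block", "server-connectivity": "log-and-permit",
                 "timeout": "log-and-permit", "too-many-requests": "block"},
}

if __name__ == "__main__":
    print(resolve(SAMPLE, category="Enhanced_Search_Engines_and_Portals"))
    print(resolve(SAMPLE, reputation=65))
    print(fail_open_fallbacks(SAMPLE))
```

A fallback set to Log and Permit passes requests uninspected whenever the categorization service cannot answer, so the conditions that `fail_open_fallbacks` returns are the ones to review before a profile is attached to a content security profile.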