You are on page 1of 6

SRX UTM Web Filtering

On SRX, you can configure different types of web filtering. On this post, I would like to talk
about

Local Web Filtering

Enhanced Web Filtering

Topology of our setup is below. As obvious, we will filter HTTP requests sent by the PC towards
Internet.

Local Web Filtering


On this type of web filtering, we are using URL filters locally configured on the device. It
requires a bit of configuration but you will see that it is intuitive after you configure several
times.
First create some custom objects
[edit security utm]
root@srx# show custom-objec
url-pattern {
blocked-urls {

1
2
3
4
5
6
7
8

[edit security utm]


root@srx# show custom-objects
url-pattern {
blocked-urls {
value http://rtoodtoo.com;
}
allowed-urls {
value http://rtoodtoo.net;

9
10
11
12
13
14
15
16
17
18

}
}
custom-url-category {
bad-sites {
value blocked-urls;
}
good-sites {
value allowed-urls;
}
}
As you can see we create our objects (URLs or patterns) under url-pattern and
reference these objects under custom-url-category.
Now we create feature profile in which we reference our local URL objects along
with the fallback settings.
[edit security utm]
root@srx# show feature-profile
w eb-filtering {
url-w hitelist good-sites;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

[edit security utm]


root@srx# show feature-profile
web-filtering {
url-whitelist good-sites;
url-blacklist bad-sites;
type juniper-local;
juniper-local {
profile wf-local {
custom-block-message "Juniper UTM firewall blocked this request";
fallback-settings {
default log-and-permit;
server-connectivity block;
timeout block;
too-many-requests block;
}
}
}
}
type juniper-local is an important command that we need to understand
as we can have multiple web filtering types e.g juniper-enhanced and this
commands tells Junos which one is the active one.

Now we need to assign this local profile to a utm policy e.g wf-local
[edit security utm]
root@srx# show utm-policy w f
w eb-filtering {
http-profile w f-local;

1
2
3
4
5

[edit security utm]


root@srx# show utm-policy wf-local
web-filtering {
http-profile wf-local;
}
We are almost done. We have finished the UTM config but havent assigned
this to the policy which is from TRUST zone to INTERNET. Until you assign
it to a policy no action will be taken.
[edit]
root@srx# show security polici
from-zone TRUST to-zone INTER
policy trust-internet {

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

[edit]
root@srx# show security policies
from-zone TRUST to-zone INTERNET {
policy trust-internet {
match {
source-address n172.4.1.4_30;
destination-address any;
application [ junos-http junos-dns-udp junos-ping ];
}
then {
permit {
application-services {
utm-policy wf-local;
}
}
}
}
}
Now utm policy wf-local is assigned for this particular traffic. We are ready
to filter requests.

if the client PC tries to access http://rtoodtoo.com site, it will receive the


Juniper UTM firewall blocked this request message defined in the custom-block-message.
Enhanced Web Filtering
Enhanced filtering has already built-in categories. You just pick up the one you
like and set the action. Here we will block games and shopping sites and allow all others.
[edit security utm feature-profile
root@srx# show juniper-enhan
profile w f-enhanced {
category {

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

[edit security utm feature-profile web-filtering]


root@srx# show juniper-enhanced
profile wf-enhanced {
category {
Enhanced_Games {
action block;
}
Enhanced_Shopping {
action block;
}
}
default log-and-permit;
custom-block-message "Juniper UTM firewall blocked this request";
fallback-settings {
default log-and-permit;
server-connectivity block;
}
timeout 180;
}
if you have configured local web filtering in the previous step, SRX must have set
its type of filtering as local. Now we must change it to juniper-enhanced as below
[edit security utm feature-profile
root@srx# set type juniper-enh

1
2

[edit security utm feature-profile web-filtering]


root@srx# set type juniper-enhanced
Create a new policy referencing enhanced profile

[edit security utm]


root@srx# show utm-policy w f
w eb-filtering {
http-profile w f-enhanced;

1
2
3
4
5

[edit security utm]


root@srx# show utm-policy wf-enhanced
web-filtering {
http-profile wf-enhanced;
}
We are ready with the config now and assigning the policy is left.
[edit security policies from-zone
root@srx# show
policy trust-internet {
match {

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

[edit security policies from-zone TRUST to-zone INTERNET]


root@srx# show
policy trust-internet {
match {
source-address n172.4.1.4_30;
destination-address any;
application [ junos-http junos-dns-udp junos-ping ];
}
then {
permit {
application-services {
utm-policy wf-enhanced;
}
}
}
}
Now we have assigned enhanced utm policy wf-enhanced under security policy.
If you try to access a shopping site you will receive the following error now.
I dont want to name any shopping site name here:)
Juniper UTM firew all blocked thi
CATEGORY: Enhanced_Shoppi

1 Juniper UTM firewall blocked this request


2 CATEGORY: Enhanced_Shopping REASON: BY_PRE_DEFINED
If you want to see statistics and status of web filtering you can run the following
operational commands.
>show security utm w eb-filterin
>show security utm w eb-filterin

1
2

>show security utm web-filtering statistics


>show security utm web-filtering status
DISCLAIMER: Views expressed in this blog are my own and do not necessarily reflect those of