Wednesday, 21 November 2012

SRX UTM - Web Filtering

The Web filtering UTM module can block access to (HTTP) websites based on IP address or URL. This post configures both local and integrated web filtering. It builds on the UTM knowledge discussed in the UTM Overview post, so feel free to read that post first. The diagram below outlines the basic lab setup for this exercise.

Configure Local Web Filtering
1. Create Custom Objects for Black/Whitelists
To create a whitelist or blacklist, a url-pattern list containing the URLs must be created first. These url-pattern lists must then be added to a 'custom-url-category'. The screenshot below outlines the commands.

2. Create Feature Profile
In this step a feature profile is created. Black and white lists are defined using the custom-url-categories created in the previous step. The default action is also set (the default action is used if a URL doesn't match the black or white list). The screenshot below outlines the commands.

3. Create UTM Policy
In this step a UTM policy is created. An http-profile is set for the web filtering UTM module; in this case it is the feature profile we created in the previous step. The screenshot below outlines the commands.

4. Attach UTM Policy to Security Policy
In this step the UTM policy is configured under the desired security policy. In this example we are using a preconfigured security policy that is used for general outbound internet access. The screenshot below outlines the commands.
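
Steps 1 to 4 written out as Junos set commands. This is an added example, not the commands from the original screenshots. The object names, zone names, security policy name and example.com URLs are placeholders.

```junos
# Added example: all names in capitals, the zones and the URLs are placeholders.

# Step 1: url-pattern lists, then custom-url-categories that reference them
set security utm custom-objects url-pattern BLACKLIST-URLS value http://blocked.example.com
set security utm custom-objects url-pattern WHITELIST-URLS value http://allowed.example.com
set security utm custom-objects custom-url-category BLACKLIST value BLACKLIST-URLS
set security utm custom-objects custom-url-category WHITELIST value WHITELIST-URLS

# Step 2: bind the categories as black/white lists and create the local profile
set security utm feature-profile web-filtering url-blacklist BLACKLIST
set security utm feature-profile web-filtering url-whitelist WHITELIST
set security utm feature-profile web-filtering type juniper-local
# log-and-permit is the Junos keyword for a "permit and log" default action;
# it applies to URLs that match neither list
set security utm feature-profile web-filtering juniper-local profile WEBFILT-LOCAL default log-and-permit
set security utm feature-profile web-filtering juniper-local profile WEBFILT-LOCAL custom-block-message "Blocked by local web filtering policy"

# Step 3: UTM policy pointing the web filtering module at the profile
set security utm utm-policy UTM-POLICY web-filtering http-profile WEBFILT-LOCAL

# Step 4: attach the UTM policy to the outbound security policy
set security policies from-zone trust to-zone untrust policy OUTBOUND-INTERNET then permit application-services utm-policy UTM-POLICY
```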

Verify Local Web Filtering
1. Browse to
The output below confirms that we cannot browse to as this URL is on the blacklist.

2. Configure a Syslog File & View Web Filtering Logs
The screenshot below outlines the creation of a syslog file to capture web filtering logs. The match statement of "WEBFILTER_" is used to capture all web filtering logs.

The output below displays the log file. The default action was set to 'permit-and-log', which is why permitted URLs are shown in the log file.

To view only the blocked URLs we can run the same command but match on URL_BLOCKED. This displays only the web filtering URL blocked log events. The log file configuration could also be modified to match 'WEBFILTER_URL_BLOCKED'; this would write only these types of events to the log file.
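
The syslog file and the two views of it described above, entered from configuration mode. This is an added example, not the original screenshot content. The file name WEBFILTER-LOG is a placeholder.

```junos
# Added example: the file name WEBFILTER-LOG is a placeholder.

# Write every message containing "WEBFILTER_" to a dedicated file
set system syslog file WEBFILTER-LOG any any
set system syslog file WEBFILTER-LOG match "WEBFILTER_"

# Alternative: keep only block events in the file
# set system syslog file WEBFILTER-LOG match "WEBFILTER_URL_BLOCKED"

commit

# All web filtering events (includes permitted URLs when the default action logs them)
run show log WEBFILTER-LOG

# Only the block events
run show log WEBFILTER-LOG | match URL_BLOCKED
```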

Configure Integrated Web Filtering (Surf Control)
1. Confirm Licensing
The integrated web filtering (SurfControl) does require a license. The command 'show system license' can be used to display the installed licenses. The license 'wf_key_surfcontrol_cpa' is needed for this exercise.

2. Create Custom Objects for Black/Whitelists
Whitelists and blacklists are used in conjunction with integrated web filtering. We will use the existing whitelist and blacklist that were configured in step #1 of the previous exercise.

3. Create Feature Profile
In this step surf-control-integrated needs to be set as the type of filtering. Also a feature profile needs to be created. This profile will contain block or permit statements against Surf Control predefined categories along with the default action and block message. The screenshot below outlines the commands. In this policy I set the category of 'Sports' to an action of block.

4. Create UTM Policy
A UTM policy is created and an http-profile is assigned to the web filtering module. Other than the feature profile name being different this step is the same as the previous exercise.

5. Attach UTM Policy to Security Policy
We intentionally used the same UTM policy as the previous example. This policy is already attached to our outbound internet security policy. Please see step #4 in the previous exercise for details.
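
The integrated (SurfControl) configuration from steps 1 to 5 as Junos set commands, entered from configuration mode. This is an added example, not the original screenshot content. It assumes WEBFILT-SURF is the feature profile name and reuses the placeholder UTM policy name UTM-POLICY; the default action and block message are assumptions, since the post does not state them.

```junos
# Added example: UTM-POLICY is a placeholder; the default action and the
# block message text are assumptions.

# Step 1: confirm the wf_key_surfcontrol_cpa license is installed
run show system license

# Step 2: the url-blacklist / url-whitelist bindings from the local exercise
# stay in place and are reused as they are.

# Step 3: switch the engine type and build the category-based profile
set security utm feature-profile web-filtering type surf-control-integrated
set security utm feature-profile web-filtering surf-control-integrated profile WEBFILT-SURF category Sports action block
set security utm feature-profile web-filtering surf-control-integrated profile WEBFILT-SURF default log-and-permit
set security utm feature-profile web-filtering surf-control-integrated profile WEBFILT-SURF custom-block-message "Blocked by category policy"

# Step 4: point the existing UTM policy at the new profile
set security utm utm-policy UTM-POLICY web-filtering http-profile WEBFILT-SURF

# Step 5: nothing to change; UTM-POLICY is already attached to the
# outbound security policy.
commit

# Check that the SurfControl server is reachable before testing
run show security utm web-filtering status
```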

Verify Integrated Web Filtering
1. Browse to a sports related website.
In the screenshot below I attempt to browse to I am not permitted to browse to this site as it is classified in the category of 'sports' and the action for this category is deny.

2. View Logs
Again, when the web filter logs are reviewed we can see the site was blocked and the reason was 'by predefined category'.

3. Confirm Surf Control Server is Operational
The command 'show security utm web-filtering status' can be used to verify that the surf control server is available.

4. Show Web Filter Statistics
The command 'show security utm web-filtering statistics' can be used to view overall statistics such as queries to servers and counters for categories and lists.

5. Test URL against Web Filtering Profile
The command 'test security utm web-filtering' is a nice way to quickly verify a URL against a web filter policy. The screenshot below tests the URL against the policy WEBFILT-SURF.

Update Surf Control Cache Size and use Default SurfControl profile
1. Adjust Surf Control Cache
As mentioned in the UTM summary post, the SRX will maintain a cache of URL/Category mappings. This reduces the number of requests that are sent to the Surf Control service, as the categorization of commonly used websites will reside in the cache. The cache size is 500kB by default; the screenshot below outlines the command to change the cache size.

2. Update UTM Policy to use Predefined Feature Profile.
It can take quite a long time to create a feature-profile and specify actions for all categories. For people who want a quicker approach, default feature profiles can be used. The screenshot below outlines the configuration of a default feature profile against our already configured UTM policy.
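
Both changes as Junos set commands, entered from configuration mode. This is an added example, not the original screenshot content. The cache size value is arbitrary and UTM-POLICY is a placeholder name; junos-wf-cpa-default is the predefined profile named later in this post.

```junos
# Added example: the cache size value is arbitrary, UTM-POLICY is a placeholder.

# 1. Raise the URL/category cache above the 500 kB default (value in kilobytes)
set security utm feature-profile web-filtering surf-control-integrated cache size 1024

# 2. Replace the hand-built profile with the predefined SurfControl profile
set security utm utm-policy UTM-POLICY web-filtering http-profile junos-wf-cpa-default

commit

# Review which categories the predefined profile blocks before relying on it
run show configuration groups junos-defaults security utm feature-profile web-filtering
```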

Test Predefined Feature Profile
1. Confirm the settings in predefined feature profile
The command 'show configuration groups junos-defaults security utm feature-profile web-filtering' can be used to view the predefined feature profiles for web filtering.

2. Browse to site in a blocked category. 
From looking at the default feature-profile in the previous step we can see that the gambling category is blocked. The screenshot below tests the policy by browsing to a gambling site. As expected, access to the site is denied.

3. View Logs
The log files also confirm that the website was blocked. The log messages also list the profile used, so we can confirm that the default feature profile (junos-wf-cpa-default) is being used in this example.

The Websense-redirect method requires a server to redirect URLs to. For this reason I did not test this option. I would be curious to know if Websense offers this as a service so that customers don't need to have a physical server on premise.

The juniper-local filtering is a nice (license free) way of creating and managing a small number of sites on black and white lists. This option would not be feasible for full detailed URL filtering needs as it would become unmanageable very quickly.

The integrated web filtering provided by Surf Control is a good way to reduce the complexity by only managing categories. Configuration complexity can be further reduced by using a predefined feature profile.

In the next post I will review the UTM Content Filtering module.
