Example: Configuring Unified Threat Management for a Branch SRX Series

This example shows how to configure UTM quickly on your branch SRX Series by using the predefined UTM components.

Requirements

Before you begin, install or verify a UTM feature license. See Updating Licenses for a Branch SRX Series.

This example uses the following hardware and software components:

  • An SRX210
  • Junos OS Release 12.1X44-D10

Overview

In this example, you enable UTM components (antispam, antivirus, and Web filtering) on the SRX210 by applying the following preconfigured profiles:

  • Antispam protection by using the junos-as-defaults profile to block and filter spam e-mail messages.
  • Antivirus protection by using the junos-av-defaults profile to detect and block malicious code.
  • Web filtering by using the junos-wf-cpa-default profile to block access to (HTTP) websites based on IP address or URL.

After you create a UTM policy, attach the UTM policy to the default security policy.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security utm utm-policy policy-utm-all anti-spam smtp-profile junos-as-defaults
set security utm utm-policy policy-utm-all anti-virus http-profile junos-av-defaults
set security utm utm-policy policy-utm-all web-filtering http-profile junos-wf-cpa-default
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services utm-policy policy-utm-all

Step-by-Step Procedure

To configure UTM components:

  1. Create a UTM policy and apply the default antispam profile to the UTM policy.
    [edit]
    user@srx210-host# set security utm utm-policy policy-utm-all anti-spam smtp-profile junos-as-defaults
  2. Attach a predefined antivirus profile for the HTTP protocol to the UTM policy.
    [edit]
    user@srx210-host# set security utm utm-policy policy-utm-all anti-virus http-profile junos-av-defaults

    Note: A separate antivirus profile is required for each protocol. The available protocols include HTTP, SMTP, POP3, and IMAP.

  3. Attach a predefined Web filtering profile for HTTP to the UTM policy.
    [edit]
    user@srx210-host# set security utm utm-policy policy-utm-all web-filtering http-profile junos-wf-cpa-default
  4. Attach the UTM policy to the default security policy (policy from the trust zone to the untrust zone), and set the application services to be allowed.
    [edit]
    user@srx210-host# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any destination-address any application any
    user@srx210-host# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services utm-policy policy-utm-all

Results

From configuration mode, confirm your configuration by entering the show security utm and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@srx210-host# show security utm
utm-policy policy-utm-all {
    anti-virus {
        http-profile junos-av-defaults;
    }
    web-filtering {
        http-profile junos-wf-cpa-default;
    }
    anti-spam {
        smtp-profile junos-as-defaults;
    }
}
[edit]
user@srx210-host# show security policies from-zone trust to-zone untrust policy trust-to-untrust
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            application-services {
                utm-policy policy-utm-all;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Web Filtering Status

Purpose

Verify that the Web filtering status configuration is working properly.

Action

From operational mode, enter the show security utm web-filtering status command.

user@srx210-host> show security utm web-filtering status

 UTM web-filtering status:
    Server status: SC-CPA server up

Verifying Antispam Status

Purpose

Verify that the antispam filtering configuration is active.

Action

From operational mode, enter the show security utm anti-spam status command.

user@srx210-host> show security utm anti-spam status

SBL Whitelist Server:
SBL Blacklist Server:
    msgsecurity.example.net

DNS Server:
    Primary  :   208.67.222.222, Src Interface: ge-0/0/0
    Secondary:   208.67.220.220, Src Interface: ge-0/0/1
    Ternary  :    10.189.132.70, Src Interface: fe-0/0/2

Verifying Antivirus Protection

Purpose

Verify that the antivirus protection configuration is working properly.

Action

From operational mode, enter the show security utm anti-virus status command.

user@srx210-host> show security utm anti-virus status

UTM anti-virus status:

Anti-virus key expire date: 2010-12-31 00:00:00
Update server: http://update.juniper-updates.net/AV/SRX210
Interval: 120 minutes
Pattern update status: next update in 54 minutes
Last result: already have latest database
Anti-virus signature version: 09/03/2009 07:01 GMT-8, virus records: 467973
Anti-virus signature compiler version: N/A
Scan engine type: kaspersky-lab-engine
Scan engine information: last action result: No error(0x00000000)

Modified: 2016-06-24