ng-juniper
Syntax
base-filter {
    base-filter;
    ng-default-filter;
}
category category-name {
    action (block | log-and-permit | permit | quarantine);
    custom-message custom-message;
}
custom-message custom-message;
default (block | log-and-permit | permit | quarantine);
fallback-settings {
    default (block | permit);
    server-connectivity (block | log-and-permit);
    timeout (block | log-and-permit);
    too-many-requests (block | log-and-permit);
}
no-safe-search;
server {
    host host;
    port port;
    proxy-profile proxy-profile;
    routing-instance routing-instance;
    source-address source-address;
    tls-profile tls-profile;
}
site-reputation-action (very-safe | moderately-safe | fairly-safe | suspicious | harmful);
timeout timeout;
Hierarchy Level
[edit security utm default-configuration web-filtering ng-juniper]
[edit security utm feature-profile web-filtering ng-juniper profile name]
Description
Configure the Juniper NextGen Web filtering engine. Juniper NextGen Web filtering acts as the gateway through which SRX Series devices request the reputation or category of a URL from the Juniper NextGen Web Filtering (NGWF) cloud.
Options
Option | Description
base-filter | Juniper base filter.
ng-default-filter | Juniper default base filter.
category name | Juniper NextGen category name.
action | Action to perform when web traffic matches the category. The possible values are block, log-and-permit, permit, and quarantine.
custom-message | Custom message returned for the action taken when web traffic matches the category.
default | Juniper NextGen default profile.
fallback-settings | Juniper NextGen fallback settings, applied when the cloud cannot return a verdict.
no-safe-search | Do not perform safe-search for the Juniper NextGen protocol.
server | Configure the Juniper NextGen server.
host | Server host IP address or host name string.
port | Server port number.
proxy-profile | Proxy profile name.
routing-instance | Routing instance name.
source-address | Source IP address used to connect to the server.
tls-profile | SSL initiation profile.
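The following structured configuration is an added worked example, not a sample from the Junos documentation or from Juniper, showing an ng-juniper profile that exercises the options listed above and binds it to a UTM policy named WF, the policy name used in the sample later on this page. The profile name ngwf-prof, the category name Example_Category, the server host name and the source address are constructed placeholders; ssl_init_prof is the SSL initiation profile created in the page's own sample; the utm-policy web-filtering http-profile binding is ordinary Junos UTM configuration that this page does not itself show and is assumed here.

```junos
security {
    utm {
        feature-profile {
            web-filtering {
                ng-juniper {
                    profile ngwf-prof {
                        /* Placeholder category: substitute a name from the NGWF category list */
                        category Example_Category {
                            action block;
                            custom-message "Blocked by web-filtering policy";
                        }
                        /* Verdict for categories with no explicit action */
                        default log-and-permit;
                        /* Fail closed when the cloud cannot be reached or does not answer in time */
                        fallback-settings {
                            default block;
                            server-connectivity block;
                            timeout block;
                            too-many-requests log-and-permit;
                        }
                        server {
                            /* Placeholder NGWF endpoint; host name or IP address */
                            host ngwf.example.net;
                            port 443;
                            /* Placeholder source address; pick an interface the cloud can reach */
                            source-address 192.0.2.10;
                            /* SSL initiation profile from the sample on this page */
                            tls-profile ssl_init_prof;
                        }
                        /* Seconds to wait for a cloud verdict before the fallback timeout action applies */
                        timeout 10;
                    }
                }
            }
        }
        /* Assumed binding: attach the profile to the utm-policy referenced by the firewall policy */
        utm-policy WF {
            web-filtering {
                http-profile ngwf-prof;
            }
        }
    }
}
```

The fallback-settings block decides what happens when no verdict arrives: block on server-connectivity and timeout fails closed, so an outage of the cloud lookup denies uncategorized web traffic rather than silently permitting it, while log-and-permit on too-many-requests keeps a record of rate-limited lookups. Note also that the SSL initiation profile sample further down this page generates a 1024-bit RSA key and sets ignore-server-auth-failure; in production a 2048-bit or larger key and validation of the server certificate against a trusted CA are preferable, since the profile protects the channel carrying every URL the device looks up.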
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 23.4R1.
You must configure an SSL initiation profile for NGWF to communicate over HTTPS connections.
user@host# set security utm default-configuration web-filtering ng-juniper server ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  host                 Server host IP address or string host name
  port                 Server port (1..65535)
  proxy-profile        Proxy profile
  routing-instance     Routing instance name
  source-address       Source IP address used to connect server
  tls-profile          SSL initiation profile
The following is a configuration sample for an SSL initiation profile:
1. Create a self-signed certificate that can be used for the SSL handshake with the Content Security server.
   request security pki generate-key-pair certificate-id utmcert size 1024 type rsa
   request security pki local-certificate generate-self-signed certificate-id utmcert subject "DC=Domain_component,CN=utmcert,OU=SLT_QA,O=Juniper,L=Sunnyvale,ST=CA,C=US" ip-address 0.0.0.0 domain-name juniper.net
2. Configure the SSL initiation profile by referencing the certificate that you created.
   set services ssl initiation profile ssl_init_prof client-certificate utmcert
   set services ssl initiation profile ssl_init_prof actions ignore-server-auth-failure
   set services ssl initiation profile ssl_init_prof trusted-ca all
The following is a sample of the security policy configuration that is required for NGWF to work:
set security policies from-zone trust to-zone untrust policy fw_policy match source-address any
set security policies from-zone trust to-zone untrust policy fw_policy match destination-address any
set security policies from-zone trust to-zone untrust policy fw_policy match application any
set security policies from-zone trust to-zone untrust policy fw_policy then permit application-services ssl-proxy profile-name ssl-profile
set security policies from-zone trust to-zone untrust policy fw_policy then permit application-services utm-policy WF