Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Content Security Overview

Content Security provides multiple security features and services in a single device or service on the network, protecting users from security threats in a simplified way. Content Security includes functions such as antivirus, antispam, content filtering, and web filtering. Content Security secures the network from viruses, malware, or malicious attachments by scanning the incoming data using Deep Packet Inspection and prevents access to unwanted websites by installing Enhanced Web filtering. For more information, see the following topics:

Content Security Overview

Content Security is a term used to describe the consolidation of several security features into one device, protecting against multiple threat types. The advantage of Content Security is streamlined installation and management of these multiple security capabilities.

The security features provided as part of the Content Security solution are:

  • Antispam Filtering— E-mail spam consists of unwanted e-mail messages, usually sent by commercial, malicious, or fraudulent entities. The antispam feature examines transmitted e-mail messages to identify e-mail spam. When the device detects an e-mail message deemed to be spam, it either drops the message or tags the message header or subject field with a preprogrammed string. The antispam feature uses a constantly updated spam block list (SBL). Sophos updates and maintains the IP-based SBL. The antispam feature is a separately licensed subscription service.

  • Content Filtering— Content filtering blocks or permits certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type. Content filtering does not require a separate license.

  • Web Filtering— Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. There are three types of Web filtering solutions:

    1. The redirect Web filtering solution intercepts HTTP requests and forwards the server URL to an external URL filtering server provided by Websense to determine whether to block or permit the requested Web access. Redirect Web filtering does not require a separate license.

    2. The Juniper Local Web Filtering makes the decision for blocking or permitting Web access after it identifies the category for a URL from user-defined categories stored on the device. With Local filtering, there is no additional Juniper license or remote category server required.

    3. The enhanced Web filtering solution intercepts the HTTP and the HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC). The device determines if it can permit or block the request based on the information provided by the TSC. The enhanced Web filtering solution requires a separate license.

  • Starting with Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, on SRX1500 Services Gateways and vSRX Virtual Firewall instances, Content Security policies, profiles, MIME patterns, filename extensions, and protocol-command numbers are increased to 500; custom URL patterns and custom URL categories are increased to 1000.

    Starting with Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, SRX4100 and SRX4200 devices support up to 500 Content Security policies, profiles, MIME patterns, filename extensions, and protocol commands, and up to 1000 custom URL patterns and custom URL categories.

    Starting with Junos OS Release 18.2R1, NFX150 devices support up to 500 Content Security policies, profiles, MIME patterns, filename extensions, and protocol commands, and up to 1000 custom URL patterns and custom URL categories.

    Starting with Junos OS Release 18.2R1, the following commands under the [edit security utm feature-profile] hierarchy level are deprecated:

    • set web-filtering type

    • set web-filtering url-blacklist

    • set web-filtering url-whitelist

    • set web-filtering http-persist

    • set web-filtering http-reassemble

    • set web-filtering traceoptions

    • set web-filtering juniper-enhanced cache

    • set web-filtering juniper-enhanced reputation

    • set web-filtering juniper-enhanced query-type

    • set anti-virus mime-whitelist

    • set anti-virus url-whitelist

    • set anti-virus type

    • set anti-virus traceoptions

    • set anti-virus sophos-engine

    • set anti-spam address-blacklist

    • set anti-spam address-whitelist

    • set anti-spam traceoptions

    • set content-filtering traceoptions

    Starting with Junos OS Release 18.4R3, on SRX1500, SRX4100, SRX4200, SRX4600, SRX4800, SRX5400, SRX5600, and SRX5800 devices, Content Security policies, profiles, MIME patterns, filename extensions, protocol commands, and custom messages, are increased up to 1500. Custom URL patterns and custom URL categories are increased up to 3000.

    This feature requires a license. To understand more about Content Security Licensing, see, Juniper Licensing User Guide. Please refer to the Juniper Licensing Guide for general information about License Management. Please refer to the product Data Sheets at SRX Series Firewalls for details, or contact your Juniper Account Team or Juniper Partner.

  • Antivirus— The Avira antivirus module in the Content Security solution consists of a virus pattern database, an application proxy, a scan manager, and a configurable scan engine. The antivirus module on the SRX Series Firewall scans specific application layer traffic to protect the user from virus attacks and to prevent viruses from spreading.

Understanding Content Security Custom Objects

Before you can configure most Content Security features, you must first configure the custom objects for the feature in question. Custom objects are global parameters for Content Security features. This means that configured custom objects can be applied to all Content Security policies where applicable, rather than only to individual policies.

The following Content Security features make use of certain custom objects:

Starting in Junos OS Release 18.2R1, a new dynamic application policy match condition is added to SRX Series Firewalls, allowing an administrator to more effectively control the behavior of Layer 7 applications. To accommodate Layer 7 application-based policies in Content Security, the [edit security utm default-configuration] hierarchy level is introduced. If any parameter in a specific Content Security feature profile configuration is not configured, then the corresponding parameter from the Content Security default configuration is applied. Additionally, during the initial policy lookup phase which occurs prior to a dynamic application being identified, if there are multiple policies present in the potential policy list which contains different Content Security profiles, the SRX Series Firewall applies the default Content Security profile until a more explicit match has occurred.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
18.4R3
Starting with Junos OS Release 18.4R3, on SRX1500, SRX4100, SRX4200, SRX4600, SRX4800, SRX5400, SRX5600, and SRX5800 devices, Content Security policies, profiles, MIME patterns, filename extensions, protocol commands, and custom messages, are increased up to 1500. Custom URL patterns and custom URL categories are increased up to 3000
18.2R1
Starting with Junos OS Release 18.2R1, NFX150 devices support up to 500 Content Security policies, profiles, MIME patterns, filename extensions, and protocol commands, and up to 1000 custom URL patterns and custom URL categories.
18.2R1
Starting with Junos OS Release 18.2R1, the following commands under the [edit security utm feature-profile] hierarchy level are deprecated:
18.2R1
Starting in Junos OS Release 18.2R1, a new dynamic application policy match condition is added to SRX Series Firewalls, allowing an administrator to more effectively control the behavior of Layer 7 applications. To accommodate Layer 7 application-based policies in Content Security, the [edit security utm default-configuration] hierarchy level is introduced. If any parameter in a specific Content Security feature profile configuration is not configured, then the corresponding parameter from the Content Security default configuration is applied. Additionally, during the initial policy lookup phase which occurs prior to a dynamic application being identified, if there are multiple policies present in the potential policy list which contains different Content Security profiles, the SRX Series Firewall applies the default Content Security profile until a more explicit match has occurred.
15.1X49-D70
Starting with Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, SRX4100 and SRX4200 devices support up to 500 Content Security policies, profiles, MIME patterns, filename extensions, and protocol commands, and up to 1000 custom URL patterns and custom URL categories.
15.1X49-D60
Starting with Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, on SRX1500 Services Gateways and vSRX Virtual Firewall instances, Content Security policies, profiles, MIME patterns, filename extensions, and protocol-command numbers are increased to 500; custom URL patterns and custom URL categories are increased to 1000.