Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Content Security Supported Features

WELF Logging for Content Security Features

Understanding WELF Logging for Content Security Features

Content Security features support the WELF standard. The WELF Reference defines the WebTrends industry standard log file exchange format. Any system logging to this format is compatible with Firewall Suite 2.0 and later, Firewall Reporting Center 1.0 and later, and Security Reporting Center 2.0 and later.

A WELF log file is composed of records. Each record is a single line in the file. Records are always in chronological order. The earliest record is the first record in the file; the most recent record is the last record in the file. WELF places no restrictions on log filenames or log file rotation policies.

Note:

Each WELF record is composed of fields. The record identifier field (id=) must be the first field in a record. All other fields can appear in any order.

The following is a sample WELF record:

The fields from the example WELF record include the following required elements (all other fields are optional):

  • id (Record identifier)

  • time (Date/time)

  • fw (Firewall IP address or name)

  • pri (Priority of the record)

Example: Configuring WELF Logging for Content Security Features

This example shows how to configure WELF logging for Content Security features.

Requirements

Before you begin, review the fields used to create a WELF log file and record. See Content Security Overview.

Overview

A WELF log file is composed of records. Each record is a single line in the file. Records are always in chronological order. The earliest record is the first record in the file; the most recent record is the last record in the file. WELF places no restrictions on log filenames or log file rotation policies. In this example, the severity level is emergency and the name of the security log stream is utm-welf.

Configuration

Procedure
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure WELF logging for Content Security features:

  1. Set the security log source IP address.

    Note:

    You must save the WELF logging messages to a dedicated WebTrends server.

  2. Name the security log stream.

  3. Set the format for the log messages.

  4. Set the category of log messages that are sent.

  5. Set the severity level of log messages that are sent.

  6. Enter the host address of the dedicated WebTrends server to which the log messages are to be sent.

Results

From configuration mode, confirm your configuration by entering the show security log command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Security Log
Purpose

Verify that the WELF log for Content Security features is complete.

Action

From operational mode, enter the show security utm status command to verify if the Content Security service is running or not.

Explicit Proxy for Content Security

Content Security support the use of an explicit proxy for the cloud-based connectivity for Enhanced Web Filtering (EWF) and Sophos antivirus (SAV) on Content Security. The explicit proxy hides the identity of the source device and establishes a connection with the destination device.

Understanding Explicit Proxy

An explicit proxy hides the identity of source device, communicates directly with the Websense Threatseeker Cloud (TSC) server and establishes a connection with the destination device. The explicit proxy configuration consists of port address and direct IP address or hostname.

To use the explicit proxy, create one or more proxy profiles and refer to those profiles:

  • In EWF, the explicit proxy is configured by referring to the created proxy-profile in security utm default-configuration web-filtering juniper-enhanced server hierarchy. The connection is established with the TSC server.

  • In EWF predefined category upgrading and base filter, the explicit proxy is configured by referring to the created proxy-profile in security utm custom-objects category-package proxy-profile hierarchy. You can download and dynamically load new EWF categories without any software upgrade. The proxy-profile category file is installed and used for transfer of the traffic.

    SRX Series Firewall sends CONNECT request to the proxy server, the SRX Series Firewall and TSC server communicates through the HTTP connection. Then the proxy server is expected to identify the configured IP addresses, allowlist and allow SRX Series Firewall to send traffic to the TSC server in cloud via proxy. After proxy filtering, it will create connection to real TSC server.

  • In Sophos Antivirus (SAV), the explicit proxy is configured by referring to the created proxy-profile in security utm default-configuration anti-virus sophos-engine pattern-update hierarchy. The utmd process connects to the proxy host instead of the SAV pattern update server on the cloud.

On EWF, if the proxy profile is configured in Content Security Web filtering configuration, the TSC server connection is established with the proxy host instead of the Content Security server on the cloud.

On SAV, if the proxy profile is configured, the utmd process connects to the proxy host instead of the SAV pattern update server on the cloud.

Note:

The proxy server authentication is not supported if the proxy-profile is configured.

Configuring the Explicit Proxy on Juniper Enhanced Server

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

Create a proxy profile with host and port information, and refer it in the Juniper enhanced server to establish a connection to the Content Security cloud server.

The following configuration shows how to configure the explicit proxy on Juniper enhanced server.

  1. Assigning host IP address for proxy profile.
  2. Assigning port address for proxy profile.
  3. Assign the proxy profile to the Web filtering Juniper enhanced server.

Results

From configuration mode, confirm your configuration by entering the show security and show services command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verifying the Explicit Proxy Configuration on Juniper Enhanced Server

Purpose

Display the status of explicit server on Juniper enhanced server.

Action

From operational mode, enter the show security utm web-filtering status command.

user@host> show security utm web-filtering statusUTM web-filtering status: Server status: Juniper Enhanced using Websense server UP

Meaning

This command provides information on server status of Enhanced Web Filtering (EWF) using Websense Threatseeker Cloud (TSC).

Configuring the Predefined Category Upgrading and Base Filter Configuration Using Explicit Proxy

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

Create a proxy profile with host and port information, and refer it in the predefined category upgrade and base filter to download and dynamically load new EWF categories without any software upgrade.

The following configuration shows how to configure the explicit proxy on predefined category upgrading and base filter.

  1. Assigning host IP address for proxy profile.
  2. Assign port address for proxy profile.
  3. Assign the proxy profile to the category packages in the custom objects.

Results

From configuration mode, confirm your configuration by entering the show security and show services command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verifying the Predefined Category Upgrading and Base Filter Configuration

Purpose

Display the Enhanced Web Filtering (EWF) predefined category package download, install, and update status.

Action

From operational mode, enter the show security utm web-filtering category status CLI command to see the web filtering category status.

Note:

Before you execute the show security utm web-filtering category status CLI command, you must execute the request security utm web-filtering category download-install CLI command to get the results.

Meaning

This command provides information on the number of installed and downloaded categories and the update status.

Configuring the Sophos Antivirus Pattern Update

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

Create a proxy profile with host and port information, and refer it in the Sophos Antivirus (SAV) pattern update. The utmd process connects to the proxy host instead of the SAV pattern update server on the cloud.

The following configuration shows how to configure the explicit proxy on SAV pattern update.

  1. Assigning host IP address for proxy profile.
  2. Assign port address for proxy profile.
  3. Assign the proxy profile to the Sophos antivirus pattern update.

Results

From configuration mode, confirm your configuration by entering the show security and show services command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verifying the Sophos Antivirus Pattern Update

Purpose

Display the Sophos Antivirus (SAV) update pattern status.

Action

From operational mode, enter the show security utm anti-virus status CLI command to see the Content Security antivirus status.

Meaning

This command provides information on the the Sophos Antivirus (SAV) pattern update server, update status, antivirus signature version, antivirus engine type and antivirus engine information.

Unified Policies for Content Security

Understanding Unified Policies [Content Security]

Unified policies are now supported on SRX Series Firewalls, allowing granular control and enforcement of dynamic Layer 7 applications within the traditional security policy.

Unified policies are security policies in which you can use dynamic applications as match conditions along with existing 5-tuple or 6-tuple matching conditions (with user firewall) to detect application changes over time. The use of unified policies enable you to enforce a set of rules for the transit traffic. It uses the match criteria, namely, source zone, destination zone, source addresses, destination addresses, and application names. This results in potential match policies.

The unified policy configuration handles all Application Firewall (AppFW) functionalities and simplifies the task of configuring firewall policy to permit or block application traffic from the network. As part of the unified policy, a new dynamic application policy match condition is added to SRX Series Firewalls, allowing an administrator to more effectively control the behavior of Layer 7 applications.

To accommodate Layer 7 application-based policies in Content Security, the [edit security utm default-configuration] command is introduced. If any parameter in a specific Content Security feature profile configuration is not configured, then the corresponding parameter from the Content Security default configuration is applied.

Additionally, during the initial policy lookup phase which occurs prior to a dynamic application being identified, if there are multiple policies present in the potential policy list which contains different Content Security profiles, the SRX Series Firewall applies the default Content Security profile until a more explicit match has occurred.

Understanding Default Content Security Policy

A new predefined default Content Security policy is available with the factory default configuration to provide a default Content Security configuration. This predefined global Content Security policy inherits the configuration from the default Content Security configuration profile.

If there is an existing Content Security policy defined, it will continue to be used to evaluate traffic based on the existing security policy configuration.

When a policy lookup is performed, existing Content Security policies are evaluated prior to global policies. The predefined Content Security default policy is leveraged if multiple Content Security policies exist in the potential policy list during the Content Security session creation process.

The predefined Content Security default policy parameters are included under [edit security utm default-configuration] hierarchy level. These parameters are available for Web filtering, content filtering, antivirus, and antispam profile. If no Content Security feature profile is configured (Web filtering, content filtering, antivirus, and antispam), the parameters in the predefined global Content Security configuration are applied.

The predefined Content Security default policy is available in [edit groups junos-defaults security utm]. You can modify certain parameters for Web filtering, content filtering, antivirus, and antispam. You can also modify default Content Security profile parameters for Web filtering, content filtering, antivirus, and antispam features profiles at [edit security utm default-configuration].

Content Security Support for Chassis Cluster

Content Security is supported for active/active chassis cluster and active/backup chassis cluster configuration. For more information, see the following topics:

Understanding Content Security Support for Active/Active Chassis Cluster

Content Security requires a license for each device in the chassis cluster setup. For information about how to purchase a software license, contact your Juniper Networks sales representative at https://www.juniper.net/in/en/contact-us/ and for more information refer Licensing guide.

All the following Content Security features are supported in active/active chassis cluster:

  • Antispam Filtering

  • Content Filtering

  • Sophos Antivirus Scanning

  • Enhanced Web Filtering

  • Local Web Filtering

  • Websense Redirect Web Filtering

  • On-box/Avira AV

Content Security supports active/active chassis cluster configuration from Junos OS Release 19.4R1 onwards. Active/Active cluster is a cluster where interfaces can be active on both cluster nodes simultaneously. This is the case when there are more than one data-plane redundancy-groups, that is redundancy-groups 1 and higher or when local (non-reth) interfaces are used on the cluster nodes.

Enhanced Web Filtering cloud connection does not support failover, it will create new connection automatically after the old connection is retired.

Understanding Content Security Support for Active/Backup Chassis Cluster

Content Security requires a license for each device in the chassis cluster setup. For information about how to purchase a software license, contact your Juniper Networks sales representative at https://www.juniper.net/in/en/contact-us/.

The following Content Security features are supported in chassis cluster:

  • Content filtering

  • URL (Web) filtering

  • Antispam filtering

  • Full file-based antivirus scanning

  • Sophos antivirus scanning

Active/Active cluster is a cluster where interfaces can be active on both cluster nodes at the same time. This is the case when there are more than one data-plane redundancy-groups, i.e. redundancy-groups 1 and higher or when local (non-reth) interfaces are used on the cluster nodes.

If multiple data-plane redundancy-groups are configured, Content Security works only if all the redundancy groups are active in the single node. In case one of the redundancy-group failed over automatically to another node, Content Security won't work.

Allowlist

A URL allowlist defines all the URLs listed for a specific category to always bypass the scanning process. The allowlist include hostnames that you want to exempt from undergoing SSL proxy processing. For more information, see the following topics:

Understanding MIME Allowlist

The gateway device uses MIME (Multipurpose Internet Mail Extension) types to decide which traffic may bypass antivirus scanning. The MIME allowlist defines a list of MIME types and can contain one or many MIME entries.

A MIME entry is case-insensitive. An empty MIME is an invalid entry and should never appear in the MIME list. If the MIME entry ends with a / character, prefix matching takes place. Otherwise, exact matching occurs.

There are two types of MIME lists used to configure MIME type antivirus scan bypassing:

  • mime-allowlist list—This is the comprehensive list for those MIME types that can bypass antivirus scanning.

  • exception list—The exception list is a list for excluding some MIME types from the mime-allowlist list. This list is a subset of MIME types found in the mime-allowlist.

    For example, if the mime-allowlist includes the entry,video/ and the exception list includes the entry video/x-shockwave-flash, by using these two lists, you can bypass objects with “video/” MIME type but not bypass “video/x-shockwave-flash” MIME type.

    You should note that there are limits for mime-allowlist entries as follows:

    • The maximum number of MIME items in a MIME list is 50.

    • The maximum length of each MIME entry is restricted to 40 bytes.

    • The maximum length of a MIME list name string is restricted to 40 bytes.

Example: Configuring MIME Allowlist to Bypass Antivirus Scanning

This example shows how to configure MIME allowlists to bypass antivirus scanning.

Requirements

Before you begin, decide the type of MIME lists used to configure MIME type antivirus scan bypassing. See Understanding MIME Allowlist.

Overview

In this example, you create MIME lists called avmime2 and ex-avmime2 and add patterns to them.

Configuration

Procedure
Step-by-Step Procedure

To configure MIME allowlists to bypass antivirus scanning:

  1. Create MIME lists and add patterns to the lists.

  2. If you are done configuring the device, commit the configuration.

Verification

Verify the MIME Allowlist Configuration
Purpose

To verify the MIME allowlist configuration is working properly.

Action

From operational mode, enter the show security utm command.

Understanding URL Allowlist

A URL allowlist defines all the URLs listed for a specific category to always bypass the scanning process. The allowlist includes hostnames that you want to exempt from undergoing SSL proxy processing. There are also legal requirements to exempt financial and banking sites; such exemptions are achieved by configuring URL categories corresponding to those hostnames under the URL allowlists. If any URLs do not require scanning, corresponding categories can be added to this allowlisting.

Starting with Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, the allowlisting feature is extended to include URL categories supported by Content Security in the allowlist configuration of SSL forward proxy. For more information, see Application Security User Guide for Security Devices.

Starting with Junos OS Release 17.4R1, the allowlisting feature is extended to support custom URL categories supported by Content Security in the allowlist configuration of SSL forward proxy.

Configuring URL Allowlist to Bypass Antivirus Scanning (CLI Procedure)

To configure URL allowlists, use the following CLI configuration statements:

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
17.4R1
Starting with Junos OS Release 17.4R1, the allowlisting feature is extended to support custom URL categories supported by Content Security in the allowlist configuration of SSL forward proxy.
15.1X49-D80
Starting with Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, the allowlisting feature is extended to include URL categories supported by Content Security in the allowlist configuration of SSL forward proxy. For more information, see Application Security User Guide for Security Devices.