SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Editing predefined UTM profiles

    Posted 09-25-2012 05:15

    Hi All

    It looks like we have several nice predefined UTM profiles and policies which make life easier, such as

    lab@jsrxB-2# show groups junos-defaults security utm utm-policy junos-av-wf-policy
    anti-virus {
        http-profile junos-av-defaults;
        ftp {
            upload-profile junos-av-defaults;
            download-profile junos-av-defaults;
        }
        smtp-profile junos-av-defaults;
        pop3-profile junos-av-defaults;
        imap-profile junos-av-defaults;
    }
    web-filtering {
        http-profile junos-wf-cpa-default;
    }

    But if we start to use them and then want to modify something, can we just edit the predefined profile? For example, I want to turn off antivirus's intelligent prescreening while keeping all other settings as default. Then my config will be just

    set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options no-intelligent-prescreening

    And

    lab@jsrxB-2# show security policies
    from-zone z1 to-zone z0 {
        policy z1-z0 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        utm-policy junos-av-wf-policy;
                    }
                }
            }
        }
    }

    Looks like it works. But is it totally ok and supported to edit those predefined profiles and policies? Or is it a better approach to create my own every time?



  • 2.  RE: Editing predefined UTM profiles
    Best Answer

    Posted 09-25-2012 05:37

    I can't see why it wouldn't be fine, as the junos-defaults configuration is just added on top of the rest of the policy.

    After adding your command:

    scan-options {
        no-intelligent-prescreening;
        ##
        ## 'all' was inherited from group 'junos-defaults'
        ##
        scan-mode all;
        ##
        ## '10000' was inherited from group 'junos-defaults'
        ##
        content-size-limit 10000;
        ##
        ## '180' was inherited from group 'junos-defaults'
        ##
        timeout 180;
        ##
        ## '2' was inherited from group 'junos-defaults'
        ##
        decompress-layer-limit 2;
    }

    And before:

    scan-options {
        ##
        ## 'intelligent-prescreening' was inherited from group 'junos-defaults'
        ##
        intelligent-prescreening;
        ##
        ## 'all' was inherited from group 'junos-defaults'
        ##
        scan-mode all;
        ##
        ## '10000' was inherited from group 'junos-defaults'
        ##
        content-size-limit 10000;
        ##
        ## '180' was inherited from group 'junos-defaults'
        ##
        timeout 180;
        ##
        ## '2' was inherited from group 'junos-defaults'
        ##
        decompress-layer-limit 2;
    }
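The reply's output shows the "## '...' was inherited from group 'junos-defaults'" annotations that the inheritance display adds above each statement that still comes from the default group. As an added example (not code from either post), here is a small parser for that annotated format that reports which statements in a stanza are set locally, i.e. which defaults an operator has actually overridden; the sample stanza is constructed from the reply's "after" output, and the display format is assumed to follow it exactly.

```python
import re
from typing import List, Optional, Tuple

# Annotation that "show ... | display inheritance" prints above a statement that
# comes from a configuration group (e.g. junos-defaults) rather than local config.
INHERIT_RE = re.compile(r"^##\s+'[^']*' was inherited from group '(?P<group>[^']+)'$")

def parse_inheritance(text: str) -> List[Tuple[str, Optional[str]]]:
    """(statement path, source group or None) for every leaf statement.

    An inheritance comment attaches to the next leaf statement (line ending
    in ';'); bare '##' lines are skipped; braces track the enclosing stanza.
    """
    result, stack, pending = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("##"):
            m = INHERIT_RE.match(line)
            pending = m.group("group") if m else pending
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
            pending = None
        elif line == "}":
            stack.pop()
            pending = None
        elif line.endswith(";"):
            result.append((" ".join(stack + [line[:-1].strip()]), pending))
            pending = None
    return result

def local_overrides(text: str) -> List[str]:
    """Statements set locally, i.e. not inherited from any group."""
    return [path for path, group in parse_inheritance(text) if group is None]

# Constructed sample: the scan-options stanza after the override from the reply.
SAMPLE_AFTER = """
scan-options {
    no-intelligent-prescreening;
    ##
    ## 'all' was inherited from group 'junos-defaults'
    ##
    scan-mode all;
}
"""

if __name__ == "__main__":
    print(local_overrides(SAMPLE_AFTER))  # ['scan-options no-intelligent-prescreening']
```

Feeding it the full "before" stanza from the reply returns an empty list, which is a quick way to confirm that a predefined profile is still untouched.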