SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX: UTM log when doing web-filtering local shows IP addresses as URLs

    Posted 12-05-2014 12:12

    Hi Experts,

     

    We've been trying to do simple local web-filtering without success. When troubleshooting it, we see that all URLs shown in the logs are IP addresses (destination addresses of the visited sites). As an example:

     

    root@SRX# run show log WEB    
    Sep 9 00:31:47 SRX clear-log[7955]: logfile cleared
    Sep  9 01:06:05  SRX RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.70.2(51435)->157.55.235.147(443) CATEGORY="N/A" REASON="BY_OTHER" PROFILE="WF-PROFILE" URL=157.55.235.147 OBJ=/ USERNAME=N/A ROLES=N/A
    Sep  9 01:06:15  SRX RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.70.2(51461)->91.190.216.23(443) CATEGORY="N/A" REASON="BY_OTHER" PROFILE="WF-PROFILE" URL=91.190.216.23 OBJ=/ USERNAME=N/A ROLES=N/A
    Sep  9 01:06:16  SRX RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.70.2(51470)->181.24.14.145(443) CATEGORY="N/A" REASON="BY_OTHER" PROFILE="WF-PROFILE" URL=181.24.14.145 OBJ=/ USERNAME=N/A ROLES=N/A
    Sep  9 01:06:16  SRX RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.70.2(51478)->66.219.218.77(443) CATEGORY="N/A" REASON="BY_OTHER" PROFILE="WF-PROFILE" URL=66.219.218.77 OBJ=/ USERNAME=N/A ROLES=N/A

     

    As a side note on this testing, the "internet" zone has an interface (outside) connected to our LAN, which has a proxy. I don't think this would interfere, but just in case.

     

    The relevant security config is as follows:

     

    root@SRX# show security utm

    utm {
        custom-objects {
            url-pattern {
                SITE-BLOCK {
                    value http://*.cisco.com;
                }
            }
            custom-url-category {
                BLOQUEO-URLS {
                    value SITE-BLOCK;
                }
            }
        }
        feature-profile {
            web-filtering {                 
                url-blacklist BLOQUEO-URLS;
                type juniper-local;
                juniper-local {
                    profile WF-PROFILE {
                        default permit;
                        custom-block-message " - Site blocked -";
                        fallback-settings {
                            default block;
                            too-many-requests block;
                        }
                    }
                }
            }
        }
        utm-policy FILTRO-UTM {
            web-filtering {
                http-profile WF-PROFILE;
            }
        }                                   
    }

     

    root@SRX# show security policies
    from-zone invitados to-zone internet {
        policy invitados-to-internet {
            match {
                source-address SOURCE-INVITADOS;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        utm-policy FILTRO-UTM;
                    }
                }
            }
        }
    }

     

    Any feedback is highly appreciated!!

    Thanks,

    Lucas.-

     



  • 2.  RE: SRX: UTM log when doing web-filtering local shows IP addresses as URLs

    Posted 12-05-2014 12:24

    Your SRX is definitely doing name resolution, it seems. Your UTM config looks fine, but it's pretty weird that the destination URL is being resolved to IPs. I can't say the proxy has anything to do with it, but if I were you, I'd try to eliminate the proxy and compare the result.



  • 3.  RE: SRX: UTM log when doing web-filtering local shows IP addresses as URLs
    Best Answer

    Posted 12-05-2014 20:20

    Hi Lucas,

     

    You have configured the local type of web filtering on the SRX.

    It will block only the locally configured blacklist of websites.

     

    It will block only port 80 based HTTP blacklisted websites configured in the blacklist.

     

    But in your case, you are testing HTTPS connections on port 443.

     

    Sep  9 01:06:05  SRX RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.70.2(51435)->157.55.235.147(443) CATEGORY="N/A" REASON="BY_OTHER" PROFILE="WF-PROFILE" URL=157.55.235.147 OBJ=/ USERNAME=N/A ROLES=N/A

     

    Try adding port 80 based websites to the blacklist and verify it.


    Regards,
    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
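
Added example (not written by any poster in this thread): a small Python parser for the RT_UTM web-filter lines quoted above. It tallies entries by destination port and by whether the URL field is a bare IP address, so the port 443 pattern pointed out in this answer stands out in a larger log. The last sample line is constructed, and the regex assumes the log layout shown in the thread.

```python
import ipaddress
import re
from collections import Counter

# The first three lines are copied from the thread. The last line is CONSTRUCTED
# to show a plain-HTTP entry carrying a hostname in the same layout.
SAMPLE_LOG = """\
Sep 9 00:31:47 SRX clear-log[7955]: logfile cleared
Sep  9 01:06:05  SRX RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.70.2(51435)->157.55.235.147(443) CATEGORY="N/A" REASON="BY_OTHER" PROFILE="WF-PROFILE" URL=157.55.235.147 OBJ=/ USERNAME=N/A ROLES=N/A
Sep  9 01:06:15  SRX RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.70.2(51461)->91.190.216.23(443) CATEGORY="N/A" REASON="BY_OTHER" PROFILE="WF-PROFILE" URL=91.190.216.23 OBJ=/ USERNAME=N/A ROLES=N/A
Sep  9 01:07:02  SRX RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.70.2(51502)->198.51.100.10(80) CATEGORY="N/A" REASON="BY_OTHER" PROFILE="WF-PROFILE" URL=www.example.com OBJ=/index.html USERNAME=N/A ROLES=N/A
"""

# Assumed layout (taken from the lines above): event name, then
# src(sport)->dst(dport), then a URL= field later on the same line.
LINE_RE = re.compile(
    r'RT_UTM: (?P<event>WEBFILTER_\w+):.*?'
    r'(?P<src>[\d.]+)\((?P<sport>\d+)\)->(?P<dst>[\d.]+)\((?P<dport>\d+)\)'
    r'.*?\bURL=(?P<url>\S+)'
)

def is_ip_literal(value):
    """True when the URL field holds an address rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_webfilter(log_text):
    """Return one dict per web-filter entry; other syslog lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. the "logfile cleared" line
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        rec["url_is_ip"] = is_ip_literal(rec["url"])
        records.append(rec)
    return records

def summarize(records):
    """Count (destination port, URL-is-IP) pairs across all entries."""
    return Counter((r["dport"], r["url_is_ip"]) for r in records)

if __name__ == "__main__":
    for (port, is_ip), n in sorted(summarize(parse_webfilter(SAMPLE_LOG)).items()):
        print(f"dport={port} url_is_ip={is_ip} count={n}")
```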



  • 4.  RE: SRX: UTM log when doing web-filtering local shows IP addresses as URLs

    Posted 12-10-2014 06:56

    Hi Guys,

     

    The issue was definitely the proxy. We finally tested it with an IP allowed to go out without passing through the proxy and it worked just fine! (Of course, taking care of whether it's http or https.)

     

    Thanks!