jadkarout

UTM - Local Web filtering requires a license ?

Hi guys,

I'm currently testing web filtering on an SRX 210. According to the documentation, local web filtering doesn't require a license. However, when I commit I get the following message:

[edit security policies from-zone lan to-zone internet policy pass then permit]
'application-services'
warning: license not installed for
commit complete

Despite the message, the local web filtering feature does seem to be functional, as indicated by:

jad> show security utm web-filtering status 
UTM web-filtering status:
Server status: Juniper local URL filtering

But when I run a test on a website that should be blocked according to my config, it doesn't get blocked at all, and the UTM engine doesn't seem to be doing much:

jad> show security utm web-filtering statistics    
UTM web-filtering statistics:
Total requests: 0
white list hit: 0
Black list hit: 0
Web-filtering sessions in total: 8000
Web-filtering sessions in use: 0
Fallback:            log-and-permit   block
  Default                         0       0
  Timeout                         0       0
  Connectivity                    0       0
  Too-many-requests               0       0

Here's my security configuration:

jad> show configuration security
utm {
    custom-objects {
        url-pattern {
            search {
                value [ http://*.yahoo.com http://*.msn.com ];
            }
            big {
                value [ "http://*.google.???" "http://*.bahoogle.???" ];
            }
            tech {
                value http://*.juniper.net;
            }
        }
        custom-url-category {
            block {
                value [ search big ];
            }
            pass {
                value tech;
            }
        }
    }
    feature-profile {
        web-filtering {
            url-whitelist pass;
            url-blacklist block;
            type juniper-local;
            juniper-local {
                profile local-engine {
                    default permit;
                    custom-block-message "no can do amigo !";
                    fallback-settings {
                        default block;
                        too-many-requests block;
                    }
                }
            }
        }
    }
    utm-policy utm-wf {
        web-filtering {
            http-profile local-engine;
        }
    }
}
policies {
    from-zone lan to-zone internet {
        policy pass {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        utm-policy utm-wf;
                    }
                }
            }
        }
    }
    default-policy {
        deny-all;
    }
}
zones {
    security-zone lan {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone internet {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
}

Does anyone spot anything weird in this config? Why do I get a message about a license for local web filtering when there shouldn't be any?

pk

Re: UTM - Local Web filtering requires a license ?

Hi

Your config looks good and should be working. But it's suspicious that "Total requests" does not increase. Did you try to reboot the box?

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
johnrbaker

Re: UTM - Local Web filtering requires a license ?

There are some known issues with license error messages. I have a ticket open with JTAC and they are expecting it to be fixed soon.

I have not tested it, but it may have been fixed in 10.4R5.5, 11.1.R3 (due in the next few weeks) and 11.2.R1 (end of month).

jadkarout

Re: UTM - Local Web filtering requires a license ?

Well, the reboot doesn't change much...

What is puzzling is that, on top of the warning message, web filtering seems not to be working, as the counters of the show security utm web-filtering statistics command don't increase at all!

jadkarout

Re: UTM - Local Web filtering requires a license ?


Some updates:

Originally, the SRX box was running 11.1R2.3.

I downgraded to the recommended version for branch SRX, i.e. 10.4R4.5. It still gave an error message, but a slightly different one:

[edit security policies from-zone lan to-zone internet policy pass then permit]
'application-services'
warning: license not installed for Karsperky anti-virus
commit complete

Then I proceeded to upgrade to 10.4R5.5 and it just worked! No more error message, and web filtering just works!
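The symptom in this thread is a filter whose status looks healthy while its counters never move, so after a fix it is worth confirming enforcement from the counters rather than from the status line. The following is an added example, not code from any poster or from Juniper: it compares two captures of the `show security utm web-filtering statistics` output taken before and after requesting a blacklisted test URL from the lan zone. The second capture is constructed, and the reading of the Fallback rows (log-and-permit count, then block count) is an assumption based on the header line as posted.

```python
import re

# Statistics output as posted in the thread: every counter is stuck at zero.
STUCK = """UTM web-filtering statistics:
Total requests: 0
white list hit: 0
Black list hit: 0
Web-filtering sessions in total: 8000
Web-filtering sessions in use: 0
Fallback: log-and-permit block
Default 0 0
Timeout 0 0
Connectivity 0 0
Too-many-requests 0 0
"""
# Constructed sample (not from the thread): a capture after the engine saw traffic.
WORKING = (STUCK.replace("Total requests: 0", "Total requests: 12")
                .replace("Black list hit: 0", "Black list hit: 3"))


def parse_stats(text):
    """Return (counters, fallback) parsed from the statistics output."""
    counters, fallback = {}, {}
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"([A-Za-z][\w\- ]*?):\s*(\d+)", line)
        if m:  # "name: value" counter lines
            counters[m.group(1).lower()] = int(m.group(2))
            continue
        m = re.fullmatch(r"([A-Za-z][\w\-]*)\s+(\d+)\s+(\d+)", line)
        if m:  # fallback rows (assumed order): log-and-permit count, block count
            fallback[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return counters, fallback


def assess(before, after):
    """Compare two captures taken around a request to a blacklisted test URL."""
    old, _ = parse_stats(before)
    new, fallback = parse_stats(after)
    keys = ("total requests", "white list hit", "black list hit")
    delta = {k: new.get(k, 0) - old.get(k, 0) for k in keys}
    findings = []
    if delta["total requests"] == 0:
        findings.append("engine saw no requests: traffic is passing unfiltered")
    elif delta["black list hit"] == 0:
        findings.append("requests inspected, but the test URL did not hit the blacklist")
    passed = sum(permit for permit, _ in fallback.values())
    if passed:
        findings.append(f"{passed} request(s) permitted by a fallback action")
    return delta, findings


if __name__ == "__main__":
    for label, after in (("stuck", STUCK), ("working", WORKING)):
        print(label, assess(STUCK, after))
```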

 

 
