06-19-2011 01:42 PM
Hi guys,
I'm currently testing web filtering on an SRX 210. According to the documentation, local web filtering doesn't require a license. However, when I commit I get the following message:
[edit security policies from-zone lan to-zone internet policy pass then permit]
'application-services'
warning: license not installed for
commit complete
Despite the message, the local web filtering feature does seem to be functional, as indicated by:
jad> show security utm web-filtering status
UTM web-filtering status:
Server status: Juniper local URL filtering
But when I run a test on a website that should be blocked according to my config, it doesn't get blocked at all, and the UTM engine doesn't seem to be doing much:
jad> show security utm web-filtering statistics
UTM web-filtering statistics:
Total requests: 0
white list hit: 0
Black list hit: 0
Web-filtering sessions in total: 8000
Web-filtering sessions in use: 0
Fallback: log-and-permit block
Default 0 0
Timeout 0 0
Connectivity 0 0
Too-many-requests 0 0
Here's my security configuration:
jad> show configuration security
utm {
    custom-objects {
        url-pattern {
            search {
                value [ http://*.yahoo.com http://*.msn.com ];
            }
            big {
                value [ "http://*.google.???" "http://*.bahoogle.???" ];
            }
            tech {
                value http://*.juniper.net;
            }
        }
        custom-url-category {
            block {
                value [ search big ];
            }
            pass {
                value tech;
            }
        }
    }
    feature-profile {
        web-filtering {
            url-whitelist pass;
            url-blacklist block;
            type juniper-local;
            juniper-local {
                profile local-engine {
                    default permit;
                    custom-block-message "no can do amigo !";
                    fallback-settings {
                        default block;
                        too-many-requests block;
                    }
                }
            }
        }
    }
    utm-policy utm-wf {
        web-filtering {
            http-profile local-engine;
        }
    }
}
policies {
    from-zone lan to-zone internet {
        policy pass {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        utm-policy utm-wf;
                    }
                }
            }
        }
    }
    default-policy {
        deny-all;
    }
}
zones {
    security-zone lan {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone internet {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
}
Does anyone spot anything weird in this config? Why do I get a license message for local web filtering when there shouldn't be one?
Solved!
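As an added illustration (not code from the original post, and not Juniper's own engine), the following Python script does two offline checks a practitioner would want while troubleshooting a setup like the one above: it parses the text of show security utm web-filtering statistics and flags the "Total requests: 0" symptom, and it evaluates test URLs against the posted custom objects and local-engine profile. It assumes the juniper-local engine consults the url-whitelist first, then the url-blacklist, then the profile default; that in a URL pattern `*` matches any run of characters and `?` exactly one character; and that a pattern without a path is compared against scheme and host only. Those three points are assumptions made here, not statements from the thread, so treat classify_url() as a sanity check on the custom objects rather than as a model of the device.

```python
import re
from urllib.parse import urlsplit

# Constructed from the thread's configuration (custom-objects plus the
# local-engine profile). The wildcard semantics and lookup order used below
# are assumptions stated in the lead-in, not facts from the post.
URL_PATTERNS = {
    "search": ["http://*.yahoo.com", "http://*.msn.com"],
    "big": ["http://*.google.???", "http://*.bahoogle.???"],
    "tech": ["http://*.juniper.net"],
}
URL_CATEGORIES = {"block": ["search", "big"], "pass": ["tech"]}
PROFILE = {"url-whitelist": "pass", "url-blacklist": "block", "default": "permit"}


def pattern_to_regex(pattern):
    """Turn a Junos-style URL pattern into an anchored, case-insensitive regex.
    Assumed wildcard rules: '*' matches any run of characters, '?' exactly one."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def url_in_category(url, category):
    """True if any pattern of any url-pattern object in the category matches.
    A pattern is tried against the full URL and against scheme://host, so a
    request carrying a path still hits a host-only pattern (assumption)."""
    parsed = urlsplit(url)
    host_only = f"{parsed.scheme}://{parsed.netloc}"
    for obj in URL_CATEGORIES[category]:
        for pattern in URL_PATTERNS[obj]:
            regex = pattern_to_regex(pattern)
            if regex.match(url) or regex.match(host_only):
                return True
    return False


def classify_url(url):
    """Return (action, reason) for a URL under the posted profile:
    whitelist first, then blacklist, then the profile default."""
    if url_in_category(url, PROFILE["url-whitelist"]):
        return "permit", "whitelist"
    if url_in_category(url, PROFILE["url-blacklist"]):
        return "block", "blacklist"
    return PROFILE["default"], "default"


# Copied from the original post's 'show security utm web-filtering statistics'.
STATS_SAMPLE = """\
UTM web-filtering statistics:
Total requests: 0
white list hit: 0
Black list hit: 0
Web-filtering sessions in total: 8000
Web-filtering sessions in use: 0
Fallback: log-and-permit block
Default 0 0
Timeout 0 0
Connectivity 0 0
Too-many-requests 0 0
"""

# Matches 'name: number' counter lines; the header and the fallback table
# (which has no colon followed by a number) are skipped.
COUNTER_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(\d+)\s*$")


def parse_wf_statistics(text):
    """Return a dict such as {'total requests': 0, ...} from the CLI output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            counters[m.group(1).strip().lower()] = int(m.group(2))
    return counters


def engine_is_idle(counters):
    """The symptom from the post: session slots exist, but no request has
    ever been handed to the web-filtering engine."""
    return (counters.get("total requests", 0) == 0
            and counters.get("web-filtering sessions in total", 0) > 0)


if __name__ == "__main__":
    for u in ["http://www.google.com", "http://www.google.co.uk",
              "http://mail.yahoo.com/inbox", "http://www.juniper.net/us/en/",
              "http://www.example.org"]:
        print(u, classify_url(u))
    print("engine idle:", engine_is_idle(parse_wf_statistics(STATS_SAMPLE)))
```

Note that http://www.google.co.uk falls through to the default because the posted pattern http://*.google.??? only accepts exactly three characters after the last dot; if the intent was to cover country TLDs the pattern needs adjusting. The parse_wf_statistics() check is what the second reply in the thread is looking at: if "total requests" stays at zero while traffic flows through the policy, the engine is not seeing the sessions at all.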
06-19-2011 11:31 PM
Hi
Your config looks good and should be working. But it's suspicious that "Total requests" does not increase. Did you try to reboot the box?
06-20-2011 01:19 AM
There are some known issues with license error messages. I have a ticket open with JTAC and they are expecting it to be fixed soon.
I have not tested it, but it may have been fixed in 10.4R5.5, 11.1R3 (due in the next few weeks) and 11.2R1 (end of month).
06-20-2011 08:35 AM
Well the reboot doesn't change much...
What is puzzling is that, on top of the warning message, web filtering seems not to be working, as the counters of a show security utm web-filtering statistics command don't increase at all!
06-21-2011 07:58 AM - edited 06-21-2011 07:59 AM
Some updates:
Originally, the SRX box was running 11.1R2.3.
I downgraded to the recommended version for branch SRX, i.e. 10.4R4.5. It still gave an error message, but a slightly different one:
[edit security policies from-zone lan to-zone internet policy pass then permit]
'application-services'
warning: license not installed for Karsperky anti-virus
commit complete
Then I proceeded to upgrade to 10.4R5.5 and it just worked! No more error message, and web filtering just works!