SRX


  • 1.  UTM Whitelist not working

    Posted 03-01-2017 04:14

    I need to set up the SRX UTM to allow only whitelisted URLs.  My problem is that the whitelist is not working.  The blacklist does work, so I know UTM is working.  Can anyone see what's wrong in my config?  This is a simple config in the lab for now.

     

    ## Last changed: 2017-03-01 17:42:52 GMT-6
    /* Junos release the posted lab configuration was captured from. */
    version 15.1X49-D75.5;
    /* Platform and management settings for the lab SRX: host name, device resolvers, local admin account, management services, DHCP server, logging and NTP. */
    system {
        host-name JUNIPER;
        time-zone GMT-6;
        root-authentication {
            /* hash value appears to have been stripped from the posted config */
            encrypted-password
        }
        /* Resolvers used by the device itself (device-originated traffic is not subject to the zone policies further down). */
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        login {
            user nadmin {
                uid 2000;
                class super-user;
                authentication {
                    /* hash value appears to have been stripped from the posted config */
                    encrypted-password
                }
            }
        }
        services {
            ssh;
            /* NOTE(review): telnet is a cleartext protocol, and the Internal and Guest zones below list it as allowed host-inbound traffic, so admin credentials would cross the LAN unencrypted. Prefer ssh only. */
            telnet;
            web-management {
                /* NOTE(review): cleartext J-Web, bound to the LAN interface and to ge-0/0/0.0, which is the Internet-facing interface per the zones stanza. */
                http {
                    interface [ ge-0/0/1.0 ge-0/0/0.0 ];
                }
                https {
                    /* device-generated (self-signed) certificate */
                    system-generated-certificate;
                    /* also bound to ge-0/0/0.0; with https in the Internet zone's host-inbound list, J-Web is reachable from the untrust side */
                    interface [ ge-0/0/1.0 ge-0/0/0.0 ];
                }
                session {
                    idle-timeout 60;
                }
            }
            /* DHCP server for the Internal LAN (192.168.0.0/24 on ge-0/0/1) and the Guest LAN (172.16.1.0/24 on ge-0/0/2); settings learned by the DHCP client on ge-0/0/0 are handed on to clients. */
            dhcp {
                pool 192.168.0.0/24 {
                    address-range low 192.168.0.190 high 192.168.0.200;
                    router {
                        192.168.0.1;
                    }
                }
                pool 172.16.1.0/24 {
                    address-range low 172.16.1.50 high 172.16.1.199;
                    router {
                        172.16.1.1;
                    }
                }
                propagate-settings ge-0/0/0;
            }
        }
        /* Local file logging only. The messages file captures 'any critical', so informational events (UTM web-filtering permit/block messages are normally logged at that level) would not appear here - NOTE(review): worth relaxing while troubleshooting web filtering, confirm against the event logs. */
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        /* NOTE(review): 'us.ntp.pool.org' looks like a transposition of us.pool.ntp.org - verify; an unreachable NTP source leaves log timestamps unreliable. */
        ntp {
            server us.ntp.pool.org;
        }
    }
    security {
        /* UTM web filtering with the on-box (juniper-local) engine and custom allow/deny URL categories. */
        utm {
            custom-objects {
                url-pattern {
                    /* allow entry, written as a bare host name */
                    allowed-urls {
                        value www.yahoo.com;
                    }
                    /* deny entry, written with a scheme - NOTE(review): the two patterns use different forms; keep them consistent and confirm which form the local engine matches on */
                    blocked-urls {
                        value http://www.msn.com;
                    }
                }
                custom-url-category {
                    good-sites {
                        value allowed-urls;
                    }
                    bad-sites {
                        value blocked-urls;
                    }
                }
            }
            feature-profile {
                web-filtering {
                    /* custom categories used as the engine's allow list and deny list */
                    url-whitelist good-sites;
                    url-blacklist bad-sites;
                    type juniper-local;
                    juniper-local {
                        profile local-engine {
                            /* NOTE(review): 'default permit' allows every URL that is on neither list, so the whitelist adds nothing to what is already allowed and the stated goal of "whitelisted URLs only" is not enforced; only the blacklist has an effect as configured. For an allow-only posture this needs 'default block', with the whitelist as the exception. */
                            default permit;
                        }
                    }
                }
            }
            /* Only an http-profile is attached, so this UTM policy only ever sees HTTP; HTTPS is not inspected. */
            utm-policy utm-wf-local {
                web-filtering {
                    http-profile local-engine;
                }
            }
        }
        /* IDS screen profile; applied to the Internet zone (security-zone Internet: screen untrust-screen). */
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    spoofing;
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    port-scan;
                    /* SYN-flood protection with the poster's thresholds (packets per second) and a 20 s half-open timeout */
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            /* Interface-based source NAT for Internal->Internet and Guest->Internet; all sources are translated to the egress interface address. */
            source {
                rule-set nsw_srcnat {
                    from zone Internal;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set Guest-Nat {
                    from zone Guest;
                    to zone Internet;
                    rule Guest-Nat {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            /* NOTE(review): destination NAT pools only - no destination rule-set references them in the posted config, so these port-forwards are inactive as shown. If rules are added later, the Internet->Internal policies (RDPpolicy, webmgr) are what would admit the forwarded traffic. */
            destination {
                /* J-Web on the Internal interface address, HTTP and HTTPS */
                pool webmgt {
                    routing-instance {
                        default;
                    }
                    address 192.168.0.1/32 port 80;
                }
                pool webmgt443 {
                    routing-instance {
                        default;
                    }
                    address 192.168.0.1/32 port 443;
                }
                /* RDP to individual Internal hosts; pool name encodes the last octet */
                pool RDP11 {
                    routing-instance {
                        default;
                    }
                    address 192.168.0.11/32 port 3389;
                }
                pool RDP29 {
                    routing-instance {
                        default;
                    }
                    address 192.168.0.29/32 port 3389;
                }
                pool RDP22 {
                    routing-instance {
                        default;
                    }
                    address 192.168.0.22/32 port 3389;
                }
                pool RDP12 {
                    routing-instance {
                        default;
                    }
                    address 192.168.0.12/32 port 3389;
                }
                pool RDP33 {
                    routing-instance {
                        default;
                    }
                    address 192.168.0.33/32 port 3389;
                }
                pool RDP32 {
                    routing-instance {
                        default;
                    }
                    address 192.168.0.32/32 port 3389;
                }
                pool RDP30 {
                    routing-instance {
                        default;
                    }
                    address 192.168.0.30/32 port 3389;
                }
                pool RDP13 {
                    routing-instance {
                        default;
                    }
                    address 192.168.0.13/32 port 3389;
                }
                pool RDP04 {
                    routing-instance {
                        default;
                    }
                    address 192.168.0.4/32 port 3389;
                }
            }
        }
        /* Zone policies. Policies within a context are evaluated top-down, first match wins. */
        policies {
            from-zone Internal to-zone Internet {
                /* Only junos-http is permitted with UTM attached. junos-https is not matched here and so falls through to the deny policy below - this is why a site that redirects HTTP to HTTPS appears "blocked" even when whitelisted. */
                policy utm-wf-policy {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-http;
                    }
                    then {
                        permit {
                            application-services {
                                utm-policy utm-wf-local;
                            }
                        }
                    }
                }
                /* Catch-all deny. NOTE(review): no DNS application is permitted above, so Internal clients cannot resolve names through this zone pair - presumably the test host resolves some other way; confirm. */
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            /* NOTE(review): both inbound policies admit any source to any Internal destination. They carry no traffic without destination NAT rules (none are present in the posted config), but if port-forwarding is enabled, narrowing source-address to known management networks limits exposure of RDP and J-Web to the Internet. */
            from-zone Internet to-zone Internal {
                /* uses the custom 'RDP' application defined in the applications stanza */
                policy RDPpolicy {
                    match {
                        source-address any;
                        destination-address any;
                        application RDP;
                    }
                    then {
                        permit;
                    }
                }
                policy webmgr {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-http junos-https ];
                    }
                    then {
                        permit;
                    }
                }
            }
            /* Guest LAN gets unrestricted, un-inspected Internet access (no UTM policy attached). */
            from-zone Guest to-zone Internet {
                policy All_Guest_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            /* Internal LAN, ge-0/0/1.0 (192.168.0.1/24). */
            security-zone Internal {
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            /* NOTE(review): 'all' already covers http/https/ssh/telnet, so the explicit entries are redundant; 'all' also opens every other management service to the LAN. Listing just the services needed is the tighter form. */
                            system-services {
                                all;
                                http;
                                https;
                                ssh;
                                telnet;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            /* Untrust side, ge-0/0/0.0 (DHCP client); IDS screen applied here. */
            security-zone Internet {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            /* dhcp is required for the DHCP client on this interface. NOTE(review): ssh and https expose device management to the Internet-facing side, and tftp is unusual on an untrust interface - confirm each is intended. */
                            system-services {
                                tftp;
                                dhcp;
                                ssh;
                                https;
                            }
                        }
                    }
                }
            }
            /* Guest LAN, ge-0/0/2.0 (172.16.1.1/24). */
            security-zone Guest {
                interfaces {
                    ge-0/0/2.0 {
                        host-inbound-traffic {
                            /* NOTE(review): same pattern as Internal - 'all' makes the explicit entries redundant and exposes all management services (including cleartext telnet/http) to guests. */
                            system-services {
                                all;
                                telnet;
                                http;
                                ssh;
                                https;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        /* Internet-facing uplink (zone Internet); address learned via DHCP */
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        /* Internal LAN (zone Internal); also the router address handed out by the 192.168.0.0/24 DHCP pool */
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.0.1/24;
                }
            }
        }
        /* Guest LAN (zone Guest); router address for the 172.16.1.0/24 DHCP pool */
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 172.16.1.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            /* NOTE(review): 192.168.1.254 is not inside any configured subnet (192.168.0.0/24, 172.16.1.0/24), and ge-0/0/0 is a DHCP client. Unless the lease places ge-0/0/0 in 192.168.1.0/24 this next hop is unresolvable and the DHCP-learned default route is what is actually used - confirm with 'show route'. */
            route 0.0.0.0/0 next-hop 192.168.1.254;
        }
    }
    applications {
        /* Custom RDP application referenced by RDPpolicy (Internet->Internal): TCP to port 3389 from ephemeral source ports. */
        application RDP {
            protocol tcp;
            source-port 1024-65535;
            destination-port 3389;
        }
    }



  • 2.  RE: UTM Whitelist not working
    Best Answer

     
    Posted 03-01-2017 05:31

    Hello ,

     

    Try clearing the web filtering statistics:

    >clear security utm web-filtering statistics

     

    Then browse to the whitelisted site and collect the following output 5-6 times:

     

    >  show security utm web-filtering statistics

     

    Also make sure your traffic stays as "http" and does not get redirected to "https".

     



  • 3.  RE: UTM Whitelist not working

     
    Posted 03-01-2017 06:56

    As per my understanding you are testing traffic from " from-zone Internal to-zone Internet ".

     

    When you open www.yahoo.com, it hits the security policy "utm-wf-policy" and then hits UTM policy "utm-wf-local"

     

    The security policy permits this as it's HTTP, and the UTM policy permits it as it's whitelisted.

     

    But by default Yahoo sends a redirect requesting the browser to connect on HTTPS/443.

     

    Now when the browser tries to connect to https://yahoo.com, this will be blocked by the security policy, as it only allows HTTP.

     

     

    You can do the same test with www.bbc.com, which uses HTTP only, and confirm whether the whitelist is working or the same issue is seen.



  • 4.  RE: UTM Whitelist not working

    Posted 03-01-2017 07:09

    You are correct, that was the problem.  I had already figured that out by following Jose's advice, but I did give a Kudos for nailing it.