SRX

  • 1.  UTM web-filtering juniper-local profile

    Posted 08-21-2012 04:34

    Good day.

    I configured an SRX650 to filter URL traffic from the internal LAN to the Internet. For host 192.168.140.101/32 I want to permit only web traffic to the google.ru and mail.ru sites and discard all other web traffic for it. Do I need a UTM license for this goal? I tried to configure it, but web filtering doesn't work.

    This is my configuration:

    set security zones security-zone trust address book address 192.168.140.101/32 192.168.140.101/32
    set security utm custom-objects url-pattern Black_Test value *
    set security utm custom-objects url-pattern White_Test value [ http://*.mail.ru http://*.google.ru ]
    set security utm custom-objects custom-url-category blocked-sites value Black_Test
    set security utm custom-objects custom-url-category allowed-sites value White_Test
    set security utm feature-profile web-filtering url-whitelist allowed-sites
    set security utm feature-profile web-filtering url-blacklist blocked-sites
    set security utm feature-profile web-filtering type juniper-local
    set security utm feature-profile web-filtering juniper-local profile jun-local custom-block-message ***DENY***
    set security utm feature-profile web-filtering juniper-local profile jun-local fallback-settings default block
    set security utm feature-profile web-filtering juniper-local profile jun-local fallback-settings timeout block
    set security utm feature-profile web-filtering juniper-local profile jun-local fallback-settings too-many-requests block
    set security utm feature-profile web-filtering juniper-local profile jun-local timeout 1800
    set security utm utm-policy web-filter web-filtering http-profile jun-local
    set security policies from-zone trust to-zone untrust policy WEB_FILTER_TEST match source-address 192.168.140.101/32
    set security policies from-zone trust to-zone untrust policy WEB_FILTER_TEST match destination-address any
    set security policies from-zone trust to-zone untrust policy WEB_FILTER_TEST match application any
    set security policies from-zone trust to-zone untrust policy WEB_FILTER_TEST then permit application-services utm-policy web-filter



  • 2.  RE: UTM web-filtering juniper-local profile

    Posted 08-21-2012 12:02

    Hi

    It should definitely be working without a license. Is it blocking or permitting all sites?

    Your config looks good to me, but I think "Black_Test value *" is an incorrect configuration, as the URL should include "http://". Can you try to replace it with http://*, or just remove the black list completely (as you have default deny)? Please tell me the result.

    P.S. Actually, AFAIK it checks the black list first, so you should not use * in it; it will block everything.



  • 3.  RE: UTM web-filtering juniper-local profile

    Posted 08-21-2012 22:53

    Thanks for the reply!

    I changed it to "http://*" but it still does not work. This is the output of the command "show security utm web-filtering statistics":


    root@ROUTER_TOP# run show security utm web-filtering statistics
    UTM web-filtering statistics:
    Total requests: 64
    white list hit: 0
    Black list hit: 0
    Web-filtering sessions in total: 64000
    Web-filtering sessions in use: 0
    Fallback: log-and-permit block
    Default 0 0
    Timeout 0 0
    Connectivity 0 0
    Too-many-requests 0 0

     

    I do not understand why the traffic does not match the policy. I try to open any site from host 192.168.140.101 and every web page opens without problem. Maybe I need to use the external (NATed) address instead of the internal 192.168.140.101?



  • 4.  RE: UTM web-filtering juniper-local profile
    Best Answer

    Posted 08-22-2012 07:30

    Hi

    Tried it in my lab. There are several problems here. If you want to block everything by default, do

    set security utm feature-profile web-filtering juniper-local profile jun-local default block

    The pattern http://*.mail.ru does not actually block mail.ru, only something.mail.ru. So use

    White_Test {
       value [ http://*.mail.ru http://mail.ru http://*.google.ru http://google.ru ];
    }

     

    (Google seems to use https by default, so it will not work for it now.)

    The sequence of URL checking is as follows:

    blacklist -> whitelist -> default action

    so you do not want to have * in the black list. However, "*" and "http://*" will not work anyway. "*" can only appear before "." in the URL pattern. So, for example, "http://*.org" works.

    My UTM config that works:

     

    lab@J-test# show security utm 
    custom-objects {
        url-pattern {
            Black_Test {
                value [ http://*.org ];
            }
            White_Test {
                value [ http://*.mail.ru http://mail.ru http://*.google.ru http://google.ru ];
            }
        }
        custom-url-category {
            blocked-sites {
                value Black_Test;
            }
            allowed-sites {
                value White_Test;
            }
        }
    }
    feature-profile {
        web-filtering {
            url-whitelist allowed-sites;
            url-blacklist blocked-sites;
            type juniper-local;
            juniper-local {
                profile jun-local {
                    default block;
                    custom-block-message ***DENY***;
                    fallback-settings {
                        default block;
                        timeout block;
                        too-many-requests block;
                    }
                    timeout 1800;
                }
            }
        }
    }
    utm-policy web-filter {
        web-filtering {
            http-profile jun-local;
        }
    }
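
    The following is an added example, not code from this thread or from Juniper: a small Python model of how the juniper-local profile decides a request, in the order the reply above gives (blacklist, then whitelist, then the profile's default action) and with the url-pattern rules it describes (a "*" is only usable as a leading "*." label, so http://*.mail.ru matches www.mail.ru but not mail.ru, and "*" or "http://*" are rejected). The exact label-matching semantics, the assumption that a profile without a "default" statement permits, and the shortcut that HTTPS is never seen by an http-profile are illustrative assumptions, not verified Junos behaviour. The pattern values and list names are the thread's own.

```python
"""
Added example (not from the thread): model of juniper-local web-filtering
decisions: blacklist -> whitelist -> profile default action.
Assumptions are marked in comments; this is not Junos code.
"""
from urllib.parse import urlsplit


class InvalidPattern(ValueError):
    """Raised for url-pattern values the reply says do not work ('*', 'http://*')."""


def compile_pattern(pattern):
    """Return (scheme, host_matcher) for one url-pattern value."""
    if "://" not in pattern:
        raise InvalidPattern(f"{pattern!r}: value must start with a scheme such as http://")
    scheme, rest = pattern.split("://", 1)
    host = rest.split("/", 1)[0].lower()
    if host in ("", "*"):
        # '*' and 'http://*' from the thread: no host label at all, rejected.
        raise InvalidPattern(f"{pattern!r}: '*' is only allowed before '.', e.g. http://*.org")
    if host.startswith("*."):
        suffix = host[1:]  # "*.mail.ru" -> ".mail.ru"
        if "*" in suffix:
            raise InvalidPattern(f"{pattern!r}: only one leading '*.' wildcard is supported")
        # endswith(".mail.ru") matches www.mail.ru and a.b.mail.ru but never the
        # apex mail.ru itself, which is the gap the reply points out (assumed semantics).
        return scheme.lower(), lambda h, s=suffix: h.endswith(s)
    if "*" in host:
        raise InvalidPattern(f"{pattern!r}: '*' is only allowed as a leading '*.' label")
    return scheme.lower(), lambda h, exact=host: h == exact


def is_valid_pattern(pattern):
    """True if compile_pattern accepts the value."""
    try:
        compile_pattern(pattern)
        return True
    except InvalidPattern:
        return False


def evaluate(url, blacklist, whitelist, default_action="permit"):
    """Decide one request; returns (action, reason).

    default_action models the profile's 'default' statement. It is assumed to be
    permit when the statement is absent, which is consistent with the original
    config letting every site through with 0 white/black list hits.
    """
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme != "http":
        # Assumption matching the reply's remark about Google using HTTPS: an
        # http-profile never inspects a TLS connection, so no list is consulted.
        return "permit", "not inspected: http-profile only sees plain HTTP"
    for list_name, patterns in (("blacklist", blacklist), ("whitelist", whitelist)):
        for pattern in patterns:
            pscheme, matches = compile_pattern(pattern)
            if pscheme == scheme and matches(host):
                action = "block" if list_name == "blacklist" else "permit"
                return action, f"{list_name} hit: {pattern}"
    return default_action, "profile default action"


# Pattern sets taken from the thread.
ORIGINAL_WHITELIST = ["http://*.mail.ru", "http://*.google.ru"]
FIXED_WHITELIST = ["http://*.mail.ru", "http://mail.ru",
                   "http://*.google.ru", "http://google.ru"]
FIXED_BLACKLIST = ["http://*.org"]


def decide_with_fixed_config(url):
    """The working configuration from the reply: fixed lists plus 'default block'."""
    return evaluate(url, FIXED_BLACKLIST, FIXED_WHITELIST, default_action="block")


if __name__ == "__main__":
    for bad in ("*", "http://*"):
        print("rejected:", bad, is_valid_pattern(bad))
    # Original config: no 'default block', so an unmatched apex domain is permitted.
    print("original:", evaluate("http://mail.ru/", [], ORIGINAL_WHITELIST))
    for url in ("http://mail.ru/", "http://www.mail.ru/", "http://example.org/",
                "http://example.com/", "https://www.google.ru/"):
        print(url, "->", decide_with_fixed_config(url))
```

    Running it shows the two fixes from the reply separately: without "default block" the apex mail.ru falls through to permit even though it matched no list, and with the apex entries added it is a whitelist hit. It also shows why "*" in the blacklist would be fatal if it were accepted: the blacklist is consulted first, so a "http://*.ru" entry there blocks www.mail.ru despite the whitelist.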

     



  • 5.  RE: UTM web-filtering juniper-local profile

    Posted 08-22-2012 22:51

    Thank you!
    Now it works.



  • 6.  RE: UTM web-filtering juniper-local profile

    Posted 08-22-2012 23:09

    I do not understand how to set it up so that only a few of my sites work and the rest are blocked. How do I make it check the white list first and then the black list? Let's say I want to allow only the site mail.ru in the ru domain and have the rest not work. I understand this can be done?



  • 7.  RE: UTM web-filtering juniper-local profile

    Posted 08-22-2012 23:53

    Not an actual question. I just did not read everything carefully. Thank you very much! Now it works fine!