SRX Services Gateway

Juniper SRX web filtering issue with additional proxy server

10-15-2019 04:12 PM

Problem:

 

Currently we are using the UTM web filtering feature to allow only white-listed web sites through the Juniper SRX firewall using “juniper-local”, and it is working fine normally.

If the device is configured to use a proxy server, Juniper UTM does not get used, i.e. even the sites not allowed through Juniper UTM get accessed.

The expected behaviour that we want: the internal device should use the Juniper whitelist feature and, if allowed, the request is passed to the external proxy server to check if the requested site is allowed or not; if allowed, then the web request is successful and the content is shown to the user. This is a kind of double proxy server feature, i.e. only if allowed by both is the web content allowed, else it is blocked.

Example:

Suppose an external proxy server is in the untrust zone with IP 10.123.113.116 and port 3128. Then, after applying this proxy on a device inside the trust zone (Internet Explorer -> Internet Options -> Connections -> LAN Settings -> Proxy server, given that the proxy port is allowed through the security policy), all internet traffic gets allowed, i.e. the Juniper white list is not checked. According to “show security flow session”, the internet traffic is passed through port 3128 and not by HTTP/HTTPS.

Even though the relevant security policy includes the proxy port (3128) and the action is permit with application-services -> utm-policy <utm-policy-name>, my expectation was that this should apply the UTM policy, but it doesn’t.

Please see the configuration file “Juniper-SRX-Local.conf”, section Security -> UTM and Security -> policies -> from-zone Treatment_zone to-zone Hospital_zone -> policy Allow-Mosaiq-Internet, where “Hospital_zone” is the only untrust zone and all the rest are trust zones.

Next, we tried websense-redirect, where we configured the external proxy server as the websense-redirect server host (configuration file attached).

If we do not include this proxy server in the web browser’s Internet connection LAN settings, we can see that Juniper web filtering works, but then it does not check the external proxy server (i.e. sites allowed at UTM but blocked in the external proxy server get allowed). If we include this proxy server in Internet Options -> Connections -> LAN settings, then Juniper web filtering does not get used.

Can this be done using Enhanced Web Filtering (we haven’t tested it, as this is a licensed feature)?
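The following Python script is an added illustration, not part of the original post and not Junos code. It models why the two deployments behave differently: when the browser is pointed at an explicit proxy, every session in the flow table has the proxy (10.123.113.116:3128) as its destination, and the site the user actually wants is carried only in the HTTP request line (a CONNECT for TLS, or an absolute-form GET for plain HTTP). The script parses both request shapes, applies the url-pattern values from the posted Whitelist-Allowed-urls object as glob patterns against scheme://host (an assumption about how the SRX matches them), and then applies the "double check" the post asks for: the SRX whitelist first, then the external proxy's policy. The external proxy's allow list and the sample requests are constructed here, since neither is on the page.

```python
"""Model of the whitelist-then-proxy 'double check' described in the post.

Added illustration only: this is not Junos code and does not reproduce the
SRX's actual matching engine. Pattern semantics (glob over scheme://host)
and the external proxy's policy are assumptions.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# url-pattern values copied from the Whitelist-Allowed-urls object in the
# poster's configuration.
SRX_WHITELIST = [
    "https://www.webex.com",
    "https://www.juniper.net",
    "https://*.juniper.net",
]

# Constructed stand-in for the external proxy's own allow list (assumption:
# the real proxy at 10.123.113.116:3128 has a policy, but it is not on the page).
EXTERNAL_PROXY_ALLOW = {"www.webex.com", "www.juniper.net"}

PROXY_PORT = 3128


def parse_request(raw, dst_port):
    """Return (scheme, host) that the client really wants to reach, or None.

    Sessions to the proxy port carry 'CONNECT host:443' (TLS tunnel) or an
    absolute-form 'GET http://host/...'; the flow's 5-tuple destination is the
    proxy itself, so the real site is visible only in the request line.
    Direct sessions carry an origin-form 'GET /path' plus a Host header, and
    the scheme follows the destination port (80 -> http, 443 -> https).
    """
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if dst_port == PROXY_PORT:
        if method == "CONNECT":
            host, _, port = target.partition(":")
            return ("https" if port in ("", "443") else "http", host.lower())
        parts = urlsplit(target)
        if parts.scheme and parts.hostname:
            return (parts.scheme.lower(), parts.hostname.lower())
        return None  # origin-form sent to a proxy: destination unknown
    host = headers.get("host")
    if not host:
        return None
    return ("https" if dst_port == 443 else "http", host.split(":")[0].lower())


def srx_whitelisted(scheme, host):
    """Glob match of scheme://host against the posted url-pattern values (assumed semantics)."""
    url = f"{scheme}://{host}"
    return any(fnmatchcase(url, pattern) for pattern in SRX_WHITELIST)


def decide(raw, dst_port, proxy_allow=EXTERNAL_PROXY_ALLOW):
    """Whitelist first, then the external proxy; both must allow (the post's design)."""
    dest = parse_request(raw, dst_port)
    if dest is None:
        return "block: destination unknown"  # mirrors 'default block' in the profile
    scheme, host = dest
    if not srx_whitelisted(scheme, host):
        return "block: srx whitelist"
    if host not in proxy_allow:
        return "block: external proxy"
    return "allow"


# Constructed sample requests: (raw request, destination port of the session).
SAMPLE_REQUESTS = {
    "tunnel to whitelisted site via proxy":
        ("CONNECT www.juniper.net:443 HTTP/1.1\r\nHost: www.juniper.net:443\r\n\r\n", PROXY_PORT),
    "wildcard match, proxy denies":
        ("CONNECT support.juniper.net:443 HTTP/1.1\r\nHost: support.juniper.net:443\r\n\r\n", PROXY_PORT),
    "plain http via proxy, not whitelisted":
        ("GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n", PROXY_PORT),
    "direct https to whitelisted site":
        ("GET / HTTP/1.1\r\nHost: www.webex.com\r\n\r\n", 443),
}


def run_samples():
    """Evaluate every constructed sample and return {name: verdict}."""
    return {name: decide(raw, port) for name, (raw, port) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:40s} -> {verdict}")
```

Running the script prints one verdict per sample. The point it makes is the one the flow table already showed: a filter that keys on the session's destination sees only the proxy for every proxied request, so whatever enforces the whitelist has to read the CONNECT or absolute-form target, and a site the SRX would pass can still be stopped by the proxy (the support.juniper.net case).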


Re: Juniper SRX web filtering issue with additional proxy server

10-15-2019 04:19 PM

Juniper-local

version 15.1X49-D130.6;
system {
    host-name ABC01;
    auto-snapshot;
    domain-name int.ABC.com;
    time-zone GMT;
    name-server {
        10.123.103.250;
        10.124.134.253;
    }
    services {
        ssh {
            protocol-version v2;
        }
        dns {
            dns-proxy {
                interface {
                    ge-0/0/1.0;
                    ge-0/0/2.0;
                    ge-0/0/3.0;
                }
                default-domain * {
                    forwarders {
                        10.123.103.250;
                        10.124.134.253;
                    }
                }
            }
        }
        web-management {
            https {
                system-generated-certificate;
                interface [ ge-0/0/3.0 ge-0/0/2.0 ];
            }
            session {
                idle-timeout 5;
            }
        }
    }
}
security {
    address-book {
        Treatment_Network {
            address CCPManagementPC 192.168.30.200/32;
            address-set CCPRVPC {
                address CCPManagementPC;
            }
            attach {
                zone Treatment_zone;
            }
        }
    }
    utm {
        custom-objects {
            url-pattern {
                Whitelist-Allowed-urls {
                    value [ https://www.webex.com https://www.juniper.net https://*.juniper.net ];
                }
            }
            custom-url-category {
                Whitelist-good-sites {
                    value Whitelist-Allowed-urls;
                }
            }
        }
        feature-profile {
            web-filtering {
                url-whitelist Whitelist-good-sites;
                type juniper-local;
                juniper-local {
                    profile Whitelist-web-profile {
                        default block;
                        custom-block-message "Juniper UTM firewall has blocked this request";
                        fallback-settings {
                            default block;
                            server-connectivity block;
                            timeout block;
                            too-many-requests block;
                        }
                    }
                }
            }
        }
        utm-policy Whitelist-sites-local-policy {
            web-filtering {
                http-profile Whitelist-web-profile;
            }
        }
    }
    policies {
        from-zone Treatment_zone to-zone Hospital_zone {
            policy Allow-Mosaiq-Internet {
                match {
                    source-address CCPRVPC;
                    destination-address any;
                    application [ Local-HTTP Local-HTTPS ProxyServer ];
                }
                then {
                    permit {
                        application-services {
                            utm-policy Whitelist-sites-local-policy;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone Hospital_zone {
            host-inbound-traffic {
                system-services {
                    all;
                    ssh {
                        except;
                    }
                    reverse-ssh {
                        except;
                    }
                    telnet {
                        except;
                    }
                    reverse-telnet {
                        except;
                    }
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone Treatment_zone {
            host-inbound-traffic {
                system-services {
                    all;
                    telnet {
                        except;
                    }
                    reverse-telnet {
                        except;
                    }
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone RemoteMonitoring_zone {
            host-inbound-traffic {
                system-services {
                    all;
                    telnet {
                        except;
                    }
                    reverse-telnet {
                        except;
                    }
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
        security-zone Management_zone {
            host-inbound-traffic {
                system-services {
                    all;
                    telnet {
                        except;
                    }
                    reverse-telnet {
                        except;
                    }
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "Hospital Network";
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        description "Treatment Network";
        unit 0 {
            family inet {
                address 192.168.30.1/24;
            }
        }
    }
    ge-0/0/2 {
        description "RemoteMonitoring Network";
        unit 0 {
            family inet {
                address 192.168.81.1/24;
            }
        }
    }
    ge-0/0/3 {
        description "Management Network";
        unit 0 {
            family inet {
                address 192.168.240.1/24;
            }
        }
    }
    ge-0/0/4 {
        description --unused--;
        disable;
    }
    ge-0/0/5 {
        description --unused--;
        disable;
    }
}
applications {
    application Local-HTTPS {
        protocol tcp;
        destination-port 443;
    }
    application Local-HTTP {
        protocol tcp;
        destination-port 80;
    }
    application ProxyServer {
        protocol tcp;
        destination-port 3128;
    }
}

websense-redirect

        feature-profile {
            web-filtering {
                url-whitelist Whitelist-good-sites;
                type websense-redirect;
                traceoptions {
                    flag all;
                }
                websense-redirect {
                    profile websense-profile1 {
                        server {
                            host 10.123.113.116;
                            port 3128;
                        }
                        custom-block-message *******DENIED**********;
                        fallback-settings {
                            default block;
                            server-connectivity block;
                            timeout block;
                            too-many-requests block;
                        }
                        timeout 1800;
                        sockets 4;
                    }
                }
            }
        }
        utm-policy Whitelist-sites-local-policy {
            web-filtering {
                http-profile websense-profile1;
            }
        }
    }