I have good and bad news for UTM Enhanced Web Filtering!!
I have been using the EWF for a while and I have a problem blocking HTTPS traffic (especially Facebook and YouTube). In the end I blocked Facebook using the AppSecure signatures "facebook-Access & facebook-Access-SSL". A few days ago I installed the new recommended version of Junos 12.1X44-D35.5, and I find that the EWF categories are updated with new ones: "Enhanced_Social_Web_Youtube, Enhanced_Social_Web_Twitter, Enhanced_Social_Web_Linkedin, Enhanced_Social_Web_Facebook, ..."
Immediately I used the new categories to block Facebook & YouTube. The good news here is that Facebook is blocked in HTTP/HTTPS :), but the bad news 😞 is that YouTube is only blocked in HTTP, not HTTPS.
Here I would like to mention that YouTube is a sub-domain of Google, so to block YouTube we can block the Google site or "Enhanced_Search_Engines_and_Portals", but this is not a good solution.
So, are there any new suggestions on this issue? Is Juniper going ahead with blocking YouTube in the future, or is that difficult to do??
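For readers who want to see how the category-based approach described above is wired up on an SRX, here is an added configuration example (not the poster's own config, and not from Juniper). The two category names are the ones quoted in the post; the profile name ewf-block-social, the UTM policy name utm-social, the security policy name allow-web and the zones trust/untrust are assumptions. Lines beginning with # are explanatory and are not part of the set commands.

```junos
# Select Enhanced Web Filtering as the web-filtering engine
set security utm feature-profile web-filtering type juniper-enhanced

# Profile: block the two categories named in the post; everything else is
# permitted but logged, so category decisions for HTTPS sites show up in the log
set security utm feature-profile web-filtering juniper-enhanced profile ewf-block-social category Enhanced_Social_Web_Facebook action block
set security utm feature-profile web-filtering juniper-enhanced profile ewf-block-social category Enhanced_Social_Web_Youtube action block
set security utm feature-profile web-filtering juniper-enhanced profile ewf-block-social default log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile ewf-block-social custom-block-message "Site blocked by web-filtering policy"

# Attach the profile to a UTM policy ("http-profile" is the only slot for
# web filtering; it handles HTTPS as well)
set security utm utm-policy utm-social web-filtering http-profile ewf-block-social

# Apply the UTM policy in the zone security policy. Both junos-http and
# junos-https must be matched; if junos-https is missing, HTTPS sessions
# are permitted without ever reaching the web-filtering engine.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services utm-policy utm-social
commit

# Checks from operational mode (prefix with "run" inside configuration mode):
# confirm the EWF server connection is up and the category database is loaded
show security utm web-filtering status
# ask the profile how it would categorise a given host (available on releases
# that support the test command); compare the HTTP and HTTPS results
test security utm web-filtering profile ewf-block-social test-string www.youtube.com
# block/permit counters per profile, useful to confirm HTTPS hits are counted at all
show security utm web-filtering statistics
```

The second check is the quickest way to tell a category problem (the host resolves to an unexpected category) from a policy problem (HTTPS never matched the security policy, so the statistics stay at zero for those sessions). Keeping the default action at log-and-permit rather than permit means every category lookup is written to the log, which is what you need to see why a particular HTTPS site slipped through.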
I would like to inform you that earlier the behaviour of UTM with HTTPS traffic/websites was not consistent, because we used to send the IP address for resolution, and the DNS IP of the HTTPS site might be different from the one in the Websense server database. If the IP resolves to something else, it may not match the DB, web filtering may not match it and cannot return the correct category for it, and hence it got allowed through the SRX. For more information on why IP addresses were sent for HTTPS sites, please refer to the KB article below:
The ideal way to solve this was to not send IP addresses but to send the URL directly to the Websense server instead, so that it always resolves to the correct category and sends that category to the SRX, and then the SRX decides how to treat the traffic.
Now the good news is that from the latest versions this is happening, as the EWF now sends the URL for HTTPS websites instead of the IP addresses, and hence UTM for HTTPS websites should be more consistent now. This behaviour change has happened from version 12.3X48-D25. For more information please refer to the following document: