SRX Services Gateway

URL Filtering Query without WF license

‎11-23-2010 11:50 PM

Hi,

We just want to add static entries as a white list of URLs which are allowed and don't need the categories of the WF database provided by Websense.

SRX100 will be used at branches. Considering we will just do static entries of allowed URLs, do we still need the WF subscription license?

Also, considering we will do URL filtering based on static white list entries, do we need the high memory version?


Re: URL Filtering Query without WF license

‎12-01-2010 07:35 AM

I'm trying to do the same exact thing.

Any insight from people in the know would be of great help. I've read the documentation, and it seems like we don't need the license, but I've been unable to get the feature to work in 10.2R3.10.


Re: URL Filtering Query without WF license

‎12-01-2010 08:21 AM

Something like this? I'll test tonight to see if a license is needed, but right now can't. Oh, obviously you would need a policy to invoke the UTM config... say trust to untrust like below... ?

from-zone inside to-zone outside {
    policy default-permit-wf {
        match {
            source-address any;
            destination-address any;
            application junos-http;
        }
        then {
            permit {
                application-services {
                    utm-policy wf-block-specific-categories;
                }
            }
        }
    }
}

__________________________________________________________________________________________

utm {
    custom-objects {
        url-pattern {
            ip-white-list {
                value [ *juniper.net *specialized.com ];
            }
            ip-black-list {
                value cisco.com;
            }
        }
        custom-url-category {
            whitelist {
                value ip-white-list;
            }
            blacklist {                
                value ip-black-list;
            }
        }
    }
    feature-profile {
        web-filtering {
            url-whitelist whitelist;
            url-blacklist blacklist;
            surf-control-integrated {
                profile block-selected-sites {
                    default permit;
                }
            }
        }
    }
    utm-policy wf-block-specific-categories {
        web-filtering {
            http-profile block-selected-sites;
        }
    }
}

Re: URL Filtering Query without WF license

‎12-01-2010 03:14 PM

I see increase and session builds based on my policy with application services for web-filtering...  No dice.  I don't know if it's supposed to work, but I can still hit blacklisted sites.


Re: URL Filtering Query without WF license

‎12-01-2010 03:58 PM

I too can still hit sites on the blacklist.

Can someone from Junos please chime in? I was told that I would be able to blacklist sites with this device without the need to purchase additional licensing. Thanks.


Re: URL Filtering Query without WF license

‎12-01-2010 03:58 PM

Needed a little more digging.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15385&actp=search&viewlocale=en_US&searchid...

My wildcard wasn't working, and I was using surf-control-integrated...

Works fine with blacklists.

Juniper Networks Firewall has blocked the URL: 192.168.11.10(50476)->72.163.4.161(80) www.cisco.com CATEGORY: blacklist REASON: by black list

utm {
    custom-objects {
        url-pattern {
            ip-white-list {
                value [ www.juniper.net www.specialized.com ];
            }
            ip-black-list {
                value www.cisco.com;
            }
        }
        custom-url-category {
            whitelist {
                value ip-white-list;
            }
            blacklist {
                value ip-black-list;
            }
        }
    }
    feature-profile {
        web-filtering {
            url-whitelist whitelist;
            url-blacklist blacklist;
            juniper-local {
                profile block-selected-sites {
                    default permit;
                }
            }
        }
    }
    utm-policy wf-block-specific-categories {
        web-filtering {
            http-profile block-selected-sites;
        }
    }
}


Re: URL Filtering Query without WF license

‎12-02-2010 12:31 PM

You're the master at this. 

I clicked the link you provided and didn't get much info out of it at all.  Let alone enough to configure it. 

So I took some of the code you wrote up there and was able to get this working.  However, I could only get it to work at the global level, which is good enough for now.  I was unable to get a custom message to display for those who hit blacklisted sites.  I'm also wondering if there's a way to schedule when these black lists will occur.  It doesn't seem that way.  For example, I'd like to block some sites during work hours and other sites during evening hours.  The sites should be available at all other times. 


Re: URL Filtering Query without WF license

‎12-03-2010 07:33 AM

Yeah, I couldn't get a custom message either; could only set that up under the actual

profile block-selected-sites {
}

As far as scheduling goes, you can use a scheduler on the policy that invokes the application-services; just basic policy scheduling.

Here's a patch config

[edit security policies from-zone trust to-zone trust policy default-permit]
+     scheduler-name WF;
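Review bot: the scheduler is attached to `policy default-permit` under `from-zone trust to-zone trust`, which is the intrazone policy, whereas the policy that invokes the UTM web-filtering earlier in the thread is the trust-to-untrust (inside-to-outside) HTTP policy. Unless `default-permit` is the policy carrying `application-services utm-policy`, this schedule will not affect web filtering at all; attach `scheduler-name WF` to the policy that references the utm-policy, and confirm which policy the HTTP sessions are hitting with `show security policies policy-name <name> detail` and `show security flow session`.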
[edit]
+  schedulers {
+      scheduler WF {
+          daily {
+              start-time 09:00:00 stop-time 17:00:00;
+          }
+          sunday exclude;
+          saturday exclude;
+      }
+  }
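Review bot: a policy with a scheduler is inactive outside its window, so between 17:00 and 09:00 and all weekend the traffic that matched this policy falls through to the next policy in the zone pair, or to the default deny if there is none. The goal stated in the previous reply is "blocked during work hours, available at all other times", so this patch needs a second, unscheduled policy with the same match terms and a plain `permit` placed after the scheduled one; without it HTTP is dropped off-hours rather than unfiltered.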
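Pulling the thread's findings together, here is an added example configuration (written for this page, not taken from any of the posters or from Juniper): license-free local web filtering with a global white list and black list, a block-page message, and a scheduled policy with an off-hours fallback, in the same Junos 10.x-era syntax the thread uses. Every object name (allowed-sites, blocked-sites, allow-list, block-list, local-lists-only, wf-local, work-hours), the zone names trust/untrust and the host names in the lists are assumed placeholders; custom-block-message is the juniper-local profile knob for the block page text and log session-init is ordinary policy logging, and both should be checked against the CLI of the release you run.

```junos
security {
    utm {
        custom-objects {
            url-pattern {
                /* constructed host names; plain FQDNs, no wildcards,
                   since the KB cited in the thread concerns wildcard handling */
                allowed-sites {
                    value [ www.juniper.net www.example.com ];
                }
                blocked-sites {
                    value [ www.example.net www.example.org ];
                }
            }
            custom-url-category {
                allow-list {
                    value allowed-sites;
                }
                block-list {
                    value blocked-sites;
                }
            }
        }
        feature-profile {
            web-filtering {
                /* these lists are global: every web-filtering profile consults them */
                url-whitelist allow-list;
                url-blacklist block-list;
                juniper-local {
                    /* local filtering uses only the lists above; no Websense/SurfControl subscription */
                    profile local-lists-only {
                        default permit;
                        custom-block-message "This site is blocked by company policy.";
                    }
                }
            }
        }
        utm-policy wf-local {
            web-filtering {
                http-profile local-lists-only;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* active only inside the work-hours schedule */
            policy permit-http-work-hours {
                scheduler-name work-hours;
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit {
                        application-services {
                            utm-policy wf-local;
                        }
                    }
                    log {
                        session-init;
                    }
                }
            }
            /* fallback so HTTP is still permitted, unfiltered, while the scheduled policy is inactive */
            policy permit-http-off-hours {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
    }
}
schedulers {
    scheduler work-hours {
        daily {
            start-time 09:00:00 stop-time 17:00:00;
        }
        saturday exclude;
        sunday exclude;
    }
}
```

Load it with `load merge terminal` followed by `commit`, then check `show security utm web-filtering status` and `show security utm web-filtering statistics` and watch for the "Juniper Networks Firewall has blocked the URL" syslog line quoted earlier in the thread. The off-hours policy is there only because the stated intent was "available at all other times"; drop it if HTTP should instead be denied outside the schedule. Because url-whitelist and url-blacklist are global under web-filtering, a different set of blocked sites for the evening cannot be expressed by a second profile in this syntax; both policies would see the same lists.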