Hi guys,
I'm currently testing web filtering on an SRX 210. According to the documentation, local web filtering doesn't require a license. However, when I commit I get the following message:
[edit security policies from-zone lan to-zone internet policy pass then permit]
'application-services'
warning: license not installed for
commit complete
Despite the message, the local web filtering feature does seem to be functional, as indicated by:
jad> show security utm web-filtering status
UTM web-filtering status:
Server status: Juniper local URL filtering
But when I run a test on a website that should be blocked according to my config, it doesn't get blocked at all, and the UTM engine doesn't seem to be doing much:
jad> show security utm web-filtering statistics
UTM web-filtering statistics:
    Total requests:                     0
    white list hit:                     0
    Black list hit:                     0
    Web-filtering sessions in total:    8000
    Web-filtering sessions in use:      0
    Fallback:             log-and-permit    block
        Default                 0             0
        Timeout                 0             0
        Connectivity            0             0
        Too-many-requests       0             0
Here's my security configuration:
jad> show configuration security
utm {
    custom-objects {
        url-pattern {
            search {
                value [ http://*.yahoo.com http://*.msn.com ];
            }
            big {
                value [ "http://*.google.???" "http://*.bahoogle.???" ];
            }
            tech {
                value http://*.juniper.net;
            }
        }
        custom-url-category {
            block {
                value [ search big ];
            }
            pass {
                value tech;
            }
        }
    }
    feature-profile {
        web-filtering {
            url-whitelist pass;
            url-blacklist block;
            type juniper-local;
            juniper-local {
                profile local-engine {
                    default permit;
                    custom-block-message "no can do amigo !";
                    fallback-settings {
                        default block;
                        too-many-requests block;
                    }
                }
            }
        }
    }
    utm-policy utm-wf {
        web-filtering {
            http-profile local-engine;
        }
    }
}
policies {
    from-zone lan to-zone internet {
        policy pass {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        utm-policy utm-wf;
                    }
                }
            }
        }
    }
    default-policy {
        deny-all;
    }
}
zones {
    security-zone lan {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone internet {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
}
Does anyone spot anything weird in this config? Why do I get a message about a license for local web filtering when there shouldn't be any?