SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  UTM - Local Web filtering requires a license ?

    Posted 06-19-2011 13:42

    Hi guys,

     

    I'm currently testing web filtering on an SRX 210. According to the documentation, local web filtering doesn't require a license. However, when I commit I get the following message:

     

    [edit security policies from-zone lan to-zone internet policy pass then permit]
    'application-services'
    warning: license not installed for
    commit complete

     

     

    Despite the message, the local web filtering feature does seem to be functional, as indicated by:

     

    jad> show security utm web-filtering status
    UTM web-filtering status:
    Server status: Juniper local URL filtering

     

    But when I run a test on a website that should be blocked according to my config, it doesn't get blocked at all, and the UTM engine doesn't seem to be doing much:

     

    jad> show security utm web-filtering statistics
    UTM web-filtering statistics:
    Total requests: 0
    white list hit: 0
    Black list hit: 0
    Web-filtering sessions in total: 8000
    Web-filtering sessions in use: 0
    Fallback: log-and-permit block
    Default 0 0
    Timeout 0 0
    Connectivity 0 0
    Too-many-requests 0 0

     

    Here's my security configuration:

     

    jad> show configuration security
    utm {
        custom-objects {
            url-pattern {
                search {
                    value [ http://*.yahoo.com http://*.msn.com ];
                }
                big {
                    value [ "http://*.google.???" "http://*.bahoogle.???" ];
                }
                tech {
                    value http://*.juniper.net;
                }
            }
            custom-url-category {
                block {
                    value [ search big ];
                }
                pass {
                    value tech;
                }
            }
        }
        feature-profile {
            web-filtering {
                url-whitelist pass;
                url-blacklist block;
                type juniper-local;
                juniper-local {
                    profile local-engine {
                        default permit;
                        custom-block-message "no can do amigo !";
                        fallback-settings {
                            default block;
                            too-many-requests block;
                        }
                    }
                }
            }
        }
        utm-policy utm-wf {
            web-filtering {
                http-profile local-engine;
            }
        }
    }
    policies {
        from-zone lan to-zone internet {
            policy pass {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy utm-wf;
                        }
                    }
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone lan {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone internet {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }

     

    Does anyone spot anything weird in this config? Why do I get a message about a license for local web filtering when there shouldn't be any?



  • 2.  RE: UTM - Local Web filtering requires a license ?

    Posted 06-19-2011 23:31

    Hi

    Your config looks good and should be working. But it's suspicious that "Total
    requests" does not increase. Did you try to reboot the box?



  • 3.  RE: UTM - Local Web filtering requires a license ?
    Best Answer

    Posted 06-20-2011 01:19

    There are some known issues with license error messages. I have a ticket open with JTAC and they are expecting it to be fixed soon.

    I have not tested it, but it may have been fixed in 10.4R5.5, 11.1.R3 (due in the next few weeks) and 11.2.R1 (end of month).



  • 4.  RE: UTM - Local Web filtering requires a license ?

    Posted 06-20-2011 08:36

    Well the reboot doesn't change much...

     

    What is puzzling is that, on top of the warning message, web filtering seems not to be working, as the counters of a show security utm web-filtering statistics command don't increase at all!



  • 5.  RE: UTM - Local Web filtering requires a license ?

    Posted 06-21-2011 07:58

    Some updates :

     

    Originally, the SRX box was running 11.1R2.3.

     

    I downgraded to the recommended version for branch SRX, i.e. 10.4R4.5. It still gave an error message, but a slightly different one:

     

    [edit security policies from-zone lan to-zone internet policy pass then permit]
    'application-services'
    warning: license not installed for Karsperky anti-virus
    commit complete

     

    Then I proceeded to upgrade to 10.4R5.5 and it just worked! No more error message and web filtering just works!
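
The check the posters did by hand (watching whether the counters of `show security utm web-filtering statistics` move after test traffic) can be scripted; the following is an added example, not part of the original thread. The function names `parse_stats` and `diagnose` are hypothetical, the "after" snapshots are constructed, and the fallback columns are assumed to follow the header order (log-and-permit, then block).

```python
import re

# Snapshot copied from the first post of the thread.
BEFORE = """\
UTM web-filtering statistics:
Total requests: 0
white list hit: 0
Black list hit: 0
Web-filtering sessions in total: 8000
Web-filtering sessions in use: 0
Fallback: log-and-permit block
Default 0 0
Timeout 0 0
Connectivity 0 0
Too-many-requests 0 0
"""
# Constructed snapshots (not from the thread): a healthy filter, and one failing open.
AFTER_OK = BEFORE.replace("Total requests: 0", "Total requests: 12").replace("Black list hit: 0", "Black list hit: 3")
AFTER_FAIL_OPEN = AFTER_OK.replace("Timeout 0 0", "Timeout 4 0")

def parse_stats(text):
    """Return ({counter: int}, {fallback_reason: (log_and_permit, block)})."""
    counters, fallback = {}, {}
    in_fallback = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("fallback:"):
            in_fallback = True  # rows after this header are the fallback table
            continue
        if in_fallback:
            m = re.fullmatch(r"(\S+)\s+(\d+)\s+(\d+)", line)
            if m:
                fallback[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
        else:
            m = re.fullmatch(r"(.+?):\s*(\d+)", line)
            if m:
                counters[m.group(1).lower()] = int(m.group(2))
    return counters, fallback

def diagnose(before, after):
    """Compare snapshots taken before and after sending test HTTP requests."""
    (b, bf), (a, af) = parse_stats(before), parse_stats(after)
    if a["total requests"] <= b["total requests"]:
        return "not-inspecting"  # traffic never reached the web-filtering engine
    permitted = sum(af[k][0] - bf.get(k, (0, 0))[0] for k in af)
    if permitted > 0:
        return "fail-open"       # requests were let through by a fallback action
    return "inspecting"
```

Run against the thread's own output, `diagnose(BEFORE, BEFORE)` reports `not-inspecting`, which is the state described in posts 1 and 4: the policy commits, but no request is ever counted.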