vSRX

vSRX - Enhanced Web filtering logging status is no-config

‎06-26-2019 10:48 AM

Got vSRX 19.1 running with a rather basic config, yet Web Filtering is not working.

EWF license is there, config is applied, category updates downloaded and installed,

but if I run

# run show security utm web-filtering status 
 UTM web-filtering status: 
    Server status: no-config

This is what I get.

Nothing with RT_UTM in traffic logs either.

 

Config is below:

system {
    root-authentication {
        encrypted-password "$6$wtwr2/1x$OlvHWP89e5/3wrAIcsEuy1EJk9eYb6g7XPVRQwiqWv6PReZq3gL/4.4JHA6HpExlhaWX6V9i2rVFY91H.0cRh/"; ## SECRET-DATA
    }
    services {
        ssh {
            root-login allow;
        }
        web-management {
            http {
                interface fxp0.0;
            }
            https {
                system-generated-certificate;
                interface [ fxp0.0 ge-0/0/0.0 ];
            }
        }
    }
    host-name Bishop;
    backup-router 10.193.60.1;
    time-zone Europe/Amsterdam;
    name-server {
        8.8.8.8;
    }
    scripts {
        commit {
            file templates.xsl;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;         
        }
        file interactive-commands {
            interactive-commands any;
        }
        file policy_session {
            user any;
            archive size 1000k world-readable;
            structured-data;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
services {
    application-identification {
        download {
            automatic {
                start-time 06-14.12:00;
                interval 6;
            }
        }
    }
}
security {
    log {
        utc-timestamp;
        mode stream;
        format sd-syslog;
        report;
    }
   
       
    application-tracking;
    utm {
        custom-objects {
            base-filter {
                ewf-default-filter {
                    value Predefined-filter-value;
                }
            }
            custom-url-enhanced-category {
                Enhanced_Social_Networking {
                    value Predefined-category-value;
                }
                Enhanced_Uncategorized {
                    value Predefined-category-value;
                }
                Enhanced_Custom_Encrypted_Uploads {
                    value Predefined-category-value;
                }                       
                Enhanced_Linkedin_Updates {
                    value Predefined-category-value;
                }
                Enhanced_Linkedin_Mail {
                    value Predefined-category-value;
                }
                Enhanced_Linkedin_Connections {
                    value Predefined-category-value;
                }
                Enhanced_Linkedin_Jobs {
                    value Predefined-category-value;
                }
                Enhanced_Facebook_Posting {
                    value Predefined-category-value;
                }
                Enhanced_Facebook_Commenting {
                    value Predefined-category-value;
                }
                Enhanced_Facebook_Friends {
                    value Predefined-category-value;
                }
                Enhanced_Facebook_Photo_Upload {
                    value Predefined-category-value;
                }
                Enhanced_Facebook_Mail {
                    value Predefined-category-value;
                }
                Enhanced_Facebook_Events {
                    value Predefined-category-value;
                }
                Enhanced_Youtube_Commenting {
                    value Predefined-category-value;
                }
                Enhanced_Youtube_Video_Upload {
                    value Predefined-category-value;
                }
                Enhanced_Facebook_Apps {
                    value Predefined-category-value;
                }
                Enhanced_Facebook_Chat {
                    value Predefined-category-value;
                }
                Enhanced_Facebook_Questions {
                    value Predefined-category-value;
                }
                Enhanced_Facebook_Video_Upload {
                    value Predefined-category-value;
                }
                Enhanced_Facebook_Groups {
                    value Predefined-category-value;
                }
                Enhanced_Twitter_Posting {
                    value Predefined-category-value;
                }
                Enhanced_Twitter_Mail {
                    value Predefined-category-value;
                }
                Enhanced_Twitter_Follow {
                    value Predefined-category-value;
                }
                Enhanced_Youtube_Sharing {
                    value Predefined-category-value;
                }
                Enhanced_Facebook_Games {
                    value Predefined-category-value;
                }
                Enhanced_Social_Web_Various {
                    value Predefined-category-value;
                }
            }
        }
        default-configuration {
            anti-spam {
                type sbl;
            }
        }                               
        feature-profile {
            web-filtering {
                juniper-enhanced {
                    profile WF {
                        default log-and-permit;
                        fallback-settings {
                            default log-and-permit;
                            server-connectivity log-and-permit;
                            timeout log-and-permit;
                            too-many-requests log-and-permit;
                        }
                    }
                }
            }
        }
        utm-policy UTM_basic {
            anti-virus {
                http-profile junos-sophos-av-defaults;
                ftp {
                    upload-profile junos-sophos-av-defaults;
                    download-profile junos-sophos-av-defaults;
                }
                smtp-profile junos-sophos-av-defaults;
                pop3-profile junos-sophos-av-defaults;
                imap-profile junos-sophos-av-defaults;
            }
            web-filtering {
                http-profile junos-wf-enhanced-log-only;
            }
            anti-spam {
                smtp-profile junos-as-defaults;
            }
        }
        utm-policy UTM_Base {
            anti-virus {
                http-profile junos-sophos-av-defaults;
                ftp {
                    upload-profile junos-sophos-av-defaults;
                    download-profile junos-sophos-av-defaults;
                }
                smtp-profile junos-sophos-av-defaults;
                pop3-profile junos-sophos-av-defaults;
                imap-profile junos-sophos-av-defaults;
            }
            web-filtering {
                http-profile WF;
            }
            anti-spam {
                smtp-profile junos-as-defaults;
            }
            traffic-options { ## Warning: 'traffic-options' is deprecated
                sessions-per-client {
                    over-limit log-and-permit;
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;                   
            }
        }
    }
    nat {
        source {
            rule-set NAT {
                from zone trust;
                to zone untrust;
                rule NAT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy LAN-to-WAN {
                match {                 
                    source-address any;
                    destination-address any;
                    application junos-defaults;
                    dynamic-application any;
                    url-category Enhanced_News_and_Media;
                }
                then {
                    permit {
                        application-services {
                            utm-policy UTM_Base;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy Deny_log {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {           
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
            application-tracking;
            source-identity-log;
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            description WAN;
            family inet {
                address 10.193.60.40/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description LAN;
            family inet {
                address 192.168.35.40/24;
            }
        }
    }
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.193.60.45/24;
            }
        }
    }
}
routing-options {                       
    static {
        route 0.0.0.0/0 next-hop 10.193.60.1;
    }
}
Solution
Accepted by topic author Lochlain
‎06-26-2019 11:19 AM

Re: vSRX - Enhanced Web filtering logging status is no-config

[ Edited ]
‎06-26-2019 11:02 AM

Hi Lochlain,

 

You are missing the web-filtering type in the configuration.

 

Please run the following command to set the web-filtering type to 'juniper-enhanced' and that should fix this issue.

 

> edit
# set security utm feature-profile web-filtering type juniper-enhanced
# commit and-quit

 

Here is a KB for your reference on what is needed to set up EWF: https://kb.juniper.net/InfoCenter/index?page=content&id=KB22483&cat=SRX_SERIES&actp=LIST

 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

 

Regards,

HS
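An offline check for the condition described in this answer, added here as an example (not code from the thread or from Juniper): it parses saved `show configuration` text and flags any utm-policy that references a web-filtering http-profile while `feature-profile web-filtering type` is unset. The function names `parse_junos` and `check_web_filtering` are hypothetical, and the sample text is constructed from the relevant stanzas of the posted config.

```python
import re

def parse_junos(text):
    """Parse brace-style 'show configuration' text into nested dicts (leaf -> None)."""
    stack = [{}]
    for raw in text.splitlines():
        line = re.sub(r"\s*##.*$", "", raw).strip()  # drop '## ...' annotations
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
    return stack[0]

def check_web_filtering(cfg):
    """Return (engine type or None, findings) for the UTM web-filtering stanzas."""
    utm = cfg.get("security", {}).get("utm", {})
    wf = utm.get("feature-profile", {}).get("web-filtering", {})
    engine = next((k.split()[1] for k in wf if k.startswith("type ")), None)
    refs = [(name, stmt) for name, body in utm.items() if name.startswith("utm-policy ")
            for stmt in (body or {}).get("web-filtering", {})
            if stmt.startswith("http-profile ")]
    msg = "{}: '{}' is referenced, but 'feature-profile web-filtering type' is not set"
    return engine, ([] if engine else [msg.format(*r) for r in refs])

# Constructed sample: the relevant stanzas trimmed from the posted config.
BROKEN = """
security {
    utm {
        feature-profile {
            web-filtering {
                juniper-enhanced {
                    profile WF {
                        default log-and-permit;
                    }
                }
            }
        }
        utm-policy UTM_Base {
            web-filtering {
                http-profile WF;
            }
        }
    }
}
"""
# The same text with the statement from this answer added.
FIXED = BROKEN.replace("juniper-enhanced {", "type juniper-enhanced;\njuniper-enhanced {", 1)
```

`check_web_filtering(parse_junos(BROKEN))` returns one finding for `utm-policy UTM_Base`; the same call on `FIXED` returns the engine name and an empty list.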

 


Re: vSRX - Enhanced Web filtering logging status is no-config

‎06-26-2019 11:14 AM

Lochlain,

 

There is no configuration of server, you need to add this configuration for UTM to work.

This will fix the issue. 

 

web-filtering {
    type juniper-enhanced;
    juniper-enhanced {
        server {
            host rp.cloud.threatseeker.com;
        }
    }
}

 


Re: vSRX - Enhanced Web filtering logging status is no-config

‎06-26-2019 11:20 AM

You're right.

Cheers.

So much for using only j-web to config stuff...