vSRX

  • 1.  vSRX - Enhanced Web filtering logging status is no-config

    Posted 06-26-2019 10:49

    Got vSRX 19.1 running with rather basic config, yet Web Filtering is not working

    EWF license is there, config is applied, category updates downloaded and installed

    but if I ran

    # run show security utm web-filtering status 
     UTM web-filtering status: 
        Server status: no-config

    This is what I get.

    Nothing with RT_UTM in traffic logs either.

     

    config is below

    system {
        root-authentication {
            encrypted-password "$6$wtwr2/1x$OlvHWP89e5/3wrAIcsEuy1EJk9eYb6g7XPVRQwiqWv6PReZq3gL/4.4JHA6HpExlhaWX6V9i2rVFY91H.0cRh/"; ## SECRET-DATA
        }
        services {
            ssh {
                root-login allow;
            }
            web-management {
                http {
                    interface fxp0.0;
                }
                https {
                    system-generated-certificate;
                    interface [ fxp0.0 ge-0/0/0.0 ];
                }
            }
        }
        host-name Bishop;
        backup-router 10.193.60.1;
        time-zone Europe/Amsterdam;
        name-server {
            8.8.8.8;
        }
        scripts {
            commit {
                file templates.xsl;
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;         
            }
            file interactive-commands {
                interactive-commands any;
            }
            file policy_session {
                user any;
                archive size 1000k world-readable;
                structured-data;
            }
        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    services {
        application-identification {
            download {
                automatic {
                    start-time 06-14.12:00;
                    interval 6;
                }
            }
        }
    }
    security {
        log {
            utc-timestamp;
            mode stream;
            format sd-syslog;
            report;
        }
       
           
        application-tracking;
        utm {
            custom-objects {
                base-filter {
                    ewf-default-filter {
                        value Predefined-filter-value;
                    }
                }
                custom-url-enhanced-category {
                    Enhanced_Social_Networking {
                        value Predefined-category-value;
                    }
                    Enhanced_Uncategorized {
                        value Predefined-category-value;
                    }
                    Enhanced_Custom_Encrypted_Uploads {
                        value Predefined-category-value;
                    }                       
                    Enhanced_Linkedin_Updates {
                        value Predefined-category-value;
                    }
                    Enhanced_Linkedin_Mail {
                        value Predefined-category-value;
                    }
                    Enhanced_Linkedin_Connections {
                        value Predefined-category-value;
                    }
                    Enhanced_Linkedin_Jobs {
                        value Predefined-category-value;
                    }
                    Enhanced_Facebook_Posting {
                        value Predefined-category-value;
                    }
                    Enhanced_Facebook_Commenting {
                        value Predefined-category-value;
                    }
                    Enhanced_Facebook_Friends {
                        value Predefined-category-value;
                    }
                    Enhanced_Facebook_Photo_Upload {
                        value Predefined-category-value;
                    }
                    Enhanced_Facebook_Mail {
                        value Predefined-category-value;
                    }
                    Enhanced_Facebook_Events {
                        value Predefined-category-value;
                    }
                    Enhanced_Youtube_Commenting {
                        value Predefined-category-value;
                    }
                    Enhanced_Youtube_Video_Upload {
                        value Predefined-category-value;
                    }
                    Enhanced_Facebook_Apps {
                        value Predefined-category-value;
                    }
                    Enhanced_Facebook_Chat {
                        value Predefined-category-value;
                    }
                    Enhanced_Facebook_Questions {
                        value Predefined-category-value;
                    }
                    Enhanced_Facebook_Video_Upload {
                        value Predefined-category-value;
                    }
                    Enhanced_Facebook_Groups {
                        value Predefined-category-value;
                    }
                    Enhanced_Twitter_Posting {
                        value Predefined-category-value;
                    }
                    Enhanced_Twitter_Mail {
                        value Predefined-category-value;
                    }
                    Enhanced_Twitter_Follow {
                        value Predefined-category-value;
                    }
                    Enhanced_Youtube_Sharing {
                        value Predefined-category-value;
                    }
                    Enhanced_Facebook_Games {
                        value Predefined-category-value;
                    }
                    Enhanced_Social_Web_Various {
                        value Predefined-category-value;
                    }
                }
            }
            default-configuration {
                anti-spam {
                    type sbl;
                }
            }                               
            feature-profile {
                web-filtering {
                    juniper-enhanced {
                        profile WF {
                            default log-and-permit;
                            fallback-settings {
                                default log-and-permit;
                                server-connectivity log-and-permit;
                                timeout log-and-permit;
                                too-many-requests log-and-permit;
                            }
                        }
                    }
                }
            }
            utm-policy UTM_basic {
                anti-virus {
                    http-profile junos-sophos-av-defaults;
                    ftp {
                        upload-profile junos-sophos-av-defaults;
                        download-profile junos-sophos-av-defaults;
                    }
                    smtp-profile junos-sophos-av-defaults;
                    pop3-profile junos-sophos-av-defaults;
                    imap-profile junos-sophos-av-defaults;
                }
                web-filtering {
                    http-profile junos-wf-enhanced-log-only;
                }
                anti-spam {
                    smtp-profile junos-as-defaults;
                }
            }
            utm-policy UTM_Base {
                anti-virus {
                    http-profile junos-sophos-av-defaults;
                    ftp {
                        upload-profile junos-sophos-av-defaults;
                        download-profile junos-sophos-av-defaults;
                    }
                    smtp-profile junos-sophos-av-defaults;
                    pop3-profile junos-sophos-av-defaults;
                    imap-profile junos-sophos-av-defaults;
                }
                web-filtering {
                    http-profile WF;
                }
                anti-spam {
                    smtp-profile junos-as-defaults;
                }
                traffic-options { ## Warning: 'traffic-options' is deprecated
                    sessions-per-client {
                        over-limit log-and-permit;
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000; ## Warning: 'queue-size' is deprecated
                        timeout 20;
                    }
                    land;                   
                }
            }
        }
        nat {
            source {
                rule-set NAT {
                    from zone trust;
                    to zone untrust;
                    rule NAT {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy LAN-to-WAN {
                    match {                 
                        source-address any;
                        destination-address any;
                        application junos-defaults;
                        dynamic-application any;
                        url-category Enhanced_News_and_Media;
                    }
                    then {
                        permit {
                            application-services {
                                utm-policy UTM_Base;
                            }
                        }
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
                policy Deny_log {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        dynamic-application any;
                    }
                    then {
                        deny;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {           
                tcp-rst;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
                application-tracking;
                source-identity-log;
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                description WAN;
                family inet {
                    address 10.193.60.40/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                description LAN;
                family inet {
                    address 192.168.35.40/24;
                }
            }
        }
        fxp0 {
            disable;
            unit 0 {
                family inet {
                    address 10.193.60.45/24;
                }
            }
        }
    }
    routing-options {                       
        static {
            route 0.0.0.0/0 next-hop 10.193.60.1;
        }
    }


  • 2.  RE: vSRX - Enhanced Web filtering logging status is no-config
    Best Answer

    Posted 06-26-2019 11:02

    Hi Lochlain,

     

    You are missing the web-filtering type in the configuration.

     

    Please run the following command to set the web-filtering type to 'juniper-enhanced' and that should fix this issue.

     

    > edit
    # set security utm feature-profile web-filtering type juniper-enhanced
    # commit and-quit

     

    Here is a KB for your reference on what is needed to setup for EWF: https://kb.juniper.net/InfoCenter/index?page=content&id=KB22483&cat=SRX_SERIES&actp=LIST

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

     

    Regards,

    HS
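
An added example, not part of the original posts or Juniper's tooling: a small offline check that parses a saved curly-brace Junos configuration and flags the condition described above, a web-filtering engine block with profiles but no `type` statement. The function names and the trimmed sample config are assumptions constructed for illustration.

```python
import re

# Constructed sample: the feature-profile stanza from the question, trimmed.
SAMPLE_BROKEN = """
security {
    utm {
        feature-profile {
            web-filtering {
                juniper-enhanced {
                    profile WF {
                        default log-and-permit; ## constructed annotation
                    }
                }
            }
        }
    }
}
"""
# Same stanza with the statement from the accepted answer added.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "web-filtering {", "web-filtering {\n type juniper-enhanced;", 1)

def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts (leaf statements -> None)."""
    text = re.sub(r"##[^\n]*", "", text)  # drop '## SECRET-DATA' style annotations
    stack = [{}]
    # Assumption: no '{', '}' or ';' occurs inside a quoted string.
    for head, delim in re.findall(r"([^{};]*)([{};])", text):
        head = " ".join(head.split())
        if delim == "{":
            stack.append(stack[-1].setdefault(head, {}))
        elif delim == ";" and head:
            stack[-1][head] = None
        elif delim == "}":
            stack.pop()
    return stack[0]

def missing_type_findings(cfg):
    """Report web-filtering engine blocks configured without a 'type' statement."""
    utm = cfg.get("security", {}).get("utm", {})
    wf = utm.get("feature-profile", {}).get("web-filtering") or {}
    if any(key.startswith("type ") for key in wf):
        return []
    findings = []
    for engine, body in wf.items():
        if isinstance(body, dict):
            profiles = sorted(k.split()[1] for k in body if k.startswith("profile "))
            findings.append(f"{engine}: profiles {profiles} defined, no 'type {engine}' set")
    return findings

print(missing_type_findings(parse_junos(SAMPLE_BROKEN)))
```

Running the same check against a configuration export before commit catches a filtering profile that would otherwise sit inactive while traffic passes unfiltered and unlogged.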

     



  • 3.  RE: vSRX - Enhanced Web filtering logging status is no-config

    Posted 06-26-2019 11:14

    Lochlain,

     

    There is no configuration of server, you need to add this configuration for UTM to work.

    This will fix the issue. 

     

    web-filtering {
        type juniper-enhanced;
        juniper-enhanced {
            server {
                host rp.cloud.threatseeker.com;
            }
        }
    }

     



  • 4.  RE: vSRX - Enhanced Web filtering logging status is no-config

    Posted 06-26-2019 11:20

    you're right.

    Cheers.

    So much for using only j-web to config stuff...