Got vSRX 19.1 running with a rather basic config, yet Web Filtering is not working.
The EWF license is there, the config is applied, and category updates are downloaded and installed,
but if I run
# run show security utm web-filtering status
UTM web-filtering status:
Server status: no-config
This is what I get.
There is nothing with RT_UTM in the traffic logs either.
The config is below:
/* System stanza: root credentials, management services (SSH and J-Web), host name, DNS, a commit script, local syslog files and license auto-update. */
system {
root-authentication {
/* NOTE(review): the $6$ prefix marks a SHA-512 crypt hash, and it is pasted here in full. A published hash is exposed to offline guessing, so the root password should be changed and the value masked before a config is shared. */
encrypted-password "$6$wtwr2/1x$OlvHWP89e5/3wrAIcsEuy1EJk9eYb6g7XPVRQwiqWv6PReZq3gL/4.4JHA6HpExlhaWX6V9i2rVFY91H.0cRh/"; ## SECRET-DATA
}
services {
ssh {
/* Direct root login over SSH is allowed. NOTE(review): the untrust zone below accepts all system-services, so SSH as root is presumably reachable from the WAN side; confirm, and prefer a named admin account. */
root-login allow;
}
web-management {
/* J-Web over cleartext HTTP, bound to fxp0.0 only; fxp0 is marked disable in the interfaces stanza. */
http {
interface fxp0.0;
}
/* J-Web over HTTPS with the system-generated certificate, bound to fxp0.0 and to ge-0/0/0.0, which is described as WAN and placed in the untrust zone. */
https {
system-generated-certificate;
interface [ fxp0.0 ge-0/0/0.0 ];
}
}
}
host-name Bishop;
/* Same address as the static default route's next hop in routing-options. */
backup-router 10.193.60.1;
time-zone Europe/Amsterdam;
name-server {
8.8.8.8;
}
/* A commit script, templates.xsl, runs at commit time; its contents are not shown on this page. */
scripts {
commit {
file templates.xsl;
}
}
/* Local syslog targets. NOTE(review): security log below is set to mode stream; presumably data-plane events such as RT_UTM are then not written to these local files, which would fit the empty traffic log; confirm. */
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
/* Every interactive CLI command is recorded, which gives an audit trail of operator actions. */
file interactive-commands {
interactive-commands any;
}
/* world-readable makes the archived copies of this file readable by every local user. */
file policy_session {
user any;
archive size 1000k world-readable;
structured-data;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
/* Application-identification signature package: automatic download with the start time and interval given below (the interval's unit is not shown on this page). */
services {
application-identification {
download {
automatic {
start-time 06-14.12:00;
interval 6;
}
}
}
}
security {
/* Security (data-plane) logging: UTC timestamps, stream mode, structured-data syslog format, on-box reporting enabled. NOTE(review): no stream destination appears in this stanza, so where streamed events end up cannot be told from the page; confirm before concluding that no RT_UTM events are generated. */
log {
utc-timestamp;
mode stream;
format sd-syslog;
report;
}
application-tracking;
utm {
/* UTM custom objects: one base filter and a list of enhanced URL categories, each declared with value Predefined-category-value. NOTE(review): Enhanced_News_and_Media, the category matched by policy LAN-to-WAN, is not in this list; confirm whether it needs to be declared here. */
custom-objects {
base-filter {
ewf-default-filter {
value Predefined-filter-value;
}
}
/* Every entry below is social-networking related except Enhanced_Uncategorized and Enhanced_Custom_Encrypted_Uploads. */
custom-url-enhanced-category {
Enhanced_Social_Networking {
value Predefined-category-value;
}
Enhanced_Uncategorized {
value Predefined-category-value;
}
Enhanced_Custom_Encrypted_Uploads {
value Predefined-category-value;
}
Enhanced_Linkedin_Updates {
value Predefined-category-value;
}
Enhanced_Linkedin_Mail {
value Predefined-category-value;
}
Enhanced_Linkedin_Connections {
value Predefined-category-value;
}
Enhanced_Linkedin_Jobs {
value Predefined-category-value;
}
Enhanced_Facebook_Posting {
value Predefined-category-value;
}
Enhanced_Facebook_Commenting {
value Predefined-category-value;
}
Enhanced_Facebook_Friends {
value Predefined-category-value;
}
Enhanced_Facebook_Photo_Upload {
value Predefined-category-value;
}
Enhanced_Facebook_Mail {
value Predefined-category-value;
}
Enhanced_Facebook_Events {
value Predefined-category-value;
}
Enhanced_Youtube_Commenting {
value Predefined-category-value;
}
Enhanced_Youtube_Video_Upload {
value Predefined-category-value;
}
Enhanced_Facebook_Apps {
value Predefined-category-value;
}
Enhanced_Facebook_Chat {
value Predefined-category-value;
}
Enhanced_Facebook_Questions {
value Predefined-category-value;
}
Enhanced_Facebook_Video_Upload {
value Predefined-category-value;
}
Enhanced_Facebook_Groups {
value Predefined-category-value;
}
Enhanced_Twitter_Posting {
value Predefined-category-value;
}
Enhanced_Twitter_Mail {
value Predefined-category-value;
}
Enhanced_Twitter_Follow {
value Predefined-category-value;
}
Enhanced_Youtube_Sharing {
value Predefined-category-value;
}
Enhanced_Facebook_Games {
value Predefined-category-value;
}
Enhanced_Social_Web_Various {
value Predefined-category-value;
}
}
}
/* UTM default configuration: only the anti-spam type is set. NOTE(review): no web-filtering type (for example type juniper-enhanced) is set here or under feature-profile web-filtering; presumably this is why the status command reports Server status: no-config. Confirm against the Junos documentation for this release. */
default-configuration {
anti-spam {
type sbl;
}
}
/* Enhanced Web Filtering profile WF. It defines no per-category actions, and its default and every fallback are log-and-permit, so as written it can log but never block. The fallback settings also mean traffic is permitted when the category server is unreachable, times out or is overloaded (fail-open). */
feature-profile {
web-filtering {
juniper-enhanced {
profile WF {
default log-and-permit;
fallback-settings {
default log-and-permit;
server-connectivity log-and-permit;
timeout log-and-permit;
too-many-requests log-and-permit;
}
}
}
}
}
/* UTM policy built from predefined profiles (Sophos anti-virus defaults, enhanced web filtering in log-only mode, default anti-spam). No security policy on this page references UTM_basic; only UTM_Base is attached. */
utm-policy UTM_basic {
anti-virus {
http-profile junos-sophos-av-defaults;
ftp {
upload-profile junos-sophos-av-defaults;
download-profile junos-sophos-av-defaults;
}
smtp-profile junos-sophos-av-defaults;
pop3-profile junos-sophos-av-defaults;
imap-profile junos-sophos-av-defaults;
}
web-filtering {
http-profile junos-wf-enhanced-log-only;
}
anti-spam {
smtp-profile junos-as-defaults;
}
}
/* UTM policy attached by security policy LAN-to-WAN. Same anti-virus and anti-spam profiles as UTM_basic, but web filtering uses the custom profile WF. */
utm-policy UTM_Base {
anti-virus {
http-profile junos-sophos-av-defaults;
ftp {
upload-profile junos-sophos-av-defaults;
download-profile junos-sophos-av-defaults;
}
smtp-profile junos-sophos-av-defaults;
pop3-profile junos-sophos-av-defaults;
imap-profile junos-sophos-av-defaults;
}
web-filtering {
http-profile WF;
}
anti-spam {
smtp-profile junos-as-defaults;
}
/* Junos itself flags this statement as deprecated. Clients exceeding the session limit are logged and permitted, not dropped. */
traffic-options { ## Warning: 'traffic-options' is deprecated
sessions-per-client {
over-limit log-and-permit;
}
}
}
}
/* Screen (IDS) options named untrust-screen, applied to the untrust zone below: ping-of-death, IP source-route option, teardrop, land, and SYN-flood protection with the thresholds listed. */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
/* Source NAT for all traffic from zone trust to zone untrust: any source and any destination are translated to the egress interface address. */
nat {
source {
rule-set NAT {
from zone trust;
to zone untrust;
rule NAT {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
/* Security policies. Intra-trust traffic is permitted without inspection. For trust to untrust there are two policies: LAN-to-WAN, which permits with UTM_Base, and Deny_log, which denies and logs everything else. */
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
/* NOTE(review): this is the only policy that attaches a UTM policy, and it matches on url-category Enhanced_News_and_Media. Traffic that does not match that category is not handled here and falls through to Deny_log. Presumably the url-category match is unintended if the goal is to filter all web traffic; confirm. */
policy LAN-to-WAN {
match {
source-address any;
destination-address any;
application junos-defaults;
dynamic-application any;
url-category Enhanced_News_and_Media;
}
then {
permit {
application-services {
utm-policy UTM_Base;
}
}
log {
session-init;
session-close;
}
count;
}
}
/* Explicit catch-all deny with session logging, so dropped outbound traffic is visible in the session logs. */
policy Deny_log {
match {
source-address any;
destination-address any;
application any;
dynamic-application any;
}
then {
deny;
log {
session-init;
session-close;
}
}
}
}
}
/* Security zones: trust holds ge-0/0/1.0 (LAN), untrust holds ge-0/0/0.0 (WAN). Both zones, at zone level and again at interface level, accept all system-services and all protocols addressed to the device itself. */
zones {
security-zone trust {
tcp-rst;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
application-tracking;
source-identity-log;
}
/* NOTE(review): host-inbound-traffic all on the WAN-facing zone exposes every enabled device service to that side, including SSH with root login allowed and J-Web HTTPS on ge-0/0/0.0 as configured under system services. Limit this to the services actually required. The untrust-screen options only cover the listed packet and flood checks. */
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
}
/* Interface addressing: ge-0/0/0 is the WAN side, ge-0/0/1 the LAN side, and fxp0 is administratively disabled. */
interfaces {
ge-0/0/0 {
unit 0 {
description WAN;
family inet {
address 10.193.60.40/24;
}
}
}
ge-0/0/1 {
unit 0 {
description LAN;
family inet {
address 192.168.35.40/24;
}
}
}
/* fxp0 is disabled, and its address sits in the same 10.193.60.0/24 subnet as ge-0/0/0. The J-Web HTTP and HTTPS bindings to fxp0.0 under system services therefore point at a disabled interface. */
fxp0 {
disable;
unit 0 {
family inet {
address 10.193.60.45/24;
}
}
}
}
/* Single static default route via 10.193.60.1, the same address configured as backup-router in the system stanza and on the ge-0/0/0 (WAN) subnet. */
routing-options {
static {
route 0.0.0.0/0 next-hop 10.193.60.1;
}
}