
Configuring Integrated Web Filtering

To configure a security device for web filtering, perform the following steps:

1. “Set Up a Domain Name Server”
2. “Enable Web Filtering”
3. “Define URL Categories (Optional)”
4. “Define Web-Filtering Profiles (Optional)”
5. “Enable Web-Filtering Profile and Policy”

Each step is described in detail in the following sections.

1. Set Up a Domain Name Server

The Juniper Networks security device incorporates Domain Name System (DNS) support, allowing you to use domain names as well as IP addresses for identifying locations. You must configure at least one DNS server to enable the security device to resolve the CPA server name to an address. For more information about DNS, refer to “Domain Name System Support” on page 2-217.

2. Enable Web Filtering

You can use the WebUI or CLI commands to enable integrated web filtering on a security device. If you use the CLI, you must enter the web-filtering context before entering the commands specific to integrated web filtering.

WebUI

Security > Web Filtering > Protocol Selection: Select Integrated (SurfControl), then click Apply. Then select Enable Web Filtering via CPA Server, and click Apply again.

CLI

device-> set url protocol type sc-cpa
device-> set url protocol sc-cpa

The device(url:sc-cpa)-> prompt indicates that you have entered the integrated web-filtering context and can now configure integrated web-filtering parameters.

3. Define URL Categories (Optional)

A category is a list of URLs grouped by content. There are two types of categories: predefined and user-defined. SurfControl maintains about 40 predefined categories.

A partial list of the URL categories is shown in Table 4 on page 101. For a complete list and description of each URL category developed by SurfControl, visit the SurfControl website at http://www.surfcontrol.com.

To view the list of SurfControl predefined URL categories, do the following:

WebUI

Security > Web Filtering > Profiles > Predefined category

CLI

device-> set url protocol type sc-cpa
device-> set url protocol sc-cpa
device(url:sc-cpa)-> get category pre

The URL category list displayed is similar to that shown in Table 4.

Table 4: Partial List of SurfControl URL Categories

Type        Code    Category Name
Predefine   76      Advertisements
Predefine   50      Arts & Entertainment
Predefine   3001    Chat
Predefine   75      Computing & Internet

The predefined categories list displays the categories and their SurfControl internal codes. Though you cannot list the URLs within a category, you can determine the category of a website by using the Test A Site feature on the SurfControl website at www.surfcontrol.com.

In addition to the SurfControl predefined URL categories, you can group URLs and create categories specific to your needs. Each category can have a maximum of 20 URLs. When you create a category, you can add either the URL or the IP address of a site. When you add a URL to a user-defined category, the device performs DNS lookup, resolves the host name into IP addresses, and caches this information.

When a user tries to access a site with the IP address of the site, the device checks the cached list of IP addresses and tries to resolve the hostname.

Many sites have dynamic IP addresses, meaning that their IP addresses change periodically. A user attempting to access a site can type an IP address that is not in the cached list on the device. Therefore, if you know the IP addresses of sites you are adding to a category, enter both the URL and the IP address(es) of the site.

NOTE: If a URL appears in both a user-defined category and a predefined category, the device matches the URL to the user-defined category.

In the following example, you create a category named Competitors and add the following URLs: www.games1.com and www.games2.com

WebUI

Security > Web Filtering > Profiles > Custom > New: Enter the following, then click Apply:

Category Name: Competitors
URL: www.games1.com

Enter the following, then click OK:

URL: www.games2.com

CLI

device-> set url protocol sc-cpa
device(url:sc-cpa)-> set category competitors url www.games1.com
device(url:sc-cpa)-> set category competitors url www.games2.com
device(url:sc-cpa)-> exit
device-> save

4. Define Web-Filtering Profiles (Optional)

A web-filtering profile consists of a group of URL categories assigned with one of the following actions:

• Permit - The security device always allows access to the websites in this category.

• Block - The security device blocks access to the websites in this category. When the device blocks access to this category of websites, it displays a message in your browser indicating the URL category.

• Black List - The security device always blocks access to the websites in this list. You can create a user-defined category or use a predefined category.

• White List - The security device always allows access to the websites in this list. You can create a user-defined category or use a predefined category.

Juniper Networks security devices provide a default profile called ns-profile. This profile lists the SurfControl predefined URL categories and their actions. You cannot edit the default profile. To view the predefined profile, use the following command:

WebUI

Security > Web Filtering > Profiles > Predefined

CLI

device-> set url protocol sc-cpa
device(url:sc-cpa)-> get profile ns-profile

The security device displays the predefined profile as illustrated below:

Profile Name: ns-profile
Black-List category: None
White-List category: None
Default Action: Permit

Category                 Action
Advertisements           block
Arts & Entertainment     permit
Chat                     permit
Computing & Internet     permit
.
.
.
Violence                 block
Weapons                  block
Web-based Email          permit
other                    permit

If the URL in an HTTP request is not in any of the categories listed in the default profile, the default action of the security device is to permit access to the site.

You can create a custom profile by cloning an existing profile, saving it with a new name, and then editing the profile. Perform the following step in the WebUI to clone ns-profile.

WebUI

Security > Web Filtering > Profiles > Custom: ns-profile: Select Clone.

NOTE: You must use the WebUI to clone ns-profile.

You can also create your own web-filtering profile. When you create a web-filtering profile, you can:

• Add both user-defined and SurfControl predefined URL categories

• Specify a category for the black list and/or the white list

• Change the default action

In the following example, you create a custom profile called my-profile with a default action of permit. Then, you take the category you created in the previous example and add it to my-profile with an action of block.

WebUI

Security > Web Filtering > Profiles > Custom > New: Enter the following, then click Apply:

Profile Name: my-profile
Default Action: Permit

Select the following, then click OK:

Subscribers Identified by:

Category Name: Competitors (select)
Action: Block (select)

Configure: Add (select)

CLI

device-> set url protocol type sc-cpa
device-> set url protocol sc-cpa
device(url:sc-cpa)-> set profile my-profile other permit
device(url:sc-cpa)-> set profile my-profile competitors block
device(url:sc-cpa)-> exit
device-> save

5. Enable Web-Filtering Profile and Policy

Firewall policies permit or deny specified types of unidirectional traffic between two points. (For information about firewall policies, refer to “Policies” on page 2-159.) You can enable both antivirus (AV) scanning and integrated web filtering in a policy. (For information about AV scanning, see “Antivirus Scanning” on page 58.)

Enable web filtering in the policy and bind the profile to the policy. When you enable integrated web filtering in a policy, the security device intercepts all HTTP requests. If there is a web-filtering profile bound to the policy, the device matches the URL in the incoming HTTP request to the categories in the profile in the following sequence:

1. Black list
2. White list
3. User-defined categories
4. SurfControl predefined URL categories

If the device is unable to determine the category of the requested URL, then it blocks or permits access based on the default configuration in the profile.

NOTE: To configure the default action using the CLI, specify the action for the Other category.

Figure 40: Web-Filtering Profiles and Policies Flowchart

If the device determines that the URL is in a permitted category, and if AV scanning is enabled for that policy, then the device scans the contents for viruses. If the device determines that the URL is in a blocked category, it closes the TCP connection, sends a message alerting the user, and does not perform AV scanning.
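The lookup sequence described in this section, modeled as an added Python example for checking a planned profile before you configure it; this is not Juniper code and not part of the original document. All class, function and field names are hypothetical, the predefined-category table stands in for the CPA server, and the IP addresses are constructed placeholders. The last sample request shows why an IP address missing from a category's cached list falls through to the default action.

```python
# Added illustration: a model of the lookup order this section describes.
# Not Juniper code; every class, function and field name here is hypothetical.
from dataclasses import dataclass, field

@dataclass
class Profile:
    default_action: str = "permit"   # the action set for "other" in the CLI
    black_list: str = ""             # category name used as the black list
    white_list: str = ""             # category name used as the white list
    actions: dict = field(default_factory=dict)  # category name -> permit/block

def evaluate(profile, target, user_cats, predefined, av_enabled=False):
    """Return (action, matched_by, av_scan) for the host or IP in a request.

    user_cats:  category name -> set of hostnames and cached IP addresses
    predefined: host -> predefined category name (stands in for the CPA server)
    """
    mine = [name for name, members in user_cats.items() if target in members]
    cats = mine + ([predefined[target]] if target in predefined else [])

    if profile.black_list and profile.black_list in cats:
        action, matched_by = "block", "black list"
    elif profile.white_list and profile.white_list in cats:
        action, matched_by = "permit", "white list"
    else:
        # User-defined categories are checked before predefined ones; `cats`
        # already lists them in that order. Assumption: a category that has
        # no action in the profile is skipped.
        hit = next((c for c in cats if c in profile.actions), None)
        if hit is None:
            action, matched_by = profile.default_action, "default action"
        else:
            kind = "user-defined" if hit in mine else "predefined"
            action, matched_by = profile.actions[hit], f"{kind}: {hit}"
    # AV scanning runs only on permitted requests, and only if the policy enables it.
    return action, matched_by, av_enabled and action == "permit"

# Constructed sample data. The two URLs and the profile mirror the page's
# my-profile example; the IP addresses are documentation-range placeholders.
USER_CATS = {"competitors": {"www.games1.com", "www.games2.com", "192.0.2.10"}}
PREDEFINED = {"www.games1.com": "Computing & Internet", "chat.example": "Chat"}
MY_PROFILE = Profile(actions={"competitors": "block", "Chat": "permit"})

if __name__ == "__main__":
    for t in ("www.games1.com", "chat.example", "192.0.2.10", "192.0.2.99"):
        print(t, evaluate(MY_PROFILE, t, USER_CATS, PREDEFINED, av_enabled=True))
```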