
Integrated Web Filtering

To enable Web filtering, you first bind a Web-filtering profile to a firewall policy. With integrated Web filtering, the Juniper Networks security device intercepts each HTTP request, determines whether to permit or block access to a requested site by categorizing its URL, then matches the URL category to a Web-filtering profile. A Web-filtering profile defines the action the security device takes (permit or block) when it receives a request to access a URL.

A URL category is a list of URLs organized by content. Security devices use the SurfControl predefined URL categories to determine the category of the requested URL. SurfControl Content Portal Authority (CPA) servers maintain the largest database of all types of Web content classified into about 40 categories. A partial list of the URL categories is shown in “Define URL Categories (Optional)” on page 107.

For a complete list of SurfControl URL categories, visit the Websense website at http://www.websense.com/global/en/scwelcome.

In addition to the SurfControl predefined URL categories, you can also group URLs and create categories based on your needs. For information about creating user-defined categories, see “Define URL Categories (Optional)” on page 107.

Following is the basic sequence of events when a host in the Trust zone tries an HTTP connection to a server in the Untrust zone:

1. The security device checks for a firewall policy that applies to the traffic:

If there is no firewall policy for the traffic, the device drops the traffic.

If there is a firewall policy and if Web filtering is enabled on that policy, the device intercepts all HTTP requests.

2. The device checks for a user-defined profile bound to the firewall policy. If there is none, the device then uses the default profile, ns-profile.

3. The device determines if the category of the requested URL is already cached. If it is not, the device sends the URL to the SurfControl CPA server for categorization and caches the result.

4. Once the device determines the category of the URL, it checks for the category in the Web-filtering profile bound to the firewall policy.

If the category is in the profile, the device blocks or permits access to the URL as defined in the profile.

If the category is not in the profile, the device performs the configured default action.

This section addresses the following integrated Web-filtering topics:

“SurfControl Servers” on page 106

“Redirect Web Filtering” on page 114

“Web-Filtering Cache” on page 106

Chapter 4: Content Monitoring and Filtering

“Configuring Integrated Web Filtering” on page 107

“Example: Integrated Web Filtering” on page 112

SurfControl Servers

SurfControl has three server locations, each of which serves a specific geographic area: the Americas, Asia Pacific, and Europe/Middle East/Africa. The default primary server is the Americas, and the default backup server is Asia Pacific. You can change the primary server, and the security device automatically selects a backup server, based on the primary server. (The Asia Pacific server is the backup for the Americas server, and the Americas server is the backup for the other two servers.)

The SurfControl CPA server periodically updates its list of categories. Since the CPA server does not notify its clients when the list is updated, the security device must periodically poll the CPA server. By default, the device queries the CPA server for category updates every two weeks. You can change this default to support your networking environment. You can also manually update the category list by entering the Web-filtering context and executing the exec cate-list-update command. To manually update the category list, do the following:

device-> set url protocol sc-cpa
device(url:sc-cpa)-> exec cate-list-update

Web-Filtering Cache

By default, the security device caches the URL categories. This action reduces the overhead of accessing the SurfControl CPA server each time the device receives a new request for previously requested URLs. You can configure the size and duration of the cache, according to the performance and memory requirements of your networking environment. The default cache size is platform-dependent, and the default timeout is 24 hours.

In the following example, you change the cache size to 500 kilobytes (KB) and the timeout value to 18 hours.

WebUI

Security > Web Filtering > Protocol Selection > Select Integrated (SurfControl), then click Apply.

Enable Cache: (select)
Cache Size: 500 (K)
Cache Timeout: 18 (Hours)

CLI

device-> set url protocol sc-cpa
device(url:sc-cpa)-> set cache size 500
device(url:sc-cpa)-> set cache timeout 18
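The four-step decision sequence described earlier (policy check, profile fallback to ns-profile, cached or CPA-supplied category, profile action or default action) and the category cache with its timeout can be modelled together. The following Python is an added example, not ScreenOS code and not anything from Juniper or SurfControl. It assumes a simplified model: a policy is matched on its zone pair only, cache capacity is counted in entries rather than kilobytes, the timeout is in seconds, the CPA server is replaced by a constructed lookup table, and every zone name, URL and category name is a constructed sample.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, BLOCK, DROP = "permit", "block", "drop"

@dataclass
class Profile:                     # Web-filtering profile
    name: str
    actions: Dict[str, str]        # category -> PERMIT or BLOCK
    default_action: str = PERMIT   # applied when the category is not in the profile

@dataclass
class Policy:                      # firewall policy for one zone pair (simplified)
    src_zone: str
    dst_zone: str
    web_filtering: bool = False
    profile: Optional[Profile] = None   # None -> the default ns-profile

class CategoryCache:
    """URL -> category cache. Assumption: capacity counted in entries (not KB),
    timeout in seconds, oldest entry evicted first when the cache is full."""

    def __init__(self, max_entries: int, timeout_s: float) -> None:
        self.max_entries, self.timeout_s = max_entries, timeout_s
        self._entries: "OrderedDict[str, Tuple[str, float]]" = OrderedDict()

    def get(self, url: str, now: float) -> Optional[str]:
        hit = self._entries.get(url)
        if hit is None:
            return None
        category, stored_at = hit
        if now - stored_at >= self.timeout_s:
            del self._entries[url]       # expired: the CPA server must be asked again
            return None
        return category

    def put(self, url: str, category: str, now: float) -> None:
        self._entries[url] = (category, now)
        self._entries.move_to_end(url)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)

class WebFilter:
    def __init__(self, policies: List[Policy], default_profile: Profile,
                 cache: CategoryCache, categorize: Callable[[str], str]) -> None:
        self.policies, self.default_profile, self.cache = policies, default_profile, cache
        self.categorize = categorize   # stand-in for the SurfControl CPA query
        self.cpa_queries = 0           # how often the "CPA server" was asked

    def handle_request(self, src_zone: str, dst_zone: str, url: str,
                       now: float) -> Tuple[str, str]:
        # 1. Firewall policy for the traffic? None -> drop; no Web filtering -> not intercepted.
        policy = next((p for p in self.policies
                       if p.src_zone == src_zone and p.dst_zone == dst_zone), None)
        if policy is None:
            return DROP, "no firewall policy"
        if not policy.web_filtering:
            return PERMIT, "policy without Web filtering; HTTP not intercepted"
        # 2. Profile bound to the policy, else the default ns-profile.
        profile = policy.profile or self.default_profile
        # 3. Category from the cache, else from the CPA server (then cached).
        category = self.cache.get(url, now)
        if category is None:
            category = self.categorize(url)
            self.cpa_queries += 1
            self.cache.put(url, category, now)
        # 4. Action for the category, or the profile's default action.
        action = profile.actions.get(category, profile.default_action)
        return action, f"category {category} via profile {profile.name}"

# Constructed sample data standing in for the SurfControl CPA server's answers.
SAMPLE_CATEGORIES = {"http://casino.example/": "Gambling", "http://news.example/": "News"}

def fake_cpa_lookup(url: str) -> str:
    return SAMPLE_CATEGORIES.get(url, "Uncategorized")

def run_demo() -> Tuple[List[Tuple[str, str]], int]:
    """Replay a constructed request sequence; returns (results, CPA query count)."""
    ns_profile = Profile("ns-profile", {}, default_action=PERMIT)
    strict = Profile("strict", {"Gambling": BLOCK}, default_action=PERMIT)
    policies = [Policy("Trust", "Untrust", web_filtering=True, profile=strict),
                Policy("Guest", "Untrust", web_filtering=True),   # no profile -> ns-profile
                Policy("Trust", "DMZ", web_filtering=False)]
    wf = WebFilter(policies, ns_profile, CategoryCache(2, 18 * 3600), fake_cpa_lookup)
    requests = [
        ("Trust", "Untrust", "http://casino.example/", 0),          # block, CPA queried
        ("Trust", "Untrust", "http://casino.example/", 60),         # block, cache hit
        ("Trust", "Untrust", "http://unknown.example/", 60),        # permit: default action
        ("Trust", "DMZ", "http://casino.example/", 60),             # permit: no filtering
        ("Untrust", "Trust", "http://news.example/", 60),           # drop: no policy
        ("Guest", "Untrust", "http://casino.example/", 60),         # permit: ns-profile
        ("Trust", "Untrust", "http://casino.example/", 19 * 3600),  # block, cache expired
    ]
    return [wf.handle_request(*r) for r in requests], wf.cpa_queries
```

Running `run_demo()` shows the two points the text makes that are easy to miss in practice: a URL whose category is absent from the bound profile falls through to the profile's default action, and the 18-hour cache timeout (the last request) forces a fresh CPA query for a URL that was categorized earlier, so a shorter timeout trades CPA traffic for faster pickup of category changes.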

Configuring Integrated Web Filtering

To configure a security device for Web filtering, perform the following steps:

1. “Set Up a Domain Name Server” on page 107

2. “Enable Web Filtering” on page 107

3. “Define URL Categories (Optional)” on page 107

4. “Define Web-Filtering Profiles (Optional)” on page 109

5. “Prioritize User Groups” on page 111

6. “Enable Web-Filtering Profile and Policy” on page 111

Each step is described in detail in the following sections.

Set Up a Domain Name Server

The Juniper Networks security device incorporates Domain Name System (DNS) support, allowing you to use domain names as well as IP addresses for identifying locations. You must configure at least one DNS server to enable the security device to resolve the CPA server name to an address. For more information about DNS, see Domain Name System Support.

Enable Web Filtering

You can use the Web UI or CLI commands to enable integrated Web filtering on a security device. If you use the CLI, you must enter the Web-filtering context before entering the commands specific to integrated Web filtering.

WebUI

Security > Web Filtering > Protocol Selection: Select Integrated (SurfControl), then click Apply. Then select Enable Web Filtering via CPA Server, and click Apply again.

CLI

device-> set url protocol type sc-cpa
device-> set url protocol sc-cpa
device(url:sc-cpa)-> set enable
device(url:sc-cpa)-> exit
device-> save

The device(url:sc-cpa)-> prompt indicates that you have entered the integrated Web-filtering context and can now configure integrated Web-filtering parameters.

Define URL Categories (Optional)

A category is a list of URLs grouped by content. There are two types of categories: predefined and user-defined. SurfControl maintains about 40 predefined categories. A partial list of the URL categories is shown in Table 5 on page 108. For a complete list and description of each URL category developed by SurfControl, visit the Websense website at http://www.websense.com/global/en/scwelcome.

To view the list of SurfControl predefined URL categories:


WebUI

Security > Web Filtering > Profiles > Predefined category

CLI

device-> set url protocol type sc-cpa
device-> set url protocol sc-cpa
device(url:sc-cpa)-> get category pre

The URL category list displayed is similar to that shown in Table 5 on page 108.