Preview
Rate this lesson

Juniper SRX Content Filtering is another UTM feature used to filter traffic based on file type (MIME type), file extension and also protocol commands.

It is also possible to filter cookie, ActiveX, java applet and some other content types.

In previous sections, we have discussed configured UTM antivirus and antispam features. This section is dedicated to content filtering feature.

Juniper SRX Content Filtering

As we have mentioned several times, with content filtering it is possible to inspect web, FTP and email traffic to control or filter them based on the content type.

Juniper SRX UTM Content Filtering Fundamental
Juniper SRX UTM Content Filtering Fundamental

MIME type, file extension, and protocol commands are the main content that we can inspect and control.

By MIME type, it means mostly the type of the media. For example an MP4 video or MP3 audio or an image with jpeg type are some MIME type examples.

The meaning of the file extension is clear. .exe, .zip and .doc are some examples from file extension.

But by protocol command you can control the traffic based on the commands used in the application header.

For example in HTTP, get command is the most important command to browse or download the web content. Or in FTP, delete command is used to delete a file in a FTP server.

Juniper SRX Content Filtering Configuration

Juniper SRX Content Filtering Configuration Steps

The configuration of Content Filtering is very similar to antivirus and antispam.

Juniper SRX UTM Content Filtering Configuration Steps
Juniper SRX UTM Content Filtering Configuration Steps

In the first step, we have to enable UTM content filtering feature.

In the second step, we configure content filtering profile. In the profile we configure the type of contents to be inspected.

For each content type, MIME type, protocol commands and file extension, a separate list of content types can be configured.

In the third step, we configure content filtering policy. In the policy we configure which protocols to be inspected. HTTP, Email and FTP protocols are supported.

For each protocol, we have to specify, the content filtering profile, configured earlier or the default content filtering profile.

In the last step, content filtering policy must be activated in a security policy.

Juniper SRX Content Filtering Configuration

Enable Content Filtering

To start the configuration, we enable UTM content filtering feature.

This feature unlike antivirus and antispam does not require any license.

With the command “set security utm default-configuration content-filtering type ?”, you have the option to enable or disable the content filtering.

With “local” keyword, you activate content filtering based on local policies.

[edit]
[email protected]# set security utm default-configuration content-filtering type ?
Possible completions:
  local                Content-filtering local
  content-filtering-none  

set security utm default-configuration content-filtering type local 

Configure Content Filtering Profile

In the second step, we configure a content filtering profile.

In the profile, we specify which content to be inspected.

For each content type, MIME type, file extension and protocol commands, you can configure separate lists.

As an example, here we create four custom objects.

set security utm custom-objects filename-extension EXE_ZIP value [exe zip]
set security utm custom-objects protocol-command FTP_DEL value DELE 
set security utm custom-objects mime-pattern QUICK_JPEG value [ video/quicktime image/jpeg ]
set security utm custom-objects mime-pattern MP4 value video/mp4

[edit]
[email protected]# set security utm feature-profile content-filtering profile CF_PROFILE ?  
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  block-command        Block command list
> block-content-type   Content-filtering feature block content type
  block-extension      Block extension list
> block-mime           Content-filtering feature block MIME
> notification-options  Notification options
  permit-command       Permit command list
  |                    Pipe through a command
  
set security utm feature-profile content-filtering profile CF_PROFILE block-extension EXE_ZIP
set security utm feature-profile content-filtering profile CF_PROFILE block-command FTP_DEL
set security utm feature-profile content-filtering profile CF_PROFILE block-mime list QUICK_JPEG

set security utm feature-profile content-filtering profile CF_PROFILE block-mime exception MP4 

The first is based on file extension. .exe and .zip extensions are in the list.

The second is based on protocol commands. FTP delete command is the only protocol command in the list.

The third list is based on MIME type, includes video QuickTime and image jpeg files.

The last list is also based on MIME type, include video MP4 file.

Then we create a profile with the name of “CF_PROFILE”, which inspect and block the first three list but permit the file type including in the fourth list.

In the content filtering, whitelist is created using “exception” keyword.

Configure Content Filtering Policy

In the third step, we configure content filtering policy.

In content filtering we specify which protocols to be inspected. In each protocol, we have to specify which profile should be used for the inspection.

 Here I create a content filtering policy with the name of “CF_POLICY”, which inspect FTP download and upload traffic to check contents configured in the “CF_PROFILE” profile.

set security utm utm-policy CF_POLICY content-filtering ftp download-profile CF_PROFILE 
set security utm utm-policy CF_POLICY content-filtering ftp upload-profile CF_PROFILE

Apply Content Filtering Policy in Security Policy

In the last step, we have to apply the content filtering policy in one security policy.

From untrust zone to trust zone, there is a default default-permit rule that we configured in the previous sections.

At the end of “then” command, we add content filtering policy “CF_POLICY” in default-permit security policy.

set security policies from-zone untrust to-zone trust policy default-permit match source-address any
set security policies from-zone untrust to-zone trust policy default-permit match destination-address any
set security policies from-zone untrust to-zone trust policy default-permit match application any
set security policies from-zone untrust to-zone trust policy default-permit then permit

set security policies from-zone untrust to-zone trust policy default-permit then permit application-services utm-policy CF_POLICY

After committing, we can check it with the command, “show configuration security policies from-zone untrust to-zone trust policy default-permit | display set

[edit]
[email protected]# run show configuration security policies from-zone untrust to-zone trust | display set
set security policies from-zone untrust to-zone trust policy default-permit match source-address any
set security policies from-zone untrust to-zone trust policy default-permit match destination-address any
set security policies from-zone untrust to-zone trust policy default-permit match application any
set security policies from-zone untrust to-zone trust policy default-permit then permit application-services utm-policy CF_POLICY

These are all the configuration that we need to configure to start using content filtering feature in juniper SRX device.

Content Filtering Monitoring and Troubleshooting

To make sure that content filtering feature is correctly configured and it is inspecting the configured contents, there is one main monitoring commands.

With the command “show security utm content-filtering statistics”, you can make sure that content filtering feature is activated and how many contents of each type are filtered.

[edit]
[email protected]# run show security utm content-filtering statistics 
 
 Content-filtering-statistic:         Blocked
     Base on command list:                     0
     Base on mime list:                        0
     Base on extension list:                   0
     ActiveX plugin:                           0
     Java applet:                              0
     EXE files:                                0
     ZIP files:                                0
     HTTP cookie:                              0
Back to: Juniper Security Associate (JNCIA-SEC) based on vSRX version 22.1R1.10 > Unified Threat Management (UTM)

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment