Question
How to whitelist wildcard URL in Juniper SRX firewall for Wave Gateway connectivity.
Answer
Some Juniper legacy firewalls didn't support allow/block wildcard URLs; the URLs had to be complete.
Now the Juniper SRX firewall supports wildcard URLs (allow or block).
e.g.
Refer to the following CLI configuration guide from Juniper.
CLI Configuration
The following example activates integrated Web filtering.
- Configure the device to use the integrated Web filtering feature.
user@host# set security utm feature-profile web-filtering type surf-control-integrated
- Create a UTM policy and associate the "JUNOS-wf-cpa-default" profile to the policy.
user@host# set security utm utm-policy custom-utm-policy web-filtering http-profile JUNOS-wf-cpa-default
- Apply the UTM policy to the existing trust-to-untrust security policy.
user@host# set security policies from-zone trust to-zone untrust policy default-permit then permit application-services utm-policy custom-utm-policy
To configure integrated Web filtering, create the UTM custom objects first. Custom objects are global parameters for UTM features and apply to all UTM policies where applicable, rather than only to individual policies. In this example, custom URL block and allow lists are put into two separate categories.
- Define the custom URL pattern lists: block-list and allow-list.
user@host# set security utm custom-objects url-pattern black-list value http://*.sex.com
user@host# set security utm custom-objects url-pattern black-list value http://*.guns.com
user@host# set security utm custom-objects url-pattern black-list value http://*.hacking.com
user@host# set security utm custom-objects url-pattern white-list value http://*.juniper.net
user@host# set security utm custom-objects url-pattern white-list value http://*.cnn.net
user@host# set security utm custom-objects url-pattern white-list value http://*.msn.net
- Define the custom URL categories (allowed-sites and blocked-sites) by putting the allow-list in one category and the block-list in the other category.
user@host# set security utm custom-objects custom-url-category allowed-sites value white-list
user@host# set security utm custom-objects custom-url-category blocked-sites value black-list
After creating custom objects, configure the Web filtering feature parameters.
- Set the type of web-filtering to surf-control-integrated.
user@host# set security utm feature-profile web-filtering type surf-control-integrated
- Define the global URL allow and block lists.
user@host# set security utm feature-profile web-filtering url-whitelist allowed-sites
user@host# set security utm feature-profile web-filtering url-blacklist blocked-sites
- Define the SurfControl server settings.
user@host# set security utm feature-profile web-filtering surf-control-integrated cache timeout 1800
user@host# set security utm feature-profile web-filtering surf-control-integrated cache size 500
user@host# set security utm feature-profile web-filtering surf-control-integrated server host cpa.surfcpa.com
user@host# set security utm feature-profile web-filtering surf-control-integrated server port 9020
- Create the Web filtering profile and specify the actions to be taken for each category (user-defined and custom).
user@host# set security utm feature-profile web-filtering surf-control-integrated profile surfcontrol-profile1 category Adult_Sexually_Explicit action block
user@host# set security utm feature-profile web-filtering surf-control-integrated profile surfcontrol-profile1 category Hacking action block
user@host# set security utm feature-profile web-filtering surf-control-integrated profile surfcontrol-profile1 category Weapons action block
user@host# set security utm feature-profile web-filtering surf-control-integrated profile surfcontrol-profile1 category Web_based_Email action permit
user@host# set security utm feature-profile web-filtering surf-control-integrated profile surfcontrol-profile1 default block
user@host# set security utm feature-profile web-filtering surf-control-integrated profile surfcontrol-profile1 custom-block-message ***DENIED***
- Define the fallback settings for the Web filtering profile. The fallback options define the actions to be taken for traffic when errors in each configured category occur.
user@host# set security utm feature-profile web-filtering surf-control-integrated profile surfcontrol-profile1 fallback-settings default block
user@host# set security utm feature-profile web-filtering surf-control-integrated profile surfcontrol-profile1 fallback-settings server-connectivity block
user@host# set security utm feature-profile web-filtering surf-control-integrated profile surfcontrol-profile1 fallback-settings timeout block
user@host# set security utm feature-profile web-filtering surf-control-integrated profile surfcontrol-profile1 fallback-settings too-many-requests block
Define the UTM policy for the protocol and attach this policy to a profile. Then apply the UTM policy to a firewall security policy as an application service.
- Define the UTM policy for HTTP (web-filter) and attach this policy to a profile (surfcontrol-profile1).
user@host# set security utm utm-policy web-filter web-filtering http-profile surfcontrol-profile1
- Apply the UTM policy to a policy from the Trust zone to the Untrust zone, and set the application services to be allowed:
user@host# set security policies from-zone trust to-zone untrust policy web-filter match source-address any
user@host# set security policies from-zone trust to-zone untrust policy web-filter match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy web-filter match application any
user@host# set security policies from-zone trust to-zone untrust policy web-filter then permit application-services utm-policy web-filter
Refer to the following KB article from Juniper for more details:
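Added example, not part of the answer above and not Juniper's code: a Python script that parses the url-pattern, custom-url-category, url-whitelist and url-blacklist `set` statements from the configuration above and reports, offline, how a candidate URL would be classified. It lets you check a wildcard allow list (for example the Wave Gateway hostnames) before committing it. The wildcard semantics it implements are assumptions about device behaviour to be confirmed on the SRX: `*` matches one or more host characters (so `http://*.juniper.net` does not cover the apex `juniper.net`), `?` matches one character, a match must end at a URL delimiter (so `www.juniper.net.evil.example` is not covered), the url-whitelist is consulted before the url-blacklist, and an `http://` pattern does not match an `https://` URL. The `validate_pattern` rules are likewise assumed pre-commit checks, not the device's own validator, and the config text is constructed from the lines above.

```python
"""Offline checker for Junos UTM url-pattern lists (added example; assumed semantics)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: the list-related statements from the configuration above.
SAMPLE_CONFIG = """
set security utm custom-objects url-pattern black-list value http://*.sex.com
set security utm custom-objects url-pattern black-list value http://*.guns.com
set security utm custom-objects url-pattern black-list value http://*.hacking.com
set security utm custom-objects url-pattern white-list value http://*.juniper.net
set security utm custom-objects url-pattern white-list value http://*.cnn.net
set security utm custom-objects url-pattern white-list value http://*.msn.net
set security utm custom-objects custom-url-category allowed-sites value white-list
set security utm custom-objects custom-url-category blocked-sites value black-list
set security utm feature-profile web-filtering url-whitelist allowed-sites
set security utm feature-profile web-filtering url-blacklist blocked-sites
"""

PATTERN_RE = re.compile(r"^set security utm custom-objects url-pattern (\S+) value (\S+)$")
CATEGORY_RE = re.compile(r"^set security utm custom-objects custom-url-category (\S+) value (\S+)$")
WHITELIST_RE = re.compile(r"^set security utm feature-profile web-filtering url-whitelist (\S+)$")
BLACKLIST_RE = re.compile(r"^set security utm feature-profile web-filtering url-blacklist (\S+)$")


@dataclass
class UrlLists:
    patterns: dict = field(default_factory=dict)    # url-pattern name -> [pattern value]
    categories: dict = field(default_factory=dict)  # custom-url-category -> [url-pattern name]
    whitelist: Optional[str] = None                 # category bound to url-whitelist
    blacklist: Optional[str] = None                 # category bound to url-blacklist


def parse_config(text: str) -> UrlLists:
    """Collect the list objects from `set` statements; unrelated lines are ignored."""
    lists = UrlLists()
    for line in text.splitlines():
        line = line.strip()
        if m := PATTERN_RE.match(line):
            lists.patterns.setdefault(m.group(1), []).append(m.group(2))
        elif m := CATEGORY_RE.match(line):
            lists.categories.setdefault(m.group(1), []).append(m.group(2))
        elif m := WHITELIST_RE.match(line):
            lists.whitelist = m.group(1)
        elif m := BLACKLIST_RE.match(line):
            lists.blacklist = m.group(1)
    return lists


def validate_pattern(pattern: str) -> list:
    """Assumed pre-commit checks: scheme required; '*' at most once, at the start
    of the host and followed by '.'; no wildcard in the path."""
    if "://" not in pattern:
        return ["missing scheme, e.g. http://"]
    host, _, path = pattern.split("://", 1)[1].partition("/")
    problems = []
    if not host:
        problems.append("empty host")
    if "*" in host and (host.count("*") > 1 or not host.startswith("*.")):
        problems.append("'*' is only allowed once, at the start of the host, followed by '.'")
    if "*" in path or "?" in path:
        problems.append("wildcards in the path are not supported")
    return problems


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Assumed matching: '*' = one or more host characters, '?' = one character,
    anchored at the start, and the URL may continue only at a delimiter."""
    body = re.escape(pattern).replace(r"\*", r"[^/:?#]+").replace(r"\?", r"[^/:?#]")
    return re.compile(rf"^{body}(?=$|[/:?#])", re.IGNORECASE)


def first_hit(url: str, category: str, lists: UrlLists) -> Optional[str]:
    """Return the first pattern in the category's url-pattern lists matching the URL."""
    for name in lists.categories.get(category, []):
        for pattern in lists.patterns.get(name, []):
            if pattern_to_regex(pattern).match(url):
                return pattern
    return None


def classify(url: str, lists: UrlLists, default_action: str = "block") -> tuple:
    """Whitelist hit -> permit, blacklist hit -> block (assumed precedence), else
    the action the profile's category lookup or `default` statement would apply."""
    if lists.whitelist and (hit := first_hit(url, lists.whitelist, lists)):
        return "permit", f"url-whitelist {lists.whitelist} via {hit}"
    if lists.blacklist and (hit := first_hit(url, lists.blacklist, lists)):
        return "block", f"url-blacklist {lists.blacklist} via {hit}"
    return default_action, "no list match; category lookup / profile default applies"


if __name__ == "__main__":
    lists = parse_config(SAMPLE_CONFIG)
    for name, values in lists.patterns.items():
        for value in values:
            for problem in validate_pattern(value):
                print(f"{name}: {value}: {problem}")
    for url in ("http://www.juniper.net/support", "https://www.juniper.net/",
                "http://juniper.net", "http://www.juniper.net.evil.example/",
                "http://forums.guns.com/", "http://example.org/"):
        print(url, "->", *classify(url, lists))
```

Run it after pasting your own `set ... url-pattern` lines into `SAMPLE_CONFIG`, then confirm the interesting cases (apex host, HTTPS, a lookalike domain) on the device itself, since only the SRX is authoritative for its matching rules.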