Web Filtering for Branch SRX Series and J Series



Transcription:

APPLICATION NOTE SRX J WEB SRX J Web Copyright 2014, Juniper Networks, Inc.


Web /URL UTM Unified Threat Management Web 2.0 URL Web Web URL Junos OS 9.5 J SRX UTM Web UTM 1 URL URL SurfControl Websense 2 Web J SRX SRX SRX100 SRX210 SRX240 SRX650 J2320 J2350 J4350 J6350 J Junos OS 9.5 Web SurfControl Websense 2 SRX J Web SurfControl Web Web URL SurfControl SurfControl Web J SRX URL SurfControl Web

[Figure 1: SurfControl. Labels: client, HTTP request, SRX210, Internet, Web server, SurfControl server, URL lookup, category]

SurfControl URL 2600 40 70 SurfControl 1 SurfControl Web SRX J STRM Security Threat Response Manager URL SurfControl IPS Websense Web 1 Websense Websense SurfControl URL Websense Websense Web Websense URL SRX J URL

[Figure 2: Websense. Labels: HTTP request, SRX210, Internet, traffic redirect, Web server, Websense server]

Websense 95 100 Websense HTTPS URL URL URL URL URL URL URL URL URL URL URL URL SurfControl Websense SurfControl SurfControl Websense "show system license"

    pato@srx210-1# run show system license
    License usage:
                                     Licenses     Licenses    Licenses    Expiry
      Feature name                       used    installed      needed
      av_key_kaspersky_engine               1            1           0    2009-11-20 00:00:00 UTC
      anti_spam_key_symantec_sbl            0            1           0    2009-11-20 00:00:00 UTC
      wf_key_surfcontrol_cpa                0            1           0    2009-11-20 00:00:00 UTC
      idp-sig                               0            1           0    2009-11-20 00:00:00 UTC

Web UTM 1 UTM UTM HTTP Web

[Figure 3: UTM. Labels: policy lookup; ordered lookup (indexed per source/destination zone); Policy 1 ... Policy N; policy matching; security policy; UTM policy; traffic is sent to application services by specifying a UTM policy; WF profile]

UTM UTM Web UTM Web UTM UTM

    security {
        utm {
            utm-policy <policy name> {
                anti-spam { ... }
                anti-virus { ... }
                content-filtering { ... }
                web-filtering {
                    http-profile <web-filtering profile name>;
                }
            }
        }
    }

Web [security utm feature-profiles]

    security {
        utm {
            feature-profile {
                web-filtering {
                    url-blacklist <black-list user defined category>;
                    url-whitelist <white-list user defined category>;
                    type surf-control-integrated | websense-redirect;
                    surf-control-integrated {
                        cache {
                            size <max number of entries in the cache>;
                            timeout <time, in seconds, after which an entry is declared invalid>;
                        }
                        profile <profile name> {
                            category <category name> { #One or more categories are allowed
                                action block | log-and-permit | permit;
                            }
                            custom-block-message <block-message>;
                            default block | log-and-permit | permit;
                            fallback-settings { ... }
                            timeout <request timeout in seconds>;
                        }
                    }
                    websense-redirect {
                        profile <profile-name> {
                            account <account-name>;
                            custom-block-message <block-message>;
                            fallback-settings { ... }
                            server {
                                host <host-name or IP address>;
                                port <server port>;
                            }
                            sockets <number of open sockets used to redirect traffic>;
                            timeout <redirect timeout in seconds>;
                        }
                    }
                }
            }
        }
    }

[security utm custom-objects] SurfControl

    security {
        utm {
            custom-objects {
                url-pattern <url pattern name> {
                    value [<list of URLs>];
                }
                custom-url-category <category name> {
                    value [<list of url-patterns>];
                }
            }
        }
    }

URL URL www.juniper.net URL www.juniper.net/support www.juniper.net/products URL URL www.juniper.net/techpubs URL www.juniper.net/techpubs/software www.juniper.net

IP SurfControl 4 SurfControl

[Figure 4. Labels: Trust Zone, Untrust Zone, SRX210, Internet]

Web SurfControl

    security {
        policies {
            from-zone trust to-zone untrust {
                policy <policy-name> {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            application-services {
                                utm-policy wf-block-specfic-categories;
                            }
                        }
                    }
                }
            }
        }
        utm {
            feature-profile {
                web-filtering {
                    type surf-control-integrated; #This causes the device to use
                                                  # the surfcontrol integrated solution
                    surf-control-integrated {
                        profile block-selected-sites {
                            category {
                                Criminal_Skills { ... }
                                Remote_Proxies { ... }
                                Violence { ... }
                                Weapons { ... }
                            }
                            default permit;
                        }
                    }
                }
            }
            utm-policy wf-block-specfic-categories {
                web-filtering {
                    http-profile block-selected-sites;
                }
            }
        }
    }

IT www.badsite.com www.addictivesite.com URL bad-sites URL

    custom-objects {
        url-pattern {
            badsite {
                value www.badsite.com;
            }
            addictivesite {
                value www.addictivesite.com;
            }
        }
        custom-url-category {
            bad-sites {
                value [ addictivesite badsite ];
            }
        }
    }

Web

    policies {
        from-zone trust to-zone untrust {
            policy <policy-name> {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy wf-block-specfic-categories;
                        }
                    }
                }
            }
        }
    }
    utm {
        feature-profile {
            web-filtering {
                url-blacklist bad-sites; #This causes sites in the bad-sites category
                                         #to be blocked
                type surf-control-integrated;
                surf-control-integrated {
                    profile block-selected-sites {
                        category {
                            Criminal_Skills { ... }
                            Remote_Proxies { ... }
                            Violence { ... }
                            Weapons { ... }
                        }
                        default permit;
                    }
                }
            }
        }
        utm-policy wf-block-specfic-categories {
            web-filtering {
                http-profile block-selected-sites;
            }
        }
    }

Web "The site requested is not a work-related site.go back to work! "

    policies {
        from-zone trust to-zone untrust {
            policy <policy-name> {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy wf-block-specfic-categories;
                        }
                    }
                }
            }
        }
    }
    utm {
        feature-profile {
            web-filtering {
                url-blacklist bad-sites;
                type surf-control-integrated;
                surf-control-integrated {
                    profile block-selected-sites {
                        category {
                            Criminal_Skills { ... }
                            Remote_Proxies { ... }
                            Violence { ... }
                            Weapons { ... }
                        }
                        default permit;
                        custom-block-message "The site requested is not a work-related site!go back to work!";
                    }
                }
            }
        }
        utm-policy wf-block-specfic-categories {
            web-filtering {
                http-profile block-selected-sites;
            }
        }
    }

2 Web

    security {
        policies {
            from-zone trust to-zone management {
                policy webfilter-on-business-hours {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            application-services {
                                utm-policy wf-block-specfic-categories;
                            }
                        }
                    }
                    scheduler-name Business-hours;
                }
                policy accept-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        utm {
            feature-profile {
                web-filtering {
                    url-blacklist bad-sites;
                    type surf-control-integrated;
                    surf-control-integrated {
                        profile block-selected-sites {
                            category {
                                Criminal_Skills { ... }
                                Remote_Proxies { ... }
                                Violence { ... }
                                Weapons { ... }
                            }
                            default permit;
                            custom-block-message "The site requested is not a work-related site!go back to work!";
                        }
                    }
                }
            }
            utm-policy wf-block-specfic-categories {
                web-filtering {
                    http-profile block-selected-sites;
                }
            }
        }
    }
    schedulers {
        scheduler Business-hours {
            daily {
                start-time 09:00:00 stop-time 17:00:00;
            }
            sunday exclude;
            saturday exclude;
        }
    }

Websense Websense Web SRX J Websense

    policies {
        from-zone trust to-zone management {
            policy webfilter-websense {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy wf-redirect;
                        }
                    }
                }
            }
        }
    }
    utm {
        feature-profile {
            web-filtering {
                type websense-redirect;
                websense-redirect {
                    profile server1-redirect {
                        server {
                            host 10.1.1.100;
                            port 15868;
                        }
                        custom-block-message "Websense says... you are not allowed!";
                        sockets 3;
                    }
                }
            }
        }
        utm-policy wf-redirect {
            web-filtering {
                http-profile server1-redirect;
            }
        }
    }

sockets Junos OS Websense Websense SurfControl

    policies {
        from-zone trust to-zone management {
            policy webfilter-websense {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy wf-redirect;
                        }
                    }
                }
            }
        }
    }
    utm {
        feature-profile {
            web-filtering {
                type websense-redirect;
                websense-redirect {
                    profile server1-redirect {
                        server {
                            host 10.1.1.100;
                            port 15868;
                        }
                        custom-block-message "Websense says... you are not allowed!";
                        fallback-settings {
                            default block;                    # any fallback condition not listed separately: block
                            too-many-requests log-and-permit; # filter overloaded: log and let the request through
                        }
                        sockets 8;
                    }
                }
            }
        }
        utm-policy wf-redirect {
            web-filtering {
                http-profile server1-redirect;
            }
        }
    }

    >show security utm web-filtering statistics
    UTM web-filtering statistics:
        Total requests:                     0
        white list hit:                     0
        Black list hit:                     0
        Server reply permit:                0
        Server reply block:                 0
        Web-filtering sessions in total:    4000
        Web-filtering sessions in use:      0
        Fall back:               log-and-permit    block
            Default                           0        0
            Timeout                          12        0
            Connectivity                      0        0
            Too-many-requests                 0        0

2 30 40 50 URL 15 20 30 URL URL 500 1000 1500 / URL 8192 8192 8192 URL 29 29 29 URL 512 512 512 29 29 29 Junos OS 9.5 SRX J Web URL http://www.juniper.net/jp/ Twitter Facebook

Juniper Networks, Inc. Juniper Networks International B.V. 163-1445 3-20-2 45F 03-5333-7400 FAX 03-5333-7401 541-0041 1-1-27 URL http://www.juniper.net/jp/ 1194 North Mathilda Ave Sunnyvale, CA 94089 USA 888-JUNIPER (888-586-4737) 408-745-2000 FAX 408-745-2100 URL http://www.juniper.net Boeing Avenue 240 1119 PZ Schiphol-Rijk Amsterdam, The Netherlands 31-0-207-125-700 FAX 31-0-207-125-701 Copyright 2014, Juniper Networks, Inc. All rights reserved. Juniper Networks Junos QFabric Juniper Networks Juniper Networks, Inc. 3500156-002 JP Apr 2014