Preface
This lab uses the local web filter: the firewall intercepts every HTTP and HTTPS request in a TCP connection and extracts the URL. After looking the URL up, the device decides, according to user-defined categories, whether the URL belongs to the allow list or the block list. If the URL is in neither list, the configured default action is applied. The local web filter requires no additional license.
Lab environment
Juniper SRX345 firewall, version 20.4R3-S2.6
I. Configuration
set security utm custom-objects url-pattern Deny-URL value nba.cn
set security utm custom-objects url-pattern Deny-URL value juniper.net
set security utm custom-objects url-pattern Deny-URL value *.jd.com
set security utm custom-objects url-pattern Deny-URL value *.taobao.com
set security utm custom-objects url-pattern Deny-URL value gov.cn
set security utm custom-objects url-pattern Deny-URL value *.gov.cn
set security utm custom-objects custom-url-category BAD-Web value Deny-URL
set security utm custom-objects custom-message BAD-Web type user-message
set security utm custom-objects custom-message BAD-Web content "DONT TOUCH FISH"
set security utm default-configuration web-filtering url-blacklist BAD-Web
set security utm default-configuration web-filtering type juniper-local
set security utm feature-profile web-filtering juniper-local profile local-deny category BAD-Web action block
set security utm feature-profile web-filtering juniper-local profile local-deny custom-message BAD-Web
set security utm utm-policy local-policy web-filtering http-profile local-deny
set security policies from-zone trust to-zone untrust policy TEST-All match source-address any
set security policies from-zone trust to-zone untrust policy TEST-All match destination-address any
set security policies from-zone trust to-zone untrust policy TEST-All match application any
set security policies from-zone trust to-zone untrust policy TEST-All then permit application-services utm-policy local-policy
II. Testing
1. Access jd.com
Block message shown: DONT TOUCH FISH, matching the expected result.
2. Access taobao.com
Block message shown: DONT TOUCH FISH, matching the expected result.
3. Access a jd.com subdomain
Note: Starting with Junos OS 15.1X49-D110, the "*" wildcard in URL-pattern syntax (used in URL-pattern web-filtering profiles) matches all subdomains.
Block message shown: DONT TOUCH FISH, matching the expected result.
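To see how the Deny-URL pattern list from the configuration above is evaluated against the test URLs, here is a small Python model, added as an example and not part of the original lab or of Junos. It assumes the wildcard semantics of the note above ("*." matches every subdomain); whether "*.x" also matches the bare host x is left as a switch, because the configuration lists both gov.cn and *.gov.cn, and the device's real behaviour should be confirmed with the statistics command in the verification section.

```python
"""Model of the SRX local web-filter Deny-URL lookup (assumed semantics)."""
from urllib.parse import urlsplit

# Pattern values copied from the 'custom-objects url-pattern Deny-URL' lines above.
DENY_URL = ["nba.cn", "juniper.net", "*.jd.com", "*.taobao.com", "gov.cn", "*.gov.cn"]


def host_of(url: str) -> str:
    """Extract the lowercase hostname from a URL or a bare host string."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def pattern_matches(pattern: str, host: str, wildcard_matches_bare: bool = False) -> bool:
    """Apply one url-pattern value to a hostname.

    Assumption: '*.x' matches any host that ends in '.x'; a pattern without a
    wildcard matches that exact host only. Whether '*.x' also covers the bare
    host 'x' is controlled by wildcard_matches_bare (default: it does not,
    which is why the config carries both gov.cn and *.gov.cn).
    """
    pattern = pattern.lower()
    if pattern.startswith("*."):
        bare = pattern[2:]
        if host == bare:
            return wildcard_matches_bare
        return host.endswith("." + bare)
    return host == pattern


def lookup(url: str, patterns=DENY_URL, wildcard_matches_bare: bool = False) -> str:
    """Return the action the local-deny profile would take: 'block' or 'permit'."""
    host = host_of(url)
    if any(pattern_matches(p, host, wildcard_matches_bare) for p in patterns):
        return "block"          # category BAD-Web -> action block, custom message
    return "permit"             # in no list: the profile's default action applies


def uncovered_bare_domains(patterns=DENY_URL) -> list:
    """List '*.x' entries whose bare domain 'x' has no exact entry of its own."""
    exact = {p.lower() for p in patterns if not p.startswith("*.")}
    return sorted(p[2:] for p in patterns if p.startswith("*.") and p[2:].lower() not in exact)


if __name__ == "__main__":
    # Constructed sample URLs mirroring the three tests above plus two edge cases.
    for u in ["jd.com", "www.jd.com", "https://item.m.jd.com/1.html", "gov.cn", "bing.com"]:
        print(f"{u:32} -> {lookup(u)}")
    print("wildcards with no bare-domain entry:", uncovered_bare_domains())
```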
III. Verification on the device
1. View the web-filter rule hit statistics
>show security utm web-filtering statistics
Blacklist hits: 3021; matched sessions: 68, matching the expected result.