Thursday, 4 July 2013

Junos : How to configure Integrated Web Filtering

Step-by-Step Procedure

To configure integrated Web filtering:
  1. Create custom objects and create the URL pattern list.
    [edit security utm]
    user@host# set custom-objects url-pattern urllist3 value [http://www.juniper.net 1.2.3.4]
  2. Configure the custom URL category list custom object using the URL pattern list.
    [edit security utm]
    user@host# set custom-objects custom-url-category custurl3 value urllist3
  3. Create a list of untrusted sites.
    [edit security utm]
    user@host# set custom-objects url-pattern urllistblack value [http://www.untrusted.com 13.13.13.13]
  4. Configure the custom URL category list custom object using the URL pattern list of untrusted sites.
    [edit security utm]
    user@host# set custom-objects custom-url-category custblacklist value urllistblack
  5. Create a list of trusted sites.
    [edit security utm]
    user@host# set custom-objects url-pattern urllistwhite value [http://www.trusted.com 7.7.7.7]
  6. Configure the custom URL category list custom object using the URL pattern list of trusted sites.
    [edit security utm]
    user@host# set custom-objects custom-url-category custwhitelist value urllistwhite

    Configuring Integrated Web Filtering UTM Policies

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the command into the CLI at the [edit] hierarchy level.
    set security utm utm-policy utmp5 web-filtering http-profile surfprofile1

    Step-by-Step Procedure

    To configure a UTM policy:
    1. Create the UTM policy referencing a profile.
      [edit]user@host# set security utm utm-policy utmp5 web-filtering http-profile surfprofile1

    Results

    From configuration mode, confirm your configuration by entering the show security utm utm-policy command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    user@host# show security utm utm-policy
    ...
    utm-policy utmp5 {
        content-filtering {
            http-profile contentfilter1;
        }
        web-filtering {
            http-profile surfprofile1;
        }
    }
    If you are done configuring the device, enter commit from configuration mode. 
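The steps above build the URL lists and a UTM policy that points at surfprofile1, but the profile itself and the security policy that actually hands HTTP sessions to the UTM policy are not shown. The set commands below are added here as an illustration (not copied from the original post): the category server host and port are the documented defaults and an assumption for your network, and the zone and policy names are assumptions too.

```junos
# Global whitelist/blacklist built from the custom categories; these are consulted
# before any category-server lookup.
set security utm feature-profile web-filtering url-whitelist custwhitelist
set security utm feature-profile web-filtering url-blacklist custblacklist

# Integrated (SurfControl CPA) filtering: category server and lookup cache.
# Host and port are assumed defaults; change them to match your deployment.
set security utm feature-profile web-filtering type surf-control-integrated
set security utm feature-profile web-filtering surf-control-integrated server host cpa.surfcontrol.com
set security utm feature-profile web-filtering surf-control-integrated server port 9020
set security utm feature-profile web-filtering surf-control-integrated cache timeout 1800
set security utm feature-profile web-filtering surf-control-integrated cache size 500

# The profile referenced by utm-policy utmp5: block the custom category, block
# anything uncategorised, and fail closed when the category server is unreachable,
# slow, or overloaded.
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 category custurl3 action block
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 default block
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 custom-block-message "Access to this site is not permitted."
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 fallback-settings default block
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 fallback-settings server-connectivity block
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 fallback-settings timeout block
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 fallback-settings too-many-requests block
set security utm feature-profile web-filtering surf-control-integrated profile surfprofile1 timeout 10

# Nothing is inspected until a security policy applies the UTM policy to HTTP
# sessions (zone and policy names are assumptions).
set security policies from-zone trust to-zone untrust policy p5 match source-address any
set security policies from-zone trust to-zone untrust policy p5 match destination-address any
set security policies from-zone trust to-zone untrust policy p5 match application junos-http
set security policies from-zone trust to-zone untrust policy p5 then permit application-services utm-policy utmp5
```

After committing, show security utm web-filtering status and show security utm web-filtering statistics report server connectivity and the permit/block counters, which is the quickest way to see whether a fallback-settings block is being hit instead of a category decision.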


Saturday, 15 June 2013

JUNOS : Class-of-Service Overview


When a network experiences congestion and delay, some packets must be dropped. JUNOS software class-of-service (CoS) allows you to divide traffic into classes and offer various levels of throughput and packet loss when congestion occurs. This allows packet loss to happen according to the rules you configure.

For interfaces that carry IPv4 and MPLS traffic, you can configure the JUNOS software CoS features to provide multiple classes of service for different applications.

On the device, you can configure multiple forwarding classes for transmitting packets, define which packets are placed into each output queue, schedule the transmission service level for each queue, and manage congestion using a random early detection (RED) algorithm.

Traffic shaping is the allocation of the appropriate amount of network bandwidth to every user and application on an interface. The appropriate amount of bandwidth is defined as cost-effective carrying capacity at a guaranteed CoS. You can use a J-series Services Router or an SRX-series services gateway to control traffic rate by applying classifiers and shapers.

The CoS features provide a set of mechanisms that you can use to provide differentiated services when best-effort delivery is insufficient.

Wednesday, 5 June 2013

Junos : How to view current date and uptime

View current date/time and system uptime

show system uptime
user@host> show system uptime
Current time:      1998-10-13 19:45:47 UTC 
System booted:     1998-10-12 20:51:41 UTC (22:54:06 ago)
Protocols started: 1998-10-13 19:33:45 UTC (00:12:02 ago)
Last configured:   1998-10-13 19:33:45 UTC (00:12:02 ago) by abc
12:45PM  up 22:54, 2 users, load averages: 0.07, 0.02, 0.01

Saturday, 1 June 2013

Junos : Configuring Management Access

This configures an SRX Series device to allow secure management access and apply source NAT to all outbound traffic.
  • Set the root user password.
            set system root-authentication plain-text-password (will prompt for the password)
  • Set the system host name.
            set system host-name srx-1
  • Assign interface fe-0/0/7 to the untrust zone (zone names are case sensitive; the zone takes the logical interface name).
            set security zones security-zone untrust interfaces fe-0/0/7.0
  • Set the name server parameter.
            set system name-server <ip address>
  • fe-0/0/7 IP address and default route configuration.
            a) To assign the IP address and gateway statically:
            set interfaces fe-0/0/7 unit 0 family inet address 1.1.1.1/30
            set routing-options static route 0.0.0.0/0 next-hop <ip address of the upstream router>
            b) To configure interface fe-0/0/7 to obtain an IP address and default gateway from a DHCP server:
            set interfaces fe-0/0/7 unit 0 family inet dhcp
            set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp
  • Create a NAT rule for source translation of all Internet-bound traffic.
            set security nat source rule-set interface-nat from zone trust
            set security nat source rule-set interface-nat to zone untrust
            set security nat source rule-set interface-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
            set security nat source rule-set interface-nat rule rule1 then source-nat interface
  • Use the “commit” command at the CLI prompt to activate the configuration.
            commit
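The steps above set up the untrust side and the NAT rule, but on an SRX no session crosses between zones until a security policy permits it, and management services are only reachable on interfaces whose zone admits them inbound. The following is an added example (not the original post's commands) that assumes fe-0/0/0 on 192.168.1.0/24 as the inside interface and restricts management to SSH from that subnet only.

```junos
# Inside interface in the trust zone; only ssh and ping are accepted from it
# (interface, address and zone names are assumptions).
set interfaces fe-0/0/0 unit 0 family inet address 192.168.1.1/24
set security zones security-zone trust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping

# SSH on the Routing Engine: protocol 2 only, and no direct root login over SSH.
set system services ssh protocol-version v2
set system services ssh root-login deny

# Loopback filter so SSH to the device is only reachable from the inside subnet,
# even if a zone is later changed to admit ssh on the untrust interface.
set firewall family inet filter protect-re term mgmt-ssh from source-address 192.168.1.0/24
set firewall family inet filter protect-re term mgmt-ssh from protocol tcp
set firewall family inet filter protect-re term mgmt-ssh from destination-port ssh
set firewall family inet filter protect-re term mgmt-ssh then accept
set firewall family inet filter protect-re term drop-other-ssh from protocol tcp
set firewall family inet filter protect-re term drop-other-ssh from destination-port ssh
set firewall family inet filter protect-re term drop-other-ssh then discard
set firewall family inet filter protect-re term everything-else then accept
set interfaces lo0 unit 0 family inet filter input protect-re

# The interface-nat rule-set only applies to sessions a policy permits trust -> untrust;
# logging session-close records what left the network and with which translated address.
set security policies from-zone trust to-zone untrust policy allow-outbound match source-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match destination-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match application any
set security policies from-zone trust to-zone untrust policy allow-outbound then permit
set security policies from-zone trust to-zone untrust policy allow-outbound then log session-close
```

Because the untrust zone in the steps above admits only dhcp inbound, management from the Internet side is already refused at the zone; the lo0 filter is a second, independent control in case that zone setting is loosened later.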

Sunday, 19 May 2013

Junos : CLI/Shell Logic


When you log in as root, you're in the BSD shell (denoted by the % prompt).
Type cli to enter CLI operational mode (denoted by the > prompt).
From CLI mode, the start shell command takes you back to the BSD shell, and typing exit returns you to the CLI.
To enter configuration mode, type configure (con for short); # denotes configuration mode.
  • To run operational commands from configuration mode, type run followed by the command. (Operational mode is the mode you are in before entering configuration mode.)

Monday, 13 May 2013

Junos : UTM

Unified Threat Management (UTM) is a term used to describe the consolidation of several security features into one device, protecting against multiple threat types. The advantage of UTM is streamlined installation and management of these multiple security capabilities.
The security features provided as part of the UTM solution are:
  • Antispam — E-mail spam consists of unwanted e-mail messages, usually sent by commercial, malicious, or fraudulent entities. The antispam feature examines transmitted e-mail messages to identify e-mail spam. When the device detects an e-mail message deemed to be spam, it either drops the message or tags the message header or subject field with a preprogrammed string. The antispam feature uses a constantly updated spam block list (SBL). Sophos updates and maintains the IP-based SBL. The antispam feature is a separately licensed subscription service.
  • Full File-Based Antivirus — A virus is executable code that infects or attaches itself to other executable code to reproduce itself. Some malicious viruses erase files or lock up systems. Other viruses merely infect files and overwhelm the target host or network with bogus data. The full file-based antivirus feature provides file-based scanning on specific Application Layer traffic checking for viruses against a virus signature database. It collects the received data packets until it has reconstructed the original application content, such as an e-mail file attachment, and then scans this content. Kaspersky Lab provides the internal scan engine. The full file-based antivirus scanning feature is a separately licensed subscription service.
  • Express Antivirus — Express antivirus scanning is offered as a less CPU intensive alternative to the full file-based antivirus feature. The express antivirus feature, like the full antivirus feature, scans specific Application Layer traffic for viruses against a virus signature database. However, unlike full antivirus, express antivirus does not reconstruct the original application content. Rather, it just sends (streams) the received data packets, as is, to the scan engine. With express antivirus, the virus scanning is executed by a hardware pattern matching engine. This improves performance while scanning is occurring, but the level of security provided is lessened. Juniper Networks provides the scan engine. The express antivirus scanning feature is a separately licensed subscription service.
  • Content Filtering — Content filtering blocks or permits certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type. Content filtering does not require a separate license.
  • Web Filtering — Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. There are three types of Web filtering solutions. In the case of the integrated Web filtering solution, the decision-making for blocking or permitting Web access is done on the device after it identifies the category for a URL either from user-defined categories or from a category server (Websense provides the CPA Server). The integrated Web filtering feature is a separately licensed subscription service. The redirect Web filtering solution intercepts HTTP requests and forwards the server URL to an external URL filtering server provided by Websense to determine whether to block or permit the requested Web access. Redirect Web filtering does not require a separate license. With Juniper Local Web Filtering, the decision-making for blocking or permitting Web access is done on the device after it identifies the category for a URL from user-defined categories stored on the device. With Local filtering, there is no additional Juniper license or remote category server required.

Thursday, 2 May 2013

JUNOS : class of service (CoS)

The Juniper Networks® Junos® operating system (Junos OS) class of service (CoS) enables you to divide traffic into classes and offer various levels of throughput and packet loss when congestion occurs. This allows packet loss to happen according to rules that you configure.
For interfaces that carry IPv4, IPv6, and MPLS traffic, you can configure the Junos OS CoS features to provide multiple classes of service for different applications. On the router, you can configure multiple forwarding classes for transmitting packets, define which packets are placed into each output queue, schedule the transmission service level for each queue, and manage congestion using a random early detection (RED) algorithm.
The Junos OS CoS features provide a set of mechanisms that you can use to provide differentiated services when best-effort traffic delivery is insufficient. In designing CoS applications, you must give careful consideration to your service needs, and you must thoroughly plan and design your CoS configuration to ensure consistency across all routers in a CoS domain. You must also consider all the routers and other networking equipment in the CoS domain to ensure interoperability among all equipment.
Because Juniper Networks routers implement CoS in hardware rather than in software, you can experiment with and deploy CoS features without adversely affecting packet forwarding and routing performance.