I need to set up the SRX UTM to allow only whitelisted URLs. My problem is that the whitelist is not working. The blacklist does work, so I know UTM is working. Can anyone see what's wrong in my config? This is a simple lab config for now.
## Last changed: 2017-03-01 17:42:52 GMT-6
/* Junos release this configuration was taken from. */
version 15.1X49-D75.5;
/* Device-level settings: management access, DNS, DHCP server, logging, NTP. */
system {
    host-name JUNIPER;
    time-zone GMT-6;
    root-authentication {
        /* hash value omitted from the posted config */
        encrypted-password
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    login {
        /* single super-user admin account; hash omitted from the post */
        user nadmin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password
            }
        }
    }
    services {
        ssh;
        /* telnet is cleartext management; fine for an isolated lab, not beyond it */
        telnet;
        web-management {
            /* plain-HTTP J-Web is bound to both the Internal (ge-0/0/1.0) and the
               Internet-facing (ge-0/0/0.0) interface; whether it is reachable from
               a given side also depends on that zone's host-inbound-traffic list */
            http {
                interface [ ge-0/0/1.0 ge-0/0/0.0 ];
            }
            https {
                system-generated-certificate;
                interface [ ge-0/0/1.0 ge-0/0/0.0 ];
            }
            session {
                idle-timeout 60;
            }
        }
        /* DHCP server for the two LAN subnets; the router addresses match the
           ge-0/0/1 and ge-0/0/2 interface addresses configured further down */
        dhcp {
            pool 192.168.0.0/24 {
                address-range low 192.168.0.190 high 192.168.0.200;
                router {
                    192.168.0.1;
                }
            }
            pool 172.16.1.0/24 {
                address-range low 172.16.1.50 high 172.16.1.199;
                router {
                    172.16.1.1;
                }
            }
            /* settings learned by the DHCP client on ge-0/0/0 are handed to the pools */
            propagate-settings ge-0/0/0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        /* NOTE(review): NTP Pool Project hostnames take the form us.pool.ntp.org;
           confirm this name actually resolves */
        server us.ntp.pool.org;
    }
}
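/* Security plane: UTM web filtering, screens, NAT, zone policies and zones.
   The one functional change in this stanza is the local-engine default action
   (see the comment on "default block"). */
security {
    utm {
        custom-objects {
            url-pattern {
                /* NOTE(review): allowed-urls is a bare hostname while blocked-urls
                   carries an http:// scheme; if the whitelist still misses after the
                   default-action change below, try the same form as the blocked
                   pattern - confirm which form the local engine matches against */
                allowed-urls {
                    value www.yahoo.com;
                }
                blocked-urls {
                    value http://www.msn.com;
                }
            }
            custom-url-category {
                good-sites {
                    value allowed-urls;
                }
                bad-sites {
                    value blocked-urls;
                }
            }
        }
        feature-profile {
            web-filtering {
                /* Global lists: a URL is checked against the whitelist first, then
                   the blacklist, and only then against the engine profile's
                   default action. */
                url-whitelist good-sites;
                url-blacklist bad-sites;
                type juniper-local;
                juniper-local {
                    profile local-engine {
                        /* Changed from "default permit". With permit as the fallback,
                           every URL not on the blacklist was allowed anyway, so the
                           whitelist had no visible effect (which is the symptom
                           reported above). With block, only whitelisted URLs are
                           permitted and everything else is denied. */
                        default block;
                    }
                }
            }
        }
        /* Only an HTTP profile is bound, so this policy filters cleartext HTTP only. */
        utm-policy utm-wf-local {
            web-filtering {
                http-profile local-engine;
            }
        }
    }
    screen {
        /* Applied to the Internet zone below. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                spoofing;
                source-route-option;
                tear-drop;
            }
            tcp {
                port-scan;
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        /* Interface-based source NAT for both LAN zones toward Internet. */
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set Guest-Nat {
                from zone Guest;
                to zone Internet;
                rule Guest-Nat {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        /* Destination pools only: no destination rule-set references them in this
           config, so no inbound translation to these hosts takes place yet. */
        destination {
            pool webmgt {
                routing-instance {
                    default;
                }
                address 192.168.0.1/32 port 80;
            }
            pool webmgt443 {
                routing-instance {
                    default;
                }
                address 192.168.0.1/32 port 443;
            }
            pool RDP11 {
                routing-instance {
                    default;
                }
                address 192.168.0.11/32 port 3389;
            }
            pool RDP29 {
                routing-instance {
                    default;
                }
                address 192.168.0.29/32 port 3389;
            }
            pool RDP22 {
                routing-instance {
                    default;
                }
                address 192.168.0.22/32 port 3389;
            }
            pool RDP12 {
                routing-instance {
                    default;
                }
                address 192.168.0.12/32 port 3389;
            }
            pool RDP33 {
                routing-instance {
                    default;
                }
                address 192.168.0.33/32 port 3389;
            }
            pool RDP32 {
                routing-instance {
                    default;
                }
                address 192.168.0.32/32 port 3389;
            }
            pool RDP30 {
                routing-instance {
                    default;
                }
                address 192.168.0.30/32 port 3389;
            }
            pool RDP13 {
                routing-instance {
                    default;
                }
                address 192.168.0.13/32 port 3389;
            }
            pool RDP04 {
                routing-instance {
                    default;
                }
                address 192.168.0.4/32 port 3389;
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            /* Only junos-http is sent through UTM; everything else from Internal,
               HTTPS included, falls to the deny policy that follows. */
            policy utm-wf-policy {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit {
                        application-services {
                            utm-policy utm-wf-local;
                        }
                    }
                }
            }
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone Internet to-zone Internal {
            /* Inbound permits with no source-address restriction - lab-only openings. */
            policy RDPpolicy {
                match {
                    source-address any;
                    destination-address any;
                    application RDP;
                }
                then {
                    permit;
                }
            }
            policy webmgr {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone Guest to-zone Internet {
            /* Guest traffic is permitted without UTM inspection. */
            policy All_Guest_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        /* "all" already covers the four services listed after it;
                           telnet is cleartext */
                        system-services {
                            all;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        /* ssh and https expose device management toward the Internet
                           side; http is not in this list, so the plain-HTTP J-Web
                           listener bound to ge-0/0/0.0 is not reachable from this zone */
                        system-services {
                            tftp;
                            dhcp;
                            ssh;
                            https;
                        }
                    }
                }
            }
        }
        security-zone Guest {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        /* same redundancy as the Internal zone: "all" already
                           includes the services listed after it */
                        system-services {
                            all;
                            telnet;
                            http;
                            ssh;
                            https;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}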
/* ge-0/0/0 = Internet (DHCP client), ge-0/0/1 = Internal, ge-0/0/2 = Guest,
   per the security-zone bindings in the security stanza. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* upstream address, and presumably a default route, come from DHCP */
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
}
/* NOTE(review): no configured interface sits in 192.168.1.0/24 (ge-0/0/0 is a
   DHCP client; the LANs are 192.168.0.0/24 and 172.16.1.0/24). Unless the DHCP
   lease on ge-0/0/0 supplies an address in that subnet, this next-hop is not
   directly reachable and the DHCP-learned default route would be the one in
   use - confirm against the routing table. */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.254;
    }
}
/* Custom RDP application: TCP to port 3389 from ephemeral source ports;
   referenced by policy RDPpolicy (Internet to Internal). */
applications {
    application RDP {
        protocol tcp;
        source-port 1024-65535;
        destination-port 3389;
    }
}