Juniper Unified Threat Management User Manual

Junos® OS

Unified Threat Management User Guide

Published 2021-04-18

Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA

408-745-2000 www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Copyright © 2021 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About This Guide

1 Overview
  UTM Overview
    Unified Threat Management Overview
  UTM Supported Features
  WELF Logging for UTM Features
    Understanding WELF Logging for UTM Features
    Example: Configuring WELF Logging for UTM Features
  Explicit Proxy for UTM
    Understanding Explicit Proxy
    Configuring the Explicit Proxy on Juniper Enhanced Server
    Verifying the Explicit Proxy Configuration on Juniper Enhanced Server
    Configuring the Predefined Category Upgrading and Base Filter Configuration Using Explicit Proxy
    Verifying the Predefined Category Upgrading and Base Filter Configuration
    Configuring the Sophos Antivirus Pattern Update
    Verifying the Sophos Antivirus Pattern Update
  Unified Policies for UTM
    Understanding Unified Policies [Unified Threat Management (UTM)]
  UTM Support for Chassis Cluster
    Understanding UTM Support for Active/Active Chassis Cluster
    Understanding UTM Support for Active/Backup Chassis Cluster
  Allowlist
    Understanding MIME Allowlist
    Example: Configuring MIME Allowlist to Bypass Antivirus Scanning
    Understanding URL Allowlist
    Configuring URL Allowlist to Bypass Antivirus Scanning (CLI Procedure)

2 Antivirus Protection
  On-Device Avira Antivirus
    Avira Antivirus Overview
    Example: Configure Avira Antivirus
      (Requirements, Overview, Configuration, Verification)
  Sophos Antivirus Protection
    Sophos Antivirus Protection Overview
    Sophos Antivirus Features
    Understanding Sophos Antivirus Data File Update
    Comparison of Sophos Antivirus to Kaspersky Antivirus
    Sophos Antivirus Configuration Overview
    Example: Configuring Sophos Antivirus Custom Objects
      (Requirements, Overview, Configuration, Verification)
    Example: Configuring Sophos Antivirus Feature Profile
      (Requirements, Overview, Configuration, Verification)
    Example: Configuring Sophos Antivirus UTM Policies
      (Requirements, Overview, Configuration, Verification)
    Example: Configuring Sophos Antivirus Firewall Security Policies
      (Requirements, Overview, Configuration, Verification)
    Example: Configuring Sophos Antivirus Scanner with SSL Forward Proxy
      (Requirements, Overview, Configuration, Verification)
    Managing Sophos Antivirus Data Files
  Virus-Detected Notifications
    Understanding Protocol-Only Virus-Detected Notifications
    Configuring Protocol-Only Virus-Detected Notifications (CLI Procedure)
    Understanding E-Mail Virus-Detected Notifications
    Configuring E-Mail Virus-Detected Notifications (CLI Procedure)
    Understanding Custom Message Virus-Detected Notifications
    Configuring Custom Message Virus-Detected Notifications (CLI Procedure)
  HTTP Trickling to Prevent Timeouts
    Understanding HTTP Trickling
    Configuring HTTP Trickling to Prevent Timeouts During Antivirus Scanning (CLI Procedure)

3 Antispam Filtering
  Antispam Filtering Overview
    Antispam Filtering Overview
  Server-Based Antispam Filtering
    Understanding Server-Based Antispam Filtering
    Server-Based Antispam Filtering Configuration Overview
    Example: Configuring Server-Based Antispam Filtering
      (Requirements, Overview, Configuration, Verification)
  Local-List Antispam Filtering
    Understanding Local List Antispam Filtering
    Local List Antispam Filtering Configuration Overview
    Example: Configuring Local List Antispam Filtering
      (Requirements, Overview, Configuration, Verification)

4 Content Filtering
  Content Filtering
    Content Filtering Overview
    Understanding Content Filtering Protocol Support
    Specifying Content Filtering Protocols (CLI Procedure)
    Content Filtering Configuration Overview
    Example: Configuring Content Filtering Custom Objects
      (Requirements, Overview, Configuration, Verification)
    Example: Configuring Content Filtering UTM Policies
      (Requirements, Overview, Configuration, Verification)
    Example: Attaching Content Filtering UTM Policies to Security Policies
      (Requirements, Overview, Configuration, Verification)
    Monitoring Content Filtering Configurations

5 Web Filtering
  Web Filtering Overview
  Enhanced Web Filtering
    Enhanced Web Filtering Overview
    Understanding the Enhanced Web Filtering Process
    Predefined Category Upgrading and Base Filter Configuration Overview
    Example: Configuring Enhanced Web Filtering
      (Requirements, Overview, Configuration, Verification)
    Understanding the Quarantine Action for Enhanced Web Filtering
    Example: Configuring Site Reputation Action for Enhanced Web Filtering
      (Requirements, Overview, Configuration, Verification)
    TAP Mode Support Overview for UTM
  Local Web Filtering
    Understanding Local Web Filtering
    Example: Configuring Local Web Filtering
      (Requirements, Overview, Configuration, Verification)
  Redirect Web Filtering
    Understanding Redirect Web Filtering
    Example: Enhancing Security by Configuring Redirect Web Filtering Using Custom Objects
      (Requirements, Overview, Configuration, Verification)
  Safe Search Enhancement for Web Filtering
    Safe Search Enhancement for Web Filtering Overview
    Configure Web Filtering with Safe Search
      (Requirements, Overview, Configuration, Verification)
  Monitoring Web Filtering Configurations

6 UTM Support for SRX100, SRX110, SRX210, SRX240, SRX550, SRX650, and SRX1400 Devices
  Express Antivirus Protection
    Express Antivirus Protection Overview
    Express Antivirus Configuration Overview
    Example: Configuring Express Antivirus Custom Objects
      (Requirements, Overview, Configuration, Verification)
    Configuring Express Antivirus Custom Objects (J-Web Procedure)
    Example: Configuring Express Antivirus Feature Profiles
      (Requirements, Overview, Configuration, Verification)
    Configuring Express Antivirus Feature Profiles (J-Web Procedure)
    Example: Configuring Express Antivirus UTM Policies
      (Requirements, Overview, Configuration, Verification)
    Configuring Express Antivirus UTM Policies (J-Web Procedure)
    Example: Attaching Express Antivirus UTM Policies to Security Policies
      (Requirements, Overview, Configuration, Verification)
    Attaching Express Antivirus UTM Policies to Security Policies (J-Web Procedure)
  Express Antivirus Pattern Updates
    Understanding Express Antivirus Scanner Pattern Updates
    Example: Automatically Updating Express Antivirus Patterns
      (Requirements, Overview, Configuration, Verification)
    Example: Automatically Updating Express Antivirus Patterns (J-Web Procedure)
    Manually Updating, Reloading, and Deleting Express Antivirus Patterns (CLI Procedure)
  Full Antivirus Protection
    Full Antivirus Protection Overview
    Full Antivirus Configuration Overview
    Example: Configuring Full Antivirus Custom Objects
      (Requirements, Overview, Configuration, Verification)
    Configuring Full Antivirus Custom Objects (J-Web Procedure)
    Example: Configuring Full Antivirus Feature Profiles
      (Requirements, Overview, Configuration, Verification)
    Configuring Full Antivirus Feature Profiles (J-Web Procedure)
    Example: Configuring Full Antivirus UTM Policies
      (Requirements, Overview, Configuration, Verification)
    Configuring Full Antivirus UTM Policies (J-Web Procedure)
    Example: Attaching Full Antivirus UTM Policies to Security Policies
      (Requirements, Overview, Configuration, Verification)
    Attaching Full Antivirus UTM Policies to Security Policies (J-Web Procedure)
  Full Antivirus Pattern Updates
    Understanding Full Antivirus Pattern Updates
    Example: Configuring the Full Antivirus Pattern Update Server
      (Requirements, Overview, Configuration, Verification)
    Full Antivirus Pattern Update Configuration Overview
    Example: Automatically Updating Full Antivirus Patterns
      (Requirements, Overview, Configuration, Verification)
    Example: Automatically Updating Full Antivirus Patterns (J-Web Procedure)
    Manually Updating, Reloading, and Deleting Full Antivirus Patterns (CLI Procedure)
  Full Antivirus File Scanning
    Understanding the Full Antivirus Scan Engine
    Understanding Full Antivirus Scan Mode Support
    Configuring Full Antivirus File Extension Scanning (CLI Procedure)
    Example: Configuring Full Antivirus File Extension Scanning
      (Requirements, Overview, Configuration, Verification)
    Understanding Full Antivirus Scan Level Settings
    Example: Configuring Full Antivirus Scan Settings at Different Levels
      (Requirements, Overview, Configuration, Verification)
    Understanding Full Antivirus Intelligent Prescreening
    Example: Configuring Full Antivirus Intelligent Prescreening
      (Requirements, Overview, Configuration, Verification)
    Understanding Full Antivirus Content Size Limits
    Configuring Full Antivirus Content Size Limits (CLI Procedure)
    Understanding Full Antivirus Decompression Layer Limits
    Configuring Full Antivirus Decompression Layer Limits (CLI Procedure)
    Understanding Full Antivirus Scanning Timeouts
    Configuring Full Antivirus Scanning Timeouts (CLI Procedure)
    Understanding Full Antivirus Scan Session Throttling
    Configuring Full Antivirus Scan Session Throttling (CLI Procedure)
  Full Antivirus Scan Results and Fallback Options
    Understanding Full Antivirus Scan Result Handling
    Monitoring Antivirus Scan Engine Status
    Monitoring Antivirus Session Status
    Monitoring Antivirus Scan Results
    Understanding Antivirus Scanning Fallback Options
    Example: Configuring Antivirus Scanning Fallback Options
      (Requirements, Overview, Configuration, Verification)
  Full Antivirus Application Protocol Scanning
    Understanding Full Antivirus Application Protocol Scanning
    Understanding HTTP Scanning
    Enabling HTTP Scanning (CLI Procedure)
    Understanding FTP Antivirus Scanning
    Enabling FTP Antivirus Scanning (CLI Procedure)
    Understanding SMTP Antivirus Scanning
    Enabling SMTP Antivirus Scanning (CLI Procedure)
    Understanding POP3 Antivirus Scanning
    Enabling POP3 Antivirus Scanning (CLI Procedure)
    Understanding IMAP Antivirus Scanning
    Enabling IMAP Antivirus Scanning (CLI Procedure)
  Integrated Web Filtering
    Understanding Integrated Web Filtering
    Example: Configuring Integrated Web Filtering
      (Requirements, Overview, Configuration, Verification)
    Displaying Global SurfControl URL Categories

7 Configuration Statements
  action (Security UTM Web Filtering)
  address-blacklist
  address-whitelist
  admin-email
  administrator-email (Security Fallback Block)
  administrator-email (Security Virus Detection)
  allow-email (Security Fallback Block)
  allow-email (Security Virus Detection)
  application (Security Policies)
  application-proxy (Security UTM)
  anti-spam
  anti-spam (Security UTM Policy)
  anti-virus
  anti-virus (Security UTM Policy)
  avira-engine
  block-command
  block-content-type
  block-extension
  block-message (Security UTM)
  block-mime
  cache
  category (Security Logging)
  category (Security Web Filtering)
  content-filtering (Security Feature Profile)
  content-filtering (Security UTM Policy)
  content-size
  content-size (Security Antivirus Sophos Engine)
  content-size-limit
  corrupt-file
  custom-block-message
  custom-message (Security Content Filtering)
  custom-message (Security Email Notify)
  custom-message (Security Fallback Block)
  custom-message (Security Fallback Non-Block)
  custom-message (Security Virus Detection)
  custom-message (Security Web Filtering)
  custom-message-subject (Security Email Notify)
  custom-message-subject (Security Fallback Block)
  custom-message-subject (Security Fallback Non-Block)
  custom-message-subject (Security Virus Detection)
  custom-objects
  custom-page
  custom-… [statement name unreadable in the source]
  custom-tag-string
  custom-url-category
  decompress-layer
  decompress-layer-limit
  default (Security Antivirus)
  default (Security Antivirus Sophos Engine)
  default (Security UTM)
  default (Security Web Filtering)
  display-host (Security Fallback Block)
  display-host (Security Virus Detection)
  download-profile (Security Antivirus FTP)
  download-profile (Security Content Filtering FTP)
  email-notify
  engine-not-ready
  engine-not-ready (Security Antivirus Sophos Engine)
  exception
  exception (Security Content Filtering)
  fallback-block (Security Antivirus)
  fallback-non-block (Security Antivirus)
  fallback-options (Security Antivirus Juniper Express Engine)
  fallback-options (Security Antivirus Kaspersky Lab Engine)
  fallback-options (Security Antivirus Sophos Engine)
  fallback-settings (Security Web Filtering)
  fallback-settings (Security Web Filtering Juniper Local)
  fallback-settings (Security Web Filtering Websense Redirect)
  feature-profile
  filename-extension
  flag (SMTP)
  format (Security Log Stream)
  forwarding-mode (Security UTM Policy)
  from-zone (Security Policies)
  ftp (UTM Policy Anti-Virus)
  ftp (UTM Policy Content Filtering)
  hold-interval
  host (Security Web Filtering)
  http-profile (Security Antivirus)
  http-profile (Security Content Filtering)
  http-profile (Security Web Filtering)
  imap-profile (Security UTM Policy Antivirus)
  imap-profile (Security UTM Policy Content Filtering)
  http-persist
  http-reassemble
  intelligent-prescreening
  interval (Security Antivirus)
  ipc
  juniper-enhanced
  juniper-express-engine
  juniper-local
  kaspersky-lab-engine
  limit (UTM Policy)
  list
  list (Security Content Filtering Block Mime)
  log (Security)
  mime-pattern
  mime-whitelist
  no-autoupdate
  no-intelligent-prescreening
  no-notify-mail-recipient
  no-notify-mail-sender (Security Content Filtering Notification Options)
  no-notify-mail-sender (Security Fallback Block)
  no-notify-mail-sender (Security Virus Detection)
  no-sbl-default-server
  notification-options (Security Antivirus)
  notification-options (Security Content Filtering)
  notify-mail-recipient
  notify-mail-sender (Security Content Filtering Notification Options)
  notify-mail-sender (Security Fallback Block)
  notify-mail-sender (Security Virus Detection)
  no-uri-check
  out-of-resources
  out-of-resources (Security Antivirus Sophos Engine)
  over-limit
  [statement name unreadable in the source]
  password (Security Antivirus)
  password
  pattern-update (Security Antivirus)
  permit-command
  policies
  pop3-profile (Security UTM Policy Antivirus)
  pop3-profile (Security UTM Policy Content Filtering)
  port (Security Antivirus)
  port (Security Web Filtering Server)
  primary-server
  profile (Security Antispam SBL)
  profile (Security Antivirus Juniper Express Engine)
  profile (Security Antivirus Kaspersky Lab Engine)
  profile (Security Content Filtering)
  profile (Security Sophos Engine Antivirus)
  profile
  profile (Security Web Filtering Juniper Enhanced)
  profile (Security Web Filtering Juniper Local)
  profile (Security Web Filtering Surf Control Integrated)
  profile (Security Web Filtering Websense Redirect)
  protocol-command
  proxy (Security Antivirus)
  proxy-profile
  quarantine-message (Security UTM)
  routing-instance (Security UTM)
  sbl
  sbl-default-server
  scan-extension
  scan-mode
  scan-options (Security Antivirus Juniper Express Engine)
  scan-options (Security Antivirus Kaspersky Lab Engine)
  scan-options (Security Antivirus Sophos Engine)
  scan-options (Security Antivirus Avira Engine)
  secondary-server
  server (Security Antivirus)
  server (Security Sophos Engine Antivirus)
  server (Security Web Filtering)
  server-connectivity
  session-scan
  site-reputation-action
  size (Security Web Filtering Cache)
  smtp-profile (Security UTM Policy Antispam)
  smtp-profile (Security UTM Policy Antivirus)
  smtp-profile (Security UTM Policy Content Filtering)
  sockets
  sophos-engine
  source-address
  spam-action
  stream
  surf-control-integrated
  sxl-retry
  sxl-timeout
  timeout (Security Antivirus Fallback Options)
  timeout (Security Antivirus Fallback Options Sophos Engine)
  timeout (Security Antivirus Scan Options)
  timeout (Security Web Filtering)
  timeout (Security Web Filtering Cache)
  timeout (Security Web Filtering Fallback Settings)
  too-many-requests (Security Antivirus Fallback Options)
  too-many-requests (Security Antivirus Fallback Options Sophos Engine)
  too-many-requests (Security Web Filtering Fallback Settings)
  to-zone (Security Policies)
  traceoptions (Security Antispam)
  traceoptions (Security Antivirus)
  traceoptions (Security Application Proxy)
  traceoptions (Security Content Filtering)
  traceoptions (Security UTM)
  traceoptions (Security Web Filtering)
  traceoptions (SMTP)
  traceoptions
  trickling
  type (Security Antivirus Feature Profile)
  type (Security Content Filtering Notification Options)
  type (Security Fallback Block)
  type (Security Virus Detection)
  type (Security Web Filtering)
  upload-profile (Security Antivirus FTP)
  upload-profile (Security Content Filtering FTP)
  uri-check
  url (Security Antivirus)
  url-blacklist
  url-pattern
  url-whitelist
  url-whitelist
  username (Security Antivirus)
  utm
  utm default-configuration
  utm-policy
  utm-policy (Application Services)
  virus-detection (Security Antivirus)
  web-filtering
  web-filtering (Security UTM Policy)
  websense-redirect

8 Operational Commands
  clear security utm anti-spam statistics
  clear security utm anti-virus statistics
  clear security utm content-filtering statistics
  clear security utm session
  clear security utm web-filtering statistics
  request security utm anti-virus juniper-express-engine
  request security utm anti-virus kaspersky-lab-engine
  request security utm anti-virus sophos-engine
  request security utm anti-virus avira-engine
  request security utm web-filtering category install
  request security utm web-filtering category uninstall
  request security utm web-filtering category download-install [version]
  request security utm web-filtering category download [version]
  request security utm web-filtering custom-page reload
  show configuration smtp
  show groups junos-defaults
  show security log
  show security policies
  show security utm anti-spam statistics
  show security utm anti-spam status
  show security utm anti-virus statistics
  show security utm anti-virus status
  show security utm content-filtering statistics
  show security utm session
  show security utm status
  show security utm web-filtering category base-filter
  show security utm web-filtering category category
  show security utm web-filtering category status
  show security utm web-filtering statistics
  show security utm web-filtering status
  test security utm anti-spam
  test security utm enhanced-web-filtering url-check
  test security utm web-filtering profile

About This Guide

Use this guide to configure, monitor, and manage the Unified Threat Management (UTM) features in Junos OS on NFX Series and SRX Series devices to secure the network from viruses, malware, or malicious attachments and to protect users from security threats.

CHAPTER 1

Overview

UTM Overview

UTM Supported Features

UTM Overview

IN THIS SECTION

Unified Threat Management Overview

Unified Threat Management (UTM) provides multiple security features and services in a single device or service on the network, protecting users from security threats in a simplified way. UTM includes functions such as antivirus, antispam, content filtering, and web filtering. UTM secures the network from viruses, malware, or malicious attachments by scanning the incoming data using Deep Packet Inspection, and prevents access to unwanted websites by installing Enhanced Web Filtering. For more information, see the following topics:

 

 

 

 

 

 

 

Unified Threat Management Overview

IN THIS SECTION

Understanding UTM Custom Objects

Unified Threat Management (UTM) is a term used to describe the consolidation of several security features into one device, protecting against multiple threat types. The advantage of UTM is streamlined installation and management of these multiple security capabilities.

The security features provided as part of the UTM solution are:

• Antispam Filtering— E-mail spam consists of unwanted e-mail messages, usually sent by commercial, malicious, or fraudulent entities. The antispam feature examines transmitted e-mail messages to identify e-mail spam. When the device detects an e-mail message deemed to be spam, it either drops the message or tags the message header or subject with a preprogrammed string. The antispam feature uses a constantly updated spam block list (SBL). Sophos updates and maintains the IP-based SBL. The antispam feature is a separately licensed subscription service.

• Content Filtering— Content filtering blocks or permits certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type. Content filtering does not require a separate license.

• Web Filtering— Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. There are three types of Web filtering solutions. With the integrated Web filtering solution, the decision to block or permit Web access is made on the device after it identifies the category for a URL, either from user-defined categories or from a category server (Websense provides the CPA Server). The integrated Web filtering feature is a separately licensed subscription service and is supported only on SRX Series devices. The redirect Web filtering solution intercepts HTTP requests and forwards the server URL to an external URL filtering server provided by Websense, which determines whether to block or permit the requested Web access. Redirect Web filtering does not require a separate license. With Juniper Local Web Filtering, the decision to block or permit Web access is made on the device after it identifies the category for a URL from user-defined categories stored on the device. With Local filtering, no additional Juniper license or remote category server is required.

 

 

 

 

 

 

 

 

 

 

 

Starting with Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, on SRX1500 Services Gateways and vSRX instances, the limits for UTM policies, profiles, MIME patterns, filename extensions, and protocol-command numbers are increased to 500; custom URL patterns and custom URL categories are increased to 1000.

Starting with Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, SRX4100 and SRX4200 devices support up to 500 UTM policies, profiles, MIME patterns, filename extensions, and protocol commands, and up to 1000 custom URL patterns and custom URL categories.

Starting with Junos OS Release 18.2R1, NFX150 devices support up to 500 UTM policies, profiles, MIME patterns, filename extensions, and protocol commands, and up to 1000 custom URL patterns and custom URL categories.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Starting with Junos OS Release 18.2R1, the following commands under the [edit security utm feature-profile] hierarchy level are deprecated:

  set web-filtering type
  set web-filtering url-blacklist
  set web-filtering url-whitelist
  set web-filtering http-persist
  set web-filtering http-reassemble
  set web-filtering traceoptions
  set web-filtering juniper-enhanced cache
  set web-filtering juniper-enhanced reputation
  set web-filtering juniper-enhanced query-type
  set anti-virus mime-whitelist
  set anti-virus url-whitelist
  set anti-virus type
  set anti-virus traceoptions
  set anti-virus sophos-engine
  set anti-spam address-blacklist
  set anti-spam address-whitelist
  set anti-spam traceoptions
  set content-filtering traceoptions

 

 

 

 

Starting with Junos OS Release 18.4R3, on SRX1500, SRX4100, SRX4200, SRX4600, SRX4800, SRX5400, SRX5600, and SRX5800 devices, the limits for UTM policies, profiles, MIME patterns, filename extensions, protocol commands, and custom messages are increased to 1500. Custom URL patterns and custom URL categories are increased to 3000.

This feature requires a license. To understand more about UTM licensing, see Understanding UTM Licensing. Refer to the Juniper Licensing Guide for general information about license management. Refer to the product data sheets at SRX Series Services Gateways for details, or contact your Juniper Account Team or Juniper Partner.

• Antivirus— The Avira antivirus module in the unified threat management (UTM) solution consists of a virus pattern database, an application proxy, a scan manager, and a configurable scan engine. The antivirus module on the SRX Series device scans specific application-layer traffic to protect the user from virus attacks and to prevent viruses from spreading.

 

 

 

 

 

Understanding UTM Custom Objects

Before you can configure most UTM features, you must first configure the custom objects for the feature in question. Custom objects are global parameters for UTM features. This means that configured custom objects can be applied to all UTM policies where applicable, rather than only to individual policies.

The following UTM features make use of certain custom objects:

• Web Filtering (see "Example: Configuring Integrated Web Filtering" on page 339)

• Antispam (see "Server-Based Antispam Filtering Configuration Overview" on page 93)

• Content Filtering (see "Content Filtering Configuration Overview" on page 118)
Starting in Junos OS Release 18.2R1, a new dynamic application policy match condition is added to SRX Series devices, allowing an administrator to more effectively control the behavior of Layer 7 applications. To accommodate Layer 7 application-based policies in UTM, the [edit security utm default-configuration] hierarchy level is introduced. If any parameter in a specific UTM feature profile configuration is not configured, then the corresponding parameter from the UTM default configuration is applied. Additionally, during the initial policy lookup phase, which occurs prior to a dynamic application being identified, if there are multiple policies present in the potential policy list which contain different UTM profiles, the SRX Series device applies the default UTM profile until a more explicit match has occurred.
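The two rules in the paragraph above decide which settings actually inspect a session, and the second one matters for the first packets of every session that needs application identification. As an added example (not Juniper code and not part of this guide), the following Python model applies both rules: per-parameter fallback from a feature profile to the default configuration, and selection of the default UTM profile while the potential policy list still holds policies with different profiles. The parameter names, profile names and policies are constructed for illustration; the branch for candidates that all share one profile is an assumption the text does not state and is marked as such.

```python
"""Model of the two UTM precedence rules stated above.

Added example, not Juniper code: it shows which values govern a session
under the rules in the text. Parameter names, profile names and policies
are constructed for illustration.
"""


def effective_parameters(default_configuration, profile):
    """Rule 1: a parameter left unconfigured in a feature profile (None here)
    takes the value from [edit security utm default-configuration]."""
    effective = dict(default_configuration)
    for name, value in profile.items():
        if value is not None:
            effective[name] = value
    return effective


def utm_profile_during_lookup(candidates, default_profile):
    """Rule 2: before the dynamic application is identified, the potential
    policy list may still hold several policies. If they carry different
    UTM profiles, the default UTM profile applies until a more explicit
    match narrows the list to one policy.

    candidates: list of (policy_name, utm_profile_name) still in the list.
    Returns (profile_name, reason).
    """
    if not candidates:
        return None, "no candidate policy"
    if len(candidates) == 1:
        name, profile = candidates[0]
        return profile, f"explicit match on policy {name}"
    distinct = {profile for _, profile in candidates}
    if len(distinct) > 1:
        return default_profile, "candidates carry different UTM profiles"
    # Assumption (not stated in the text): when every remaining candidate
    # carries the same profile, there is nothing left to disambiguate.
    return distinct.pop(), "all candidates carry the same UTM profile (assumed)"


# Constructed values: a default configuration and a profile that leaves
# one parameter unconfigured.
DEFAULT_CONFIGURATION = {"type": "juniper-enhanced", "default-action": "block", "timeout": 15}
WF_STRICT = {"type": None, "default-action": "block", "timeout": 5}

if __name__ == "__main__":
    print(effective_parameters(DEFAULT_CONFIGURATION, WF_STRICT))
    print(utm_profile_during_lookup([("p-mail", "wf-strict"), ("p-web", "wf-lenient")], "wf-default"))
    print(utm_profile_during_lookup([("p-web", "wf-lenient")], "wf-default"))
```

The practical consequence of rule 2 is that traffic seen before the application is identified is inspected under the default UTM profile, not under the profile the explicit match will eventually select. If the default configuration is laxer than the strictest profile referenced by the candidate policies, that early traffic is inspected less strictly than intended, so the default configuration should carry the conservative settings.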

SEE ALSO

UTM Supported Features | 6
Release History Table

Release          Description

18.4R3           Starting with Junos OS Release 18.4R3, on SRX1500, SRX4100, SRX4200, SRX4600, SRX4800, SRX5400, SRX5600, and SRX5800 devices, UTM policies, profiles, MIME patterns, filename extensions, protocol commands, and custom messages are increased up to 1500. Custom URL patterns and custom URL categories are increased up to 3000.

18.2R1           Starting with Junos OS Release 18.2R1, NFX150 devices support up to 500 UTM policies, profiles, MIME patterns, filename extensions, and protocol commands, and up to 1000 custom URL patterns and custom URL categories.

18.2R1           Starting with Junos OS Release 18.2R1, the following commands under the [edit security utm feature-profile] hierarchy level are deprecated.

18.2R1           Starting in Junos OS Release 18.2R1, a new dynamic application policy match condition is added to SRX Series devices, allowing an administrator to more effectively control the behavior of Layer 7 applications. To accommodate Layer 7 application-based policies in UTM, the [edit security utm default-configuration] hierarchy level is introduced. If any parameter in a specific UTM feature profile configuration is not configured, then the corresponding parameter from the UTM default configuration is applied. Additionally, during the initial policy lookup phase, which occurs prior to a dynamic application being identified, if there are multiple policies present in the potential policy list which contain different UTM profiles, the SRX Series device applies the default UTM profile until a more explicit match has occurred.

15.1X49-D70      Starting with Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, SRX4100 and SRX4200 devices support up to 500 UTM policies, profiles, MIME patterns, filename extensions, and protocol commands, and up to 1000 custom URL patterns and custom URL categories.

15.1X49-D60      Starting with Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, on SRX1500 Services Gateways and vSRX instances, UTM policies, profiles, MIME patterns, filename extensions, and protocol-command numbers are increased to 500; custom URL patterns and custom URL categories are increased to 1000.

RELATED DOCUMENTATION

Web Filtering Overview | 132

Antispam Filtering Overview | 90

Express Antivirus Protection | 226

UTM Supported Features

IN THIS SECTION

WELF Logging for UTM Features | 6

Explicit Proxy for UTM | 12

Unified Policies for UTM | 20

UTM Support for Chassis Cluster | 22

Allowlist | 24

WELF Logging for UTM Features

IN THIS SECTION

Understanding WELF Logging for UTM Features | 7

Example: Configuring WELF Logging for UTM Features | 8

Understanding WELF Logging for UTM Features
UTM features support the WELF standard. The WELF Reference defines the WebTrends industry standard log file exchange format. Any system logging to this format is compatible with Firewall Suite 2.0 and later, Firewall Reporting Center 1.0 and later, and Security Reporting Center 2.0 and later.

A WELF log file is composed of records. Each record is a single line in the file. Records are always in chronological order. The earliest record is the first record in the file; the most recent record is the last record in the file. WELF places no restrictions on log filenames or log file rotation policies.

NOTE: Each WELF record is composed of fields. The record identifier (id=) must be the first field in a record. All other fields can appear in any order.

The following is a sample WELF record:

id=firewall time="2000-2-4 12:01:01" fw=192.168.0.238 pri=6 rule=3 proto=http src=192.168.0.23 dst=6.1.0.36 arg=www.example.com/index.html op=GET result=0 rcvd=1426

The fields from the example WELF record include the following required elements (all other fields are optional):

id (Record identifier)

time (Date/time)

fw (Firewall IP address or name)

pri (Priority of the record)
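Anyone feeding UTM WELF logs into a SIEM needs a parser that honours the rules just described: key=value fields, quoted values that contain spaces (the time field), id= as the first field, the four required fields, and chronological order within a file. As an added example (not Juniper code and not part of this guide), the following Python code implements those checks and runs them over the sample record above plus a second, constructed record. The time format is inferred from the sample record and is an assumption.

```python
"""WELF record parser and checks for the rules described above.

Added example, not Juniper code. It parses key=value fields (quoted values
may contain spaces), enforces that id= is the first field, checks the four
required fields, and verifies the chronological order a log file must keep.
The time format is inferred from the sample record; the second record below
is constructed.
"""
import re
from datetime import datetime

# A field is key=value; the value is either double-quoted (spaces allowed)
# or an unquoted run of non-space characters.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
REQUIRED = ("id", "time", "fw", "pri")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed from time="2000-2-4 12:01:01"

# Sample record from the text, followed by a constructed second record.
SAMPLE_RECORD = (
    'id=firewall time="2000-2-4 12:01:01" fw=192.168.0.238 pri=6 rule=3 '
    'proto=http src=192.168.0.23 dst=6.1.0.36 arg=www.example.com/index.html '
    'op=GET result=0 rcvd=1426'
)
SECOND_RECORD = 'id=firewall time="2000-2-4 12:01:02" fw=192.168.0.238 pri=6 proto=http op=GET'


class WelfError(ValueError):
    """Raised for a record that violates the WELF rules."""


def parse_welf_record(line):
    """Return the fields of one record as a dict in their original order."""
    line = line.strip()
    fields = {}
    pos = 0
    while pos < len(line):
        match = _FIELD.match(line, pos)
        if not match:
            raise WelfError(f"unparseable text at offset {pos}: {line[pos:pos + 20]!r}")
        key, value = match.group(1), match.group(2)
        if value.startswith('"'):
            value = value[1:-1]  # strip the quotes, keep the inner spaces
        if key in fields:
            raise WelfError(f"duplicate field {key}")
        fields[key] = value
        pos = match.end()
        while pos < len(line) and line[pos].isspace():
            pos += 1
    if not fields:
        raise WelfError("empty record")
    first = next(iter(fields))
    if first != "id":
        raise WelfError(f"first field must be id=, got {first}=")
    missing = [name for name in REQUIRED if name not in fields]
    if missing:
        raise WelfError("missing required fields: " + ", ".join(missing))
    return fields


def check_record(line):
    """Return None for a valid record, otherwise the reason it is invalid."""
    try:
        parse_welf_record(line)
        return None
    except WelfError as err:
        return str(err)


def in_chronological_order(lines):
    """True if the time fields never go backwards, as a WELF file requires."""
    times = [datetime.strptime(parse_welf_record(l)["time"], TIME_FORMAT) for l in lines]
    return all(a <= b for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    for key, value in parse_welf_record(SAMPLE_RECORD).items():
        print(f"{key:>6} = {value}")
    print("chronological:", in_chronological_order([SAMPLE_RECORD, SECOND_RECORD]))
```

A record that fails check_record() should be quarantined rather than silently dropped: a malformed or out-of-order line in a UTM log is itself an event worth investigating (truncated write, clock change, or tampering).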
