Block websites on Juniper SSG 20

Posted on 2009-12-27
Last Modified: 2012-05-08

I'm looking for an effective way to block websites such as Facebook on the Juniper SSG 20.

For those who have succeeded in doing this, please contribute your steps/workaround.

What I've done:

Created a group list with the commonly used IP addresses of Facebook. Next, created a policy from Trust -> Untrust blocking these IP addresses. Applied the policy above the default any any.

I'm still getting issues with HTTPS requests such as which still seem to be getting through even though the DNS lookup shows that I'm blocking that IP.
Question by:rmcgregor
    LVL 68

    Expert Comment

    How can you see that you are blocking by using DNS lookup?
    A public means to block sites is to hack your DNS server, or the SSG DNS entries, for the e.g. facebook domain, to point to
    LVL 57

    Expert Comment

    I see that there are two IP addresses for that host name, and  Are you blocking both?
    LVL 18

    Expert Comment

    by:Sanga Collins
    If you set up the DNS settings on the Juniper with a public DNS server, you can then reference sites by DNS name in the policy and block those sites no matter what their target IP ends up being.

    I often used this technique in a different way, by giving the Juniper my domain controller's DNS settings and blocking workstations from getting to the Internet based on their FQDN in Active Directory.

    Ideally, for blocking you would need to use SurfControl or Websense. The above method is about 60-80% effective.
    LVL 1

    Accepted Solution

    You can do this by adding their address objects into the address book within the SSG.

    Add these three to a group or add them as multiple entries in the same rule. I like the idea of adding them to a group called "Blocked Websites" and then setting the policy action to deny. When you add the address book entries I like to call them "Blocked site -". That way you can find them nice and easy when going through your address book. The more notes the better if you are a company that gets IT audits done. They are also good for jogging your memory 3 years from now when you are wondering what you did and why.

    Like I said about the group called "Blocked Websites": create a rule that should be at the top of your rules. Turn logging on as well so you can see who is still trying to access these sites. What we would do is have the users sign a policy stating that these sites were off limits and they were not allowed to go there. Basically it was part of the acceptable usage policy for them to get internet access. Then you can randomly remind these people (how you do this will depend on your HR department, local laws and corporate policies). I never used these logs to try and jeopardize anyone's job, but rather to make sure they know when they are trying to do something they should not be doing. This way it creates deterrence as well, rather than them always looking for a way around it.

    Make sure the DNS lookup table shows successful lookups for the entries. I agree with the other comment about using a product that Juniper supports to do filtering. I do understand that it can be a pricey concept depending on how many users you are talking about versus how much you want to be able to block versus report on.

    Changing the internal DNS can be gotten around with great ease and is not designed for that type of thing. Blocking IPs alone should be used only when DNS lookups will not be able to apply to the situation. I think the ideal solution is the most cost efficient, mixed with user education and knowledge. Let them know why Facebook is blocked. Come up with some numbers to show them as well on bandwidth usage and so forth. If you have any other questions please let me know.
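The two answers above describe the same ScreenOS configuration in prose: point the SSG at a DNS server, create domain-name address objects, collect them in a "Blocked Websites" group, and put a logged deny policy at the top of the Trust-to-Untrust rulebase. The following is an added ScreenOS CLI example written for this page, not configuration posted by either answerer. It assumes the default "Trust" and "Untrust" zones; the resolver address (192.0.2.53) and the Facebook hostnames are placeholders to replace with your own, and the `#` lines are explanation for the reader, not CLI input.

```text
# --- Added example (ScreenOS CLI); not the answerer's own configuration ---
# Assumptions: default zones "Trust" and "Untrust"; 192.0.2.53 is a
# placeholder resolver; hostnames are illustrative.

# 1. Give the SSG a resolver so domain-name address objects can be resolved.
set dns host dns1 192.0.2.53

# 2. Address-book entries by DNS name, named "Blocked site - ..." as the
#    accepted solution suggests, so they are easy to find during an audit.
set address Untrust "Blocked site - facebook.com" facebook.com
set address Untrust "Blocked site - www.facebook.com" www.facebook.com

# 3. Collect the entries in one group so the policy references a single object.
set group address Untrust "Blocked Websites"
set group address Untrust "Blocked Websites" add "Blocked site - facebook.com"
set group address Untrust "Blocked Websites" add "Blocked site - www.facebook.com"

# 4. Deny policy with logging, inserted at the top so it is evaluated
#    before the permissive any/any rule.
set policy top from Trust to Untrust Any "Blocked Websites" ANY deny log

# 5. Verify: the DNS lookup table should show the names resolved, and the
#    deny rule should appear first in the policy list.
get dns host cache
get policy

save
```

The check in step 5 is the one the accepted solution asks for: a domain-name address object only matches the addresses the SSG's resolver returned for that name, so if `get dns host cache` shows no entry for a hostname, the deny policy is not matching anything for it. As the thread notes, this is also why the approach is only partially effective: traffic to an address the resolver never returned (other hostnames, HTTPS endpoints on different addresses) is not covered, which is the gap a dedicated filtering product is meant to close.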
