Block websites on Juniper SSG 20

Posted on 2009-12-27
Medium Priority
Last Modified: 2012-05-08

I'm looking for an effective way to block websites such as Facebook on the Juniper SSG 20.

For those who have succeeded in doing this, please contribute your steps/workaround.

What I've done:

Created a group list with the commonly used IP addresses of Facebook. Next, created a policy from Trust -> Untrust blocking these IP addresses, and applied that policy above the default any/any.

I'm still getting issues with HTTPS requests, such as to login.facebook.com, which still seem to be getting through even though a DNS lookup shows that I'm blocking that IP.
Question by: rmcgregor

Expert Comment (LVL 71)
ID: 26131227

How can you see that you are blocking by using a DNS lookup?
A public means to block sites is to hack your DNS server, or the SSG DNS entries, for e.g. the facebook domain, to point to
Expert Comment (LVL 57)
ID: 26131374

I see that there are two IP addresses for that host name, and Are you blocking both?
Expert Comment (LVL 18)
by: Sanga Collins
ID: 26158457

If you set up the DNS settings on the Juniper with a public DNS server, you can then reference sites by DNS name in the policy and block those sites no matter what their target IP ends up being.

I often used this technique in a different way by giving the Juniper my domain controller's DNS settings, and blocking workstations from getting to the Internet based on their FQDN in Active Directory.

Ideally, for blocking you would need to use SurfControl or Websense. The above method is about 60-80% effective.

Accepted Solution

by: kurtholm2004 (earned 2000 total points)
ID: 26158974

You can do this by adding their address objects into the address book within the SSG.


Add these three to a group, or add them as multiple entries in the same rule. I like the idea of adding them to a group called "Blocked Websites", then setting the policy action to deny. When you add the address book entries I like to call them "Blocked site - facebook.com"; that way you can find them nice and easy when going through your address book. The more notes the better if you are a company that gets IT audits done. They are also good for jogging your memory three years from now when you are wondering what you did and why.

As I said about the group called "Blocked Websites", create a rule for it that sits at the top of your rules. Turn logging on as well so you can see who is still trying to access these sites. What we would do is have the users sign a policy stating that these sites were off limits and they were not allowed to go there; basically it was part of the acceptable use policy for them to get Internet access. Then you can randomly remind these people (how you do this will depend on your HR department, local laws and corporate policies). I never used these logs to try to jeopardize anyone's job, but rather to make sure they know when they are trying to do something they should not be doing. This way it creates deterrence as well, rather than them always looking for a way around it.

Make sure the DNS lookup table shows successful lookups for the entries. I agree with the other comment about using a product that Juniper supports to do filtering. I do understand that it can be a pricey concept depending on how many users you are talking about versus how much you want to be able to block versus report on.

Changing the internal DNS can be gotten around with great ease and is not designed for that type of thing. Blocking IPs alone should be used only when DNS lookups will not be able to apply to the situation. I think the ideal solution is the most cost-efficient one mixed with user education and knowledge, so that they know why Facebook is blocked. Come up with some numbers to show them as well on bandwidth usage and so forth. If you have any other questions please let me know.
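Added example (not from the thread or from any of its posters): the ScreenOS CLI equivalent of the accepted solution, combined with the DNS-name technique from Sanga Collins's comment. The zone names (Trust/Untrust), the resolver address 198.51.100.53 (a documentation address, substitute your own) and the three hostnames are assumptions for illustration; the lines beginning with ## are annotations for the reader, not CLI input.

```text
## 1. The SSG must resolve names itself; domain-name address objects depend on this.
set dns host dns1 198.51.100.53

## 2. Address-book entries by domain name, in the zone the traffic is going TO.
##    List each hostname explicitly: an entry for facebook.com does not cover
##    login.facebook.com, which is the name the question says was slipping through.
set address untrust "Blocked site - facebook.com" facebook.com
set address untrust "Blocked site - www.facebook.com" www.facebook.com
set address untrust "Blocked site - login.facebook.com" login.facebook.com

## 3. Group them so the policy stays readable and auditable.
set group address untrust "Blocked Websites" add "Blocked site - facebook.com"
set group address untrust "Blocked Websites" add "Blocked site - www.facebook.com"
set group address untrust "Blocked Websites" add "Blocked site - login.facebook.com"

## 4. Deny policy at the top, above the default permit, with logging. The match is on
##    destination address with service "any", so HTTPS is caught as well as HTTP.
set policy top from trust to untrust any "Blocked Websites" any deny log

save

## 5. Checks: refresh the firewall's DNS cache and confirm every entry resolved.
##    A domain-name entry with no resolved address matches nothing, and the
##    policy is then silently a no-op for that name.
exec dns refresh
get dns host cache
get policy
```

Caveat worth knowing before trusting this: the policy matches the addresses the SSG's own resolver returned at its last refresh, not the addresses a client resolves at request time. Where a site hands out several addresses in rotation, a client can be handed one the firewall has not cached yet and the connection goes through, which is a plausible explanation for the login.facebook.com traffic the question describes. Pointing clients and the SSG at the same internal resolver keeps both views of a name closer together, and the log entries from the deny rule show which names still need adding to the group.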
