Block websites on Juniper SSG 20


I'm looking for an effective way to block websites such as Facebook on the Juniper SSG 20.

For those who have succeeded in doing this, please contribute your steps/workaround.

What I've done:

Created a group list with the commonly used IP addresses of Facebook. Next, created a policy from Trust -> Untrust blocking these IP addresses. Applied the policy above the default any/any.

I'm still getting issues with HTTPS requests such as which still seem to be getting through even though the DNS lookup shows that I'm blocking that IP.

kurtholm2004 Commented:
You can do this by adding their address objects into the address book within the SSG.

Add these three to a group or add them as multiple entries in the same rule. I like the idea of adding them to a group called "Blocked Websites" and then setting the policy action to deny. When you add the address book entries I like to call them "Blocked site -". That way you can find them nice and easy when going through your address book. The more notes the better if you are a company that gets IT audits done. Also they are good for you as well, to jog your memory 3 years from now when you are wondering what you did and why.

Like I said about the group called "Blocked Websites": create a rule that should be at the top of your rules. Turn logging on as well so you can see who is still trying to access these sites. What we would do is have the users sign a policy stating that these sites were off limits and they were not allowed to go there. Basically it was part of the acceptable usage policy for them to get internet access. Then you can randomly remind these people (how you do this will depend on your HR department, local laws and corporate policies). I never used these logs to try and jeopardize anyone's job but rather to make sure they know when they are trying to do something they should not be doing. This way it creates deterrence as well, rather than them always looking for a way around it.

Make sure the DNS lookup table shows successful lookups for the entries. I agree with the other comment about using a product that Juniper supports to do filtering. I do understand that it can be a pricey concept depending on how many users you are talking about versus how much you want to be able to block versus report on.

Changing the internal DNS can be gotten around with great ease and is not designed for that type of thing. Blocking IPs alone should be used only when DNS lookups will not be able to apply to the situation. I think the ideal solution is the most cost-efficient one mixed with user education and knowledge. Let them know why Facebook is blocked. Come up with some numbers to show them as well on bandwidth usage and so forth. If you have any other questions please let me know.

Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
How can you see that you are blocking by using DNS lookup?
A public means to block sites is to hack your DNS server, or the SSG DNS entries, for the e.g. facebook domain, to point to
I see that there are two IP addresses for that host name, and  Are you blocking both?
Sanga Collins (Systems Admin) Commented:
If you set up the DNS settings on the Juniper with a public DNS server, you can then reference sites by DNS name in the policy and block those sites no matter what their target IP ends up being.

I often used this technique in a different way by giving the Juniper my domain controller DNS settings, and blocking workstations from getting to the Internet based on their FQDN in Active Directory.

Ideally, for blocking you would need to use SurfControl or Websense. The above method is about 60-80% effective.
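The address-book group, the deny-at-top policy with logging (kurtholm2004's answer) and the domain-name entries resolved through the firewall's own DNS settings (Sanga Collins' answer), as an added ScreenOS CLI example that is not from the original thread; the resolver address (TEST-NET placeholder), zone names and object names are assumptions, and the lines starting with `#` are annotations, not commands.

```screenos
# Assumed: the SSG resolves names itself; 203.0.113.53 is a placeholder resolver.
set dns host dns1 203.0.113.53
# Domain-name address objects in the Untrust zone. The firewall re-resolves them,
# so the policy follows whichever address the site currently answers with instead
# of a hand-maintained IP list (the gap that let the HTTPS requests through).
set address "Untrust" "Blocked site - facebook.com" facebook.com "Blocked per AUP"
set address "Untrust" "Blocked site - www.facebook.com" www.facebook.com "Blocked per AUP"
# Group the objects so adding a site later is a group edit, not a policy edit.
set group address "Untrust" "Blocked Websites" comment "Sites denied by acceptable use policy"
set group address "Untrust" "Blocked Websites" add "Blocked site - facebook.com"
set group address "Untrust" "Blocked Websites" add "Blocked site - www.facebook.com"
# Deny policy inserted at the top so it is evaluated before the permissive any/any rule;
# "log" records the source of every attempt for the reminders described above.
set policy top name "Deny blocked websites" from "Trust" to "Untrust" "Any" "Blocked Websites" "ANY" deny log
save
# Checks: confirm the names resolved (an unresolved entry matches nothing and the
# deny silently does not apply) and that the deny policy sits above the any/any rule.
get dns host cache
get policy
```

The match is only as good as the names in the group: content served from other hostnames or CDN addresses that the listed names never resolve to still passes, which is why the answer above puts this method at 60-80%.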