Solved

cann't block website in Juniper firewall Juniper-NS5GT

Posted on 2011-09-15
3
768 Views
Last Modified: 2012-05-12
I'm trying to setup firewall policy to block some websites like facebook.com and youtube.com.
My setting is the same as mentioned here http://kb.juniper.net/InfoCenter/index?page=content&id=KB4320 . But facebook and youtube are still not blocked. Please advise
0
Comment
Question by:bominthu
  • 2
3 Comments
 
LVL 68

Expert Comment

by:Qlemo
ID: 36541318
Did you position the policy at the top of all Untrust policies? At least for test it is best to do so. As soon as it works, you can relocate it to a more appropriate position, but before any "Deny all" policy you might have defined.

Another possible failure reason is that Facebook and YouTube use more than one IP address, and the DNS resolution of Juniper does not take all IPs into account.
0
 
LVL 6

Expert Comment

by:Sanjeevloke
ID: 36543039
I dont think juniper firewall can do it ....
need websense device or some kind of proxy to do it ...

or else you should know all IP used by youtube & facebook and put rule accordingly..
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 36544705
Facebook, YouTube and the like use several different IP addresses, based on where you are located (and several other criteria). Blocking "www.facebook.com" in a policy is indeed not working for that reason. Common ways to perform reliable blocking:
creatie fake DNS entries in your main DNS server. That is, create a zone facebook.com with an entry named www, having 127.0.0.1 as IP. And bang!, www.facebook.com cannot be reached anymore.
use WebSense or SurfControl - both require a server you can connect to to decide which criteria are applied for blocking, and some licensing (IIRC).
Set up a Web Proxy at your LAN, and only allow HTTP connections from there. The Proxy server then can decide which traffic is allowed.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Enterasys QoS setup 2 56
Cisco ACS mixed versions 8 71
Open a port on Cisco Router 1941 23 35
Do you think below two ipv6 routes are the same thing? 4 30
Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now