Solved

cann't block website in Juniper firewall Juniper-NS5GT

Posted on 2011-09-15
3
773 Views
Last Modified: 2012-05-12
I'm trying to setup firewall policy to block some websites like facebook.com and youtube.com.
My setting is the same as mentioned here http://kb.juniper.net/InfoCenter/index?page=content&id=KB4320 . But facebook and youtube are still not blocked. Please advise
0
Comment
Question by:bominthu
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 70

Expert Comment

by:Qlemo
ID: 36541318
Did you position the policy at the top of all Untrust policies? At least for test it is best to do so. As soon as it works, you can relocate it to a more appropriate position, but before any "Deny all" policy you might have defined.

Another possible failure reason is that Facebook and YouTube use more than one IP address, and the DNS resolution of Juniper does not take all IPs into account.
0
 
LVL 6

Expert Comment

by:Sanjeevloke
ID: 36543039
I dont think juniper firewall can do it ....
need websense device or some kind of proxy to do it ...

or else you should know all IP used by youtube & facebook and put rule accordingly..
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 36544705
Facebook, YouTube and the like use several different IP addresses, based on where you are located (and several other criteria). Blocking "www.facebook.com" in a policy is indeed not working for that reason. Common ways to perform reliable blocking:
creatie fake DNS entries in your main DNS server. That is, create a zone facebook.com with an entry named www, having 127.0.0.1 as IP. And bang!, www.facebook.com cannot be reached anymore.
use WebSense or SurfControl - both require a server you can connect to to decide which criteria are applied for blocking, and some licensing (IIRC).
Set up a Web Proxy at your LAN, and only allow HTTP connections from there. The Proxy server then can decide which traffic is allowed.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question