Solved

cann't block website in Juniper firewall Juniper-NS5GT

Posted on 2011-09-15
3
775 Views
Last Modified: 2012-05-12
I'm trying to setup firewall policy to block some websites like facebook.com and youtube.com.
My setting is the same as mentioned here http://kb.juniper.net/InfoCenter/index?page=content&id=KB4320 . But facebook and youtube are still not blocked. Please advise
0
Comment
Question by:bominthu
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 70

Expert Comment

by:Qlemo
ID: 36541318
Did you position the policy at the top of all Untrust policies? At least for test it is best to do so. As soon as it works, you can relocate it to a more appropriate position, but before any "Deny all" policy you might have defined.

Another possible failure reason is that Facebook and YouTube use more than one IP address, and the DNS resolution of Juniper does not take all IPs into account.
0
 
LVL 6

Expert Comment

by:Sanjeevloke
ID: 36543039
I dont think juniper firewall can do it ....
need websense device or some kind of proxy to do it ...

or else you should know all IP used by youtube & facebook and put rule accordingly..
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 36544705
Facebook, YouTube and the like use several different IP addresses, based on where you are located (and several other criteria). Blocking "www.facebook.com" in a policy is indeed not working for that reason. Common ways to perform reliable blocking:
creatie fake DNS entries in your main DNS server. That is, create a zone facebook.com with an entry named www, having 127.0.0.1 as IP. And bang!, www.facebook.com cannot be reached anymore.
use WebSense or SurfControl - both require a server you can connect to to decide which criteria are applied for blocking, and some licensing (IIRC).
Set up a Web Proxy at your LAN, and only allow HTTP connections from there. The Proxy server then can decide which traffic is allowed.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month8 days, 21 hours left to enroll

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question