Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

cann't block website in Juniper firewall Juniper-NS5GT

Posted on 2011-09-15
3
Medium Priority
?
777 Views
Last Modified: 2012-05-12
I'm trying to setup firewall policy to block some websites like facebook.com and youtube.com.
My setting is the same as mentioned here http://kb.juniper.net/InfoCenter/index?page=content&id=KB4320 . But facebook and youtube are still not blocked. Please advise
0
Comment
Question by:bominthu
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 71

Expert Comment

by:Qlemo
ID: 36541318
Did you position the policy at the top of all Untrust policies? At least for test it is best to do so. As soon as it works, you can relocate it to a more appropriate position, but before any "Deny all" policy you might have defined.

Another possible failure reason is that Facebook and YouTube use more than one IP address, and the DNS resolution of Juniper does not take all IPs into account.
0
 
LVL 6

Expert Comment

by:Sanjeevloke
ID: 36543039
I dont think juniper firewall can do it ....
need websense device or some kind of proxy to do it ...

or else you should know all IP used by youtube & facebook and put rule accordingly..
0
 
LVL 71

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 36544705
Facebook, YouTube and the like use several different IP addresses, based on where you are located (and several other criteria). Blocking "www.facebook.com" in a policy is indeed not working for that reason. Common ways to perform reliable blocking:
creatie fake DNS entries in your main DNS server. That is, create a zone facebook.com with an entry named www, having 127.0.0.1 as IP. And bang!, www.facebook.com cannot be reached anymore.
use WebSense or SurfControl - both require a server you can connect to to decide which criteria are applied for blocking, and some licensing (IIRC).
Set up a Web Proxy at your LAN, and only allow HTTP connections from there. The Proxy server then can decide which traffic is allowed.
0

Featured Post

Plug and play, no additional software required!

The ATEN UE3310 USB3.1 Gen1 Extender Cable allows users to extend the distance between the computer and USB devices up to 10 m (33 ft). The UE3310 is a high-quality, cost-effective solution for professional environments such as hospitals, factories and business facilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question