Solved

cann't block website in Juniper firewall Juniper-NS5GT

Posted on 2011-09-15
3
771 Views
Last Modified: 2012-05-12
I'm trying to setup firewall policy to block some websites like facebook.com and youtube.com.
My setting is the same as mentioned here http://kb.juniper.net/InfoCenter/index?page=content&id=KB4320 . But facebook and youtube are still not blocked. Please advise
0
Comment
Question by:bominthu
  • 2
3 Comments
 
LVL 69

Expert Comment

by:Qlemo
ID: 36541318
Did you position the policy at the top of all Untrust policies? At least for test it is best to do so. As soon as it works, you can relocate it to a more appropriate position, but before any "Deny all" policy you might have defined.

Another possible failure reason is that Facebook and YouTube use more than one IP address, and the DNS resolution of Juniper does not take all IPs into account.
0
 
LVL 6

Expert Comment

by:Sanjeevloke
ID: 36543039
I dont think juniper firewall can do it ....
need websense device or some kind of proxy to do it ...

or else you should know all IP used by youtube & facebook and put rule accordingly..
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 36544705
Facebook, YouTube and the like use several different IP addresses, based on where you are located (and several other criteria). Blocking "www.facebook.com" in a policy is indeed not working for that reason. Common ways to perform reliable blocking:
creatie fake DNS entries in your main DNS server. That is, create a zone facebook.com with an entry named www, having 127.0.0.1 as IP. And bang!, www.facebook.com cannot be reached anymore.
use WebSense or SurfControl - both require a server you can connect to to decide which criteria are applied for blocking, and some licensing (IIRC).
Set up a Web Proxy at your LAN, and only allow HTTP connections from there. The Proxy server then can decide which traffic is allowed.
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question