sites were blocked too. Perhaps erroneously.
FQDN is vital yet, it must be set properly.
B.S.C.M. I.T.T. Tech
A.A.S. I.T.T. Tech
Original Message:
Sent: 04-22-2024 11:40
From: eugene1973
Subject: Allowing and blocking website on SRX300
At present my ISP is not fqdn at the srx.
I do have devices behind my srx's that
will do this.
I don't know exactly if Hynix had a full
fqdn, but I assume they did. The rules
were different back then and it took
a team to block websites in order
to mitigate malicious traffic.
A license is much desired, but to
mitigate malicious traffic nowadays
you should look to completeness, and
use a PC to actively eliminate viruses
and malware.
------------------------------
Adrian Aguinaga
B.S.C.M. I.T.T. Tech
(Construction Management)
A.A.S. I.T.T. Tech
(Drafting & Design)
Original Message:
Sent: 04-22-2024 11:26
From: eugene1973
Subject: Allowing and blocking website on SRX300
I must agree with Nik,
SSL proxy
and proxy forwarding are not
the same.
It would seem that performing
this would now have to be done
at various levels. Reminds me
of the Hynix building rules I
once encountered. But this was
15 years ago. Limited success.
------------------------------
Adrian Aguinaga
B.S.C.M. I.T.T. Tech
(Construction Management)
A.A.S. I.T.T. Tech
(Drafting & Design)
Original Message:
Sent: 04-22-2024 07:01
From: Nikolay Semov
Subject: Allowing and blocking website on SRX300
Unfortunately the custom signature example Adrian pointed to is also for plain-text http://
That being said, the AppID can identify some pre-defined well-known websites, and I think Facebook is one of them. If your SRX is one of the older variants with a model SKU that includes JSE (not visible inside JunOS, as far as I know, but check the labels on the device), then AppID is included perpetually for free. If it's JSB or neither JSB nor JSE, then AppID would require a separate license.
Aside from that, again, you'll need to configure SSL forward proxy in order to see encrypted web traffic and block individual websites. Even that may require the use of the Enhanced Web Filtering which too technically requires a license.
------------------------------
Nikolay Semov
Original Message:
Sent: 04-22-2024 05:48
From: Tokumasa Sanada
Subject: Allowing and blocking website on SRX300
Hi Adrian,
Well, I have a question. If my SRX300 lost the license, without the installation of license, can my SRX300 achieve the function of blocking all websites but allowing few websites?
Thanks.
------------------------------
Tokumasa Sanada
Original Message:
Sent: 04-22-2024 05:27
From: eugene1973
Subject: Allowing and blocking website on SRX300
I'm sorry that I thought you meant
your own website.
Look at this to find what you are
doing.
https://supportportal.juniper.net/s/article/SRX-How-to-configure-a-custom-signature-to-block-specific-URLs-using-application-firewall-AppFW?language=en_US
------------------------------
Adrian Aguinaga
B.S.C.M. I.T.T. Tech
(Construction Management)
A.A.S. I.T.T. Tech
(Drafting & Design)
Original Message:
Sent: 04-22-2024 04:42
From: Tokumasa Sanada
Subject: Allowing and blocking website on SRX300
Hi Adrian,
So, if I want to use NAT to block www.facebook.com, could you instruct how to do it on NAT?
Thanks.
------------------------------
Tokumasa Sanada
Original Message:
Sent: 04-22-2024 04:33
From: eugene1973
Subject: Allowing and blocking website on SRX300
Trust me when I say that most nat
source ports should look like this.
0-22
24-65535
Your nat 0.0.0.0/0 statement is
one for sure.
------------------------------
Adrian Aguinaga
B.S.C.M. I.T.T. Tech
(Construction Management)
A.A.S. I.T.T. Tech
(Drafting & Design)
Original Message:
Sent: 04-22-2024 03:54
From: Tokumasa Sanada
Subject: Allowing and blocking website on SRX300
Hi Adrian,
Not really understand. Do you mean use NAT to block websites?
------------------------------
Tokumasa Sanada
Original Message:
Sent: 04-21-2024 21:05
From: eugene1973
Subject: Allowing and blocking website on SRX300
One thing I have learned about the srx series
is that the nat modules are very complicated
but scaling is questionable.
I have never varied in my configuration
from setting each (ALL) port mapping.
Source
1-22
24-65535
MOST LIKELY, also destination,
but set source for sure.
Don't know if dest is in new os.
Start with basic configuration first.
All of them (nat statements) set this
port mapping, now you can configure.
Then start opening them (somehow).
Keep in mind, completeness is the key.
When I say all, I mean, as many as possible.
MOST. some, weighted?
Watch your ipv6, no pun intended.
FExx
Need I say?
0-22
24-65535
------------------------------
Adrian Aguinaga
B.S.C.M. I.T.T. Tech
(Construction Management)
A.A.S. I.T.T. Tech
(Drafting & Design)
Original Message:
Sent: 04-18-2024 22:51
From: Tokumasa Sanada
Subject: Allowing and blocking website on SRX300
Hi all,
I have a SRX300 which followed the instruction of an official document to configure which websites are allowed or not allowed to be accessed but the configuration does not work after I completed the configuration.
The official document is below.
Allow or Block Websites by Using J-Web Integrated Content Security Web Filtering
Is there anyone who knows why it does not work?
Much appreciative if there is someone who knows how to configure SRX300 to block and allow websites.
------------------------------
Tokumasa Sanada
------------------------------