SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Allowing and blocking website on SRX300

  • 1.  Allowing and blocking website on SRX300

    Posted 04-18-2024 22:52

    Hi all,

    I have an SRX300, and I followed the instructions in an official document to configure which websites are allowed or not allowed to be accessed, but the configuration does not work after I completed it.

    The official document is below.

    Allow or Block Websites by Using J-Web Integrated Content Security Web Filtering


    Is there anyone who knows why it does not work?

    I would much appreciate it if someone knows how to configure the SRX300 to block and allow websites.



    ------------------------------
    Tokumasa Sanada
    ------------------------------


  • 2.  RE: Allowing and blocking website on SRX300

    Posted 04-19-2024 19:26

    It really depends on what "does not work" means in your case.  Please describe the symptoms you're observing.

    If I had to guess blindly, I would point you to this note in the document:
    NOTE: For an HTTPS connection, Web filtering is supported through SSL forward proxy.

    With a major push to have all web traffic encrypted these days, pure HTTP web filtering is virtually useless. With an SSL forward proxy configured, the hostname portion of a URL is invisible to the firewall as it's encrypted. Sure, the firewall could resolve the hostname to an IP address and try to match it that way, but with load balancing these days, that's not very reliable at all.

    So, if HTTPS is the issue you're having, you'll need to configure SSL forward proxy and I think you'll have to use the enhanced web filtering. Reference:
    https://supportportal.juniper.net/s/article/SRX-Blocking-HTTPS-sites-using-EWF-Enhanced-Web-Filtering



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: Allowing and blocking website on SRX300

    Posted 04-21-2024 20:45
    Edited by Tokumasa Sanada 04-21-2024 23:16

    Hi Nikolay,

    What I mean by "does not work" is that after I configured the website which should be blocked, the website can still be accessed.

    If I simply want to block websites so that they cannot be accessed, should I follow this link?

    https://www.juniper.net/documentation/us/en/software/jweb-srx22.3/jweb-srx/topics/topic-map/j-web-security-utm-web-filtering-example.html

    Or could you kindly explain how to block a website?

    Thanks.
    ------------------------------
    Tokumasa Sanada
    ------------------------------



  • 4.  RE: Allowing and blocking website on SRX300

    Posted 04-21-2024 23:25

    Is the website URL that you were still able to access http:// or https:// ?

    The example is alright, but please see the notes on Step 5:
    NOTE: For an HTTPS connection, Web filtering is supported through SSL forward proxy.

    The example does not show how to set up an SSL Forward Proxy.

    Please also see this article:
    https://supportportal.juniper.net/s/article/SRX-Blocking-HTTPS-sites-using-EWF-Enhanced-Web-Filtering



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 5.  RE: Allowing and blocking website on SRX300

    Posted 04-22-2024 03:23

    Hi Nikolay

    The URL is https://



    ------------------------------
    Tokumasa Sanada
    ------------------------------



  • 6.  RE: Allowing and blocking website on SRX300

    Posted 04-22-2024 04:42

    Nik. Tokumasa

    SSL proxy is funny in SRX, yes it should be configured but really, if you are having to configure something means it must modify the flow. Some older SRX do not let you install the statement list into the gui code block. I assume SSL proxy is already present in all SRX then.

    On the other hand I had to get an SRX with this feature and configure it.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 7.  RE: Allowing and blocking website on SRX300

    Posted 04-22-2024 04:46

    The request statement is how this is done.

    https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-ssl-proxy-forward-reverse-proxy.html

    But honestly to block a port read the other part of the posts.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 8.  RE: Allowing and blocking website on SRX300

    Posted 04-21-2024 21:06

    One thing I have learned about the SRX series is that the NAT modules are very complicated but scaling is questionable.

    I have never varied in my configuration from setting each (ALL) port mapping.

    Source

    1-22

    24-65535

    MOST LIKELY, also destination, but set source for sure. Don't know if dest is in new OS.

    Start with basic configuration first. All of them (NAT statements set this port mapping, now you can configure. Then start opening them (somehow).

    Keep in mind, completeness is the key. When I say all, I mean, as many as possible. MOST. some, weighted?

    Watch your IPv6, no pun intended.

    FExx

    Need I say?

    0-22

    24-65535



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------