SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Allowing and blocking website on SRX300

  • 1.  Allowing and blocking website on SRX300

    Posted 13 days ago

    Hi all,

    I have an SRX300. I followed the instructions in an official document to configure which websites are allowed or not allowed to be accessed, but the configuration does not work after I completed it.

    The official document is below.

    Allow or Block Websites by Using J-Web Integrated Content Security Web Filtering

    SUMMARY Learn about Web filtering and how to filter URLs on Content Security-enabled SRX Series Firewalls by using J-Web. Web filtering helps you to allow or block access to the Web and to monitor your network traffic.

    Is there anyone who knows why it does not work?

    I would be much appreciative if someone knows how to configure the SRX300 to block and allow websites.



    ------------------------------
    Tokumasa Sanada
    ------------------------------


  • 2.  RE: Allowing and blocking website on SRX300

    Posted 12 days ago

    It really depends on what "does not work" means in your case. Please describe the symptoms you're observing.

    If I had to guess blindly, I would point you to this note in the document:
    NOTE: For an HTTPS connection, Web filtering is supported through SSL forward proxy.

    With a major push to have all web traffic encrypted these days, pure HTTP web filtering is virtually useless. With an SSL forward proxy configured, the hostname portion of a URL is invisible to the firewall as it's encrypted. Sure, the firewall could resolve the hostname to an IP address and try to match it that way, but with load balancing these days, that's not very reliable at all.

    So, if HTTPS is the issue you're having, you'll need to configure SSL forward proxy and I think you'll have to use the enhanced web filtering. Reference:
    https://supportportal.juniper.net/s/article/SRX-Blocking-HTTPS-sites-using-EWF-Enhanced-Web-Filtering



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: Allowing and blocking website on SRX300

    Posted 10 days ago
    Edited by Tokumasa Sanada 10 days ago

    Hi Nikolay,

    What I mean by "does not work" is that after I configured the website which should be blocked, the website can still be accessed.

    If I simply want to block websites so that they cannot be accessed, should I follow this link?

    https://www.juniper.net/documentation/us/en/software/jweb-srx22.3/jweb-srx/topics/topic-map/j-web-security-utm-web-filtering-example.html

    Or could you kindly explain how to block a website?

    Thanks.
    ------------------------------
    Tokumasa Sanada
    ------------------------------



  • 4.  RE: Allowing and blocking website on SRX300

    Posted 10 days ago

    Is the website URL that you were still able to access http:// or https:// ?

    The example is alright, but please see the notes on Step 5:
    NOTE: For an HTTPS connection, Web filtering is supported through SSL forward proxy.

    The example does not show how to set up an SSL Forward Proxy.

    Please also see this article:
    https://supportportal.juniper.net/s/article/SRX-Blocking-HTTPS-sites-using-EWF-Enhanced-Web-Filtering



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 5.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    Hi Nikolay,

    The URL is https://



    ------------------------------
    Tokumasa Sanada
    ------------------------------



  • 6.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    Nik, Tokumasa,

    SSL proxy is funny in SRX. Yes, it should be configured, but really, if you are having to configure something, it means it must modify the flow. Some older SRX do not let you install the statement list into the GUI code block. I assume SSL proxy is already present in all SRX then.

    On the other hand, I had to get an SRX with this feature and configure it.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 7.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    The request statement is how this is done.

    https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-ssl-proxy-forward-reverse-proxy.html

    But honestly, to block a port, read the other part of the posts.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 8.  RE: Allowing and blocking website on SRX300

    Posted 10 days ago

    One thing I have learned about the SRX series is that the NAT modules are very complicated but scaling is questionable.

    I have never varied in my configuration from setting each (ALL) port mapping.

    Source
    1-22
    24-65535

    MOST LIKELY also destination, but set source for sure. Don't know if dest is in the new OS.

    Start with basic configuration first. All of them (NAT statements) set this port mapping; now you can configure. Then start opening them (somehow).

    Keep in mind, completeness is the key. When I say all, I mean as many as possible. MOST. Some, weighted?

    Watch your IPv6, no pun intended.

    FExx

    Need I say?
    0-22
    24-65535



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 9.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    Hi Adrian,

    I don't really understand. Do you mean use NAT to block websites?



    ------------------------------
    Tokumasa Sanada
    ------------------------------



  • 10.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    Yes, that's what I mean.

    That, and the application statement, with ports in the application statement.

    Source NAT
    source-address
    0-22
    24-65535

    ;-)



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 11.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    I think in SRX the HTTPS and HTTP port operation are somehow linked, so perhaps it's difficult, but I don't remember if it's not recommended.

    SSL proxy is either existent or not on old SRX, not sure of new. Requires installation by CLI into the statement block.

    As you can see, as I have said in source NAT, next to source-address we need

    source-port
    0-22
    24-65535

    but last I knew the ports 80 and 443 are linked and not recommended (assuming) to block after putting this source-port statement.

    So perhaps to do this you need very specific NAT to web address, then

    0-79
    81-65535

    That should be correct.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 12.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    Trust me when I say that most NAT source ports should look like this.

    0-22
    24-65535

    Your NAT 0.0.0.0/0 statement is one for sure.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 13.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    Hi Adrian,

    So, if I want to use NAT to block www.facebook.com, could you instruct how to do it on NAT?

    Thanks.



    ------------------------------
    Tokumasa Sanada
    ------------------------------



  • 14.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    I'm sorry, I thought you meant your own website.

    Look at this to find what you are doing.

    https://supportportal.juniper.net/s/article/SRX-How-to-configure-a-custom-signature-to-block-specific-URLs-using-application-firewall-AppFW?language=en_US



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 15.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    Hi Adrian,

    Well, I have a question. If my SRX300 lost its license and no license is installed, can my SRX300 still block all websites but allow a few websites?

    Thanks.



    ------------------------------
    Tokumasa Sanada
    ------------------------------



  • 16.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    Unfortunately the custom signature example Adrian pointed to is also for plain-text http://

    That being said, the AppID can identify some pre-defined well-known websites, and I think Facebook is one of them. If your SRX is one of the older variants with a model SKU that includes JSE (not visible inside JunOS, as far as I know, but check the labels on the device), then AppID is included perpetually for free. If it's JSB, or neither JSB nor JSE, then AppID would require a separate license.

    Aside from that, again, you'll need to configure SSL forward proxy in order to see encrypted web traffic and block individual websites. Even that may require the use of the Enhanced Web Filtering, which also technically requires a license.



    ------------------------------
    Nikolay Semov
    ------------------------------
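For readers who want to see the pieces Nikolay describes in one place, the following is a constructed Junos configuration added by the editor; it is not from this thread, not from Juniper's documentation, and has not been run on the poster's device. It blocks every website except an allow-list and enables SSL forward proxy so the web filter can see the hostname of HTTPS requests. It uses the juniper-local web-filtering type, which matches only against locally defined URL patterns and does not depend on a category-server subscription, so it fits the "block all, allow a few" case asked about above. All names (ssl-fp, ssl-fp-root, allow-only, allowed-sites, allow-only-policy, web-out, the example.com and example.org hosts, the trust and untrust zones) are assumptions; check each statement against the Junos release on your SRX, since hierarchies differ between releases.

```junos
## Constructed example (editor's addition, not from this thread or from Juniper):
## block all web access except an allow-list, with SSL forward proxy so the
## filter can see HTTPS hostnames. Every name and host below is an assumption.

## --- Operational mode: create the CA the proxy will sign server certs with ---
## certificate-id, domain name and subject are placeholders.
request security pki generate-key-pair certificate-id ssl-fp-root size 2048 type rsa
request security pki local-certificate generate-self-signed certificate-id ssl-fp-root domain-name fw.example.internal subject "CN=fw.example.internal,OU=IT,O=Example" email admin@example.internal add-ca-constraint

## --- Configuration mode ---
## SSL forward proxy profile: re-sign with our CA and validate origin servers
## against the device's trusted CA bundle. ignore-server-auth-failure is left
## out on purpose, so a bad upstream certificate still surfaces as an error.
set services ssl proxy profile ssl-fp root-ca ssl-fp-root
set services ssl proxy profile ssl-fp trusted-ca all

## Allow-list: URL patterns that stay reachable (the wildcard covers subdomains).
## Decrypted HTTPS is inspected as HTTP, so http:// patterns cover both schemes.
set security utm custom-objects url-pattern allowed-sites value http://www.example.com
set security utm custom-objects url-pattern allowed-sites value http://*.example.org
set security utm custom-objects custom-url-category allowed-category value allowed-sites

## Local web filtering: default action block, the allow-list category permitted.
set security utm feature-profile web-filtering type juniper-local
set security utm feature-profile web-filtering juniper-local profile allow-only default block
set security utm feature-profile web-filtering juniper-local profile allow-only category allowed-category action permit
set security utm feature-profile web-filtering juniper-local profile allow-only custom-block-message "Site is not on the allow list"

## UTM policy that applies the profile to HTTP (including decrypted HTTPS).
set security utm utm-policy allow-only-policy web-filtering http-profile allow-only

## Security policy trust -> untrust: permit web traffic, pass it through the
## SSL proxy and then through the UTM policy, and log closed sessions.
set security policies from-zone trust to-zone untrust policy web-out match source-address any
set security policies from-zone trust to-zone untrust policy web-out match destination-address any
set security policies from-zone trust to-zone untrust policy web-out match application junos-http
set security policies from-zone trust to-zone untrust policy web-out match application junos-https
set security policies from-zone trust to-zone untrust policy web-out then permit application-services ssl-proxy profile-name ssl-fp
set security policies from-zone trust to-zone untrust policy web-out then permit application-services utm-policy allow-only-policy
set security policies from-zone trust to-zone untrust policy web-out then log session-close
commit

## --- Verification (operational mode) ---
show services ssl proxy statistics
show security utm web-filtering statistics
```

Two practical points follow from this layout. First, the generated root CA has to be installed in the trust store of every browser and operating system behind the firewall; until it is, every HTTPS site will present a certificate warning, which is exactly the behaviour that makes a missing or half-finished SSL proxy configuration look like "the filter does nothing". Second, the two show commands at the end are the quickest way to tell which half is failing: if the proxy statistics stay at zero, HTTPS sessions are not being decrypted and the web filter never sees a hostname; if the proxy counters move but web-filtering statistics do not, the UTM policy is not attached to the policy the traffic actually matches.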



  • 17.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    I must agree with Nik,

    SSL proxy and proxy forwarding are not the same.

    It would seem that performing this would now have to be done at various levels. Reminds me of the Hynix building rules I once encountered. But this was 15 years ago. Limited success.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 18.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    My current ISP is not FQDN at the SRX.

    At the Hynix building I'm guessing that their ISP was FQDN. They had a long list of URLs they set so that malicious traffic would be stopped. These days the active scan for viruses and spy/malware will do this.

    Point is, they did what you are asking, comparatively (meaning you don't have a license), but it might still be possible to limited success.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 19.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    I have other devices behind my SRXs that will do this.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 20.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    At present my ISP is not FQDN at the SRX. I do have devices behind my SRXs that will do this.

    I don't know exactly if Hynix had a full FQDN, but I assume they did. The rules were different back then and it took a team to block websites in order to mitigate malicious traffic.

    A license is much desired, but to mitigate malicious traffic nowadays you should look to completeness, and use a PC to actively eliminate viruses and malware.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 21.  RE: Allowing and blocking website on SRX300

    Posted 9 days ago

    In short, the people at the Hynix building in my IT department accomplished website blocking, but it seems that most other sites were blocked too. Perhaps erroneously.

    FQDN is vital, yet it must be set properly.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------