Security

 View Only
last person joined: 3 days ago 

Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  Could SRX block http/https file upload

    Posted 02-23-2023 02:10

    Hi! Experts

    Sorry for disturbing, Is there any method to configure SRX block http/https file upload, Thanks for your help
    --
    BR!


  • 2.  RE: Could SRX block http/https file upload

    Posted 08-12-2023 04:08

    Hello Chenjiang,

    You may look at IDP's custom attack definition to create an attack vector like HTTP/HTTPS file download.

    Take a look at the following link:

    https://www.juniper.net/documentation/us/en/software/junos/idp-policy/topics/topic-map/security-custom-attack-web-protocols.html

    Hope this helps.

    Thanks!




  • 3.  RE: Could SRX block http/https file upload

    Posted 08-16-2023 13:52

    Hi Chenjiang,

        There is a couple of ways to configure the SRX to do the necessary blocking file uploads.  

    NOTE: For HTTPS you will need to use SSL proxy to offload the traffic to analyze the traffic for any files being uploaded and block them.

    Here are your options.

    1. Content Security - There is no license requirement for using this feature on SRX and you can block the files being downloaded or uploaded.

             https://www.juniper.net/documentation/us/en/software/junos/utm/topics/topic-map/security-utm-content-filtering.html

            2. Use IDP to create a custom attack signature to identify and block specific file type downloads, "TheDisciple" user provided the link to create custom signatures.

    Here is an example for custom IDP signature to block exe files.

    set security idp custom-attack BLOCK-EXE recommended-action ignore
    set security idp custom-attack BLOCK-EXE severity major
    set security idp custom-attack BLOCK-EXE time-binding count 1
    set security idp custom-attack BLOCK-EXE attack-type signature protocol-binding application HTTP
    set security idp custom-attack BLOCK-EXE attack-type signature context http-url-parsed
    set security idp custom-attack BLOCK-EXE attack-type signature pattern ".*\.\[exe\]"
    set security idp custom-attack BLOCK-EXE attack-type signature direction client-to-server

    In the above signature, change the direction to check for files being downloaded or uploaded for taking necessary action. 

    NOTE: Reterating again, SSL proxy is required to offload HTTPS traffic to analyze and block files either uploads or downloads.  Also, the above is just a signature, you will need to ensure this signature is included on a IDP rule and inturn called on a firewall policy for this to be effective.



    ------------------------------
    Pradeep Hattiangadi
    ------------------------------