SRX

Hi all,

Referring to this url https://supportportal.juniper.net/s/article/SRX-DNS-address-book-entries-with-wildcard-is-not-accepted?language=en_US SRX still dont have this feature even it already 2024 like other firewall that support it such as Fortiget and Sophos. So currently i'm migrating sophos to srx and facing issue to convert  *.azurewebsites.net and *.cloudapp.net to SRX. I'm try google and not found the list url or services for that two wildcard. Appreciate if someone here has experience how to solve this issue?

Thanks

The address-book is strictly for matching the IP addresses in the packet headers. A wildcard domain matching would require you to examine the packet payload. On the SRX you can do that with Web Filtering (https://www.juniper.net/documentation/us/en/software/junos/utm/topics/concept/utm-web-filtering-overview.html) and, to a certain extent, with Application Identification (https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-application-identification-overview.html).

Hi all,

Referring to this url https://supportportal.juniper.net/s/article/SRX-DNS-address-book-entries-with-wildcard-is-not-accepted?language=en_US SRX still dont have this feature even it already 2024 like other firewall that support it such as Fortiget and Sophos. So currently i'm migrating sophos to srx and facing issue to convert  *.azurewebsites.net and *.cloudapp.net to SRX. I'm try google and not found the list url or services for that two wildcard. Appreciate if someone here has experience how to solve this issue?

Thanks

Hi Nikolay,

Let's say i dont have web filtering license. Is there any alternative i can get the list of that "*"?

Thanks

The address-book is strictly for matching the IP addresses in the packet headers. A wildcard domain matching would require you to examine the packet payload. On the SRX you can do that with Web Filtering (https://www.juniper.net/documentation/us/en/software/junos/utm/topics/concept/utm-web-filtering-overview.html) and, to a certain extent, with Application Identification (https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-application-identification-overview.html).

Hi all,

Referring to this url https://supportportal.juniper.net/s/article/SRX-DNS-address-book-entries-with-wildcard-is-not-accepted?language=en_US SRX still dont have this feature even it already 2024 like other firewall that support it such as Fortiget and Sophos. So currently i'm migrating sophos to srx and facing issue to convert  *.azurewebsites.net and *.cloudapp.net to SRX. I'm try google and not found the list url or services for that two wildcard. Appreciate if someone here has experience how to solve this issue?

Thanks

I know that Local Web Filtering doesn't require license, but I'm not familiar enough with it to tell if it can do the wildcard.

Hi Nikolay,

Let's say i dont have web filtering license. Is there any alternative i can get the list of that "*"?

Thanks

The address-book is strictly for matching the IP addresses in the packet headers. A wildcard domain matching would require you to examine the packet payload. On the SRX you can do that with Web Filtering (https://www.juniper.net/documentation/us/en/software/junos/utm/topics/concept/utm-web-filtering-overview.html) and, to a certain extent, with Application Identification (https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-application-identification-overview.html).

Hi all,

Referring to this url https://supportportal.juniper.net/s/article/SRX-DNS-address-book-entries-with-wildcard-is-not-accepted?language=en_US SRX still dont have this feature even it already 2024 like other firewall that support it such as Fortiget and Sophos. So currently i'm migrating sophos to srx and facing issue to convert  *.azurewebsites.net and *.cloudapp.net to SRX. I'm try google and not found the list url or services for that two wildcard. Appreciate if someone here has experience how to solve this issue?

Thanks

Starting in Junos OS Release 15.1X49-D110, the "* " in a wildcard syntax, used for URL pattern Web filtering profile, matches all subdomains. For example, *.example.net matches:

• http://a.example.net

• http://example.net

• aaa.example.net

Reference: https://www.juniper.net/documentation/us/en/software/junos/utm/topics/topic-map/security-utm-local-web-filtering.html

I know that Local Web Filtering doesn't require license, but I'm not familiar enough with it to tell if it can do the wildcard.

Hi Nikolay,

Let's say i dont have web filtering license. Is there any alternative i can get the list of that "*"?

Thanks

The address-book is strictly for matching the IP addresses in the packet headers. A wildcard domain matching would require you to examine the packet payload. On the SRX you can do that with Web Filtering (https://www.juniper.net/documentation/us/en/software/junos/utm/topics/concept/utm-web-filtering-overview.html) and, to a certain extent, with Application Identification (https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-application-identification-overview.html).

Hi all,

Referring to this url https://supportportal.juniper.net/s/article/SRX-DNS-address-book-entries-with-wildcard-is-not-accepted?language=en_US SRX still dont have this feature even it already 2024 like other firewall that support it such as Fortiget and Sophos. So currently i'm migrating sophos to srx and facing issue to convert  *.azurewebsites.net and *.cloudapp.net to SRX. I'm try google and not found the list url or services for that two wildcard. Appreciate if someone here has experience how to solve this issue?

Thanks

Starting in Junos OS Release 15.1X49-D110, the "* " in a wildcard syntax, used for URL pattern Web filtering profile, matches all subdomains. For example, *.example.net matches:

• http://a.example.net

• http://example.net

• aaa.example.net

Reference: https://www.juniper.net/documentation/us/en/software/junos/utm/topics/topic-map/security-utm-local-web-filtering.html

I know that Local Web Filtering doesn't require license, but I'm not familiar enough with it to tell if it can do the wildcard.

Hi Nikolay,

Let's say i dont have web filtering license. Is there any alternative i can get the list of that "*"?

Thanks

The address-book is strictly for matching the IP addresses in the packet headers. A wildcard domain matching would require you to examine the packet payload. On the SRX you can do that with Web Filtering (https://www.juniper.net/documentation/us/en/software/junos/utm/topics/concept/utm-web-filtering-overview.html) and, to a certain extent, with Application Identification (https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-application-identification-overview.html).

Hi all,

Referring to this url https://supportportal.juniper.net/s/article/SRX-DNS-address-book-entries-with-wildcard-is-not-accepted?language=en_US SRX still dont have this feature even it already 2024 like other firewall that support it such as Fortiget and Sophos. So currently i'm migrating sophos to srx and facing issue to convert  *.azurewebsites.net and *.cloudapp.net to SRX. I'm try google and not found the list url or services for that two wildcard. Appreciate if someone here has experience how to solve this issue?

Thanks

Starting in Junos OS Release 15.1X49-D110, the "* " in a wildcard syntax, used for URL pattern Web filtering profile, matches all subdomains. For example, *.example.net matches:

• http://a.example.net

• http://example.net

• aaa.example.net

Reference: https://www.juniper.net/documentation/us/en/software/junos/utm/topics/topic-map/security-utm-local-web-filtering.html

I know that Local Web Filtering doesn't require license, but I'm not familiar enough with it to tell if it can do the wildcard.

Hi Nikolay,

Let's say i dont have web filtering license. Is there any alternative i can get the list of that "*"?

Thanks

The address-book is strictly for matching the IP addresses in the packet headers. A wildcard domain matching would require you to examine the packet payload. On the SRX you can do that with Web Filtering (https://www.juniper.net/documentation/us/en/software/junos/utm/topics/concept/utm-web-filtering-overview.html) and, to a certain extent, with Application Identification (https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-application-identification-overview.html).

Hi all,

Referring to this url https://supportportal.juniper.net/s/article/SRX-DNS-address-book-entries-with-wildcard-is-not-accepted?language=en_US SRX still dont have this feature even it already 2024 like other firewall that support it such as Fortiget and Sophos. So currently i'm migrating sophos to srx and facing issue to convert  *.azurewebsites.net and *.cloudapp.net to SRX. I'm try google and not found the list url or services for that two wildcard. Appreciate if someone here has experience how to solve this issue?

Thanks

Hi All,

Is the config below is correct? The objective was from source-address is "*.azurewebsite.net". Appreciate any advise.

[edit]
root@JSRX1600# run show configuration security utm | display set 
set security utm custom-objects url-pattern urllist1 value http://*.azurewebsites.net
set security utm custom-objects url-pattern urllist2 value http://*.cloudapp.net
set security utm custom-objects url-pattern urllist3 value https://*.azurewebsites.net
set security utm custom-objects url-pattern urllist4 value https://*.cloudapp.net
set security utm custom-objects custom-url-category cust-permit-list value urllist1
set security utm custom-objects custom-url-category cust-permit-list value urllist2
set security utm custom-objects custom-url-category cust-permit-list value urllist3
set security utm custom-objects custom-url-category cust-permit-list value urllist4
set security utm feature-profile web-filtering juniper-local profile localprofile1 default block
set security utm feature-profile web-filtering juniper-local profile localprofile1 category cust-permit-list action log-and-permit
set security utm utm-policy utmp5 web-filtering http-profile localprofile1

set security policies from-zone WAN to-zone LAN policy PERMIT-AZURE match source-address any
set security policies from-zone WAN to-zone LAN policy PERMIT-AZURE match destination-address any
set security policies from-zone WAN to-zone LAN policy PERMIT-AZURE match application any
set security policies from-zone WAN to-zone LAN policy PERMIT-AZURE then permit application-services utm-policy utmp5

Starting in Junos OS Release 15.1X49-D110, the "* " in a wildcard syntax, used for URL pattern Web filtering profile, matches all subdomains. For example, *.example.net matches:

• http://a.example.net

• http://example.net

• aaa.example.net

Reference: https://www.juniper.net/documentation/us/en/software/junos/utm/topics/topic-map/security-utm-local-web-filtering.html

I know that Local Web Filtering doesn't require license, but I'm not familiar enough with it to tell if it can do the wildcard.

Hi Nikolay,

Let's say i dont have web filtering license. Is there any alternative i can get the list of that "*"?

Thanks

The address-book is strictly for matching the IP addresses in the packet headers. A wildcard domain matching would require you to examine the packet payload. On the SRX you can do that with Web Filtering (https://www.juniper.net/documentation/us/en/software/junos/utm/topics/concept/utm-web-filtering-overview.html) and, to a certain extent, with Application Identification (https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-application-identification-overview.html).

Hi all,

Referring to this url https://supportportal.juniper.net/s/article/SRX-DNS-address-book-entries-with-wildcard-is-not-accepted?language=en_US SRX still dont have this feature even it already 2024 like other firewall that support it such as Fortiget and Sophos. So currently i'm migrating sophos to srx and facing issue to convert  *.azurewebsites.net and *.cloudapp.net to SRX. I'm try google and not found the list url or services for that two wildcard. Appreciate if someone here has experience how to solve this issue?

Thanks