SRX

 View Only
last person joined: 4 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Wildcard fqdn not support in address-book?

    Posted 05-07-2024 10:07

    Hi all,

    Referring to this url https://supportportal.juniper.net/s/article/SRX-DNS-address-book-entries-with-wildcard-is-not-accepted?language=en_US SRX still dont have this feature even it already 2024 like other firewall that support it such as Fortiget and Sophos. So currently i'm migrating sophos to srx and facing issue to convert  *.azurewebsites.net and *.cloudapp.net to SRX. I'm try google and not found the list url or services for that two wildcard. Appreciate if someone here has experience how to solve this issue?

    Thanks



  • 2.  RE: Wildcard fqdn not support in address-book?

    Posted 05-07-2024 11:06

    The address-book is strictly for matching the IP addresses in the packet headers. A wildcard domain matching would require you to examine the packet payload. On the SRX you can do that with Web Filtering (https://www.juniper.net/documentation/us/en/software/junos/utm/topics/concept/utm-web-filtering-overview.html) and, to a certain extent, with Application Identification (https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-application-identification-overview.html).



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: Wildcard fqdn not support in address-book?

    Posted 05-07-2024 11:52

    Hi Nikolay,

    Let's say i dont have web filtering license. Is there any alternative i can get the list of that "*"?

    Thanks




  • 4.  RE: Wildcard fqdn not support in address-book?

    Posted 05-07-2024 12:08

    I know that Local Web Filtering doesn't require license, but I'm not familiar enough with it to tell if it can do the wildcard.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 5.  RE: Wildcard fqdn not support in address-book?

     
    Posted 05-07-2024 16:21

    Starting in Junos OS Release 15.1X49-D110, the "* " in a wildcard syntax, used for URL pattern Web filtering profile, matches all subdomains. For example, *.example.net matches:

    • http://a.example.net

    • http://example.net

    • aaa.example.net

    Reference: https://www.juniper.net/documentation/us/en/software/junos/utm/topics/topic-map/security-utm-local-web-filtering.html



    ------------------------------
    Andy Sharp
    ------------------------------



  • 6.  RE: Wildcard fqdn not support in address-book?

    Posted 05-07-2024 21:12

    Hi @asharp,

    If i see url that u shared it's still need list of domain need to be put in the UTM custom-objects url-pattern. 

    Or i miss understood it.

    Thanks and appreciate your feedback




  • 7.  RE: Wildcard fqdn not support in address-book?

    Posted 05-07-2024 21:36

    Hi @asharp,

    If i dont have list of web site that dont need to block then i just made cust-permit-list only right? If the url not in the list is it will by default block?

    set security utm feature-profile web-filtering juniper-local profile localprofile1 category cust-permit-list action log-and-permit 
    set security utm feature-profile web-filtering juniper-local profile localprofile1 default log-and-permit 
    set security utm feature-profile web-filtering juniper-local profile localprofile1 fallback-settings default block  
    set security utm feature-profile web-filtering juniper-local profile localprofile1 fallback-settings too-many-requests block 

    Thanks




  • 8.  RE: Wildcard fqdn not support in address-book?

    Posted 05-07-2024 22:19

    Hi All,

    Is the config below is correct? The objective was from source-address is "*.azurewebsite.net". Appreciate any advise.

    [edit]
    root@JSRX1600# run show configuration security utm | display set 
    set security utm custom-objects url-pattern urllist1 value http://*.azurewebsites.net
    set security utm custom-objects url-pattern urllist2 value http://*.cloudapp.net
    set security utm custom-objects url-pattern urllist3 value https://*.azurewebsites.net
    set security utm custom-objects url-pattern urllist4 value https://*.cloudapp.net
    set security utm custom-objects custom-url-category cust-permit-list value urllist1
    set security utm custom-objects custom-url-category cust-permit-list value urllist2
    set security utm custom-objects custom-url-category cust-permit-list value urllist3
    set security utm custom-objects custom-url-category cust-permit-list value urllist4
    set security utm feature-profile web-filtering juniper-local profile localprofile1 default block
    set security utm feature-profile web-filtering juniper-local profile localprofile1 category cust-permit-list action log-and-permit
    set security utm utm-policy utmp5 web-filtering http-profile localprofile1

    set security policies from-zone WAN to-zone LAN policy PERMIT-AZURE match source-address any
    set security policies from-zone WAN to-zone LAN policy PERMIT-AZURE match destination-address any
    set security policies from-zone WAN to-zone LAN policy PERMIT-AZURE match application any
    set security policies from-zone WAN to-zone LAN policy PERMIT-AZURE then permit application-services utm-policy utmp5




  • 9.  RE: Wildcard fqdn not support in address-book?

    Posted 05-07-2024 23:40

    Hi all,

    Another alternative i think need to use SecIntel feature so it will have all list ip address from Azure.

    Thanks