Topic: How do I block access to websites

[good]

Hi all

i have ssg-140 ( firmware version 6.1.0r2.0) juniper
i want to make blok youtube and facebook for my users
can you help me? How do I block access to websites?
thanks..

[screenie.]

easiest way:

Configure the firewall to use the same dns server your hosts are using. (network dns in gui). Then you configure a policy from trust to untrust:
for source and service you select any. For destination the FQDN name of the webs you want to block. Action you set on reject. Select the postion on top checkbox and it should work.

[good]

please, can you give me a picture about it? i am using a ssg-140

[good]

or video for it

[screenie.]

Please read this doc to find the needed info: http://www.juniper.net/techpubs/software/screenos/screenos6.1.0/ce_v1.pdf may the next chapter from this site as well. I don't mind helping of course, but I don't have the time to rewrite manuals, I'm sorry.

[balagvasi]

Screenie...!

There is every possibility that a user can query a third party or another public dns server (apart from the one that the LAN and the Firewall is using) and get the IPs for those websites. Those resolved IPs wil be different from the ones that have been resolved by the local dns. And the user(s) may go ahead in accessing the sites with these new IPs. Better to query the root name servers and get the max possibl IPs for those domains that are to be blocked. Again this is not a complete solution.

[screenie.]

You're right about that, but you can solve this, we don't let our users foll arounf with us do we?


Solutions: configure the firewall as dns proxy, using the same upstream dns you use for the firewall self. Block transit dns in policy.

Better: configure an internall host as dns (caching) server. Allow only this host to contact upstream dns servers. Configure the firewall to use this dns server.

In both cases you're sure the same adress for host with multiple adresses is used.

It realy works: I've got a 5gt at home and use this to block certain sites during "homework hours" for my kids (using schedule in policy). They hate having a dad how knows what's out there on the internet and how to block it.... 

[him007]

Hi balagvasi / Screenie,

Thanks for update, but I'm getting the problem to configure the same...

Pls help me out how to do step/step.

I am using NS500.

him007

[him007]

Any Update?

[chobbney]

I'm also trying to do this. Here is what I have done but it doesn't work.



Am I doing it right? (I do not have the annual security package that includes full web filtering)

I contacted Juniper support, but the guy was useless and was clearly guessing his way round the issue. In the end he said it wasn't possible. Something I find very difficult to believe.

[screenie.]

You don't have to use webfiltering, your filtering on a resoved IP address. It looks ok, as long as your using the same dns server as your users and defined rrr.com in the addressbook to do FQDN resolving. Furthermore this rule must be hit before an accept. It cannot be it doesn't work. It's so basic functionality! Just a firewall rulke....

[chobbney]

The Network > DNS > Host addresses are the 2 external DNS servers we use. The client PCs use the Juniper's DHCP settings which are:
DNS#1: The local IP of the Server
DNS#2: The local IP of the Juniper
DNS#3: The first external IP address

I found that until I did this I was getting DNS errors on the network, like printers not being found and paths to network shares not working. Should I change the Network > DNS > Host details to the same as the DHCP DNS?

I turned off Web Filtering but it still doesn't work.

What do you mean by 'Furthermore this rule must be hit before an accept.'

Thanks for the help...

[chobbney]

I just had Juniper support back on. They have resolved the problem. Apparently there are ways that users can get round it, but they're beyond most people's IT skills.

I hope this information helps...

a) Create an Address Group called Blockedsites (or whatever).
b) Create a Policy like this:


Then for each website you want to block just do the following. No need to repeat the above steps.

1.   BLOCK THE PURE DOMAIN NAME
2.   Go to Policy > Policy Elements > Addresses > List
3.   The drop-down should be Untrust, then click New.
4.   Address Name – name the address the same as the domain name (e.g aaa.com)
5.   Click Domain Name and enter the full domain (e.g www.aaa.com)
6.   OK this.

7.   BLOCK ANY SUB-DOMAIN
8.   Back in Policy > Policy Elements > Addresses > List , the drop-down should be Untrust, then click New.
9.   Address Name – name the address the same as the domain name but with an asterisk (e.g aaa.com *)
10.   Click Domain Name and enter the domain with an asterisk before it(e.g *.aaa.com)
11.   OK this.

12.   BLOCK ANY SUB-FOLDERS
13.   Back in Policy > Policy Elements > Addresses > List , the drop-down should be Untrust, then click New.
14.   Address Name – name the address the same as the domain name but with two asterisks (e.g aaa.com **)
15.   Click Domain Name and enter the full domain with a forward slash and an asterisk after it(e.g  www.aaa.com/*)
16.   OK this.

17.   BLOCK THE IP ADDRESSES
18.   Open a Command Prompt and enter (for example) ping aaa.com
19.   Back in Policy > Policy Elements > Addresses > List , the drop-down should be Untrust, then click New.
20.   Address Name – name the address the same as the domain name then add ‘IP’ to differentiate it from the other address(e.g aaa.com IP)
21.   Click IP Address/Netmask (wildcard mask) and enter the IP address from the ping, with a 32 after the slash.
22.   OK this.
23.   Repeat for each IP you receive.

24.   Go to Policy > Policy Elements > Addresses > Groups and Edit the Blockedsites Group.
25.   On the right, multiple-click the new Addresses and click the << button to add them to the Group to be blocked (on the left).
26.   Click OK.

27.   

[tahirali]

Hi tahir

i have ssg-140 ( firmware version 6.1.0r2.0) juniper
i want to make blok youtube and facebook for my users
can you help me? How do I block access to websites?
thanks..