Block websites or applications using SRx Firewall
Hi everyone, today we are going to discuss how to block websites or applications on a Juniper SRX firewall. This is topical right now, since many officials' social media accounts have been hacked.
Some websites are not easy to block with the web filter because they use changing signatures and dynamic IPs, but we can block them through the Application Firewall, which matches on the application itself rather than on its addresses.
This example uses the following zone and interface configuration.
The client system is connected to the ge-0/0/0.0 interface with IP address 4.0.0.254/24. It is part of the trust zone.
The server system is connected to the ge-0/0/1.0 interface with IP address 5.0.0.254/24. It is part of the untrust zone.
• Configuration
》CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security dynamic-application profile profile1 redirect-message type custom-text content "THIS APPLICATION IS BLOCKED"
set security policies from-zone trust to-zone untrust policy policy-1 match source-address any
set security policies from-zone trust to-zone untrust policy policy-1 match destination-address any
set security policies from-zone trust to-zone untrust policy policy-1 match application any
set security policies from-zone trust to-zone untrust policy policy-1 match dynamic-application junos:TWITTER-ACCESS
set security policies from-zone trust to-zone untrust policy policy-1 match dynamic-application junos:FACEBOOK-ACCESS
set security policies from-zone trust to-zone untrust policy policy-1 then reject profile profile1
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family inet address 4.0.0.254/24
set interfaces ge-0/0/1 unit 0 family inet address 5.0.0.254/24
• To configure a unified policy using dynamic applications:
》Configure security zones and interfaces.
[edit]
user@host# set security zones security-zone trust host-inbound-traffic system-services all
user@host# set security zones security-zone trust interfaces ge-0/0/0.0
user@host# set security zones security-zone untrust host-inbound-traffic system-services all
user@host# set security zones security-zone untrust interfaces ge-0/0/1.0
user@host# set interfaces ge-0/0/0 unit 0 family inet address 4.0.0.254/24
user@host# set interfaces ge-0/0/1 unit 0 family inet address 5.0.0.254/24
》Create a redirect profile that holds the message shown to the user when a blocked application is rejected.
[edit]
user@host# set security dynamic-application profile profile1 redirect-message type custom-text content "THIS APPLICATION IS BLOCKED"
》Create a security policy with a dynamic application as the match criteria.
[edit]
user@host# set security policies from-zone trust to-zone untrust policy policy-1 match source-address any
user@host# set security policies from-zone trust to-zone untrust policy policy-1 match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy policy-1 match application any
user@host# set security policies from-zone trust to-zone untrust policy policy-1 match dynamic-application junos:TWITTER-ACCESS
user@host# set security policies from-zone trust to-zone untrust policy policy-1 match dynamic-application junos:FACEBOOK-ACCESS
user@host# set security policies from-zone trust to-zone untrust policy policy-1 then reject profile profile1
》Create a default policy to permit the remaining traffic.
[edit]
user@host# set security policies default-policy permit-all
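Before committing, it is worth checking the set commands as a whole: that every policy which names a dynamic application actually blocks it, that the redirect profile it points at exists, that the zones it references are defined, and that the default-policy permit-all at the end is a deliberate choice. The script below is an added example written for this post, not Juniper code or something from the SRX itself; it parses the set-format commands from this example (embedded as constructed sample input) and reports those findings. The line format it expects is the one shown above; the policy fields and the checks are my own.

```python
"""Audit Junos set-format configuration for an application-blocking policy.

Added example: parses 'set security ...' lines like those in this post and
checks that dynamic-application matches really block, that referenced
redirect profiles and zones exist, and whether the default policy permits.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the set commands from the SRX example above.
SAMPLE_CONFIG = """
set security dynamic-application profile profile1 redirect-message type custom-text content "THIS APPLICATION IS BLOCKED"
set security policies from-zone trust to-zone untrust policy policy-1 match source-address any
set security policies from-zone trust to-zone untrust policy policy-1 match destination-address any
set security policies from-zone trust to-zone untrust policy policy-1 match application any
set security policies from-zone trust to-zone untrust policy policy-1 match dynamic-application junos:TWITTER-ACCESS
set security policies from-zone trust to-zone untrust policy policy-1 match dynamic-application junos:FACEBOOK-ACCESS
set security policies from-zone trust to-zone untrust policy policy-1 then reject profile profile1
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/1.0
"""

# Constructed broken variant: the policy permits instead of rejecting, and
# the untrust zone has been renamed so the policy references an undefined zone.
BROKEN_CONFIG = (
    SAMPLE_CONFIG.replace("then reject profile profile1", "then permit")
    .replace("security-zone untrust", "security-zone dmz")
)

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.*)$"
)


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    name: str
    dynamic_apps: List[str] = field(default_factory=list)
    action: Optional[str] = None   # permit / deny / reject
    profile: Optional[str] = None  # redirect profile named after 'reject'


def parse_policies(config: str) -> Dict[str, Policy]:
    """Collect match criteria and action per policy, in the order the lines appear."""
    policies: Dict[str, Policy] = {}
    for line in config.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # zones, profiles and default-policy are handled elsewhere
        frm, to, name, clause, rest = m.groups()
        key = f"{frm}->{to}:{name}"
        pol = policies.setdefault(key, Policy(frm, to, name))
        words = rest.split()
        if clause == "match" and words[0] == "dynamic-application":
            pol.dynamic_apps.append(words[1])
        elif clause == "then":
            pol.action = words[0]
            if "profile" in words:
                pol.profile = words[words.index("profile") + 1]
    return policies


def blocked_apps(config: str) -> set:
    """Dynamic applications that some deny/reject policy matches on."""
    return {
        app
        for pol in parse_policies(config).values()
        if pol.action in ("deny", "reject")
        for app in pol.dynamic_apps
    }


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []
    profiles = set(re.findall(r"^set security dynamic-application profile (\S+)", config, re.M))
    zones = set(re.findall(r"^set security zones security-zone (\S+)", config, re.M))
    for key, pol in parse_policies(config).items():
        if pol.dynamic_apps and pol.action not in ("deny", "reject"):
            findings.append(f"{key}: matches {pol.dynamic_apps} but action is {pol.action!r}, not a block")
        if pol.profile and pol.profile not in profiles:
            findings.append(f"{key}: references undefined redirect profile {pol.profile!r}")
        for zone in (pol.from_zone, pol.to_zone):
            if zone not in zones:
                findings.append(f"{key}: zone {zone!r} is not defined")
    if "set security policies default-policy permit-all" in config:
        findings.append("default-policy permit-all: traffic not matched by policy-1 is allowed; confirm this is intended")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"[{label}] blocked: {sorted(blocked_apps(cfg))}")
        for finding in audit(cfg):
            print(f"[{label}] {finding}")
```

On the post's own configuration the only finding is the default-policy permit-all note, which is expected here because the example deliberately lets everything else through; on the broken variant the audit reports the permit action and the missing zone as well. Keep in mind that the junos:TWITTER-ACCESS and junos:FACEBOOK-ACCESS names only resolve on the SRX when the application identification signature package is installed, so a clean audit of the text is not the same as a working block on the box.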
• Result:
From configuration mode, confirm your configuration by entering the show security and show interfaces commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security
dynamic-application {
    profile profile1 {
        redirect-message {
            type {
                custom-text {
                    content "THIS APPLICATION IS BLOCKED";
                }
            }
        }
    }
}
policies {
    from-zone trust to-zone untrust {
        policy policy-1 {
            match {
                source-address any;
                destination-address any;
                application any;
                dynamic-application [ junos:TWITTER-ACCESS junos:FACEBOOK-ACCESS ];
            }
            then {
                reject {
                    profile profile1;
                }
            }
        }
    }
    default-policy {
        permit-all;
    }
}
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
}
[edit]
user@host# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 4.0.0.254/24;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 5.0.0.254/24;
        }
    }
}
fxp0 {
    unit 0 {
        family inet {
            address 10.102.70.185/24;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Then open a browser on the client and try to reach one of the blocked applications to check whether it is blocked; the custom redirect message should be displayed instead of the site.
Stay tuned for more Juniper concepts and day-to-day networking topics.