Friday, February 21, 2014

Juniper MX / M series: URL blocking for HTTP traffic without a web-filtering license


Steps for URL blocking of HTTP traffic without a web-filtering license. The commands below belong to the Junos `security utm` hierarchy (the SRX-series UTM feature set) and use local web filtering, which matches only against locally configured URL lists, so none of the licensed integrated or redirect web-filtering types is needed:


1.     Create URL pattern objects (here: youtube-block, url, Fb1). A pattern object may hold several URL values.


set security utm custom-objects url-pattern youtube-block value "http://www.youtube.com/watch?v=n3sYq4Y9hIQ"
set security utm custom-objects url-pattern url value "http://www.youtube.com/watch?v=LX0Ced3G5eg"
set security utm custom-objects url-pattern Fb1 value "http://www.facebook.com/rajesh.achari.75?sk=wall"
set security utm custom-objects url-pattern Fb1 value "http://www.facebook.com/king.rajesh.921"
set security utm custom-objects url-pattern Fb1 value "https://www.facebook.com/king.rajesh.921?fref=ts"
set security utm custom-objects url-pattern Fb1 value "http://www.facebook.com/jaihomullichodbaba?ref=profile"
set security utm custom-objects url-pattern Fb1 value "http://www.facebook.com/manoj.kaushal.7121?fref=ts"

Two caveats. First, these are literal URL matches: a request for the same video or profile through a different host or path (for example m.youtube.com, or the profile URL without the query string) does not match and is not blocked. Second, the https:// entry in the Fb1 list cannot be matched by HTTP web filtering, because the URL inside a TLS session is not visible to the firewall; it only takes effect with SSL forward proxy, which is outside the scope of this setup. Quote any value that contains characters such as ? or = so the CLI does not parse them.

2.       Add the URL pattern objects (youtube-block, url, Fb1) to a custom URL category (youtube-block-custom)

set security utm custom-objects custom-url-category youtube-block-custom value youtube-block
set security utm custom-objects custom-url-category youtube-block-custom value url
set security utm custom-objects custom-url-category youtube-block-custom value Fb1

3.       Reference the youtube-block-custom category as the web-filtering blacklist:

set security utm feature-profile web-filtering url-blacklist youtube-block-custom


4.       Set the web-filtering type to juniper-local. Local web filtering checks each HTTP URL only against the locally configured blacklist and whitelist categories, so it needs no web-filtering license and no external category server.

set security utm feature-profile web-filtering type juniper-local

5.       Create a UTM policy (here: web-block) that attaches the predefined local web-filtering profile junos-wf-local-default to HTTP. The traffic-options line sets what happens when a client exceeds the per-client session limit (log and permit rather than drop).

set security utm utm-policy web-block web-filtering http-profile junos-wf-local-default
set security utm utm-policy web-block traffic-options sessions-per-client over-limit log-and-permit


6.       Apply the UTM policy in a security policy (here matched on source-address 203.129.209.9). Filtering only happens on sessions that hit this policy, so the permit action carries the UTM policy as an application service:

set security policies from-zone Trust-Customer-LAN to-zone Untrust-WAN policy test-policy match source-address 203.129.209.9
set security policies from-zone Trust-Customer-LAN to-zone Untrust-WAN policy test-policy match destination-address any
set security policies from-zone Trust-Customer-LAN to-zone Untrust-WAN policy test-policy match application any
set security policies from-zone Trust-Customer-LAN to-zone Untrust-WAN policy test-policy then permit application-services utm-policy web-block
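The steps above end before the commit and give no way to confirm the filter actually fires. The following is an added verification sequence, not part of the original post; it assumes the zone, policy and object names used above, that 203.129.209.9 is the test client, and that the predefined profile lives in the junos-defaults configuration group (an assumption to verify on your release).

```junos
# Added example: commit and verify local web filtering (not from the original post).
commit check
commit

# Type should read juniper-local; the licensed types would also show server state here.
show security utm web-filtering status

# Blacklist hit counters increment when the client fetches a listed http:// URL.
# Clear them first so a test run starts from zero.
clear security utm web-filtering statistics
show security utm web-filtering statistics

# Confirm the policy matches the client and carries utm-policy web-block.
show security policies policy-name test-policy detail

# The predefined profile and its default/fallback actions (assumed location: junos-defaults group).
show configuration groups junos-defaults security utm feature-profile web-filtering junos-wf-local-default
```

To exercise it, fetch one of the listed http:// URLs from 203.129.209.9 (for example with curl -I against the exact URL) and re-run the statistics command: the blocked counter should increase for that request, while a fetch of the https:// Facebook entry passes untouched, as noted above.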
