Blocking Sites via FQDN in SRX

In this example we walk through the configuration for blocking two sites by FQDN, youtube and facebook.

  • First we need to configure global DNS servers so that the SRX can resolve the FQDNs used in the address book:

set system name-server 1.1.1.1
set system name-server 2.2.2.2

  • Configure address-book entries in the untrust zone by DNS name:

set security zones security-zone Untrust address-book address facebook dns-name facebook.com
set security zones security-zone Untrust address-book address youtube dns-name youtube.com ipv4-only
set security zones security-zone Untrust address-book address facebook_2 dns-name www.facebook.com
set security zones security-zone Untrust address-book address youtube_2 dns-name www.youtube.com

  • Assign the address-book entries to an address-set:

set security zones security-zone Untrust address-book address-set deny-websites address facebook
set security zones security-zone Untrust address-book address-set deny-websites address youtube
set security zones security-zone Untrust address-book address-set deny-websites address facebook_2
set security zones security-zone Untrust address-book address-set deny-websites address youtube_2

  • Deny policy from the trust zone to the untrust zone, matching the address-set as destination:

set security policies from-zone Trust to-zone Untrust policy block-facebook match source-address any
set security policies from-zone Trust to-zone Untrust policy block-facebook match destination-address deny-websites
set security policies from-zone Trust to-zone Untrust policy block-facebook match application any
set security policies from-zone Trust to-zone Untrust policy block-facebook then deny

** Please note: if you already have a permit-all policy (here named permitall), insert the FQDN blocking policy before it so that it is evaluated first:

insert security policies from-zone Trust to-zone Untrust policy block-facebook before policy permitall

  • And of course, don't forget to commit:

commit

Verifying (check that the action-type matches the configured action and that each dns-name entry has resolved to at least one address, since an unresolved entry matches nothing):

show security policies policy-name block-facebook detail
Policy: block-facebook, action-type: permit, State: enabled, Index: 11, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: Trust, To zone: Untrust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
youtube_2: 212.179.154.242/32
youtube_2: 212.179.154.237/32
youtube_2: 212.179.154.217/32
youtube_2: 212.179.154.251/32
youtube_2: 212.179.154.212/32
youtube_2: 212.179.154.236/32
youtube_2: 212.179.154.246/32
youtube_2: 212.179.154.216/32
youtube_2: 212.179.154.241/32
youtube_2: 212.179.154.247/32
youtube_2: 212.179.154.221/32
youtube_2: 212.179.154.227/32
youtube_2: 212.179.154.226/32
youtube_2: 212.179.154.231/32
youtube_2: 212.179.154.232/32
youtube_2: 212.179.154.222/32
facebook_2: 31.13.93.209/32
facebook: 173.252.120.6/32
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
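As an added example (not part of the original post), a small Python checker that parses this `show security policies ... detail` output and compares the prefixes the SRX cached for each dns-name entry against a fresh resolution. FQDN-based blocking only covers the addresses the firewall itself resolved, so a client that resolves the same name to other CDN addresses is not matched; the sample output, the `CONFIGURED` mapping and the `FAKE_DNS` answers are constructed for this example.

```python
import re

# Constructed excerpt of 'show security policies policy-name ... detail' output in the
# layout shown above; the entry names follow the post, the prefixes are made up.
SAMPLE_OUTPUT = """\
Policy: block-facebook, action-type: deny, State: enabled, Index: 11, Scope Policy: 0
Source addresses:
any-ipv4(global): 0.0.0.0/0
Destination addresses:
youtube_2: 192.0.2.10/32
youtube_2: 192.0.2.11/32
facebook: 198.51.100.6/32
Application: any
"""
# Address-book name -> dns-name as configured on the SRX (youtube deliberately unresolved).
CONFIGURED = {"youtube_2": "www.youtube.com", "facebook": "facebook.com", "youtube": "youtube.com"}
# Constructed DNS answers standing in for what a client's resolver returns right now.
FAKE_DNS = {"www.youtube.com": ["192.0.2.10", "192.0.2.12"], "facebook.com": ["198.51.100.6"]}

def parse_policy_detail(text):
    """Return (action-type, {destination entry: set of prefixes}) from the detail output."""
    action, dests, in_dst = None, {}, False
    for line in text.splitlines():
        m = re.match(r"Policy: \S+, action-type: (\w+)", line)
        if m:
            action = m.group(1)
        elif line.startswith("Destination addresses:"):
            in_dst = True
        elif (m := re.match(r"(\S+?): (\S+/\d+)$", line)) and in_dst:
            dests.setdefault(m.group(1), set()).add(m.group(2))
        elif not m:
            in_dst = False  # any non-address line ends the destination list
    return action, dests

def check_drift(configured, resolve, dests):
    """Compare the prefixes the SRX cached per dns-name entry with a fresh resolution.
    IPs a client gets now that the firewall never resolved are not matched by the deny."""
    report = {}
    for name, fqdn in configured.items():
        cached = {p.split("/")[0] for p in dests.get(name, set())}
        fresh = set(resolve(fqdn))
        report[name] = {"unresolved_on_firewall": not cached,
                        "not_covered": sorted(fresh - cached), "stale": sorted(cached - fresh)}
    return report

if __name__ == "__main__":
    action, dests = parse_policy_detail(SAMPLE_OUTPUT)
    print("action-type:", action, check_drift(CONFIGURED, lambda h: FAKE_DNS.get(h, []), dests))
```

On a live box, feed the real `show` output in and replace the lambda with a resolver that queries the same DNS servers your clients use; any non-empty `not_covered` list means the block has a gap.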

Good Luck 🙂

Shared by: Abed AL-R. Bishara
