ScreenOS Firewalls (NOT SRX)
Arzo

Chat / Multimedia / Exe Blocking

Dear All,

I need advice on blocking the following:

1. Full blocking of chat programs (Yahoo/MSN/IRC), both web-based and client.

2. Blocking file downloads from the Internet, such as EXE/MP3.

3. How to create log reports containing the user IP together with the websites visited.

* I have AV/DI/WebSurf installed and licensed on the box.

* I don't have NSM at the site.

 

 

Tariq Morad

gr33ndata

Re: Chat / Multimedia / Exe Blocking

With respect to blocking Chat/P2P applications, you need to do the following:

- Create a policy to block their TCP/UDP ports, such as Gnutella (TCP/UDP 6346) and MSN (TCP 1863), etc.

- They will then try to use different ports, let's say HTTP (TCP 80) or DNS (53), so you enable the Deep Inspection signatures for IM and P2P on your other permitted policies and set the action to drop.

- Sometimes people may use web-based IM applications such as Meebo etc., so you will need to add the Chat category to your Web Filtering policy and then activate that category in your HTTP/HTTPS policies.

Sometimes people who don't have a DI license prefer to permit the P2P/IM application ports and then apply Traffic Shaping on the related policy in order to make them not usable at all.

With respect to EXE and ZIP files, there is an option for that in the Screening Options that you can use, and you may also write custom DI signatures to block whatever extensions you want.

Finally, you can reconfigure the Syslog settings on your firewall to send your Traffic Logs as well; you need to enable Logging on your policies too. But in order to resolve the IPs to web servers (domains), you need your Syslog server to be able to parse the Juniper NetScreen Syslog format and do reverse DNS on the IPs there. The alternative solution for that is using NSM.

Gr33n Data
JNCIS-FWV, JNCIA-IDP

@gr33ndata

http://gr33ndata.blogspot.com/
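The log-report step described in the answer above, as an added example that is not part of this thread or of any Juniper tool: parse ScreenOS traffic-log syslog lines (the system-notification-00257 records the firewall emits when policy logging is on and `set syslog config ... log all` is set) and build a per-user-IP list of web sites, resolving destination IPs through reverse DNS. The log lines and the PTR answers are constructed here so the script runs offline; pass `reverse_lookup` instead of the mock to resolve against the real system resolver. Session close records repeat the session_id of the open record, so the report counts each session once.

```python
"""Per-user web-visit report from ScreenOS traffic logs (added example, not from the thread)."""
import re
import socket
from collections import defaultdict

# Constructed sample in the ScreenOS traffic-log syslog format. Hosts, addresses
# and session ids are made up (documentation and RFC 1918 ranges).
SAMPLE_LOG = """\
<134>Mar  5 14:12:34 ns5gt: NetScreen device_id=ns5gt  [Root]system-notification-00257(traffic): start_time="2008-03-05 14:12:34" duration=0 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=0 rcvd=0 src=192.168.1.10 dst=93.184.216.34 src_port=1025 dst_port=80 session_id=1001 reason=Creation
<134>Mar  5 14:12:35 ns5gt: NetScreen device_id=ns5gt  [Root]system-notification-00257(traffic): start_time="2008-03-05 14:12:35" duration=0 policy_id=1 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=0 rcvd=0 src=192.168.1.10 dst=198.51.100.7 src_port=1026 dst_port=443 session_id=1002 reason=Creation
<134>Mar  5 14:12:40 ns5gt: NetScreen device_id=ns5gt  [Root]system-notification-00257(traffic): start_time="2008-03-05 14:12:40" duration=0 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=0 rcvd=0 src=192.168.1.11 dst=93.184.216.34 src_port=1030 dst_port=80 session_id=1003 reason=Creation
<134>Mar  5 14:12:41 ns5gt: NetScreen device_id=ns5gt  [Root]system-notification-00257(traffic): start_time="2008-03-05 14:12:41" duration=0 policy_id=2 service=MSN proto=6 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=192.168.1.11 dst=203.0.113.9 src_port=1031 dst_port=1863 session_id=1004 reason=Deny
<134>Mar  5 14:13:02 ns5gt: NetScreen device_id=ns5gt  [Root]system-notification-00257(traffic): start_time="2008-03-05 14:12:34" duration=28 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=512 rcvd=8192 src=192.168.1.10 dst=93.184.216.34 src_port=1025 dst_port=80 session_id=1001 reason=Close - AGE OUT
"""

# Constructed PTR answers so the example runs offline (assumption: these names are made up).
MOCK_PTR = {
    "93.184.216.34": "www.example.com",
    "198.51.100.7": "secure.example.net",
}

# key=value pairs; "src zone" / "dst zone" keys contain a space, values may be quoted.
FIELD_RE = re.compile(r'([a-z_]+(?: zone)?)=("[^"]*"|\S+)')


def parse_traffic_line(line):
    """Return the fields of one ScreenOS traffic-log line as a dict, or None for other records."""
    if "system-notification-00257" not in line:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return fields if "src" in fields and "dst" in fields else None


def reverse_lookup(ip):
    """Live reverse DNS via the system resolver; returns the IP itself when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return ip


def web_visits(log_text, resolver, web_ports=("80", "443")):
    """Map each user IP to the sorted web sites it reached, counting each session once."""
    seen_sessions = set()
    report = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_traffic_line(line)
        if f is None or f.get("action") != "Permit" or f.get("dst_port") not in web_ports:
            continue
        sid = f.get("session_id")
        if sid in seen_sessions:  # session-close record for a session already counted
            continue
        seen_sessions.add(sid)
        report[f["src"]].add(resolver(f["dst"]))
    return {ip: sorted(sites) for ip, sites in report.items()}


def format_report(report):
    """One line per user IP: '<ip>: site, site'."""
    return "\n".join(f"{ip}: {', '.join(sites)}" for ip, sites in sorted(report.items()))


if __name__ == "__main__":
    print(format_report(web_visits(SAMPLE_LOG, lambda ip: MOCK_PTR.get(ip, ip))))
```

A PTR record names the server, not the site the user typed: behind shared hosting or a CDN the reverse name will be the provider's, and a host with no PTR stays as a bare IP. That is the limitation behind the answer's pointer to NSM, which has the policy and URL context the raw traffic log lacks.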
aeroplane


Re: Chat / Multimedia / Exe Blocking

Hi Friend,

Regarding your statement:

"Sometimes people who don't have a DI license prefer to permit the P2P/IM application ports and then apply Traffic Shaping on the related policy in order to make them not usable at all."

Could you kindly tell me what settings are required for policy bandwidth, max, etc. in Traffic Shaping for this policy?

Thanks

aeroplane


Re: Chat / Multimedia / Exe Blocking

Hi

Also, can you give me a sample custom signature for the file extensions .zip or .exe?

Thanks
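The procedure from gr33ndata's answer, together with the two follow-up questions above (shaping values and a custom extension signature), as one added ScreenOS CLI fragment. It is not from the thread or from Juniper documentation; it is written from memory of the ScreenOS 5.x/6.x CLI, so check each command against `get` output and the CLI reference for your release. Zone, interface, address, policy-id, attack-group and web-filter category names are assumptions.

```text
# Added example, not from the thread. All names and numbers are assumptions.

# 1. Explicit deny for the well-known IM/P2P ports, ordered above the general permit.
#    MSN and IRC are predefined services; Gnutella's port is defined here by hand.
set service "Gnutella-6346" protocol tcp src-port 0-65535 dst-port 6346-6346
set service "Gnutella-6346" + udp src-port 0-65535 dst-port 6346-6346
set policy id 10 from "Trust" to "Untrust" "Any" "Any" "MSN" deny log
set policy id 11 from "Trust" to "Untrust" "Any" "Any" "IRC" deny log
set policy id 12 from "Trust" to "Untrust" "Any" "Any" "Gnutella-6346" deny log

# 2. The permit rule the clients fall back to (HTTP here) carries DI with the
#    predefined IM/P2P groups (group names depend on the loaded sigpack; list
#    them with "get attack group") and the Web Filtering profile.
set policy id 20 from "Trust" to "Untrust" "Any" "Any" "HTTP" permit attack "CRIT:IM:SIGS" action drop log
set policy id 20
set attack "HIGH:IM:SIGS" action drop
set attack "CRIT:P2P:SIGS" action drop
exit
set policy move 10 before 20
set policy move 11 before 20
set policy move 12 before 20

# 3. Integrated (SurfControl CPA) Web Filtering: block the Chat category in a
#    profile, then apply url filtering on the HTTP/HTTPS policy.
set url protocol sc-cpa
set profile "block-chat" "Chat" block
set enable
exit
set policy id 20
set url-filter
exit

# 4. Content blocking under Screening Options, on the zone the files arrive from.
set zone "Untrust" screen block-exe
set zone "Untrust" screen block-zip

# 5. Custom DI signatures on the request URL (the follow-up question), matched
#    case-insensitively, grouped and dropped on the HTTP permit policy.
set attack "dl-exe" http-url-parsed ".*\.[Ee][Xx][Ee]" severity medium
set attack "dl-zip" http-url-parsed ".*\.[Zz][Ii][Pp]" severity medium
set attack group "cs-downloads"
set attack group "cs-downloads" add "dl-exe"
set attack group "cs-downloads" add "dl-zip"
set policy id 20
set attack "cs-downloads" action drop
exit

# 6. Traffic Shaping alternative when there is no DI license: permit the IM/P2P
#    service but starve it. gbw/mbw are kbit/s, priority 7 is the lowest queue.
#    Shaping needs the interface bandwidth set and shaping mode on.
set interface ethernet1 bandwidth 100000
set interface ethernet3 bandwidth 100000
set traffic-shaping mode on
set policy id 30 from "Trust" to "Untrust" "Any" "Any" "Gnutella-6346" permit traffic gbw 0 priority 7 mbw 8 log

# 7. Ship traffic logs to the syslog host (assumed 192.168.1.50); "log" on each
#    policy above is what produces the per-session records.
set syslog config "192.168.1.50"
set syslog config "192.168.1.50" facilities local0 local0
set syslog config "192.168.1.50" log all
set syslog enable
```

Two practical checks: confirm with `get policy id 20` that the attack groups and url-filter actually bound (a typo in a group name is accepted silently on some releases), and put the deny rules for known ports above the permit rule, since ScreenOS evaluates policies top down and the first match wins.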

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.