ScreenOS Firewalls (NOT SRX)
Contributor
Posts: 143
Registered: ‎04-17-2015
0 Kudos

How to configure web-filtering?

Hello all, 

I have a problem regarding web-filtering.

I've used a firewall: ISG-1000.

I already know that the ISG-1000 does not support blocking HTTPS (443).

So, I decided that I have to block URLs by configuring the white-list method as in the picture below.

(Please concentrate on the RED square)

1.JPEG

 

 

I'll try to configure it like the RED square.

Please confirm whether this method can work well or not.

1. V1-Trust -> V1-Untrust : Source(SN_Network), Destination(white-list)

2. V1-Untrust -> V1-Trust : Source(white-list), Source(SN_Network)

 

*SN_Network : The IPs we use

*white-list : The IPs and URLs we'll block.

 

Regards,

Distinguished Expert
Posts: 4,698
Registered: ‎03-30-2009
0 Kudos

Re: How to configure web-filtering?

You only need the rule to be in the direction that the TCP session is initiated, number 1 in your case.

But I don't think your white list URL filter will work. My recollection is that there is no SSL decryption on this platform so we cannot read the URL to do the match. Your only option with SSL traffic is IP address based blocking in the firewall rule destination addresses for encrypted flows.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Distinguished Expert
Posts: 648
Registered: ‎06-22-2011
0 Kudos

Re: How to configure web-filtering?

The only way to use SSL decryption is with an external Websense server. Also, traffic would never hit any rule below rule 3, as it is an any-any rule.
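
The rule-ordering point in the reply above (nothing below an any-any rule is ever matched) can be checked mechanically. The following Python check is an added example, not part of the original thread: it flags rules that an earlier rule fully covers in a first-match policy list. The rule fields, addresses and every rule other than the any-any rule 3 are constructed for illustration, and services are simplified to single names.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    rid: int
    src_zone: str
    dst_zone: str
    src: tuple      # CIDR strings, or ("any",)
    dst: tuple
    service: str    # single service name or "any" (simplification)
    action: str

def _covers(outer, inner):
    """True if every network in `inner` lies inside some network in `outer`."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    outer_nets = [ipaddress.ip_network(o) for o in outer]
    return all(any(ipaddress.ip_network(i).subnet_of(o) for o in outer_nets)
               for i in inner)

def shadows(earlier, later):
    """An earlier rule shadows a later one when it matches a superset of its traffic."""
    return (earlier.src_zone == later.src_zone
            and earlier.dst_zone == later.dst_zone
            and _covers(earlier.src, later.src)
            and _covers(earlier.dst, later.dst)
            and earlier.service in (ANY, later.service))

def find_shadowed(rules):
    """Map each unreachable rule id to the id of the first rule that shadows it."""
    result = {}
    for idx, later in enumerate(rules):
        for earlier in rules[:idx]:
            if shadows(earlier, later):
                result[later.rid] = earlier.rid
                break
    return result

# Constructed sample policy, listed in evaluation order (top-down, first match wins).
SN, WL = ("10.10.0.0/16",), ("198.51.100.10/32", "203.0.113.0/24")
POLICY = [
    Rule(1, "V1-Trust", "V1-Untrust", SN, WL, "HTTPS", "permit"),
    Rule(2, "V1-Untrust", "V1-Trust", WL, SN, "HTTPS", "permit"),
    Rule(3, "V1-Trust", "V1-Untrust", (ANY,), (ANY,), ANY, "permit"),
    Rule(4, "V1-Trust", "V1-Untrust", SN, (ANY,), "HTTPS", "deny"),
    Rule(5, "V1-Trust", "V1-Untrust", SN, ("192.0.2.0/24",), "HTTP", "deny"),
]

if __name__ == "__main__":
    for rid, by in find_shadowed(POLICY).items():
        print(f"rule {rid} is never reached: shadowed by rule {by}")
```

Moving the any-any rule to the bottom of the list in the same zone pair leaves no rule shadowed, so the deny rules take effect.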

 

Contributor
Posts: 143
Registered: ‎04-17-2015
0 Kudos

Re: How to configure web-filtering?

Hello expert,

But I configured the No.1 case to be disabled.

..

 

Should I revert something, sir?

SK.