SRX Services Gateway

Custom App Firewall app

06-05-2018 03:50 AM

Hello, 

I'd like to create an app that would allow me to block an HTTPS URL. I run ssl-proxy and it works, as I can see the substituted SSL certificate (my SRX1500 does the substitution). But the rule won't go. Here it is:

rule block-youtube-url {
    match {
        dynamic-application app1;
    }
    then {
        deny;
    }
}
default-rule {
    permit;
}

The custom app is defined like this:

show services application-identification application app1
over HTTP {
    signature s1 {
        member m02 {
            context http-url-parsed;
            pattern ".*youtube\.com\/watch.*";
            direction client-to-server;
        }
    }
}

and then this all applied to policy like this:

match {
    source-address tests;
    destination-address any;
    application [ junos-https junos-http ];
}
then {
    permit {
        application-services {
            ssl-proxy {
                profile-name ssl-inspect;
            }
            application-firewall {
                rule-set test2;
            }
        }
    }
    log {
        session-close;
    }
}

By running the show command I see that traffic hits only the default-rule (permit), not the app1 rule. If I try some built-in rules, they work. I can deny Skype etc., but not the custom one. I know that I might be doing it wrong, but I would like you guys to help me :)

PS

I've followed this article (it's a bit old, but the point is the same).

PPS

And the youtube is only for testing purposes, I DON'T want to block it.


Re: Custom App Firewall app

06-19-2018 12:53 AM

Hello,

What is the junos version?

If you enable APPID traceoptions, do you see anything as to why default-rule is hit instead of the custom rule you created?

Regards,

Rushi

Re: Custom App Firewall app

06-19-2018 08:43 PM

You have mentioned HTTPS, but the custom application is specified as over HTTP. Can you try using SSL?

set services application-identification application app1 over ssl signature s1 member m02

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too