Screen OS

  • 1.  Bypassing Web Filtering or Surf Control with mac addresses

    Posted 10-17-2008 15:55

    Hello,

     

    I have an SSG5 router set up for a medium-sized office. I just enabled web filtering for everyone in the building that uses a computer.  This has created frustration among the upper management in the building because they feel they should not be restricted from accessing whatever they want when they want.  I have not been able to find any information on how to exempt certain MAC addresses from my filter restrictions.  Do I need to set up a specific zone for management to bypass the web filter, or is there an easier way to allow some access but not all certain websites?

     

    -Ren



  • 2.  RE: Bypassing Web Filtering or Surf Control with mac addresses

    Posted 10-17-2008 19:35

    If you want some IP address with more privilege, setting up a specific policy is a feasible way.



  • 3.  RE: Bypassing Web Filtering or Surf Control with mac addresses

    Posted 10-18-2008 12:36

    You specify traffic to be redirected to web filtering via security policy. ScreenOS cannot apply policies to MAC addresses, only layer 3 and up. I would suggest that you assign the privileged users static IP addresses. Then place a separate policy above your web filtering policy which permits the traffic from those specific addresses without URL filtering.

     

    -Richard



  • 4.  RE: Bypassing Web Filtering or Surf Control with mac addresses

    Posted 10-18-2008 12:46

    Thanks for the quick reply guys.  I was really hoping I could use MAC addresses instead of IPs just because the managers that are complaining about it use laptops.  However, if using static IPs is the only way for me to allow them access then that's the way I will do it. Thanks again guys.

     

    -Ren



  • 5.  RE: Bypassing Web Filtering or Surf Control with mac addresses
    Best Answer

    Posted 10-20-2008 06:16

    Hi Ren,

     

    Basically you can use MAC addresses. Just create IP reservations in the DHCP server options (as long as you are using the SSG as DHCP server of course), create a group for those addresses and apply it to the appropriate policy.

     

    If your SSG is not running the DHCP server you might want to check your DHCP if it's capable of IP reservations as it's quite a common feature.

     

    Cheers,

    flo



  • 6.  RE: Bypassing Web Filtering or Surf Control with mac addresses

    Posted 10-20-2008 12:10

    Hi flo,

     

    I am using the SSG5 for my DHCP server.  To test what you suggested, I created an IP of 192.168.1.50 and attached the MAC of my laptop to that IP.  Now how do I set up a group for my reserved IP?  I've looked at Address Groups and created a trusted group named Managers but how do I add members to that group?

     

    thanks,

     

    -Ren



  • 7.  RE: Bypassing Web Filtering or Surf Control with mac addresses

    Posted 10-20-2008 14:27

    OK, in regards to my last question, I just had to do some digging to figure out how to set up groups.  It was a matter of messing with the DHCP reserved IPs, then creating matching IPs in Objects > Addresses, making a bunch of custom addresses, then grouping them by name in Objects > Addresses > Groups.  So flo and rich, thanks a bunch, you guys shoved me in the right direction.

     

     

    thanks again!

     

    -ren
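
The procedure the thread arrives at (DHCP reservation by MAC, a matching address object, an address group, and a permit policy placed above the web-filtering policy), sketched as ScreenOS CLI. This is an added example, not part of any post above; the interface `bgroup0`, the MAC address, the object name `mgr-laptop-1`, and the filtering policy shown as id 1 are assumptions, and lines starting with `#` are annotations rather than commands.

```screenos
# 1. Reserve 192.168.1.50 for the laptop's MAC on the SSG's DHCP server.
#    bgroup0 is an assumed interface; the MAC is a constructed value.
set interface bgroup0 dhcp server ip 192.168.1.50 mac 001122334455

# 2. Create an address book entry in the Trust zone that matches the
#    reservation (object name is hypothetical).
set address "Trust" "mgr-laptop-1" 192.168.1.50 255.255.255.255

# 3. Create the Managers group and add the entry to it.
#    Repeat steps 1-3 for each additional reserved laptop.
set group address "Trust" "Managers"
set group address "Trust" "Managers" add "mgr-laptop-1"

# 4. Assumed existing filtering policy, shown for context only:
#      set policy id 1 from "Trust" to "Untrust" "Any" "Any" "HTTP" permit url-filter
#    Policies are evaluated top-down and the first match wins, so the
#    exemption (no url-filter keyword) must sit above the filtering policy.
#    "log" records the sessions that matched the exemption.
set policy top from "Trust" to "Untrust" "Managers" "Any" "HTTP" permit log

# 5. Confirm the exemption is listed before the filtering policy, then save.
get policy from "Trust" to "Untrust"
save
```

The exemption is keyed on the IP address, not on the MAC itself, so it applies to whichever host holds 192.168.1.50; the `log` keyword on the exemption policy gives a record of what used it.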