ScreenOS Firewalls (NOT SRX)
ScreenOS Firewalls (NOT SRX)

Chat / Multimedia / Exe Blocking

06.30.08   |  
‎06-30-2008 01:53 AM

Dear All,

i need advices for blocking the following issues,

 

1. full blocking for chat programs (Yahoo/MSN/IRC) web and program

2. block downloading files from internet, such as (EXe/MP3)

3. how to create log reports containing the user IP with the visited websites.

 

* i have AV/DI/WebSurf installed and licensed on the box.

* i dont have NSM at the site.

 

 

Tariq Morad
3 REPLIES
ScreenOS Firewalls (NOT SRX)

Re: Chat / Multimedia / Exe Blocking

06.30.08   |  
‎06-30-2008 03:33 AM

With respect to the Chat/P2P applications blocking, you need to do the following:

- Create a policy to Block their TCP/UDP ports such as Gnutella (TCP/UDP 6346) and MSN (TCP 1863), etc

- The will then try to use different ports, let's say HTTP (TCP 80) or (DNS 53), so you enable the Deep Inspection Signatures for IM and P2P on your other permitted policies and make the action drop

- Sometime people may use Web Based IM applications such as Meebo etc, so you will need to add the Chat category into your Web Filtering policy and then activate that category in your HTTP/HTTPS policies 

 

Sometimes people who doesn't have DI license prefer to permit the P2P/IM Applications Port, and then do Traffic Shapping on the related policy in order to me them not usable at all. 

 

With respect to EXE and Zip file there is an aption for that in the Screening Options that you can use it, and you may also write custom DI Signatures to block whatever extensions you want.

 

Finally, you can re-configure your Syslog settings on your firewall to send your Traffic Logs as well, you need to enable Logging on your policies too. But in order to resolve the IP's to Web Servers (Domains), you need your Syslog Server to be able to parse Juniper NetScreen Syslog format and do reverese DNS on the IP's there. And the alternative solution for that is using NSM.

Gr33n Data
JNCIS-FWV, JNCIA-IDP

@gr33ndata

http://gr33ndata.blogspot.com/
ScreenOS Firewalls (NOT SRX)

Re: Chat / Multimedia / Exe Blocking

01.11.10   |  
‎01-11-2010 12:32 PM

Hi Friend,

 

Regarding your statement:

 

"Sometimes people who doesn't have DI license prefer to permit the P2P/IM Applications Port, and then do Traffic Shapping on the related policy in order to me them not usable at all."

 

Kindly can you tell me what setting is required for policy bandwidth, max etc in traffic shapping for this policy?

 

Thanks

Highlighted
ScreenOS Firewalls (NOT SRX)

Re: Chat / Multimedia / Exe Blocking

01.11.10   |  
‎01-11-2010 12:36 PM

Hi

 

Also how can you give me the sample for custom signature for file extension .zip or .exe?

 

Thanks