[Archive] How do I block access to web sites?

Knowledge Base ID: KB4320
Last Updated: 28 Mar 2013
Version: 6.0

Summary:
Creating an Address Group allows you to block multiple domains. This article also covers configuring DNS on the NetScreen so that address book entries can resolve a domain name to an IP address.

Solution:

Note: This article applies to ScreenOS 4.0 and higher.

To block access to websites, you create an Address Group that includes an address book entry for each DNS name. A group can contain multiple domain names. This example blocks access to www.blockeddomain.com. DNS must be configured on the NetScreen before address book entries can resolve a domain name to an IP address.

To block access to websites, perform the following steps:

1. Open the WebUI. For more information on accessing the WebUI, go to Accessing Your NetScreen Using the WebUI.

2. From the NetScreen options menu, click Network, and then click DNS.

3. In the Host Name, Domain Name, Primary DNS Server, and Secondary DNS Server text boxes, enter your information.

   For this example, we have entered a Host Name of ns50, a Domain Name of netscreen.com, a Primary DNS Server of 1.1.1.1, and a Secondary DNS Server of 1.1.1.2.

4. Click Apply.

5. From the NetScreen options menu, click Objects, select Addresses, and then click List.

6. From the interface drop-down menu, select Untrust, and then click to select New.

7. In the Address Name text box, enter an address name.

8. Under IP Address/Domain Name, click to select Domain Name. In the Domain Name text box, enter the domain name that you want to block.

9. In the Zone drop-down menu, click to select Untrust.

10. Click OK.

11. From the NetScreen options menu, click Objects, select Addresses, and then click Groups.

12. From the interface drop-down menu, click to select Untrust, and then click New.

13. In the Group Name text box, enter a group name.

14. From Available Members, click to choose the available member that you would like to add to this group, and then click <<.

    Note: The Group Members box will now show www.blockeddomain.com.

15. Click OK.

16. From the NetScreen options menu, click Policies.

17. In the From drop-down menu, click to select Trust. From the To drop-down menu, click to select Untrust.

18. Click New.

19. From Source Address, click to select Address Book. From the Address Book drop-down menu, click to select Any.

20. From Destination Address, click to select Address Book. From the Address Book drop-down menu, click to select www.blockeddomain.com.

21. From the Service drop-down menu, click to select ANY.

22. From the Action drop-down menu, click to select Deny.

23. Click OK.
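The same configuration can be entered from the ScreenOS CLI. The commands below are an added example, not part of the original article; they use the article's sample values, and the group name Blocked-Sites is an assumed placeholder for the name entered in the Group Name text box.

```text
set hostname ns50
set domain netscreen.com
set dns host dns1 1.1.1.1
set dns host dns2 1.1.1.2
set address "Untrust" "www.blockeddomain.com" www.blockeddomain.com
set group address "Untrust" "Blocked-Sites"
set group address "Untrust" "Blocked-Sites" add "www.blockeddomain.com"
set policy from "Trust" to "Untrust" "Any" "www.blockeddomain.com" "ANY" deny
save
```

Using the group name as the policy destination instead of the single entry blocks every member of the group. ScreenOS evaluates policies from the top of the list down, so check with get policy that the deny policy sits above any Trust-to-Untrust policy that permits the same traffic.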

Additionally, the Juniper firewall provides a URL filtering feature that can be used to block websites. For more information, refer to Concepts & Examples ScreenOS Reference Guide, Attack Detection and Defense Mechanisms - Release 6.3.0, Rev. 01 (Web Filtering - Chapter 4).


Also, refer to KB6868 - What is BACKDOOR_DETECTED subcategory?

Purpose:
Troubleshooting

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.