[SRX] Long Timeout Period for AppFW Block Action

Article ID: KB29817   KB Last Updated: 04 Mar 2017   Version: 2.0
Summary:

After configuring an Application Firewall (AppFW) rule to block a website, users notice that the browser hangs for a few minutes before showing an error page saying the content cannot be displayed. This article explains what is happening and how to correct it.

Symptoms:

In Junos OS 11.4, an AppFW rule action has only two possible values, deny and permit:

[edit security application-firewall rule-sets skype]
root# set rule "block skype" then ?

Possible completions:

<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
deny Deny packets
permit Permit packets

Choosing the "deny" option causes the session to be silently dropped, with no notification to the client or server.

Cause:

Because neither the client nor the server is notified, the TCP session stays alive on both endpoints: the client keeps retransmitting until its own TCP timers give up, and the server likewise holds the half-open connection until its timeout expires. Depending on the configured TCP timeout values on each host, this can take more than a minute, which is the delay the user sees in the browser.

Solution:

The solution is to upgrade to Junos OS 12.1X44-D10 or later (12.1X44, X45, X46 or X47). After upgrading, a third action, "reject", becomes available:

[edit security application-firewall rule-sets skype]
root# set rule "block skype" then ?

Possible completions:

<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
deny Deny packets
permit Permit packets
reject Reject packets

With "reject", the SRX sends a TCP RST to both the client and the server, so the browser receives an error immediately instead of waiting for its TCP connection to time out. Note that for non-HTTP/S applications, an ICMP port-unreachable message is sent instead of a RST.
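The following set-style configuration is an added example, not configuration from the article or from Juniper. The rule-set name "skype" and the rule name "block skype" come from the article; the dynamic-application name junos:SKYPE, the zone names (trust, untrust) and the policy name (allow-out) are assumptions, and the "#" lines are comments for the reader. It shows the 11.4-era "deny" rule next to the "reject" rule that replaces it after the upgrade, and attaches the rule set to the permit policy that actually carries the traffic.

```junos
# Added example (not the article's own configuration). Names other than the
# rule set "skype" and the rule "block skype" are assumptions.

# Before (Junos 11.4): "deny" drops the session silently. Neither end learns
# that the session is gone, so the browser hangs until TCP gives up.
set security application-firewall rule-sets skype rule "block skype" match dynamic-application junos:SKYPE
set security application-firewall rule-sets skype rule "block skype" then deny
set security application-firewall rule-sets skype default-rule permit

# After (12.1X44-D10 or later): only the action changes. "reject" makes the SRX
# send a TCP RST to client and server (ICMP port unreachable for non-HTTP/S
# traffic), so the client fails immediately instead of timing out.
delete security application-firewall rule-sets skype rule "block skype" then deny
set security application-firewall rule-sets skype rule "block skype" then reject

# AppFW is an application service attached to a permit policy, not a policy of
# its own: the policy must permit the flow and reference the rule set.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit application-services application-firewall rule-set skype
commit

# Operational check: confirm the rule now shows the reject action.
show security application-firewall rule-set skype
```

One caveat worth keeping in mind: "reject" tells an attacker (or a curious user) that a device in the path is actively refusing the connection, whereas "deny" reveals nothing. For a policy whose goal is user experience on a blocked website, reject is the right choice; for rules intended to quietly drop unwanted traffic from untrusted sources, the silent deny remains appropriate.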