After configuring an Application Firewall to block a website, users notice that the browser hangs for a few minutes before issuing an error page that the content cannot be displayed. This article explains what is happening and how to correct it.
The cause is that in the Junos OS 11.4 code, an AppFW rule action offered only two choices: deny and permit.
[edit security application-firewall rule-sets skype]
root# set rule "block skype" then ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
deny Deny packets
permit Permit packets
Choosing "deny" causes the SRX to silently drop the session's packets, with no notification to the client or server.
Because neither end is notified, the TCP connection remains established on both hosts. The client keeps retransmitting, and the browser reports an error only once its TCP stack gives up, which is governed by the TCP timeout settings on each node. This can take well over a minute.
The solution is to upgrade to Junos OS 12.1X44-D10 or later (that is, the 12.1X44, X45, X46 or X47 releases). After upgrading, the "reject" action becomes available:
[edit security application-firewall rule-sets skype]
root# set rule "block skype" then ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
deny Deny packets
permit Permit packets
reject Reject packets
With "reject", the SRX sends a TCP RST to both the client and the server, so the browser receives an error immediately instead of waiting for its TCP connection to time out. Note that for non-HTTP/S applications, an "ICMP port unreachable" (port not available) message is sent instead of the RST.
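The change described above as a complete configuration-mode session, added here as an example rather than taken from the article. The rule-set name "skype" and the rule name "block skype" are the ones shown in the CLI output above; the dynamic-application name junos:SKYPE, the zone names and the policy name internet-out are assumed for illustration.

```junos
## Added example (not from the article). Rule-set and rule names match the CLI
## output above; junos:SKYPE and the zone/policy names are assumed.

## 1) The 11.4-era configuration that produces the hang: "deny" silently drops
##    the flow, so both hosts keep their TCP state until their timers expire.
[edit security application-firewall rule-sets skype]
root# show
rule "block skype" {
    match {
        dynamic-application junos:SKYPE;
    }
    then {
        deny;
    }
}
default-rule {
    permit;
}

## 2) The rule-set only acts on traffic whose security policy invokes it as an
##    application service; without this binding the rule never fires.
[edit security policies from-zone trust to-zone untrust policy internet-out]
root# show
match {
    source-address any;
    destination-address any;
    application any;
}
then {
    permit {
        application-services {
            application-firewall {
                rule-set skype;
            }
        }
    }
}

## 3) On 12.1X44-D10 or later, swap deny for reject and commit.
[edit security application-firewall rule-sets skype]
root# delete rule "block skype" then deny
root# set rule "block skype" then reject
root# commit check
configuration check succeeds
root# commit
commit complete

## 4) Confirm the rule now carries the reject action.
root# run show security application-firewall rule-set all
```

On a release older than 12.1X44-D10 the `set rule "block skype" then reject` line in step 3 is rejected by the CLI as an unknown completion, which is the quickest way to confirm whether the upgrade is actually required on a given box. After the commit, a blocked client should see the browser error within a round trip instead of after its TCP retransmission timer expires.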