Access to website is obtained; however, not all graphics are shown.


Article ID: KB6326  KB Last Updated: 22 Jun 2010  Version: 3.0
Summary:
Access to website is obtained; however, not all graphics are shown.
Symptoms:

Domain used as destination

  • Access to website is being denied even with permit rule above outbound ANY ANY ANY deny rule
  • Access to website is obtained; however, not all graphics are shown.
  • Unable to ping website
Solution:

Below is a sample configuration of what may currently be in use but does not work:
set address trust "WarehousePC" 192.168.1.100/32 [Enter]
set address untrust "FedEx" fedex.com [Enter]
set policy name "FedEx Access" from trust to untrust "WarehousePC" "FedEx" "http" permit log [Enter]
set policy name "No Internet Access" from trust to untrust "ANY" "ANY" "ANY" deny log [Enter]

Web access is denied even with the permit rule because a domain name is used as the destination instead of an IP address. In that case, DNS access is required. However, if the DNS server is local and the website can be reached but not all graphics are shown, the website may use a third party to host its graphics, as in the case below. To fix that, add the additional domain name to the policy. The website cannot be pinged because "ping" is not permitted, and neither is the DNS access needed to resolve the domain name.

Below is an example of a single host, WarehousePC, having access to one website, FedEx.com. 
set address trust "WarehousePC" 192.168.1.100/32 [Enter]
set address untrust "FedEx" fedex.com [Enter]
set address untrust "FedEx-graphics" a2.g.akamai.net [Enter]
set address untrust "DNS Server" 216.148.227.68/32 [Enter]
set group address untrust "FedExGroup" [Enter]
set group address untrust "FedExGroup" add "FedEx" [Enter]
set group address untrust "FedExGroup" add "FedEx-graphics" [Enter]
set group address untrust "FedExGroup" add "DNS Server" [Enter]
set group service "FedExServices" [Enter]
set group service "FedExServices" add http [Enter]
set group service "FedExServices" add https [Enter]
set group service "FedExServices" add DNS [Enter]
set group service "FedExServices" add ping [Enter]
set policy name "FedEx Access" from trust to untrust "WarehousePC" "FedExGroup" "FedExServices" permit log [Enter]
set policy name "No Internet Access" from trust to untrust "ANY" "ANY" "ANY" deny log [Enter]



Please note that the configuration above is for reference only, as the domain names and IP addresses could change at any time without prior notice.
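
The following Python example is an addition to this article, not Juniper code: it lists the hostnames a page loads graphics and other resources from that the existing address entries do not cover, and prints matching address lines in the syntax shown above. The sample HTML, the example.org link, and the function and entry names (uncovered_hosts, address_commands, FedEx-graphics-N) are constructed for illustration; hostnames are compared exactly.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not fetched from a real site).
SAMPLE_URL = "http://fedex.com/index.html"
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<img src="http://a2.g.akamai.net/images/logo.gif">
<img src="//a2.g.akamai.net/images/truck.gif">
<img src="images/banner.gif">
<a href="http://example.org/partner">Partner</a>
"""

# Attributes a browser fetches while rendering; <a href> is only fetched on click.
FETCHED = {"img": "src", "script": "src", "link": "href", "iframe": "src"}

class ResourceHosts(HTMLParser):
    """Collect hostnames of auto-fetched resources (relative URLs resolved)."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = FETCHED.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            host = urlparse(urljoin(self.page_url, value)).hostname
            if host:
                self.hosts.add(host.lower())

def uncovered_hosts(page_url, html, permitted):
    """Hosts the page loads from that no address entry covers yet."""
    parser = ResourceHosts(page_url)
    parser.feed(html)
    return sorted(parser.hosts - {p.lower() for p in permitted})

def address_commands(hosts, group="FedExGroup"):
    """Emit address and group lines in the syntax this article uses."""
    lines = []
    for n, host in enumerate(hosts, 1):
        name = f"FedEx-graphics-{n}"  # hypothetical naming scheme
        lines += [f'set address untrust "{name}" {host}',
                  f'set group address untrust "{group}" add "{name}"']
    return lines

if __name__ == "__main__":
    found = uncovered_hosts(SAMPLE_URL, SAMPLE_HTML, ["fedex.com"])
    print("\n".join(address_commands(found)))
```

Review each reported hostname before adding it, since every extra address entry widens what the permit rule allows.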

Here is the problem or goal:

  • Access to website is being denied even with permit rule above outbound ANY ANY ANY deny rule
  • Access to website is obtained; however, not all graphics are shown. 
  • Unable to ping website
  • How To: Allow only single host access to only one website

Problem Environment:

  • Domain used as destination

Applicable Products:

  • NetScreen-5XP
  • NetScreen-5XT
  • NetScreen-10
  • NetScreen-25
  • NetScreen-50
  • NetScreen-100
  • NetScreen-204
  • NetScreen-208
  • NetScreen-500
  • NetScreen-1000
  • NetScreen-5200
  • NetScreen-5400

Applicable ScreenOS:

  • 4.0.0
  • 4.0.0-DIAL
  • 4.0.1
  • 4.0.2

