[ScreenOS] Redirect Websense URL filtering fails if HTTP ALG is not enabled

Article ID: KB26272 KB Last Updated: 07 Oct 2013 Version: 2.0
Summary:

This article explains a situation in which redirect Websense URL filtering does not work even though the Websense server returns a block decision. In the case described, the HTTP ALG was found to be disabled. To enable it, use the following command:

set alg http enable

Symptoms:

A Websense server is configured for redirect URL filtering. On the device, the following configuration is present:

set url protocol websense
set server 192.168.93.152 15868 10
set deny-message "You cant go here dummy! "

URL filtering has also been enabled in the policy:

set policy id 4 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" nat src permit url-filter

The connection between Websense and the firewall is also good.

get url all

System  State    Server        Port   Timeout  Fail-Mode  Connection
====================================================================
Root    Enabled  192.168.1.10  15868  10       Block      OK

The output of debug url all shows that the URL is handed to the Websense server correctly and that the server responds that the URL should be blocked, but the firewall still does not block the web site:

## 2004-07-09 18:12:46 : Web filtering statusCode (id 4998): Block
## 2004-07-09 18:12:46 : f: 289b9e70, l: 289b9e30, n: 2, p: 225
## 2004-07-09 18:12:46 : insert req item: id = 4996; last pak: 6096250; current pak: 6097040
## 2004-07-09 18:12:46 : insert_log_request_for_query: type log, id 4998, in time 6097030, elapsed 6097040, category 86, status code 1, desc code 1025, bytes sent 171, time out 10
## 2004-07-09 18:12:46 : send_block html page back to client:
HTTP/1.0 302 Moved
Location: http://192.168.93.152:15871/cgi-bin/blockpage.cgi?ws-session=2415976870
Pragma: no-cache
Cache-Control: no-cache
Cause:

Solution:

When the configuration was checked, the HTTP ALG was found to be disabled. To enable it, use the following command:

set alg http enable

After the HTTP ALG was enabled, redirect URL filtering started to work.
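
The check above can be run against a saved configuration before a filtering policy is trusted. The following Python audit is an added example, not part of the original article or any Juniper tool. It assumes a disabled HTTP ALG appears in the saved configuration as `unset alg http enable` and that the ALG is on when no such line is present; the function name, the `alg_default_enabled` parameter and the sample text are hypothetical.

```python
import re

# Constructed sample: the article's configuration lines plus an ASSUMED
# "unset alg http enable" line standing for the disabled HTTP ALG.
SAMPLE_CONFIG = '''\
unset alg http enable
set url protocol websense
set server 192.168.93.152 15868 10
set deny-message "You cant go here dummy! "
set policy id 4 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" nat src permit url-filter
'''

ALG_RE = re.compile(r'^(set|unset) alg http enable$')
POLICY_RE = re.compile(r'^set policy id (\d+)\b.*\burl-filter\b')
QUOTED_RE = re.compile(r'"[^"]*"')


def audit_url_filtering(config_text, alg_default_enabled=True):
    """Flag url-filter policies that cannot be enforced with the HTTP ALG off.

    alg_default_enabled is an assumption about the device default, used
    only when the configuration has no explicit HTTP ALG line.
    """
    alg_enabled = alg_default_enabled
    websense = False
    policies = []
    for raw in config_text.splitlines():
        line = raw.strip()
        alg = ALG_RE.match(line)
        if alg:
            alg_enabled = alg.group(1) == "set"
            continue
        if line == "set url protocol websense":
            websense = True
            continue
        # Blank out quoted names so a zone or address called
        # "url-filter" is not mistaken for the policy keyword.
        pol = POLICY_RE.match(QUOTED_RE.sub('""', line))
        if pol:
            policies.append(int(pol.group(1)))
    findings = []
    if websense and policies and not alg_enabled:
        findings.append(
            "HTTP ALG disabled: Websense block decisions for policy id(s) "
            + ", ".join(map(str, policies))
            + " will not be enforced; run 'set alg http enable'")
    return {"http_alg_enabled": alg_enabled, "websense": websense,
            "url_filter_policies": policies, "findings": findings}
```
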
