SRX240 AppFw block message

juniper-srx

I am configuring the AppFw on a SRX240 chassis this works fine to block Facebook or Twitter or whatever application. I also configured a custom block message to redirect a user to a specific web page when the policy is met.

The problem is that this block message does not work with either Facebook or Twitter, the content is blocked (thus the policy must be met?) but the connection times out in stead of redirecting the user to the configured block-message.

When I configure another application like Reuters, it all works flawless. I'm mainly puzzled why this happens and of course it would be excellent if anyone knows how to show the block message or redirect!

As per request my AppFw test config:

application-firewall {
    profile test_block_msg {
        block-message {
            type {
                custom-redirect-url {
                    content http://www.justasite.nl;
                }
            }
        }
    }
    rule-sets test-apfw {
        rule 1 {
            match {
                dynamic-application-group junos:web:social-networking:facebook;
            }
            then {
                deny;
            }
        }
        rule 2 {
            match {
                dynamic-application [ junos:TWITTER junos:TWITTER-UPDATE junos:TWITVID junos:TWITTER-SSL ];
            }
            then {
                deny;
            }
        }
        default-rule {
            permit;
        }
        profile test_block_msg;
    }
}

And my policies:

policies {
    from-zone Inside to-zone Outside {
        policy test-apfw-pol {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        application-firewall {
                            rule-set test-apfw;
                        }
                    }
                }
            }
        }
        policy in-to-out {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone Outside to-zone Inside {
        policy Outside-to-IIS {
            match {
                source-address IIS_Ext_permitted;
                destination-address IIS_Test;
                application HTTP;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
        policy my-ssh {
            match {
                source-address any;
                destination-address any;
                application my-ssh;
            }
            then {
                permit;
            }
        }
        policy dyn-vpn-SECPOL {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn SRX100;
                    }
                }
            }
        }
    }
}

Hope this helps.

Best Answer

It looks like the usual problem where HTTP redirect works (Reuters), but HTTPS doesn't (Facebook and Twitter).

To display a "this page is blocked" message when it's a HTTPS connection, you'll need a MITM, because you'll need not to break the TLS handshake (which is happening right now).

Run the test - try connecting to a HTTP site that you've blocked, and then try an HTTPS version of the same site (just make sure it's not a site that redirects from HTTP to HTTPS like Facebook and Twitter do).

Related Solutions

Juniper SRX240 Clustering – Policy out of sync

You description is implying the issue is between the primary and secondary nodes, but the article is referencing an out of sync between the Control Plane and Data Plane ( or Routing Engine and Packet Forwarding Engine.

If it is indeed the PFE out of Sync you might also try the hidden command 'commit full'.

I know I had an issue where my 2 routing engines were out of sync. I don't recall if it was on a cluster SRX or something like a VC switch or dual RE router. In my case it was because I had issued a 'commit confirmed' and let the timer expire. The backup RE was out of sync. I had to log into the backup RE and manually do a 'rollback 1' to get them back in sync.

Juniper SRX240 and EX2200 Network Configuration

To answer this question, I'll go through your configuration piece by piece.

Your SRX240 configuration is essentially correct and should work, with one small issue, that is your WAN/Internet interface (ge-0/0/0) appears to be using DHCP:

SRX:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
[...]

While you've got a default gateway defined:

SRX:

routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.129.152.129;
    }
}

Likely, your default gateway is provided by DHCP, so you probably don't need/want to define it statically. If 10.129.152.129 is not in your dhcp address/netmask though, JunOS is probably ignoring it, and since you also said that you were able to successfully get Internet connectivity when directly plugged into the SRX, this is probably not causing a problem. To get rid of this for cleanliness, issue the following commands on the SRX240:

SRX:

configure
delete routing-options static
commit

On to the switches. You didn't tell us which port on the SRX240 is connected to which port on the EX2200, so this is hard to answer, but based on the configuration provided I can deduce that your WAN/Internet link is ge-0/0/0 on the SRX240, and that at least one switch is plugged into one of the other interfaces on the SRX (ge-0/0/1 through 15.)

With the configuration you provided (for only the EX2200-24, and not the EX2200-48), your topology should work as long as port ge-0/0/0 through 21 are connected to the SRX. If, however the SRX is plugged into ports 22 or 23 on the the EX, you have a problem, because those ports are in trunk mode and the SRX isn't configured for or expecting VLAN-tagged ethernet frames.

EX:

interfaces {
[...]
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
[...]

Also, if all you really wanted was a flat L2 topology, you have some configuration left over from someone that didn't:

EX:

ge-0/0/XX {
    unit 0 {
        family ethernet-switching {
            vlan {
                members public-eth;
            }
        }
    }
}

and

EX:

vlans {
    management {
        vlan-id 10;
        l3-interface vlan.10;
    }
    private-eth {
        vlan-id 20;
    }
    public-eth {
        vlan-id 30;
    }
    wan {
        vlan-id 100;
        l3-interface vlan.100;
    }
}

and

EX:

interfaces {
[...]
    vlan {
        unit 10 {
            family inet {
                address 192.168.1.2/24;
            }
        }
        unit 100 {
            family inet {
                address 10.129.152.135/25;
            }
        }
    }

You can see several IP addresses, vlans and such configured. To get back to the most basic of L2 functionality, we should remove some of that old unnecessary configuration (as long as you're sure that this is your network and you're not a rogue going against the wishes of your network admin.)

EX:

configure
delete interfaces ge-0/0/0
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete interfaces ge-0/0/3
delete interfaces ge-0/0/4
delete interfaces ge-0/0/5
delete interfaces ge-0/0/6
delete interfaces ge-0/0/7
delete interfaces ge-0/0/8
delete interfaces ge-0/0/9
delete interfaces ge-0/0/10
delete interfaces ge-0/0/11
delete interfaces ge-0/0/12
delete interfaces ge-0/0/13
delete interfaces ge-0/0/14
delete interfaces ge-0/0/15
delete interfaces ge-0/0/16
delete interfaces ge-0/0/17
delete interfaces ge-0/0/18
delete interfaces ge-0/0/19
delete interfaces ge-0/0/20
delete interfaces ge-0/0/21
delete interfaces ge-0/0/22
delete interfaces ge-0/0/23
set interfaces ge-0/0/0.0 family ethernet-switching
set interfaces ge-0/0/1.0 family ethernet-switching
set interfaces ge-0/0/2.0 family ethernet-switching
set interfaces ge-0/0/3.0 family ethernet-switching
set interfaces ge-0/0/4.0 family ethernet-switching
set interfaces ge-0/0/5.0 family ethernet-switching
set interfaces ge-0/0/6.0 family ethernet-switching
set interfaces ge-0/0/7.0 family ethernet-switching
set interfaces ge-0/0/8.0 family ethernet-switching
set interfaces ge-0/0/9.0 family ethernet-switching
set interfaces ge-0/0/10.0 family ethernet-switching
set interfaces ge-0/0/11.0 family ethernet-switching
set interfaces ge-0/0/12.0 family ethernet-switching
set interfaces ge-0/0/13.0 family ethernet-switching
set interfaces ge-0/0/14.0 family ethernet-switching
set interfaces ge-0/0/15.0 family ethernet-switching
set interfaces ge-0/0/16.0 family ethernet-switching
set interfaces ge-0/0/17.0 family ethernet-switching
set interfaces ge-0/0/18.0 family ethernet-switching
set interfaces ge-0/0/19.0 family ethernet-switching
set interfaces ge-0/0/20.0 family ethernet-switching
set interfaces ge-0/0/21.0 family ethernet-switching
set interfaces ge-0/0/22.0 family ethernet-switching
set interfaces ge-0/0/23.0 family ethernet-switching
delete interfaces vlan.100
delete vlans
delete snmp
rename interfaces vlan.10 to unit 0
set vlans default l3-interface vlan.0
set vlans default vlan-id 1
delete routing-options
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1

commit

The above commands do the following:

Clear the current configuration of each of the interfaces on the switch
Create new blank/default configuration for each of the same interfaces
Get rid of the probably unused IP address on vlan 100
Remove SNMP configuration (which is not relevant to your stated goal)
Consolidate everything to the default VLAN (all of the interfaces are automatically members of "default" if another VLAN isn't specified.)
Change the Management VLAN to the default VLAN, as it normally would be on a factory-fresh JunOS install
Set the default gateway to be the Firewall, which is not strictly necessary in this topology since the EX is just acting as a layer 2 switch in this case, but at least you'll be able to ping hosts on the internet from the switch if everything is working.

You'll probably want to do something similar for the EX2200-48 that you didn't give the configuration for, but hopefully you can look at the commands above and perform a similar procedure. If you flatten the topology as I've described, all of your clients will get their IP addresses from the SRX240 and will get internet access.

Best Answer

Related Solutions

Juniper SRX240 Clustering – Policy out of sync

Juniper SRX240 and EX2200 Network Configuration

Related Topic