[j-nsp] SRX AppFW issue
ben b
benboyd.lists at gmail.com
Wed Oct 22 15:20:01 EDT 2014
Try these two rules...
    rule facebook {
        match {
            dynamic-application-group junos:web:social-networking:facebook;
        }
        then {
            deny;
        }
    }
    rule facebook-1 {
        match {
            dynamic-application junos:FACEBOOK-ACCESS;
        }
        then {
            deny;
        }
    }
On Wed, Oct 22, 2014 at 7:13 AM, Yuriy B. Borysov <yokodzun at yokodzun.kiev.ua> wrote:
> Hello!
>
> I have configured application-firewall on SRX220H (12.1X45-D15.5).
>
> Configuration is below:
>
> security application-firewall
>     rule-sets common-customers {
>         rule soc-net {
>             match {
>                 dynamic-application-group [ junos:social-networking junos:web:social-networking ];
>             }
>             then {
>                 deny;
>             }
>         }
>         rule bt-block {
>             match {
>                 dynamic-application-group [ junos:p2p junos:p2p:file-sharing junos:web:p2p junos:web:p2p:file-sharing ];
>             }
>             then {
>                 deny;
>             }
>         }
>         rule unknow-staff {
>             match {
>                 dynamic-application junos:UNSPECIFIED-ENCRYPTED;
>             }
>             then {
>                 deny;
>             }
>         }
>         default-rule {
>             permit;
>         }
>     }
>
> security policies from-zone trust to-zone untrust
>     policy trust-to-untrust {
>         match {
>             source-address any;
>             destination-address any;
>             application any;
>         }
>         then {
>             permit {
>                 application-services {
>                     application-firewall {
>                         rule-set common-customers;
>                     }
>                 }
>             }
>         }
>     }
>
>
> All necessary licenses and signatures are installed.
>
> But when I go to facebook.com or vk.com, pages open.
>
> And the counters on the rule "soc-net" show 0:
>
>
> # run show security application-firewall rule-set all
> Rule-set: common-customers
>   Rule: soc-net
>     Dynamic Application Groups: junos:social-networking, junos:web:social-networking
>     Action:deny
>     Number of sessions matched: 0
>     Number of sessions redirected: 0
>   Rule: bt-block
>     Dynamic Application Groups: junos:p2p, junos:p2p:file-sharing, junos:web:p2p, junos:web:p2p:file-sharing
>     Action:deny
>     Number of sessions matched: 95863
>     Number of sessions redirected: 0
>   Rule: unknow-staff
>     Dynamic Applications: junos:UNSPECIFIED-ENCRYPTED
>     Action:deny
>     Number of sessions matched: 19296
>     Number of sessions redirected: 0
>   Default rule:permit
>     Number of sessions matched: 172311
>     Number of sessions redirected: 0
>   Number of sessions with appid pending: 241
>
>
> Where am I wrong?
>
> Thanks!
>
> --
> WBR, Yuriy B. Borysov
> YOKO-UANIC | YOKO-RIPE
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
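As an added example (not code from either message in the thread), a small Python parser for the counter output Yuriy quoted above. It reads each rule's action and matched-session count from `show security application-firewall rule-set all` and flags deny rules that have never matched a session, which is exactly the symptom reported for soc-net. The field labels are taken from the output in the post, not from any Junos documentation; the sample text is constructed to reproduce that output, including a line-wrapped group list.

```python
"""Parse SRX 'show security application-firewall rule-set all' output and
flag deny rules that have never matched a session.

Assumption: the text layout is the one shown in the post above; the
keyword strings ("Rule-set:", "Dynamic Application Groups:", ...) are
taken from that output and not from any Junos documentation.
"""
import re

# Sample output, constructed to match the counters shown in the post.
SAMPLE_OUTPUT = """\
Rule-set: common-customers
  Rule: soc-net
    Dynamic Application Groups: junos:social-networking,
      junos:web:social-networking
    Action:deny
    Number of sessions matched: 0
    Number of sessions redirected: 0
  Rule: bt-block
    Dynamic Application Groups: junos:p2p, junos:p2p:file-sharing,
      junos:web:p2p, junos:web:p2p:file-sharing
    Action:deny
    Number of sessions matched: 95863
    Number of sessions redirected: 0
  Rule: unknow-staff
    Dynamic Applications: junos:UNSPECIFIED-ENCRYPTED
    Action:deny
    Number of sessions matched: 19296
    Number of sessions redirected: 0
  Default rule:permit
    Number of sessions matched: 172311
    Number of sessions redirected: 0
  Number of sessions with appid pending: 241
"""


def _names(field):
    """Split a comma-separated list of junos:... names."""
    return [n.strip() for n in field.split(",") if n.strip()]


def _new_rule(name, action=None):
    return {"name": name, "action": action, "matched": 0,
            "redirected": 0, "groups": [], "applications": []}


def parse_rule_sets(text):
    """Return {rule_set_name: {"rules": [...], "appid_pending": int}}."""
    rule_sets = {}
    rs = rule = None
    continuation = None  # which list a wrapped 'junos:...' line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"Rule-set:\s*(\S+)", line):
            rs = {"rules": [], "appid_pending": 0}
            rule_sets[m.group(1)] = rs
            rule = continuation = None
        elif rs is None:
            continue
        elif m := re.match(r"Rule:\s*(\S+)", line):
            rule = _new_rule(m.group(1))
            rs["rules"].append(rule)
            continuation = None
        elif m := re.match(r"Default rule:\s*(\S+)", line):
            rule = _new_rule("default", m.group(1))
            rs["rules"].append(rule)
            continuation = None
        elif m := re.match(r"Number of sessions with appid pending:\s*(\d+)", line):
            rs["appid_pending"] = int(m.group(1))
        elif rule is None:
            continue
        elif m := re.match(r"Dynamic Application Groups:\s*(.*)", line):
            rule["groups"].extend(_names(m.group(1)))
            continuation = "groups"
        elif m := re.match(r"Dynamic Applications:\s*(.*)", line):
            rule["applications"].extend(_names(m.group(1)))
            continuation = "applications"
        elif m := re.match(r"Action:\s*(\S+)", line):
            rule["action"] = m.group(1)
        elif m := re.match(r"Number of sessions matched:\s*(\d+)", line):
            rule["matched"] = int(m.group(1))
        elif m := re.match(r"Number of sessions redirected:\s*(\d+)", line):
            rule["redirected"] = int(m.group(1))
        elif continuation and line.startswith("junos:"):
            # wrapped continuation of the previous group/application list
            rule[continuation].extend(_names(line))
    return rule_sets


def idle_deny_rules(rule_sets):
    """(rule-set, rule) pairs whose action is deny but matched nothing."""
    return [(rs_name, r["name"])
            for rs_name, rs in rule_sets.items()
            for r in rs["rules"]
            if r["action"] == "deny" and r["matched"] == 0]


if __name__ == "__main__":
    parsed = parse_rule_sets(SAMPLE_OUTPUT)
    for rs_name, rule_name in idle_deny_rules(parsed):
        print(f"{rs_name}/{rule_name}: deny rule with zero matched sessions")
    pend = parsed["common-customers"]["appid_pending"]
    print(f"sessions still awaiting AppID classification: {pend}")
```

Run against the sample it reports only common-customers/soc-net. A zero counter on a deny rule next to a large default-rule permit count means the rule's match criteria never fired on any classified session, not that the traffic was dropped elsewhere; that is the distinction the thread is chasing.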