How to block specific HTTPS URLs through Application Firewall

Sometimes customers need to block sub-URLs of a website rather than blocking the whole site. This article provides the instructions to achieve that task using Junos AppSecure Application Firewall.

The customer needs to block the following URLs without blocking the whole site creative.adobe.com; that is, users should still be allowed to browse https://creative.adobe.com.

  1. https://creative.adobe.com/api/assets
  2. https://creative.adobe.com/api/collections
  3. https://creative.adobe.com/api/share
  4. https://creative.adobe.com/files

This can be accomplished with the Junos AppSecure Application Firewall (AppFW), but because the URLs are HTTPS, the traffic is encrypted. Application Identification (AI) requires decrypted data in order to recognize the HTTP pattern and content, so the data must be decrypted first, using the SSL Forward Proxy feature of Junos OS.

The following steps summarize how the task can be accomplished:

1. Configure SSL Forward Proxy (SSLFP) so that SSL traffic is decrypted into standard HTTP for inspection; that way the SRX can look at the sub-URLs.
2. Create a custom nested application to identify the specific sub-URLs within the main site.
3. Block the custom app through Application Firewall.
4. Apply both the AppFW and SSLFP profiles to the relevant security policies.

The following instructions describe the steps in detail, with a sample configuration. Refer to http://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/pathway-pages/security/security-basic-ssl-proxy.pdf for detailed information about the Junos SSL Forward Proxy feature.

1. Generate the self-signed cert on the SRX.

2. Configure the loaded self-signed cert as root-ca:

3. Trust all the loaded trusted certs of the browser:

4. Create a whitelist to exempt the known sites from getting decrypted by the SRX. This example shows that www.juniper.net is exempted:

5. Ignore errors encountered during the server certificate verification process at the time of the SSL handshake:

6. Here is the custom nested application that will block the specified sub-URLs, while still allowing access to the main site https://creative.adobe.com:

7. Application firewall configuration that blocks the above custom app and allows everything else:

8. Apply AppFW and SSL proxy to the security policy:

9. Commit the changes.

commit

Upon testing, we can see that all the sub-URLs are blocked by AppFW: no files can be viewed, no files can be uploaded, and so on, while access to the main site https://creative.adobe.com itself is permitted.

NOTE: It is important to load ALL the trusted certificates of the browser; otherwise SSL proxy will not work, and the relevant traffic will be blocked or allowed depending on the AppFW rules. In this specific example, if SSLFP is not able to decrypt the traffic properly for some reason (for example, missing certs), AI cannot recognize the custom app, so all traffic will fall under the permit rule.
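
The steps above, collected into one sample configuration. This is an added example, not the article's original configuration: the certificate-id, subject, profile, application, rule-set, policy and zone names and the two signature patterns are assumptions, and the statements should be validated with commit check on the Junos release in use.

```junos
# Operational mode, step 1: key pair and self-signed CA certificate
# (certificate-id, domain-name, subject and email are constructed values)
request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa
request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name srx.example.net subject "CN=srx.example.net,OU=IT,O=Example,C=US" email admin@example.net add-ca-constraint

# Configuration mode, steps 2-5: SSL forward proxy profile
set services ssl proxy profile ssl-inspect root-ca ssl-inspect-ca
# trusted-ca all relies on the browser's trusted CA certificates already being loaded
set services ssl proxy profile ssl-inspect trusted-ca all
# Whitelisted sites are not decrypted, so AppFW never sees their URLs
set security address-book global address juniper-www dns-name www.juniper.net
set services ssl proxy profile ssl-inspect whitelist juniper-www
# Step 5: the proxy continues even when server certificate verification fails
set services ssl proxy profile ssl-inspect actions ignore-server-auth-failure

# Step 6: custom nested application; both members must match
# (patterns are assumptions: Host header, then the decoded URL path)
set services application-identification nested-application my-adobe-suburls type my-adobe-suburls
set services application-identification nested-application my-adobe-suburls protocol HTTP
set services application-identification nested-application my-adobe-suburls signature s1 member m01 context http-header-host
set services application-identification nested-application my-adobe-suburls signature s1 member m01 pattern "creative\.adobe\.com"
set services application-identification nested-application my-adobe-suburls signature s1 member m01 direction client-to-server
set services application-identification nested-application my-adobe-suburls signature s1 member m02 context http-url-parsed
set services application-identification nested-application my-adobe-suburls signature s1 member m02 pattern "/(api/(assets|collections|share)|files).*"
set services application-identification nested-application my-adobe-suburls signature s1 member m02 direction client-to-server

# Step 7: deny the custom app, permit everything else
set security application-firewall rule-sets block-adobe-suburls rule deny-suburls match dynamic-application my-adobe-suburls
set security application-firewall rule-sets block-adobe-suburls rule deny-suburls then deny
# Sessions that were not decrypted are never identified as the custom app
# and therefore match this default rule
set security application-firewall rule-sets block-adobe-suburls default-rule permit

# Step 8: bind both services to the security policy (zones and match are assumptions)
set security policies from-zone trust to-zone untrust policy allow-web match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services application-firewall rule-set block-adobe-suburls
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services ssl-proxy profile-name ssl-inspect
```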

About the author

James Palmer