Maintaining PC list on Juniper SSG520 for Web Filtering

Problem Description : 

Need to occasionally update the list of PCs on the Juniper SSG520 firewall that need to be web filtered.

Resolution :

 

The list of PCs for web filtering (blocking facebook, myspace, ebay, etc.) must be manually maintained on the Juniper SSG520. The following has been developed to help ease this task.

 

Policy #6 on the SSG520 is set up to perform the web filtering. As labs/groups of PCs are identified as needing blocking, an Address Group should be created for each of them, and each Address Group should be included in the policy. The Address Group name should match the .txt file created from inventory on w:\new machine setups\xp_remote. For example, for the Library Lab PCs, the W: filename is liblab.txt and the Address Group is liblab.

 

On w:\new machine setups\xp_remote are the following files:

1. webfilter.txt contains the list of Address Groups.

2. mk_juniper_addresses.bat accepts the Address Group name as a parameter, reads the corresponding inventory .txt file and creates SSG520 commands to clear the existing PCs from the Address Group, create an Address device for each PC in the .txt file and add each Address device to the Address Group. NOTE: The old PCs from the group will not be deleted. They will just not be included in the updated Address Group. To delete the old PCs, look for Address devices ending in _AddressGroup before running the commands and delete them.

 

To write the SSG520 commands produced by mk_juniper_addresses.bat to text files with an extension of .webfilter, run the command:

for /f %i in (webfilter.txt) do mk_juniper_addresses %i > %i.webfilter

 

These files can then be opened in a text editor and copied and pasted into the SSG520 CLI.
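The generation step described above, sketched in Python as an added example (it is not the site's mk_juniper_addresses.bat). It goes one step further than the batch file by rejecting any inventory field that could smuggle extra text into the pasted CLI session and by emitting removal commands for PCs that dropped out of a previous inventory. Assumptions: inventory lines are `NAME IP`, the PCs sit in the `Trust` zone, Address devices are named `NAME_<AddressGroup>`, and the ScreenOS command forms shown should be checked against the device before pasting.

```python
import ipaddress
import re

ZONE = "Trust"  # assumption: zone holding the filtered PCs
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,14}")  # NetBIOS-style names only
SAMPLE_CURRENT = "LIB-PC01 192.0.2.11\nLIB-PC02 192.0.2.12\n"   # constructed inventory
SAMPLE_PREVIOUS = "LIB-PC01 192.0.2.11\nLIB-PC09 192.0.2.19\n"  # constructed older copy

def parse_inventory(text):
    """Return [(NAME, ip)] from 'NAME IP' lines; raise ValueError on anything else."""
    entries, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue  # skip blank lines
        if len(parts) != 2 or not NAME_RE.fullmatch(parts[0]):
            raise ValueError(f"line {lineno}: expected 'NAME IP', got {raw!r}")
        ip = ipaddress.IPv4Address(parts[1])  # ValueError on a malformed address
        name = parts[0].upper()
        if name in seen:
            raise ValueError(f"line {lineno}: duplicate PC {name}")
        seen.add(name)
        entries.append((name, str(ip)))
    return entries

def make_commands(group, inventory_text, previous_text=""):
    """Build the command list for one Address Group (hypothetical helper)."""
    if not NAME_RE.fullmatch(group):
        raise ValueError(f"bad Address Group name {group!r}")
    current = parse_inventory(inventory_text)
    cmds = [f'unset group address "{ZONE}" "{group}" clear']  # empty the group
    for name, ip in current:
        addr = f"{name}_{group}"
        cmds.append(f'set address "{ZONE}" "{addr}" {ip} 255.255.255.255')
        cmds.append(f'set group address "{ZONE}" "{group}" add "{addr}"')
    # PCs present in the older inventory but not the new one are stale entries.
    keep = {name for name, _ in current}
    for name, _ in parse_inventory(previous_text):
        if name not in keep:
            cmds.append(f'unset address "{ZONE}" "{name}_{group}"')
    return cmds

if __name__ == "__main__":
    print("\n".join(make_commands("liblab", SAMPLE_CURRENT, SAMPLE_PREVIOUS)))
```
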

 

To access the SSG520 CLI,

- Open PuTTY

- Use a Telnet connection to 168.26.252.2

- Under Terminal options, set Local echo to Force on (otherwise what you type in the Telnet screen will not display until you press Enter)

 

 

 

 

 Revision Date : 6/10/2011