block-message (Application Firewall)
Statement introduced in Junos OS Release 12.1X45-D10.
Defines the profile of the notification to be sent to clients when HTTP or HTTPS traffic is blocked by a reject or deny action from an application firewall.
The block message option is not supported for non-HTTP traffic such as FTP, SSH, Telnet, and so on. In these instances, if the action is drop or reject, the traffic is silently dropped or rejected. The user is not informed of the action and no redirection occurs. The associated system log message identifies the action taken for this traffic.
The reject or deny message actions are logged with the reason field containing one of the following phrases:
The following sample shows a system log message for SSH traffic that was rejected:
RT_FLOW_SESSION_DENY [firstname.lastname@example.org source-address="220.127.116.11" source-port="53540" destination-address="18.104.22.168" destination-port="22" connection-tag="0" service-name="junos-ssh" protocol-id="6" icmp-type="0" policy-name="p1" source-zone-name="untrust" destination-zone-name="trust" application="SSH" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" encrypted="No" reason="appfw reject"]
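Because non-HTTP traffic blocked by the application firewall is dropped silently, the RT_FLOW_SESSION_DENY record above is the only place the action is visible. The following added example (not part of the Junos documentation) parses the key="value" fields of such records and separates AppFW blocks from ordinary policy denies, flagging whether the client could have seen a block message. The sample lines are constructed; the SD-ID placeholder, the "appfw deny" reason phrase and the set of HTTP application names are assumptions, not values taken from this page.

```python
import re
from typing import Dict, List

# Constructed sample records in the RT_FLOW_SESSION_DENY layout shown on this page.
# Line 1 mirrors the page's SSH example (fields trimmed); lines 2 and 3 are invented.
# "junos@SDID-PLACEHOLDER" stands in for the real structured-data ID.
SAMPLE_LOGS = [
    'RT_FLOW_SESSION_DENY [junos@SDID-PLACEHOLDER source-address="220.127.116.11" '
    'source-port="53540" destination-address="18.104.22.168" destination-port="22" '
    'service-name="junos-ssh" protocol-id="6" policy-name="p1" application="SSH" '
    'nested-application="UNKNOWN" reason="appfw reject"]',
    # Assumed deny phrasing: the page does not list the exact reason strings.
    'RT_FLOW_SESSION_DENY [junos@SDID-PLACEHOLDER source-address="192.0.2.10" '
    'source-port="40001" destination-address="198.51.100.5" destination-port="443" '
    'service-name="junos-https" protocol-id="6" policy-name="p1" application="HTTP" '
    'nested-application="UNKNOWN" reason="appfw deny"]',
    'RT_FLOW_SESSION_DENY [junos@SDID-PLACEHOLDER source-address="192.0.2.11" '
    'source-port="40002" destination-address="198.51.100.6" destination-port="80" '
    'service-name="junos-http" protocol-id="6" policy-name="p2" application="HTTP" '
    'reason="policy deny"]',
]

# Matches one key="value" pair; keys never contain whitespace.
KV_RE = re.compile(r'(\S+?)="([^"]*)"')
# Assumed application names for which a block-message splash/redirect can be shown.
HTTP_APPS = {"HTTP", "HTTPS"}


def parse_session_deny(line: str) -> Dict[str, str]:
    """Return the key="value" fields of one RT_FLOW_SESSION_DENY record."""
    if not line.startswith("RT_FLOW_SESSION_DENY"):
        raise ValueError("not an RT_FLOW_SESSION_DENY record")
    return dict(KV_RE.findall(line))


def appfw_block_events(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only sessions blocked by the application firewall (reason 'appfw ...')
    and note whether the client could have received a block message."""
    events = []
    for line in lines:
        fields = parse_session_deny(line)
        if not fields.get("reason", "").startswith("appfw "):
            continue  # plain security-policy denies are not AppFW actions
        app = fields.get("application", "")
        events.append({
            "src": f'{fields["source-address"]}:{fields["source-port"]}',
            "dst": f'{fields["destination-address"]}:{fields["destination-port"]}',
            "application": app,
            "reason": fields["reason"],
            # SSH, FTP, Telnet etc. are dropped silently: this log is the only record.
            "client_notified": app in HTTP_APPS,
        })
    return events
```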
You need to enable SSL forward proxy for the HTTPS traffic that needs to be blocked by a reject or a deny action from an application firewall.
When the block-message option is specified, a splash screen and message inform the client that the traffic has been blocked. The default message text is:
“username, Application Firewall has blocked your request to application application-name at dest-ip:dest-port accessed from src-ip:source-port”
The variables in the message are replaced with specific traffic values. For clarity, the prefix junos: is truncated from the application name.
Starting in Junos OS Release 18.2R1, the application firewall (AppFW) functionality is deprecated. As a part of this change, the [edit security application-firewall] hierarchy and all the configuration options under this hierarchy are deprecated, rather than immediately removed, to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration.
Use the following option pairs to customize the default message or to redirect the client to a custom webpage instead of the default splash screen.
Both the type and content fields must be used to add custom text or redirect the client to a URL.
type—(Optional) The message type to be displayed after a reject or deny action.
custom-text—Text message in HTML to be added to the default text. If custom-text is specified, the splash screen displays both the default block message and the custom-defined block message.
custom-redirect-url—Redirects the client to a custom webpage instead of the default splash screen. When specified, the user is redirected when a reject or deny action is taken during one of the following HTTP methods: GET, POST, OPTIONS, HEAD, PUT, DELETE, TRACE, CONNECT, PROPFIND, PROPPATCH, LOCK, UNLOCK, COPY, MOVE, MKCOL, BCOPY, BDELETE, BMOVE, BPROPFIND, BPROPPATCH, POLL, SEARCH, SUBSCRIBE, and UNSUBSCRIBE. If the reject or deny action occurs during a different HTTP method, the traffic is silently dropped.
content—(Optional) Message content for the selected message type.
The content value must match the type option selected: custom-text requires text, and custom-redirect-url requires a URL value.
custom-text—Custom text to be added to the splash screen. Custom text is inserted below the default message. Add the characters \n to insert a line break in the displayed text.
custom-redirect-url—The URL of the webpage to which the client is directed. When traffic is rejected or denied, the client is redirected to the specified webpage for further action. The URL can be hosted on either the SRX Series device or an external server.
Enter the redirect URL in quotation marks for an HTTP or HTTPS site, as shown in the following examples: “http://custom-redirect-url” or “https://custom-redirect-url”
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.