Group Policy not updating

MrMatt
Just browsing

Group Policy not updating

Thanks in advance for any help you can provide a Meraki Noob.  I inherited a system with a MX75 and I'm missing something. 

If I create a group policy with a level 7 firewall rule blocking social media, it works fine. These are applied on a per-client basis and sites are blocked as intended.  However, if I then go into Client details for a specific client and change the policy back to normal or even whitelisted, the websites remain blocked for that client. Clients who never had the Group policy changed retain access.

 

Also, i can go into the group policy and remove the level 7 firewall rule, returning access to all clients including the whitelisted/normal client.  It seems that even though I'm choosing a different policy option in client details, once I have applied a group policy to a client, it remains applied.

 

I'm sure I'm missing something super obvious, but cannot figure it out.  Any help would be much appreciated

7 Replies 7
ww
Kind of a big deal
Kind of a big deal

Did the client reconnect the network after you changed the policy?

 

https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Troubleshooting_Gr...

alemabrahao
Kind of a big deal
Kind of a big deal

Have you tested it on an incognito tab to see if it's not the browser cache?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Inderdeep
Kind of a big deal
Kind of a big deal

@MrMatt : make sure you did it right 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying... 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
Islam-Hussien
Here to help

 

 

  could you please follow these steps and give us the updates :

 

  1. Make sure the client disconnects and reconnects to the network. A policy will not be applied until the device connects to the network.
  2. Under Monitor > Clients, look under the Access column and see if the policy is being applied (if you do not see this column, press the plus icon and enable it). If the policy is not listed here for that client, check that the client fits the criteria for the policy to be applied.
  3. Check that the desired policy is not being overwritten by policies that take a higher priority (see below, under "What is the order of priority for Group Policies").
  4. If the part of the policy that's not working is a content filtering/layer-7 firewall rule, check that the client is not using HTTPS or a proxy. This can prevent content filtering from working properly.
  5. Check your policy to determine if Blocked Website Categories has been set to Override with no categories defined. This would enforce the network-default categories (Configure > Content Filtering)
  6. If possible, delete the policy and see if that changes client behavior, then recreate the policy and follow previous steps.
  7. Create a more limited test policy (only blocking one website, for example) and manually apply that policy to the client, to see if any policies work.
Islam Hussien
MrMatt
Just browsing

First of all, I appreciate all the information.  However, I feel I may have explained poorly.  I will try to do better. 

example:

I create a GP with a single lvl7 rule blocking, say FB, then apply that GP to a client, it will block FB as intended.  However, when I change that client back to normal, or even whitelisted, FB remains blocked. 

If I edit the GP and remove the lvl7 rule, FB becomes accessible to the client that is no longer assigned to that GP.   It's like there's an "update policy" button I'm missing, but that doesn't seem to be the case.  

 

I am selecting the Group Policy to apply via the drop down in client details. 

This is the only Group Policy that has been created. 

My test group policy contains nothing but a single level 7 rule. 

I am disconnecting from the network after changes are made.

I can reproduce this on other clients, as well as by recreating the Group Policy. 

I am on the latest FW version.

I looked through the documentation you folks kindly provided, but am not seeing the issue there. 

 

Any help is much appreciated

alemabrahao
Kind of a big deal
Kind of a big deal

I suggest you to open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
MrMatt
Just browsing

Bummer, I was afraid of that.  Just hoped it was something I had obviously done wrong that would be apparent 😞 

Thanks to everyone who took the time to offer suggestions all the same.

Get notified when there are additional replies to this discussion.