Meraki

Community

Allow some sites and deny the rest

Solved
jparadis
Here to help
‎Nov 23 2017 12:46 PM
‎Nov 23 2017 12:46 PM

Allow some sites and deny the rest

Hi there, first time sending a message to the Meraki Community!

 

Maybe it's a stupid question, but I didn't find a way to do what I want with my MX64 on the web:

I have to install wireless computers to employees, but I want to restrict access to only some websites (eg: the intranet to see their pay, emails and the insurance company to print out forms, etc.). How can I do that?

 

First, I created a group policy and assigned it to my 2 clients.

  1. I tried to block port 80 and 443 with layer 7 rules and URL whitelist google.*
  2. I tried to deny access to the Meraki with a level 3 deny any rule and URL whitelist google.*

Thanks for your kind help!

Labels:
0 Kudos
1 Accepted Solution
In response to jparadis
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 29 2017 10:25 AM
‎Nov 29 2017 10:25 AM

Use my method method.  Use content filtering, black list *, and then add in the allowed URLs to the wihtelist.

View solution in original post

14 Replies 14
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 23 2017 1:51 PM
‎Nov 23 2017 1:51 PM

Try using content filtering.  Blacklist the URL pattern:

*

 

Then add in the URLs you want them to be able to get to.  Note it only takes affects on new flows, so if you change it you don't always see the impact immediately.

0 Kudos
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Nov 23 2017 1:59 PM
‎Nov 23 2017 1:59 PM

I am not sure I understand you correctly, do you want to block everything except a couple of websites i.e. really locked down or do you want to allow most websites apart from a few?

 

Depending on what you want will depend on how its done.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to BlakeRichardson
jparadis
Here to help
‎Nov 29 2017 10:24 AM
‎Nov 29 2017 10:24 AM

I want to allow access to some websites and block the rest.

0 Kudos
In response to jparadis
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 29 2017 10:25 AM
‎Nov 29 2017 10:25 AM

Use my method method.  Use content filtering, black list *, and then add in the allowed URLs to the wihtelist.

In response to BlakeRichardson
jparadis
Here to help
‎Nov 29 2017 10:35 AM
‎Nov 29 2017 10:35 AM

Thanks for the answer!

So, you're telling me that in my group policy, I enter "*" in the "Blocked URL patterns" field and "*.google.com" in the "Whitelisted URL patterns" to test with Google?
0 Kudos
In response to jparadis
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 29 2017 10:38 AM
‎Nov 29 2017 10:38 AM

Correct.

 

Note it only affects new TCP flows.  Because of this it doesn't always appear to "kick in" immediately.

0 Kudos
In response to PhilipDAth
jparadis
Here to help
‎Nov 29 2017 11:45 AM
‎Nov 29 2017 11:45 AM

Thanks PhilipDAth!
Works well after the client computer reset.
0 Kudos
In response to jparadis
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 29 2017 11:49 AM
‎Nov 29 2017 11:49 AM

Yeah, used it a few times.

 

The thing that catches most people out is that it only applies to new TCP flows.  So you make a change, and it doesn't look like it is working.  You go away and get a coffee and then it is working.

0 Kudos
In response to PhilipDAth
jparadis
Here to help
‎Nov 29 2017 12:18 PM
‎Nov 29 2017 12:18 PM

One more thing: are you able to let Windows Update go through with these rules?

I added :
*.download.windowsupdate.com
*.au.windowsupdate.com
*.tlu.dl.delivery.mp.microsoft.com
to my whitelist as per https://support.microsoft.com/en-us/help/3175743/proxy-requirements-for-windows-update.

I get error 0x80d05001 when I try to update and http://download.windowsupdate.com is blacklisted when I test in the browser.

Maybe it's linked, but if I change google.ca to google.*, neither google.com or google.ca works. As if the wildcard doesn't works for me.
In response to jparadis
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 29 2017 12:20 PM
‎Nov 29 2017 12:20 PM

Those URLs will very a little bit depending on where in the world you are.  Does the below work?

 

*.windowsupdate.com

*.microsoft.com

0 Kudos
In response to PhilipDAth
jparadis
Here to help
‎Nov 29 2017 12:55 PM
‎Nov 29 2017 12:55 PM

Nice! Simply having "windowsupdate.com (and) microsoft.com" allow me to update. Seems like my system doesn't like the "*".
0 Kudos
In response to jparadis
gary1burke
New here
‎Dec 29 2017 2:43 PM
‎Dec 29 2017 2:43 PM

This is what I need except with the twist that the two business owners want their computers (on the same LAN) to have full Internet access but the others to be restricted to business required only sites. ANyone have any thoughts on how to do that? 

 

Thanks,

 

G

0 Kudos
In response to gary1burke
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 29 2017 3:58 PM
‎Dec 29 2017 3:58 PM

Apply the "whitelist" group policy to their two computers.

0 Kudos
In response to gary1burke
jparadis
Here to help
‎Jan 4 2018 12:33 PM
‎Jan 4 2018 12:33 PM

I finally used the "Blocked website categories" (nearly everything) with the following whitelist to let Gmail through (even if "Search Engines" is blocked):

  • mail.google.com
  • accounts.google.com
  • accounts.google.ca
0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.