Meraki

Ritchie · ‎Feb 19 2018

Hi guys,

Did you already try to setup the MX to block all traffic going to internet and then allow some ip addresses to specific ip address on the cloud?

Thanks.

MilesMeraki · ‎Feb 19 2018

Hello @Ritchie, can you please supply some more information on what you're trying to achieve? Best practice design is to block all outbound traffic and only allow through services which are required. It would be great to understand more about what services you're trying to allow cloud connectivity?

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

Ritchie · ‎Feb 19 2018

Hi @MilesMeraki ,

Let say i want to allow my local network to access specific website such as google.com, cisco.com and office365. The rest will be block.

Thanks in advance.

Ritchie · ‎Feb 19 2018

especially allow to access to meraki dashboard.

MerakiDave · ‎Feb 19 2018

Hi Ritchie, Not sure if I follow the question exactly, but you certainly have the ability to add firewall rules to allow whatever specific traffic needs to get out, followed by a deny any/any/any rule, which would drop everything else. But you also mentioned allowing access to specific IP addresses in the Meraki cloud. If you happened to be looking at the Help > Firewall Rules page, you do not need to configure the MX itself with any of those firewall rules to allow cloud connectivity.

That's usually not something you need to worry about unless you're equipment is behind a more restrictive perimeter firewall or proxy that blocks all outbound connections by default, in which case you would refer to the Help > Firewall Rules page. That page shows you a snapshot of any/all FW rule info the Meraki equipment is expecting to have for all of the Dashboard comms, live tools, etc.

Let me know if I misunderstood the question.

Ritchie · ‎Feb 19 2018

@MerakiDavehow about websites like youtube, google, facebook or even categorize url. Since in the firewall rules, it cannot be done because it used ip addresses for the policy.

Anyway, i was trying to use content filtering here, blocking all the category and then i use whitelisting to allow google.com but suddenly it didn't work.

Do you have a suggestion?

PhilipDAth · ‎Feb 19 2018

I would use a content filtering rule and a layer 3 firewall rule.

Under Security "Appliance/Content Filtering" you could block all URLs and only allow the ones you want. Something like:

Then create a layer 3 rule only allow http and https to the Internet for the hosts that are allowed (which will be restricted by the content filtering rules). Something like:

Ritchie · ‎Feb 19 2018

I will try this one. Get back to you once done. @PhilipDAth

Ritchie · ‎Feb 19 2018

@PhilipDAthit works but some of the graphics of website are not visible. Like for example the facebook.com, most of the CSS style are not visible.

PhilipDAth · ‎Feb 19 2018

Try adding:

fbcdn.net

Ritchie · ‎Feb 19 2018

@PhilipDAthit works now.

Is there a way to put 1 URL to cover all domain of Facebook?

Just like now you are recommending to add fbcdn.net for the facebook.

How about in the Google, since google has many sub domain like mail.google.com and more.

How can i address that?

PhilipDAth · ‎Feb 19 2018

Separate your domain names with a comma.

If you specify "google.com" it also covers mail.google.com, maps.google.com, etc.

Ritchie · ‎Feb 19 2018

I have done doing that but it didn't work on my side.

PhilipDAth · ‎Feb 19 2018

Changes only take affect on new client connections. If it is only you on the network then give the MX a reboot to force it to happen. Otherwise you probably just need to wait longer (like 10 minutes).

Ritchie · ‎Feb 20 2018

@PhilipDAthi tried to whitelist only "google.com" and then save it and i also restart the appliance but it seems it didn't take effect.

But it work on the other sites like facebook, cisco.com, youtube.com but only in google site.

Did you try it already on your side?

PhilipDAth · ‎Feb 20 2018

What specific Google URL is not working?

Ritchie · ‎Feb 20 2018

The whitelisting for google.com wasn't effective.

Ritchie · ‎Feb 20 2018

@PhilipDAthi just type google.com

PhilipDAth · ‎Feb 20 2018

If you look at your screenshot you are not accessing google.com, but google.com.ph. Added google.com.ph to your whitelist.

Ritchie · ‎Feb 20 2018

Ive added it too "google.com.ph" and then it can access but still of those sub domains are necessary to add in the whitelisting.
I am trying here both my mx64 and mx65w.

Adam · ‎Feb 20 2018

This is somewhat difficult in practice since many websites access secondary resources and CDNs. May take you a while to get all of the things you need whitelisted. You can go to Network Wide>Event Log then filter for 'Content Filtering blocked URL'. This will help you identify other things you may need to whitelist.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.

Coupe2112 · ‎Jun 19 2018

I'm going through the same thing now, in particular with Facebook (what a PIA) and had to whitelist the following to finally get it to work fully (for now)...

facebook.com
doubleclick.net
fbcdn.net
l.facebook.com
external-ams3-1.xx.fbcdn.net
static.xx.fbcnd.net
scontent-ams3-1.xx.fbcdn.net

Adam · ‎Jun 19 2018

@Coupe2112 wrote:
I'm going through the same thing now, in particular with Facebook (what a PIA) and had to whitelist the following to finally get it to work fully (for now)...

facebook.com
doubleclick.net
fbcdn.net
l.facebook.com
external-ams3-1.xx.fbcdn.net
static.xx.fbcnd.net
scontent-ams3-1.xx.fbcdn.net

Did the fbcdn.net not capture the bottom three? or maybe *.fbcdn.net

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.

Meraki

Community

BLOCK ALL and ALLOW SOME

BLOCK ALL and ALLOW SOME