BLOCK ALL and ALLOW SOME
Hi guys,
Did you already try to set up the MX to block all traffic going to the internet and then allow some IP addresses to a specific IP address on the cloud?
Thanks.
Hello @Ritchie, can you please supply some more information on what you're trying to achieve? Best practice design is to block all outbound traffic and only allow through services which are required. It would be great to understand more about which services you're trying to allow cloud connectivity for.
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Hi @MilesMeraki,
Let's say I want to allow my local network to access specific websites such as google.com, cisco.com and Office 365. The rest will be blocked.
Thanks in advance.
Hi Ritchie, not sure if I follow the question exactly, but you certainly have the ability to add firewall rules to allow whatever specific traffic needs to get out, followed by a deny any/any/any rule, which would drop everything else. But you also mentioned allowing access to specific IP addresses in the Meraki cloud. If you happened to be looking at the Help > Firewall Rules page, you do not need to configure the MX itself with any of those firewall rules to allow cloud connectivity.
That's usually not something you need to worry about unless your equipment is behind a more restrictive perimeter firewall or proxy that blocks all outbound connections by default, in which case you would refer to the Help > Firewall Rules page. That page shows you a snapshot of any/all FW rule info the Meraki equipment is expecting to have for all of the Dashboard comms, live tools, etc.
Let me know if I misunderstood the question.
@MerakiDave how about websites like YouTube, Google, Facebook, or even categorized URLs? In the firewall rules it cannot be done, because they use IP addresses for the policy.
Anyway, I was trying to use content filtering here, blocking all the categories and then using whitelisting to allow google.com, but it didn't work.
Do you have a suggestion?
I would use a content filtering rule and a layer 3 firewall rule.
Under Security Appliance > Content Filtering you could block all URLs and only allow the ones you want. Something like:
Then create a layer 3 rule that only allows HTTP and HTTPS to the Internet for the hosts that are allowed (which will be restricted by the content filtering rules). Something like:
@PhilipDAth it works, but some of the graphics of the website are not visible. For example on facebook.com, most of the CSS styles are not visible.
Try adding:
fbcdn.net
@PhilipDAth it works now.
Is there a way to put 1 URL to cover all domains of Facebook?
Just like now you are recommending to add fbcdn.net for Facebook.
How about Google, since Google has many subdomains like mail.google.com and more?
How can I address that?
Separate your domain names with a comma.
If you specify "google.com" it also covers mail.google.com, maps.google.com, etc.
I have done that, but it didn't work on my side.
Changes only take effect on new client connections. If it is only you on the network then give the MX a reboot to force it to happen. Otherwise you probably just need to wait longer (like 10 minutes).
@PhilipDAth I tried to whitelist only "google.com", saved it, and also restarted the appliance, but it seems it didn't take effect.
But it works on other sites like facebook, cisco.com and youtube.com, just not on the Google site.
Did you try it already on your side?
What specific Google URL is not working?
The whitelisting for google.com wasn't effective.
If you look at your screenshot you are not accessing google.com, but google.com.ph. Add google.com.ph to your whitelist.
I've added "google.com.ph" too and then it can be accessed, but still those subdomains are necessary to add to the whitelist.
I am trying here on both my MX64 and MX65W.
This is somewhat difficult in practice since many websites access secondary resources and CDNs. It may take you a while to get all of the things you need whitelisted. You can go to Network-wide > Event Log and then filter for 'Content Filtering blocked URL'. This will help you identify other things you may need to whitelist.
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
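As an added example (not code from this thread, from Meraki, or from any of the posters): a small Python script that applies the whole-label suffix matching the replies above describe (an entry of google.com covers mail.google.com but not google.com.ph, and fbcdn.net covers static.xx.fbcdn.net), then walks a few constructed 'Content Filtering blocked URL' event lines to list the hosts an allowlist still misses. The event line format and the hostnames are assumptions made for this example.

```python
from urllib.parse import urlparse

def host_allowed(host, allowlist):
    """True if host equals an allowlisted domain or is a subdomain of one.

    Matching is on whole labels, as the replies above describe: "google.com"
    covers "mail.google.com" but not "google.com.ph" or "notgoogle.com".
    """
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False

# Constructed sample of 'Content Filtering blocked URL' event lines. The
# exact Meraki event log format is an assumption made for this example.
SAMPLE_LOG = """\
Mar 3 10:01:12 MX64 events type=content_filtering_block url=https://www.google.com.ph/search?q=x
Mar 3 10:01:15 MX64 events type=content_filtering_block url=https://static.xx.fbcdn.net/rsrc.php/v3/y.css
Mar 3 10:01:20 MX64 events type=content_filtering_block url=https://mail.google.com/mail/
Mar 3 10:01:25 MX64 events type=content_filtering_block url=http://example-tracker.test/pixel.gif
"""

def blocked_hosts(log_text):
    """Extract the hostname of every blocked URL, in log order."""
    hosts = []
    for line in log_text.splitlines():
        if "type=content_filtering_block" not in line or "url=" not in line:
            continue
        host = urlparse(line.split("url=", 1)[1].strip()).hostname
        if host:
            hosts.append(host)
    return hosts

def missing_from_allowlist(log_text, allowlist):
    """Blocked hosts the allowlist does not yet cover, deduplicated, in order."""
    missing = []
    for host in blocked_hosts(log_text):
        if not host_allowed(host, allowlist) and host not in missing:
            missing.append(host)
    return missing

if __name__ == "__main__":
    allow = ["google.com", "facebook.com", "fbcdn.net"]
    for host in missing_from_allowlist(SAMPLE_LOG, allow):
        print("still blocked, consider allowlisting:", host)
```

Running it against real event log exports lets you grow the allowlist from what was actually blocked rather than guessing at CDN hostnames.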
I'm going through the same thing now, in particular with Facebook (what a PIA) and had to whitelist the following to finally get it to work fully (for now)...
facebook.com
doubleclick.net
fbcdn.net
l.facebook.com
external-ams3-1.xx.fbcdn.net
static.xx.fbcnd.net
scontent-ams3-1.xx.fbcdn.net
@Coupe2112 wrote: I'm going through the same thing now, in particular with Facebook (what a PIA) and had to whitelist the following to finally get it to work fully (for now)...
facebook.com
doubleclick.net
fbcdn.net
l.facebook.com
external-ams3-1.xx.fbcdn.net
static.xx.fbcnd.net
scontent-ams3-1.xx.fbcdn.net
Did the fbcdn.net not capture the bottom three? Or maybe *.fbcdn.net?
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
