BLOCK ALL and ALLOW SOME

Ritchie
Getting noticed

Hi guys,

Did you already try to set up the MX to block all traffic going to the internet and then allow some IP addresses to a specific IP address on the cloud?

Thanks.

MilesMeraki
Head in the Cloud

Hello @Ritchie, can you please supply some more information on what you're trying to achieve? Best practice design is to block all outbound traffic and only allow through services which are required. It would be great to understand more about what services you're trying to allow cloud connectivity?

Eliot F | Simplifying IT with Cloud Solutions
Ritchie
Getting noticed

Hi @MilesMeraki,

Let's say I want to allow my local network to access specific websites such as google.com, cisco.com and Office 365. The rest will be blocked.

Thanks in advance.

Ritchie
Getting noticed

Especially allow access to the Meraki dashboard.
MerakiDave
Meraki Employee

Hi Ritchie, not sure if I follow the question exactly, but you certainly have the ability to add firewall rules to allow whatever specific traffic needs to get out, followed by a deny any/any/any rule, which would drop everything else. But you also mentioned allowing access to specific IP addresses in the Meraki cloud. If you happened to be looking at the Help > Firewall Rules page, you do not need to configure the MX itself with any of those firewall rules to allow cloud connectivity.

That's usually not something you need to worry about unless your equipment is behind a more restrictive perimeter firewall or proxy that blocks all outbound connections by default, in which case you would refer to the Help > Firewall Rules page. That page shows you a snapshot of any/all FW rule info the Meraki equipment is expecting to have for all of the Dashboard comms, live tools, etc.

Let me know if I misunderstood the question.

Ritchie
Getting noticed

@MerakiDave how about websites like YouTube, Google, Facebook, or even categorized URLs? In the firewall rules it cannot be done, because they use IP addresses for the policy.

Anyway, I was trying to use content filtering here, blocking all the categories and then using whitelisting to allow google.com, but suddenly it didn't work.

Do you have a suggestion?

PhilipDAth
Kind of a big deal

I would use a content filtering rule and a layer 3 firewall rule.

Under Security Appliance > Content Filtering you could block all URLs and only allow the ones you want. Something like:

Screenshot from 2018-02-20 18-15-15.png

Then create a layer 3 rule that only allows HTTP and HTTPS to the Internet for the hosts that are allowed (which will be restricted by the content filtering rules). Something like:

Screenshot from 2018-02-20 18-18-14.png

Ritchie
Getting noticed

I will try this one. Get back to you once done. @PhilipDAth

Ritchie
Getting noticed

@PhilipDAth it works, but some of the graphics of the website are not visible. For example on facebook.com, most of the CSS styles are not visible.

fb error.PNG

PhilipDAth
Kind of a big deal

Try adding:

fbcdn.net

Ritchie
Getting noticed

@PhilipDAth it works now.

Is there a way to put one URL to cover all domains of Facebook?

Just like now you are recommending adding fbcdn.net for Facebook.

How about Google, since Google has many subdomains like mail.google.com and more?

How can I address that?

PhilipDAth
Kind of a big deal

Separate your domain names with a comma.

If you specify "google.com" it also covers mail.google.com, maps.google.com, etc.

Ritchie
Getting noticed

I have done that, but it didn't work on my side.

PhilipDAth
Kind of a big deal

Changes only take effect on new client connections. If it is only you on the network then give the MX a reboot to force it to happen. Otherwise you probably just need to wait longer (like 10 minutes).

Ritchie
Getting noticed

@PhilipDAth I tried to whitelist only "google.com" and then saved it, and I also restarted the appliance, but it seems it didn't take effect.

It works on the other sites like Facebook, cisco.com and youtube.com; only the Google site is affected.

Did you try it already on your side?

PhilipDAth
Kind of a big deal

What specific Google URL is not working?

Ritchie
Getting noticed

The whitelisting for google.com wasn't effective.

google block.PNG

Ritchie
Getting noticed

@PhilipDAth I just type google.com

PhilipDAth
Kind of a big deal

If you look at your screenshot you are not accessing google.com, but google.com.ph. Add google.com.ph to your whitelist.

Ritchie
Getting noticed

I've added "google.com.ph" too and then it can access, but still those subdomains are necessary to add to the whitelisting.
I am trying here on both my MX64 and MX65W.

Adam
Kind of a big deal

This is somewhat difficult in practice since many websites access secondary resources and CDNs. It may take you a while to get all of the things you need whitelisted. You can go to Network-wide > Event Log, then filter for 'Content Filtering blocked URL'. This will help you identify other things you may need to whitelist.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
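PhilipDAth describes the whitelist as matching a domain and everything under it (google.com covers mail.google.com but, as the google.com.ph screenshot showed, not a different registrable domain), and Adam suggests mining the event log for 'Content Filtering blocked URL' entries to find what is still missing. The following Python is an added example, not code from this thread or from Meraki, that applies that matching rule to constructed sample log lines (the line format is an assumption, not the real Meraki event log format) and lists the blocked hosts the current whitelist does not cover.

```python
import re
from urllib.parse import urlsplit

# Whitelist as typed into the content filtering page: comma-separated
# domains, each covering itself and its subdomains (per the thread).
ALLOWLIST = "google.com, facebook.com, fbcdn.net, cisco.com"

# Constructed sample log lines, NOT the real Meraki event log format.
# Entries for already-covered hosts are included on purpose: changes only
# apply to new client connections, so stale blocks can still appear.
SAMPLE_LOG = """\
Feb 20 18:15:10 MX64 content_filtering_block url=https://www.google.com.ph/ client=10.0.0.5
Feb 20 18:15:12 MX64 content_filtering_block url=https://static.xx.fbcdn.net/rsrc.php/v3/y.css
Feb 20 18:15:13 MX64 content_filtering_block url=https://mail.google.com/mail/u/0/
Feb 20 18:15:15 MX64 content_filtering_block url=https://www.googleapis.com/oauth2/v3/
"""


def parse_allowlist(text):
    """Split the comma-separated whitelist into normalised domain entries."""
    return [d.strip().lower().rstrip(".") for d in text.split(",") if d.strip()]


def host_of(url):
    """Return the lowercase hostname of a URL (scheme optional)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_allowed(url, allowlist):
    """True if the host equals an entry or is a subdomain of one.
    Label-boundary matching: google.com covers mail.google.com but
    neither google.com.ph nor notgoogle.com."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in allowlist)


def missing_entries(log_text, allowlist):
    """Hosts the log shows as blocked that no whitelist entry covers, deduplicated
    in first-seen order; these are the candidates to add next."""
    missing = []
    for url in re.findall(r"url=(\S+)", log_text):
        host = host_of(url)
        if not is_allowed(url, allowlist) and host not in missing:
            missing.append(host)
    return missing


if __name__ == "__main__":
    for host in missing_entries(SAMPLE_LOG, parse_allowlist(ALLOWLIST)):
        print("not covered by whitelist:", host)
```

Run it against an export of your own filtered event log lines (adjusting the `url=` regex to the real field) to get a short list of registrable domains to add, rather than whitelisting individual CDN hostnames one at a time.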
Coupe2112
Getting noticed

I'm going through the same thing now, in particular with Facebook (what a PIA) and had to whitelist the following to finally get it to work fully (for now)...

facebook.com
doubleclick.net
fbcdn.net
l.facebook.com
external-ams3-1.xx.fbcdn.net
static.xx.fbcnd.net
scontent-ams3-1.xx.fbcdn.net

Adam
Kind of a big deal

@Coupe2112 wrote:

I'm going through the same thing now, in particular with Facebook (what a PIA) and had to whitelist the following to finally get it to work fully (for now)...

facebook.com
doubleclick.net
fbcdn.net
l.facebook.com
external-ams3-1.xx.fbcdn.net
static.xx.fbcnd.net
scontent-ams3-1.xx.fbcdn.net

Did the fbcdn.net not capture the bottom three? Or maybe *.fbcdn.net?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO