Block Facebook app but allow Facebook Messenger

raffygo
Comes here often

Hi!

I've been trying to block the Facebook app on mobile phones and allow Facebook Messenger by using Layer 7 and Content filtering rules, but unfortunately the Facebook app still goes through; however, it is already blocked on the web browser. The Facebook Messenger app is also blocked, but I want it to be allowed through.

I've already tried to put some of the known URLs of Facebook on the black list and Facebook Messenger on the white list but nothing works.

Anybody who has been successful in doing this setup?

Thanks a lot!

7 REPLIES
PhilipDAth
Kind of a big deal

I doubt that it would work, as they are bound to use similar shared systems, such as a login system, API backend, etc.

If you still want to persist in the overwhelming odds of failure, do a packet capture on port 53, reboot the devices, and then access the two different systems. Examine what DNS entries are requested.

You might be able to come up with a set of DNS entries unique to one that you can block but still allow the other to work.

Okay. How about blocking the whole Facebook service? I can't seem to block the Facebook app. Any suggestions?

CptnCrnch
Kind of a big deal

Security & SD-WAN -> Firewall -> Layer 7 Firewall rules:

Deny Social web & photo sharing -> Facebook

Hi. I've already denied Social web & photo sharing -> Facebook in Layer 7 and also Social Networking on Content Blocking. But only the web browser based and Messenger apps get blocked. The Facebook app still goes through these filters. Any suggestions? 

Try using content filtering to block the following; make sure you do not type www. at the beginning.

facebook.com

fbcdn.net

fbcdn.com


shakesh
Comes here often

Hi raffygo,

Did you achieve your goal on this, as I have the same issue and wanted to know the solution for this.

Tadpole86
Getting noticed

To achieve this level of granular control you want, you will struggle on the Meraki for the reasons previously outlined. You would need a firewall that supports HTTPS inspection, which basically decrypts the traffic to be able to differentiate between Facebook Messenger and regular Facebook.

If you are having issues with blocking mobile apps it will likely be because of the QUIC protocol.

A lot of apps use the new-ish QUIC protocol, which uses UDP ports 80 and 443, which does not get picked up by the content filtering rules.

Once you have configured the recommended rules the QUIC traffic will get blocked by the Firewall, the app will then fall back to using traditional TLS/SSL which will be blocked by the Meraki content filtering rules.

Bedtime reading 🙂

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC#:~:text=Palo%20Alt...
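
Added example, not posted by anyone in this thread: one way to carry out the DNS comparison PhilipDAth describes, by parsing the query name out of each captured port 53 payload and splitting the names into those unique to each app and those both apps share. It assumes the UDP payloads have already been extracted from the capture; the hostnames and the `build_query` helper are constructed for illustration.

```python
import struct

def build_query(name, qid=0x1234):
    """Build a minimal DNS query payload (constructed input, not a real capture)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(payload):
    """Return the lower-cased QNAME of a DNS query, or None if it is not a clean query."""
    if len(payload) < 17:                      # 12-byte header + root label + type/class
        return None
    _qid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:         # QR bit set means response; skip those
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None                        # truncated before the root label
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(payload):
            return None                        # pointer in a question, or truncated label
        labels.append(payload[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    return ".".join(labels)

def names_seen(payloads):
    """Set of query names found in one capture session."""
    return {n for n in map(parse_qname, payloads) if n}

def compare(capture_a, capture_b):
    """Split names into those only app A asked for, only app B, and both."""
    a, b = names_seen(capture_a), names_seen(capture_b)
    return {"only_a": sorted(a - b), "only_b": sorted(b - a), "shared": sorted(a & b)}

# Constructed sessions: app A is the app to block, app B the app to keep working.
CAPTURE_A = [build_query(n) for n in
             ("login.shared.example", "Feed.App-A.example", "cdn.app-a.example")]
CAPTURE_B = [build_query(n) for n in
             ("login.shared.example", "chat.app-b.example")]

if __name__ == "__main__":
    for bucket, names in compare(CAPTURE_A, CAPTURE_B).items():
        print(bucket, names)
```

Only names in `only_a` are candidates for a block list; anything in `shared` is what makes the split fail, because blocking it breaks both apps.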
