cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Block all websites and allow some on Z1 Firewall

SOLVED
Highlighted
Comes here often

Block all websites and allow some on Z1 Firewall

we are using Z1  in all our branches and i need to block all websites except some and we have MX100 @ HQ but our license is Enterprise so the content filtering is not allowed but even if  it's advanced also the Z1s @ the branches doesnt have this feature also i need to block all adult content ,

so kindly help me find any work around to overcome this annoying issue.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Kind of a big deal

Re: Block all websites and allow some on Z1 Firewall

Lets assume you are not using full tunnel AutoVPN.

 

What you'll have to do is use layer 3 outbound firewall rules and FQDN.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support 

 

So the bottom rule needs to be a "deny any" and then you create rules above that allowing access to whatever web sites you want.

HOWEVER the tricky bit is many web sites need many other URLs to be allowed to work because they use shared components and modules.

 

So before you put in place restrictions, do a packet capture on port 53.  Access what you want to be allowed.  And then allow everyone of those URLs.

View solution in original post

6 REPLIES 6
Highlighted
Kind of a big deal

Re: Block all websites and allow some on Z1 Firewall

Lets assume you are not using full tunnel AutoVPN.

 

What you'll have to do is use layer 3 outbound firewall rules and FQDN.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support 

 

So the bottom rule needs to be a "deny any" and then you create rules above that allowing access to whatever web sites you want.

HOWEVER the tricky bit is many web sites need many other URLs to be allowed to work because they use shared components and modules.

 

So before you put in place restrictions, do a packet capture on port 53.  Access what you want to be allowed.  And then allow everyone of those URLs.

View solution in original post

Highlighted
Comes here often

Re: Block all websites and allow some on Z1 Firewall

Thanks for your help and sorry for latency it's working well after testing

and  i am still collecting all our URLs and it's shared components .

but during testing the whats-app have a lag behavior not slowness but you feel like its buffering for one Minuit and after that all messages sent at the same time and this also in receiving messages

and what about "blocking adult content" without advanced license 

also i will feedback if i face any issue 

Highlighted
Kind of a big deal

Re: Block all websites and allow some on Z1 Firewall

"Block all adult content"

I think you mean porn.

Otherwise, an exclusive diet of children's programs will pall real soon now.

 

Trying to block adult content usually creates more problems than it solves.

 

For starters, the following regions, counties/cricket clubs are out:

  • Middlesex
  • Essex
  • Sussex
  • Wessex

Then you can add

  • dogging
  • p***y (common term for cat - not allowed here)
  • any of a number of other words with a double-entendre, such as .......

I think you get the picture.

One of the advantages of allowing anything is that it provides more ammunition when you wish to get rid of an employee.

 

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Highlighted
Comes here often

Re: Block all websites and allow some on Z1 Firewall

 

 

Kindly can you explain little bit more how block it using my enterprise license "Without content filtering" did you mean i can use this words in the layer 3 like that or what

 

Annotation 2020-01-17 175534.png

 

 

I am trustworthy of this work in front of ALLAH. so i can't choose this one>>>>>

😉 😃"One of the advantages of allowing anything is that it provides more ammunition when you wish to get rid of an employee".   

Highlighted
Kind of a big deal

Re: Block all websites and allow some on Z1 Firewall


@mohamed_mashaal wrote:

 

 

Kindly can you explain little bit more how block it using my enterprise license "Without content filtering" did you mean i can use this words in the layer 3 like that or what

 

I am trustworthy of this work in front of ALLAH. so i can't choose this one>>>>>

😉 😃"One of the advantages of allowing anything is that it provides more ammunition when you wish to get rid of an employee".   


Ahh, one of the complications of Christianity is the relative awfulness of sins of commission and omission. 😈👻😇😎 In your shoes, I'd consult Nasruddin on your dilemma, his take is sure to be instructive.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Highlighted
Kind of a big deal

Re: Block all websites and allow some on Z1 Firewall

>did you mean i can use this words in the layer 3 like that

 

Yes.  Except convert rules 7 and 8 to a "deny any" rather than "deny tcp" and "deny udp".

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.