Block all websites and allow some on Z1 Firewall

SOLVED
mohamed_mashaal
Comes here often

Block all websites and allow some on Z1 Firewall

we are using Z1  in all our branches and i need to block all websites except some and we have MX100 @ HQ but our license is Enterprise so the content filtering is not allowed but even if  it's advanced also the Z1s @ the branches doesnt have this feature also i need to block all adult content ,

so kindly help me find any work around to overcome this annoying issue.

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal
Kind of a big deal

Lets assume you are not using full tunnel AutoVPN.

 

What you'll have to do is use layer 3 outbound firewall rules and FQDN.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support 

 

So the bottom rule needs to be a "deny any" and then you create rules above that allowing access to whatever web sites you want.

HOWEVER the tricky bit is many web sites need many other URLs to be allowed to work because they use shared components and modules.

 

So before you put in place restrictions, do a packet capture on port 53.  Access what you want to be allowed.  And then allow everyone of those URLs.

View solution in original post

6 REPLIES 6
PhilipDAth
Kind of a big deal
Kind of a big deal

Lets assume you are not using full tunnel AutoVPN.

 

What you'll have to do is use layer 3 outbound firewall rules and FQDN.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support 

 

So the bottom rule needs to be a "deny any" and then you create rules above that allowing access to whatever web sites you want.

HOWEVER the tricky bit is many web sites need many other URLs to be allowed to work because they use shared components and modules.

 

So before you put in place restrictions, do a packet capture on port 53.  Access what you want to be allowed.  And then allow everyone of those URLs.

Thanks for your help and sorry for latency it's working well after testing

and  i am still collecting all our URLs and it's shared components .

but during testing the whats-app have a lag behavior not slowness but you feel like its buffering for one Minuit and after that all messages sent at the same time and this also in receiving messages

and what about "blocking adult content" without advanced license 

also i will feedback if i face any issue 

Uberseehandel
Kind of a big deal

"Block all adult content"

I think you mean porn.

Otherwise, an exclusive diet of children's programs will pall real soon now.

 

Trying to block adult content usually creates more problems than it solves.

 

For starters, the following regions, counties/cricket clubs are out:

  • Middlesex
  • Essex
  • Sussex
  • Wessex

Then you can add

  • dogging
  • p***y (common term for cat - not allowed here)
  • any of a number of other words with a double-entendre, such as .......

I think you get the picture.

One of the advantages of allowing anything is that it provides more ammunition when you wish to get rid of an employee.

 

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

 

 

Kindly can you explain little bit more how block it using my enterprise license "Without content filtering" did you mean i can use this words in the layer 3 like that or what

 

Annotation 2020-01-17 175534.png

 

 

I am trustworthy of this work in front of ALLAH. so i can't choose this one>>>>>

😉 😃"One of the advantages of allowing anything is that it provides more ammunition when you wish to get rid of an employee".   


@mohamed_mashaal wrote:

 

 

Kindly can you explain little bit more how block it using my enterprise license "Without content filtering" did you mean i can use this words in the layer 3 like that or what

 

I am trustworthy of this work in front of ALLAH. so i can't choose this one>>>>>

😉 😃"One of the advantages of allowing anything is that it provides more ammunition when you wish to get rid of an employee".   


Ahh, one of the complications of Christianity is the relative awfulness of sins of commission and omission. 😈👻😇😎 In your shoes, I'd consult Nasruddin on your dilemma, his take is sure to be instructive.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

>did you mean i can use this words in the layer 3 like that

 

Yes.  Except convert rules 7 and 8 to a "deny any" rather than "deny tcp" and "deny udp".

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels