Block domain but not specific sub-domain

KMNEP
Getting noticed

Block domain but not specific sub-domain

Greetings!!

I know layer3 and layer7 firewall works perfect and have been in place. But is there anyway to block a specific domain but allow it's subdomain. 

 

I want to block facebook.com but allow workplace by facebook with url as https://work-xxxxxxx.facebook.com.

 

I tried playing with layer3 as well as layer7 but failed. Please suggest if we can achieve in any way.

5 Replies 5
kYutobi
Kind of a big deal

You can check here. They have whitelist patterns. Hope this helps 🙂

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/URL_Blocking_and_Whiteli...

Enthusiast
KMNEP
Getting noticed

Hi @kYutobi,

 

Thank you for your input. But this didnt work for me which i had already tested.

🙂

 

 

SoCalRacer
Kind of a big deal

URL blocking

 
Whenever a client fetches a web page on this network, the requested URL is checked against the lists configured below to determine if the request will be allowed or blocked.

Pattern matching follows these steps: 
  1. Check if the full requested URL is on either list. e.g., http://www.foo.bar.com/qux/baz/lol?abc=123&true=false
  2. Cut off the protocol and leading "www" from the URL, and check if that is on either list: foo.bar.com/qux/baz/lol?abc=123&true=false
  3. Cut off any "GET parameters" (everything following a question mark) and check that: foo.bar.com/qux/baz/lol
  4. Cut off paths one by one, and check each: foo.bar.com/qux/baz, then foo.bar.com/qux, then foo.bar.com
  5. Cut off subdomains one by one and check those: bar.com, and then com
  6. Finally, check for the special catch-all wildcard, *, in either list.
If any of the above produces a match, then the request will be allowed through if it is in the whitelist and blocked otherwise. (That is, the whitelist takes precedence over the blacklist.)

If there is no match, the request is allowed, subject to the category filtering settings above.

HTTPS requests can also be blocked. Because the URL in an HTTPS request is encrypted, only the domain checks will be performed (www.foo.bar.com, foo.bar.com, bar.com, com, and the special catch-all *).
 
 
So it doesn't sound like it will work, because Whitelist takes precedence. The only other option I can see is traffic shaping.
 
I am not using this service so I can't test, but I would create a rule limiting facebook.com bandwidth to 20kbps and then another rule with the sub domain with 5Mbps+ bandwidth.
Richard_W
A model citizen
KMNEP
Getting noticed

@Richard_W Thank you for pointing me to the link. 🙂

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels