Block list URL patterns in Group Policy doesn't work for me

Solved
LakesideLion
Getting noticed

Block list URL patterns in Group Policy doesn't work for me

I'm trying to block some URLs in a group policy and it doesn't work for me.   Here is what I have.

 

1) I created a group policy called test_group_policy

2) Under wireless only, I specify Tag VLAN and 1100

3) Under Security Appliance Only under Block list URL Patterns, I selected "Append" and for the URL pattern, I put "*.*" so as an experiment, trying to block everything.

4) after saving it,  I Iooked for my client and under policy, for Device Policy, I selected "test_group_policy".

 

After waiting for 5 minutes,  I can still access any website from my laptop.

 

Is this not how it's supposed to work?   Interesting is if I click on "show details"  under "policy" for the client laptop there is a column showing "test_group_policy" with rules.   It doesn't show my URL pattern as part of the policy.

 

I did *.* because any single URL I put in wasn't getting blocked so I thought lets just try blocking everything.

 

What am I missing?  

1 Accepted Solution
LakesideLion
Getting noticed

After working for about a month on it was a few different support people, they've all seen it not work like they were expecting.  One even mentioned I might have stumbled across a known problem.  So it is being escalated up to the development team.

View solution in original post

8 Replies 8
alemabrahao
Kind of a big deal
Kind of a big deal

Use override instead of append.

 

Override: Means that the settings of the group policy will take precedence over the existing network settings. If a group policy is set to override, it will replace the current settings with its own.


Append: Means that the settings of the group policy will be added to the existing network settings. If a group policy is set to append, it will add its settings to the current ones without removing or altering the existing settings.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Thanks for the suggestion.  However, appending is really what I want. On the security appliance we have a base amount of stuff we want to block.   Then with the group policy we wanted to block a little more for a certain group of users.   I created this test_group_policy to try things out and I'm not getting any behavior that I would be expecting.  I've been working with Meraki support and they confirm it should work like I think it should.   It's been painful working with them.  It's been moving at a glacial pace.   After 3 weeks they've had me try 3 different things all of which has not worked.

I would try the way I'm suggesting in both allow and block, just to validate if it will work.
 
It may be that you have more specific rules releasing something and that's why it's not blocking it.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I just tested it and it worked perfectly.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
JJRiebeling
Meraki Employee
Meraki Employee

Since the question shows the catch-all as *.*, just confirming if you are indeed using the asterisk symbol "*" as catch-all? Also, how does your normal/default policy look for block and allow URLs?

I do have the asterisk symbol as a catchall.  I wanted to try it to see if that would really block everything.    We just installed all new Meraki devices this summer so things are really clean.   The only content filtering set so far are categories that are specified in the category blocking on our MX450.   Under the URL filtering we don't have anything in the blocked list or the allow list.

Ah.  I get the question now.  I was told by the support engineer I should have just used a '*'.  Fortunately for me he saw that it still didn't work after changing that.

LakesideLion
Getting noticed

After working for about a month on it was a few different support people, they've all seen it not work like they were expecting.  One even mentioned I might have stumbled across a known problem.  So it is being escalated up to the development team.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels