I have searched, and people seem to have asked a few times over the years, but is there any chance that Cisco Meraki is going to add a layer 7 rule for TIKTOK blocking?
Or has Meraki come up with a simple way to block TIKTOK on the MX?
I know this is a hard application to block, but I have schools with MX firewalls asking about blocking this, and with how many other social sites you have layer 7 options for, it would be nice if TIKTOK could be added.
Another option: would Umbrella integration into the MX be a good way to block this?
What happens if you block everything to the DNS name *.tiktok.com?
Failing that, if you do a packet capture on port 53 as the app starts, what DNS names does it talk to? It must surely need to authenticate against something. You could try blocking access to those DNS names.
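The port 53 capture suggested above can be checked against a planned block list. This is an added example, not part of the original thread: it parses raw DNS query payloads and counts the parent domains that a `*.tiktok.com` block would not cover. The helper names and the sample hostnames are constructed for illustration.

```python
import struct
from collections import Counter

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query (used only to construct the sample data)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def qname(payload):
    """Return the first question name from a raw DNS message (UDP payload)."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("no DNS question present")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0 or pos + 1 + length > len(payload):
            raise ValueError("malformed label")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length

def covered(name, blocked):
    """True if name equals a blocked domain or is a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in blocked)

def uncovered_parents(payloads, blocked):
    """Count queries per parent domain that the block list does not cover."""
    counts = Counter()
    for p in payloads:
        if len(p) < 12 or p[2] & 0x80:   # skip runts and responses (QR bit set)
            continue
        name = qname(p)
        if not covered(name, blocked):
            # Naive parent: last two labels (not public-suffix aware).
            counts[".".join(name.split(".")[-2:])] += 1
    return counts

# Constructed sample: hostnames under domains named in this thread.
SAMPLE = [build_query(n) for n in
          ("www.tiktok.com", "api.tiktokv.com", "log.tiktokv.com", "www.tiktokcn.com")]

if __name__ == "__main__":
    print(uncovered_parents(SAMPLE, ["tiktok.com"]))
```

Feed it the UDP payloads exported from a real capture in place of `SAMPLE`; any parent domain it reports is still reachable with the current block list.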
If you are using Umbrella, there is an application category for TikTok. You can block it from there. Otherwise, you could try range blocking the IP/hostname like PhillipDAth says above.
By doing a quick Google search, a couple of the domains I found used are below; however, I suspect, like most social media platforms, this is just the tip of the iceberg.
tiktok.com
tiktokv.com
tiktokcn.com
Haha nice, you are correct. I just did a bit of searching and pulled this list from an r/sysadmin post on blocking TikTok. It's also over a year old, so your mileage may vary. I had this same problem blocking WhatsApp. The IP range list was huge because of their integration with Facebook. This is why I suggested trying to use Umbrella first. Cheers!
I use Umbrella, but not all the schools I work with do. I was looking for a 'simple' built-in solution, and that's kind of why I posted this message: to see if I was missing something, or whether perhaps Cisco Meraki would respond that something is in the works.
Try using the "make a wish" function in the dashboard, quote the NBAR web link I have given, and ask that TikTok be added as an option for layer 7 firewall rules.
Make sure you make this suggestion on the firewall page, so it gets routed to the right destination.
Here is a similar thread from 2022
https://community.meraki.com/t5/Security-SD-WAN/How-to-block-TikTok-in-2022/m-p/186482#M43696
It's amazing after 2 years it's still not a simple rule that we can use. Don't worry, you can block ICQ as I mentioned in the other thread 😀
I see that TikTok was added to NBAR August 2023.
Meraki uses NBAR, so the engine under the hood can now do it. So I suspect this just needs some Dashboard changes to allow it to be selected ...
And that is really what I hope for: something simple. People are buying the MX because it's a simple-to-deploy product. Many of the IT people at these schools that I am dealing with are more Microsoft-type IT people, and they can find their way around the MX mostly. They don't want to call for every change they need to make.
Also, if it's a built-in solution, I would hope that it's kept updated: as TikTok makes changes to get around firewalls, Cisco Meraki would also make changes to keep the blocking working.