Blocking TikTok

workmen
Here to help

Blocking TikTok

Hi guys,


I created a Layer 3 outbound rule to block TikTok. I created 2 policy object groups, namely TikTok [collection of TikTok IP addresses] and TikTok Domain [collection of TikTok domains], and called them on the L3 rule destination, but despite that I am still seeing usage of TikTok, as if it were not blocked, although I am seeing that it has 26 hits.

8 Replies
alemabrahao
Kind of a big deal

According to the screenshot, it is being denied in the rule you created. Have you done any validation to make sure they are still able to access it?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
workmen
Here to help

Yep, they are still able to access it.

michalc
Meraki Employee

Certain apps like YouTube and TikTok are very difficult to block these days. You might want to try fully blocking UDP port 443 (QUIC) if your main priority on the network is to block TikTok, but please check for collateral damage.

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
alemabrahao
Kind of a big deal

Take a look at this.


https://community.meraki.com/t5/Security-SD-WAN/Blocking-TIKTOK-in-2024/m-p/221020

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RWelch
Kind of a big deal

Tiktok.png

TikTok is recognized by NBAR.

Can you set a L7 DENY rule using TikTok?

TikTok2.png


After making the policy change, verify that it lists TikTok.


TikTok3.png


Safari can't connect now so it appears that L7 (stateless) blocking works, or it did for me anyway.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
RWelch
Kind of a big deal

You might continue to see TikTok sessions that remain active.

Firewall rules do not work on active sessions.


You'd need to wait around 10 minutes for the firewall to clear active sessions.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
michalc
Meraki Employee

From your screenshots it seems that the DENY rule is being triggered, which aligns with the objective of blocking TikTok traffic.

Please see the very helpful KB on Layer 3 and 7 Firewall Processing Order.

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
AlexL1
Meraki Employee

Hi workmen,


Please provide more detailed info:

  • When exactly is TikTok still working: while using the browser or while using the mobile app? (Most likely the QUIC protocol is in use.)
  • Have you taken a packet capture on the MX primary WAN interface?
  • When you filter for the client IP address, do you see the QUIC protocol in use while reaching the TikTok public IP address(es)?


STEP 1 - QUIC (Quick UDP Internet Connections) is a new encrypted transport layer protocol, designed to improve the performance and security of web applications by replacing TCP and TLS, and is built on top of UDP, offering features like faster connection establishment and reduced latency.


  • NOTE: It is not generally possible to block these features using firewall rules, because they work over TCP or UDP 443, which are shared with other web traffic (TLS and QUIC).


Option 1 - To prevent this, client devices can disable QUIC at the browser level:

  • Google Chrome - In the browser address bar, type chrome://flags. Disable the Experimental QUIC protocol option.
  • Microsoft Edge - In the browser address bar, type edge://flags/. Disable the Experimental QUIC protocol option.
  • Mozilla Firefox - In the browser address bar, type about:config. Disable the network.http.http3.enable option.
  • Opera - In the browser address bar, type opera://flags/#enable-quic. From the Experimental QUIC protocol drop-down list, select Disabled.


OR


Option 2 - Firewall rules to block UDP 80 and UDP 443 should be configured to prevent end-user devices from being able to circumvent Content Filtering rules. 


STEP 2 - Clear the locally cached DNS record. Correcting this behavior depends on the device's OS:

  • For Windows: open up a command prompt and run ipconfig /flushdns
  • For MacOS: open a terminal and run sudo dscacheutil -flushcache
  • For iOS: reboot the device
  • For Android: Open the Chrome browser, navigate to the URL chrome://net-internals/#dns, choose the "DNS" option, and then click "Clear host cache"


https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering/Conten...


For example, more details about the WatchGuard Firewall, an explanation of the QUIC protocol and how it can be blocked - https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Endpoint-Security/manage-settin...


https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g3dzSAA&lang=en_US#:%7E:text=Dis...


If you have more questions, please don't hesitate to contact us.


If you found this post helpful, please give it kudos.
If my answer solved your problem, click "accept as solution" so that others can benefit from it.
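As an added example (not from this thread, and not Meraki tooling), here is how the QUIC check AlexL1 describes could be scripted over the decoded UDP payloads of a WAN-side capture: it flags QUIC long-header (connection setup) packets to UDP 443 per client IP. The sample packets and the TikTok IP placeholder are constructed.

```python
import struct

QUIC_VERSIONS = {0x00000001, 0x6B3343CF}  # QUIC v1 (RFC 9000) and v2 (RFC 9369)

def is_quic_long_header(payload: bytes) -> bool:
    """Heuristic: does this UDP payload look like a QUIC long-header packet
    (Initial/Handshake, i.e. a new QUIC connection being set up)?"""
    if len(payload) < 7:
        return False
    # Bit 7 = Header Form (1 = long header), bit 6 = Fixed Bit (always 1).
    if payload[0] & 0xC0 != 0xC0:
        return False
    version = struct.unpack("!I", payload[1:5])[0]
    if version not in QUIC_VERSIONS:      # 0 = version negotiation, others unknown
        return False
    dcid_len = payload[5]                 # connection IDs are at most 20 bytes
    if dcid_len > 20 or len(payload) < 7 + dcid_len:
        return False
    scid_len = payload[6 + dcid_len]
    return scid_len <= 20 and len(payload) >= 7 + dcid_len + scid_len

def quic_clients(packets):
    """Count QUIC connection attempts to UDP 443 per client IP. Input tuples:
    (src_ip, dst_ip, proto, dst_port, udp_or_tcp_payload)."""
    counts = {}
    for src, _dst, proto, dport, payload in packets:
        if proto == "udp" and dport == 443 and is_quic_long_header(payload):
            counts[src] = counts.get(src, 0) + 1
    return counts

# Constructed sample payloads (not real captures).
QUIC_INITIAL = (b"\xc3" + b"\x00\x00\x00\x01"        # long header, Initial, version 1
                + b"\x08" + b"\x11" * 8               # 8-byte destination connection ID
                + b"\x00" + b"\x00" + b"\x00" * 8)    # empty SCID, empty token, padding
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03" + b"\x00" * 8
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
TIKTOK_IP = "203.0.113.10"  # placeholder (TEST-NET-3), not a real TikTok address

SAMPLE_PACKETS = [
    ("10.0.0.25", TIKTOK_IP, "udp", 443, QUIC_INITIAL),      # the QUIC flow to look for
    ("10.0.0.25", TIKTOK_IP, "udp", 443, QUIC_INITIAL),
    ("10.0.0.31", TIKTOK_IP, "tcp", 443, TLS_CLIENT_HELLO),  # classic TLS over TCP
    ("10.0.0.31", "10.0.0.1", "udp", 53, DNS_QUERY),         # unrelated UDP
]

if __name__ == "__main__":
    for client, n in quic_clients(SAMPLE_PACKETS).items():
        print(f"{client}: {n} QUIC Initial packet(s) to UDP 443")
```

Clients that show up here are the ones a UDP 443 block (Option 2) or a browser-level QUIC disable (Option 1) would affect.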