Blocking all internet traffic - MX250

FCFC
Here to help


Hi all

 

I'm using group policy to attempt to block all internet traffic. To do so I have applied deny to all 21 of the categories in Layer 7 and have also added the * wildcard to the Block list URL patterns.

 

On the face of it, all internet traffic is blocked; however, there are some websites which pass all traffic. I'm not sure why or what other steps I can take to block ALL internet traffic.


Any advice greatly appreciated

 

Thanks 

15 Replies
alemabrahao
Kind of a big deal

You can use an asterisk "*" in URL blocking.

 

alemabrahao_0-1747325423240.png

 

Now I read that you've already done this, so it's probably a browser cache. Try clearing your cache.

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
FCFC
Here to help

Hi there and thanks so much for replying

 

I already have the asterisk added in that section, still some traffic is passing?

alemabrahao
Kind of a big deal

Now I read that you've already done this, so it's probably a browser cache. Try clearing your cache.

 

But just to make sure you selected the override, right?

FCFC
Here to help

My browser is constantly cleared of all cached files; for whatever reason it's one of a handful of sites. Using a private browser also has the same effect.

 

Screenshot 2025-05-15 at 17.16.00.png

alemabrahao
Kind of a big deal

It can be tricky because some traffic can bypass the filters. Have you tried blocking all categories as well? What if you create an L3 rule denying everything?

 

alemabrahao_0-1747326299789.png

Otherwise I suggest you open a support case.

FCFC
Here to help

Thanks 

 

Everything that can be blocked is pretty much blocked, I agree, support ticket it is

ww
Kind of a big deal

You could also use the layer 3 firewall to block all traffic to public IPs:

1. allow RFC 1918 ranges

2. deny any

 

Using the content filter only blocks DNS-based traffic. For example, apps using a direct IP address to reach services will still be allowed.

PhilipDAth
Kind of a big deal

I would use @ww's approach. It is far more bulletproof.

 

When using L7, you are relying on the website/app having an L7 classification. What if it is not classified?

 

Layer 3 rules also allow FQDNs.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal...

 

You could also use a group policy to override the L3 rules, and then apply L7 rules.

PhilipDAth_0-1747342379021.png

 
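To illustrate why the L3 approach from @ww and @PhilipDAth above is more robust than URL/L7 filtering, here is an added example (not Meraki's code, and a simplified model of how the two filter types see traffic): an ordered first-match L3 rule set of "allow RFC 1918, deny any" evaluated against destination IPs, beside a hostname-pattern filter that only ever sees a hostname when the client supplies one. The rule list, the sample destinations and the `*`-only block list are constructed for this example.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed L3 rule set mirroring the thread: allow RFC 1918 first, then deny everything else.
# Each rule is (policy, list_of_destination_networks); evaluation is first match wins.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
L3_RULES = [
    ("allow", RFC1918),
    ("deny", [ipaddress.ip_network("0.0.0.0/0")]),
]

# Constructed URL block list: the single wildcard pattern from the original post.
URL_BLOCK_PATTERNS = ["*"]


def l3_decision(dst_ip, rules=L3_RULES):
    """Return 'allow' or 'deny' for a destination IP using ordered first-match L3 rules."""
    addr = ipaddress.ip_address(dst_ip)
    for policy, networks in rules:
        if any(addr in net for net in networks):
            return policy
    return "allow"  # assumed implicit default when no rule matches (illustrative only)


def url_filter_decision(hostname, patterns=URL_BLOCK_PATTERNS):
    """Return 'block' or 'allow' for a request based only on the hostname it carries.

    A connection made straight to an IP address (no DNS lookup, no Host header/SNI)
    presents no hostname, so a hostname-pattern filter has nothing to match against.
    """
    if hostname is None:
        return "allow"
    return "block" if any(fnmatch(hostname, p) for p in patterns) else "allow"


def compare(hostname, dst_ip):
    """Show what each filter type decides for one flow."""
    return {"url_filter": url_filter_decision(hostname), "l3_firewall": l3_decision(dst_ip)}


if __name__ == "__main__":
    # Constructed flows: a browser visit by name, an app dialing a public IP directly, and LAN traffic.
    for host, ip in (("www.example.com", "203.0.113.10"), (None, "203.0.113.10"), (None, "192.168.1.10")):
        print(host, ip, compare(host, ip))
```

The direct-to-IP flow is the one the thread describes: the URL filter passes it, the L3 deny catches it, while LAN traffic still matches the RFC 1918 allow.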

Brash
Kind of a big deal

100% agree with this.

I do this for some of my networks and it works great.

Using L3 firewall rules is a far more resilient approach than relying on L7 rules and classifications.

 

FCFC
Here to help

Thank you all so much for your reply and advice.

Below is the make-up of the GP I have applied to the device.

 

This should block all internet traffic correct?

 

Screenshot 2025-05-16 at 08.52.21.png

Screenshot 2025-05-16 at 08.52.30.png

Screenshot 2025-05-16 at 08.52.41.png

alemabrahao
Kind of a big deal

Theoretically yes.

FCFC
Here to help

Hi

 

By way of an update, I got this to work in the end using one layer 3 rule.

 

Screenshot 2025-05-16 at 15.55.11.png

No need for any Layer 7 rules.

 

Not sure if this is the right way to do what I want, but it's working.

 

Thanks for all the input

alemabrahao
Kind of a big deal

It was exactly what I had suggested before, but I ended up deleting the post. 😅

alemabrahao
Kind of a big deal

 

I didn't delete it. 😃

alemabrahao_0-1747407811929.png

 

FCFC
Here to help

Yep

 

That's why I tried it, thanks for your help.
