Can't get group policy to apply on my Meraki MX84

unkinected
Comes here often

We have system-wide firewall rules in place (layer 3 and 7) that are pretty basic...disallow adult sites, gambling, etc. These work fine.

 

I created a new group policy to further restrict traffic and applied it to only one computer via the specific client page. But it's not working - that computer can still get through. Our network is pretty simple - we don't have any other group policies in effect.

 

Some things I've tried:

- Just waiting to see if it takes some time to take effect

- Moving the client back to "normal" profile, waiting, then moving it back to my custom GP

- Removing the firewall rules in the GP, waiting, then re-applying.

- If I move one of the GP rules to the system-wide firewall rules, that works. 

 

Any ideas? Feel like I'm missing something obvious here, but everything looks to be set correctly. Thanks!!

 

NolanHerring
Kind of a big deal

What specifically are you trying to block? Some things you might not be able to if they are encrypted.
Nolan Herring | nolanwifi.com
BrechtSchamp
Kind of a big deal

They are only applied when the client reconnects, have you tried that?

 

More troubleshooting tips are here:

https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Troubleshooting_G...

unkinected
Comes here often

Thanks... are you saying that I have to physically disconnect the computer from the LAN (unplug the ethernet cable) and reconnect? Or is there some other disconnect you're referring to? This PC is always hard-wired in today... That's going to be a real pain if I have to do that for every PC I need to apply group policies for. 

 

 

BrechtSchamp
Kind of a big deal

Well it's a sure way to get the policy to apply immediately. The problem is that otherwise flows could be kept open. Can you try cycling the port the client is connected to?

unkinected
Comes here often

So I unplugged the machine this morning, replugged it, and the restrictions still aren't taking effect. This seems like such a simple thing but I can't figure out why it's not working.

BrechtSchamp
Kind of a big deal

What are you using to test? I'll have a try here to see if it works for me.

unkinected
Comes here often

I'm looking purely at the Meraki dashboard and our SIEM tool that is pulling logs from the Meraki. Given the rules specified in the group policy I screenshotted in my post, I would expect an IP like 81.161.59.85 to be blocked, for example. But both tools show me there is still traffic flowing to that IP.

I'll add that this is an employee's computer and I haven't gotten around to actually monitoring the traffic _on_ the machine (for example, using Wireshark), but I felt the tools I listed above are evidence enough. And I'd prefer to block this kind of traffic on the network side anyway, rather than trying to fix individual computers.

Thanks a ton for your help!
unkinected
Comes here often

Another data point - in the group policy we have all file sharing sites blocked in layer 7, including Dropbox. I just confirmed that Dropbox was indeed blocked from the computer. I tweaked that layer 7 rule to allow Dropbox, and now it's accessible from that computer.

So it seems like it's working, sort of. But my layer 3 IP rules and my layer 7 country rules are not.
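
One way to test the SIEM evidence discussed in this thread against the "flows could be kept open" explanation, as an added example that is not part of any poster's reply or of Meraki's tooling: it splits allowed flows from one client to policy-denied ranges into those that started before the policy was assigned and those that started after. The log format, client IP, timestamps and the 81.161.59.0/24 deny range are constructed assumptions; only 81.161.59.85 comes from the thread.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed flow-start records in a simplified key=value form (assumption;
# adapt parse_line to whatever your SIEM actually exports).
SAMPLE_LOG = """\
2019-06-03T08:01:10Z src=192.168.1.50 dst=81.161.59.85 dport=443 action=allow
2019-06-03T09:15:42Z src=192.168.1.50 dst=81.161.59.85 dport=443 action=allow
2019-06-03T09:16:05Z src=192.168.1.50 dst=93.184.216.34 dport=80 action=allow
2019-06-03T09:20:31Z src=192.168.1.51 dst=81.161.59.85 dport=443 action=allow
2019-06-03T09:30:00Z src=192.168.1.50 dst=81.161.59.77 dport=443 action=deny
"""

def parse_line(line):
    """Turn one record into a dict with a timezone-aware 'time' field."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return rec

def audit(log_text, client_ip, deny_nets, policy_time):
    """Return allowed flows from client_ip to denied ranges, split by
    whether they started before or after the policy was assigned."""
    nets = [ipaddress.ip_network(n) for n in deny_nets]
    result = {"before_policy": [], "after_policy": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only flows from the client under test that were let through.
        if rec["src"] != client_ip or rec["action"] != "allow":
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if not any(dst in n for n in nets):
            continue
        key = "after_policy" if rec["time"] >= policy_time else "before_policy"
        result[key].append((rec["time"].isoformat(), rec["dst"], rec["dport"]))
    return result

if __name__ == "__main__":
    assigned = datetime(2019, 6, 3, 9, 0, tzinfo=timezone.utc)  # constructed
    report = audit(SAMPLE_LOG, "192.168.1.50", ["81.161.59.0/24"], assigned)
    for bucket, flows in report.items():
        print(bucket, flows)
```

Entries under `before_policy` are consistent with flows that were already open when the policy was assigned; entries under `after_policy` are new flows the layer 3 rule did not stop.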