Content Filter and Group Policies

Daniel24
Here to help

I'm hoping to get some assistance on understanding Content Filtering and Group policies better from the community...

Most users will likely hit the standard content filter, but in some situations that need more restrictive or less restrictive access I need to have custom content filtering groups. So, I am using Group Policy in Meraki, which ties back to an Active Directory group. The problem is that if I place a user in that Active Directory group, they never show as a client being affected. I even have the group policy associated to the VLAN, since I moved my interfaces from layer 3 at the switch up to the MX devices. But I know the user is getting associated to the correct group policy, because if I move them out of the AD group then they go back to the default content filter settings and cannot reach the webpage anymore.

So what I really need is more of an understanding of utilizing Group Policies with content filtering. How do you tell for sure that a user is applied to that Meraki Group Policy? How do you tell from logs that the user is affected by the default content filter or a specific group policy? Do you only apply the group policy at a client from the dashboard instead of a VLAN? Most importantly, how with this content filter do you combat users that may roam between different VLANs and especially different PCs?

6 Replies
alemabrahao
Kind of a big deal

When a group policy is applied to a VLAN, that policy becomes the new "network default" for any other group policies applied to clients in that VLAN. Since this policy is the new "network default," the client devices will still show a "normal" policy applied under Network-wide > Monitor > Clients.

For example, a group policy named "Guest Network" with more restrictive layer 3 firewall rules than the network-wide configuration is applied to the guest VLAN, and a second group policy "Low Bandwidth" has a custom bandwidth limit, but is set to Use network firewall & shaping rules. If the Low Bandwidth group policy is applied to a client on the guest VLAN, the client will use the layer 3 firewall rules configured on the Guest Network group policy, not the network-wide layer 3 firewall rules configured on the Security & SD-WAN > Configure > Firewall page.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
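
The precedence described in the reply above, modeled as an added Python example (not part of the original post and not Meraki code). The class, field names and sample values are hypothetical, and extending the same inheritance to content filtering is an assumption based on the "new network default" wording.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative model only: these names are hypothetical, not Meraki API objects.
INHERIT = None  # "Use network firewall & shaping rules" / use the default below


@dataclass
class Policy:
    name: str
    l3_firewall: Optional[str] = INHERIT
    bandwidth_limit: Optional[str] = INHERIT
    content_filter: Optional[str] = INHERIT


FEATURES = ("l3_firewall", "bandwidth_limit", "content_filter")


def resolve(network_wide, vlan_policy=None, client_policy=None):
    """Return (label shown for the client, {feature: (value, source policy)})."""
    # Most specific layer first. A VLAN policy sits between the client policy
    # and the network-wide settings, i.e. it acts as the new "network default".
    layers = [p for p in (client_policy, vlan_policy, network_wide) if p]
    effective = {}
    for feature in FEATURES:
        for layer in layers:
            value = getattr(layer, feature)
            if value is not INHERIT:
                effective[feature] = (value, layer.name)
                break
    # Assumption: only a policy applied to the client itself is shown by name;
    # a policy applied to the VLAN leaves the client listed as "normal".
    label = client_policy.name if client_policy else "normal"
    return label, effective


# Constructed sample data mirroring the Guest Network / Low Bandwidth example.
NETWORK_WIDE = Policy("network-wide", "network-wide L3 rules",
                      "unlimited", "default content filter")
GUEST = Policy("Guest Network", l3_firewall="guest L3 rules")
LOW_BW = Policy("Low Bandwidth", bandwidth_limit="custom limit")

if __name__ == "__main__":
    for client_policy in (None, LOW_BW):
        label, effective = resolve(NETWORK_WIDE, GUEST, client_policy)
        print(f"client shows: {label}")
        for feature, (value, source) in effective.items():
            print(f"  {feature}: {value} (from {source})")
```
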
alemabrahao
Kind of a big deal

The only way to see which group policy has been applied is via the Event log.

Daniel24
Here to help

So, in order to see for sure which group policy that client is associated to within the event logs, which category of logs do you see that with? I would assume if I had this policy applied at the VLAN then I would see it in some Security Appliance log?

Secondly, I guess since that is the "normal" applied policy, that is why it shows 0 when you look directly at the group policy within Network-Wide > Group Policy?

[Attached image: GrpPolicy_Logs.jpg]

Daniel24
Here to help

Even having a Syslog server installed doesn't indicate the Meraki Group Policy being utilized.

[Attached image: GrpPolicy-Syslog.jpg]

alemabrahao
Kind of a big deal

I'm not talking about syslog, I'm talking about the event log on the dashboard when you're using Group policy via AD.

alemabrahao
Kind of a big deal

Just a reminder.

When a group policy is applied to a VLAN, that policy becomes the new "network default" for any other group policies applied to clients in that VLAN. Since this policy is the new "network default," the client devices will still show a "normal" policy applied under Network-wide > Monitor > Clients.

For example, a group policy named "Guest Network" with more restrictive layer 3 firewall rules than the network-wide configuration is applied to the guest VLAN, and a second group policy "Low Bandwidth" has a custom bandwidth limit, but is set to Use network firewall & shaping rules. If the Low Bandwidth group policy is applied to a client on the guest VLAN, the client will use the layer 3 firewall rules configured on the Guest Network group policy, not the network-wide layer 3 firewall rules configured on the Security & SD-WAN > Configure > Firewall page.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...
