So we have five sites: an MX100 at the main site, an MX84 at another site, and three other MX64s. The main site had an older Barracuda web filter and it has been working well. However, as we installed these Meraki devices in the enterprise we decided to upgrade from Enterprise to Advanced licensing to use the IPS, malware protection and content filtering in the cloud at all sites. It seemed logical to go this route. But as we are deploying this we have noticed some things that do not seem logical to us. We are likely missing something.
#1) AD integration: This was super easy to set up on the MX. However, it appears that you can only apply exceptions to "groups" as opposed to individual users in AD. For instance, on the cuda we could have content category rules defined for the location. And if a particular user comes up and says "I need access to shopping sites," we could set up an exclusion for that particular user via AD for that category. However, that function does not seem to exist on the Meraki. I would need to create a group and then add the user to that group to set up the exception. For the various people who might want these exceptions at the user level, this could prove to be a nightmare to manage. The closest thing I saw was to go to the clients page, select the client and apply a "group" rule to that client. However, that is by client machine and not by user. We might have two users sharing one computer. One user would get the exception where the other would not. Am I missing something? With AD integrated it does not seem logical to only allow exceptions based on groups and not users.
#2) On the group definitions I can create a group called "shopping exception," which we were hoping to use to basically set up an exception so the members of this group could visit shopping sites and not be subject to the default "network rule" that blocks all shopping sites. Seems logical. However, when I go to Network-Wide/Group Policies and scroll down to blocked website categories, it seems a little odd. It gives me the option to override or append. Append does not seem applicable here since I want to allow a site, not block one. Override seems to override all the network policies and forces me to recreate all the network-wide category lists and omit shopping. Is that correct? That will be a ton of work. Is there any way to simply "whitelist" a category for a group?
#3) It seems like these content filter rules are based on each MX instead of on the organization as a whole. Is there any way to create an organization-wide category filter that applies to all sites? I know there is the "configuration sync" at the organization level, and if that is what we need to do then I guess it would work. But it seems odd that we cannot have an organization-wide content filter and then customize each site accordingly if needed.
We love the cloud management and reporting of the Meraki units. However, this content filtering setup (especially with AD) seems like a serious regression from the Barracuda.
1. As I understand it, you are correct. Rules are applied by group. And as you have noted, you can use Meraki group policy and apply it to a single individual to override/append settings.
2. You are correct, the intention is to start with a less restrictive policy and make it more restrictive, while you are working in the opposite direction. You would need to use the "Override" option and put in everything that is blocked.
You'll probably find life easier if you can flip your policy around, so the default is less restrictive and you are simply appending to that policy for the bulk of users.
3. You want to be using bound templates. Then if you change the template, it changes it for everyone.
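The reply above says an exception group needs the "Override" option with the complete list of everything that should stay blocked. The following is an added example, not code from this thread or from Cisco Meraki, showing how a script can derive that override list from the network's own default filter (so the categories never have to be retyped by hand) and build the group policy body. It assumes the Dashboard API v1 paths /networks/{networkId}/appliance/contentFiltering and /networks/{networkId}/groupPolicies and an API key in the MERAKI_DASHBOARD_API_KEY environment variable; the category IDs and names in SAMPLE_NETWORK_FILTER are constructed placeholders, not real Meraki category identifiers, and the payload schema should be checked against the current API documentation before use.

```python
"""Derive a Meraki MX group-policy 'override' list from the network default filter.

Added example (not from the thread or from Meraki). Assumed API v1 paths:
  GET  /networks/{networkId}/appliance/contentFiltering
  POST /networks/{networkId}/groupPolicies
Network calls only happen under __main__ when MERAKI_DASHBOARD_API_KEY is set.
"""
import json
import os
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"  # assumption: Dashboard API v1 base URL

# Constructed sample of what the contentFiltering GET returns for one network.
# The IDs/names are placeholders for illustration, not real Meraki categories.
SAMPLE_NETWORK_FILTER = {
    "blockedUrlCategories": [
        {"id": "meraki:contentFiltering/category/C1", "name": "Shopping"},
        {"id": "meraki:contentFiltering/category/C2", "name": "Gambling"},
        {"id": "meraki:contentFiltering/category/C3", "name": "Adult"},
    ],
    "allowedUrlPatterns": [],
    "blockedUrlPatterns": [],
}


def override_categories(network_filter, exempt_names):
    """Return the category IDs an exception policy must restate under 'override'.

    'override' replaces the whole network-wide list, so to *allow* one category
    the policy has to list every category that should remain blocked, minus the
    exempted ones. Raises if an exempted name is not blocked network-wide, which
    catches typos that would otherwise silently change nothing.
    """
    blocked = {c["name"]: c["id"] for c in network_filter["blockedUrlCategories"]}
    missing = set(exempt_names) - set(blocked)
    if missing:
        raise ValueError(f"not blocked network-wide, nothing to exempt: {sorted(missing)}")
    return [cid for name, cid in blocked.items() if name not in exempt_names]


def append_categories(extra_ids):
    """'append' can only add categories on top of the network list; it cannot
    remove one, which is why it does not work for an allow-style exception."""
    return {"settings": "append", "categories": list(extra_ids)}


def group_policy_payload(name, category_ids):
    """Request body for the groupPolicies POST (assumed v1 schema)."""
    return {
        "name": name,
        "contentFiltering": {
            "blockedUrlCategories": {"settings": "override", "categories": category_ids},
            "allowedUrlPatterns": {"settings": "network default"},
            "blockedUrlPatterns": {"settings": "network default"},
        },
    }


def _api(method, path, api_key, body=None):
    """Minimal Dashboard API call with the standard bearer-token header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {api_key}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"null")


def create_exception_policy(network_id, policy_name, exempt_names, api_key):
    """Read the network default filter, drop the exempted categories, create policy."""
    current = _api("GET", f"/networks/{network_id}/appliance/contentFiltering", api_key)
    ids = override_categories(current, exempt_names)
    return _api("POST", f"/networks/{network_id}/groupPolicies", api_key,
                group_policy_payload(policy_name, ids))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    print(json.dumps(group_policy_payload(
        "shopping exception",
        override_categories(SAMPLE_NETWORK_FILTER, {"Shopping"})), indent=2))
    key = os.environ.get("MERAKI_DASHBOARD_API_KEY")
    net = os.environ.get("MERAKI_NETWORK_ID")  # assumed env var for the target network
    if key and net:
        print(create_exception_policy(net, "shopping exception", {"Shopping"}, key))
```

Because the list is computed from the live network filter, re-running the script after the network-wide categories change regenerates a consistent override; the same loop can be run over every network in the organization if the sites are not bound to a template.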
#1) I do not see the option to override/append for an individual. It is only by AD group. This will require many, many AD groups with one user as a member to tie into the group policy exception.
#2) It did seem like this would help by flip-flopping the policy restrictions. However, due to the inability to have granular user-level (as opposed to group) exceptions, I am still required to add many groups with one member each so the exception works properly.
#3) Thanks, it seems like templates will fit the bill nicely. I will investigate that.