Content Filter vs L7 rules

Solved
Adrian4
Head in the Cloud


Hello,

I am looking to standardize filtering throughout our organization as we currently have a mish-mash of rules and methods.

There appear to be multiple ways to do it and I'm not sure what's best.


There's the content filter and L7 firewall rules.

There are L7 firewall rules on each WiFi SSID.

There are L7 rules in Group Policy.
Not sure if I'm missing one.


I read something that gave this priority order:

"There are a number of different ways on the MX to use content filtering to block or allow access to websites. In circumstances where different filtering options contradict one another, the following priority applies (from highest to lowest priority):

  1. Blocked and allow listed URL patterns.
  2. Content filtering rules applied via Group Policy (using Active Directory or otherwise).
  3. Global content filtering rules."


But what about the firewall? It sounds like the content filter has the least priority, but I'm not sure. If I have content filter rules, do they override the SSID firewall, or just the MX L7 rules?

What if I have a mess of rules in group policy, both L7 firewalls AND content filter? (I don't, but I just want to know how it works).

Thanks!

1 Accepted Solution
Brash
Kind of a big deal

In regard to the order in which the rulesets are applied, take a look at this doc:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...


As it states in the doc, content filtering is a separate feature, and so if something is allowed in an L3 or L7 rule but denied in content filtering, it is still denied overall (and vice versa).


As for the best place to apply these policies and config, it really comes down to how you logically want to apply and manage it.


Once you get an idea of how/where it's applied across your networks, I recommend using the API (assuming you don't already have templates) to standardize the content filter and firewall rules.


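One way to do the standardization Brash suggests, as an added example that is not Brash's code or Meraki's: audit every MX network in an organization against one baseline content-filtering standard and optionally push the baseline to networks that drift. It assumes the Dashboard API v1 endpoints `GET /organizations/{organizationId}/networks` and `GET`/`PUT /networks/{networkId}/appliance/contentFiltering`; the baseline values, URL patterns and category id are constructed placeholders, and the `request` callable is injectable so the drift logic can be exercised offline.

```python
"""Audit and standardize MX content-filtering settings across networks via
the Meraki Dashboard API v1. Added example, not from the thread or Meraki."""
import json
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"

# Organization-wide standard (constructed sample; the category id is a placeholder).
BASELINE = {
    "allowedUrlPatterns": ["intranet.example.com"],
    "blockedUrlPatterns": ["*.example-gambling.test"],
    "blockedUrlCategories": ["meraki:contentFiltering/category/EXAMPLE_GAMBLING"],
    "urlCategoryListSize": "fullList",
}
FIELDS = tuple(BASELINE)

def content_filter_drift(current, baseline=BASELINE):
    """Return {field: (current, expected)} for every field that differs.
    List-valued fields are compared as sets, so ordering never counts as drift."""
    drift = {}
    for field in FIELDS:
        have, want = current.get(field), baseline[field]
        same = set(have or []) == set(want) if isinstance(want, list) else have == want
        if not same:
            drift[field] = (have, want)
    return drift

def meraki_request(api_key, method, path, body=None):
    """Issue one Dashboard API call and return the decoded JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method, headers={
        "X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def standardize(org_id, api_key, apply=False, request=meraki_request):
    """Report (and, with apply=True, fix) drift on every MX network in the org.
    `request` is injectable so the audit logic can be tested without the API."""
    report = {}
    for net in request(api_key, "GET", f"/organizations/{org_id}/networks"):
        if "appliance" not in net.get("productTypes", []):
            continue  # content filtering lives on the MX; skip other network types
        path = f"/networks/{net['id']}/appliance/contentFiltering"
        drift = content_filter_drift(request(api_key, "GET", path))
        if drift and apply:
            request(api_key, "PUT", path, BASELINE)
        report[net["name"]] = drift
    return report
```

Run it with `apply=False` first and review the report before letting it overwrite any network; per-network exceptions belong in Group Policy, which sits above the global rules in the priority order quoted in the question.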
Adrian4
Head in the Cloud

Thanks!

One more question... is there any practical difference between the content filter and L7 rules? Why does the content filter exist?

Brash
Kind of a big deal

L7 firewall inspects packets including payloads to determine the type of application traffic.

Content filtering simply blocks websites based on categorisation. It's completely unrelated to the type of network traffic or application.

Adrian4
Head in the Cloud

I see.

In L7 firewall, I can add a rule to just block "all gaming" or a specific web address if I want.

In the content filter I can block gaming category or a specific web address.

I understand that the firewall is inspecting the traffic rather than just the destination, but why would anyone want to use the content filter instead of the firewall?

Is it just to lighten the CPU load?

CptnCrnch
Kind of a big deal

Simply because using the firewall itself, you'd have to manually configure the destination behind "Gaming" (to stick to your example).

Brash
Kind of a big deal

They function differently and have different use cases.

If you look at the sub-categories of "gaming", they're all types of application traffic which would be analyzed based off ports used or payload inspection.


Content filtering doesn't look at ports or payload at all. It simply looks at the URL that a user is attempting to reach and checks a database to see what the website is classified as.

For example, you might want to block access to Gambling websites within your organisation. Through content filtering, you configure that category in the block, and all websites that match that classification will be blocked.

The only way to achieve this via L7 rules would be to start manually blocking individual HTTP hostnames.

Adrian4
Head in the Cloud

Nice, thanks very much!
