Meraki

Community

Content Filter vs L7 rules

Solved
Adrian4
Head in the Cloud
‎Feb 14 2024 12:57 AM
‎Feb 14 2024 12:57 AM

Content Filter vs L7 rules

Hello,

I am looking to standardize filtering throughout our organization as we currently have a mish-mash of rules and methods.

There appears to be multiple ways to do it and I'm not sure whats best.


Theres the Content filter and L7 firewall rules.

Theres L7 firewall rules on each WiFi SSID

Theres L7 rules in Group Policy
Not sure if im missing one.


I read something that gave this priority order;

"There are a number of different ways on the MX to use content filtering to block or allow access to websites. In circumstances where different filtering options contradict one another, the following priority applies (from highest to lowest priority):

  1. Blocked and allow listed URL patterns.
  2. Content filtering rules applied via Group Policy (using Active Directory or otherwise).
  3. Global content filtering rules."


But what about the firewall? It sounds like content filter has least priority but im not sure. If I have content filter rules, do they override SSID firewall? or just the MX L7 rules?

What if I have a mess of rules in group policy, both L7 firewalls AND content filter? (I don't, but I just want to know how it works).

Thanks!

0 Kudos
1 Accepted Solution
Brash
Kind of a big deal
Kind of a big deal
‎Feb 14 2024 1:17 AM
‎Feb 14 2024 1:17 AM

In regard to the order of which ruleset is applied first, take a look at this doc

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...

 

As it states in the doc, content filtering is a separate feature and so if it's allowed in a l3 or l7 rule but denied in content filtering, it is still denied overall (and vice versa).

 

As for the best place to apply these policies and config, it really comes down to how you logically want to apply and manage it.

 

Once you get an idea of how/where it's applied across your networks, I recommend using the API (assuming you don't already have templates) to standardize the content filter and firewall rules.

View solution in original post

7 Replies 7
Brash
Kind of a big deal
Kind of a big deal
‎Feb 14 2024 1:17 AM
‎Feb 14 2024 1:17 AM

In regard to the order of which ruleset is applied first, take a look at this doc

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...

 

As it states in the doc, content filtering is a separate feature and so if it's allowed in a l3 or l7 rule but denied in content filtering, it is still denied overall (and vice versa).

 

As for the best place to apply these policies and config, it really comes down to how you logically want to apply and manage it.

 

Once you get an idea of how/where it's applied across your networks, I recommend using the API (assuming you don't already have templates) to standardize the content filter and firewall rules.

In response to Brash
Adrian4
Head in the Cloud
‎Feb 14 2024 3:11 AM
‎Feb 14 2024 3:11 AM

Thanks!

One more question....is there any practical difference between the content filter and L7 rules? - Why does the content filter exist?

0 Kudos
In response to Adrian4
Brash
Kind of a big deal
Kind of a big deal
‎Feb 14 2024 4:54 AM
‎Feb 14 2024 4:54 AM

L7 firewall inspects packets including payloads to determine the type of application traffic.

Content filtering simply blocks websites based on categorisation. It's completely unrelated to the type of network traffic or application.

In response to Brash
Adrian4
Head in the Cloud
‎Feb 14 2024 5:11 AM
‎Feb 14 2024 5:11 AM

I see.

In L7 firewall, I can add a rule to just block "all gaming" or a specific web address if I want.

In the content filter I can block gaming category or a specific web address.

I understand that the firewall is inspecting the traffic rather than just the destination, but why would anyone want to use the content filter instead of the firewall?

Is it just to lighten the CPU load ?

0 Kudos
In response to Adrian4
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Feb 14 2024 12:43 PM
‎Feb 14 2024 12:43 PM

Simply because using the firewall itself, you‘d have to manually configure the destination behind „Gaming“ (to stick to your example).

In response to Adrian4
Brash
Kind of a big deal
Kind of a big deal
‎Feb 14 2024 3:16 PM
‎Feb 14 2024 3:16 PM

They function differently and have different use cases.

If you look at the sub-categories of "gaming" they're all types of application traffic which would be analyzed based off ports used of payload inspection.

 

Content filtering doesn't look at ports or payload at all. It simply looks at the URL that a user is attempting to reach and checks a database to see what the website is classified as.

For example, you might want to block access to Gambling websites within your organisation. Through content filtering, you configure that category in the block, and all websites that match that classification will be blocked.

The only way to achieve this via L7 rules would be to start manually blocking individual HTTP hostnames.

Adrian4
Head in the Cloud
‎Feb 15 2024 12:19 AM
‎Feb 15 2024 12:19 AM

nice, thanks very much!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.