Use the standard global configuration locked down on all categories and very few sites, with AD Groups providing less restrictive access? Or use the global/default network filtering for all company/site-wide URL access and categories, with additional groups via AD for less or more restrictive access?
My thought was to use the initial setup with the global policy being the most restrictive, to add another level of restrictions on anything that may try to get on the network that is not on the domain; then, if you are on the domain, you would filter into one of the other less restrictive policies.
I have inquired with Meraki support on this and they informed me that both methods work, but I was still curious to hear from other technicians who set up content filtering in their organization which method they went with.
I tend to globally block all threat categories, as well as all categories that no one should be using. I tend to base this list on things that could cause harm to the company, or could result in the company being prosecuted for facilitating a criminal act.
Then you could layer in additional restrictions using AD groups. Note that with the AD approach the other restrictions sometimes take a little while to kick in (say 10 minutes). You should not expect that someone will log in and the additional list will immediately be blocked.
That's how I initially started out, but then I had concerns about unattended non-domain users maybe getting connected somehow (i.e. an open wall Ethernet jack), so if they are restricted from a lot of access then that "could" reduce potential threats.
So you have social media, shopping, freeware, adult stuff, etc. blocked on the individual group policies?
There are a number of different ways on the MX to use content filtering to block or allow access to websites. In circumstances where different filtering options contradict one another, the following priority applies (from highest to lowest priority):
1. Blocked and allow-listed URL patterns.
2. Content filtering rules applied via Group Policy (using Active Directory or otherwise).
3. Global content filtering rules.
Practically speaking, with these rules in mind, consider the following best practices for content filtering design:
Global content filtering rules should be designed as the "default" network experience.
Group Policies should be used to create a "custom" network experience for users, which can be made either more or less restrictive than the default.
URL patterns should be used to add or allow-list a specific URL relative to the configured blocked categories.
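The precedence described above (URL patterns over group policy over global rules) can be modelled to check a proposed design before building it. The following is an added example written for this thread, not Meraki code or a Meraki API; the category database, policy names, hostnames and AD group name are constructed, and it assumes that an allow-listed pattern is evaluated before a blocked pattern and that an assigned group policy replaces the global rules for that client. It walks the two layouts discussed here: a locked-down global default for anything that joins the network without a group policy, and a less restrictive policy delivered to domain users through an AD group, with a URL pattern exempting one business host from a blocked category.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple


@dataclass(frozen=True)
class FilterPolicy:
    """One content-filtering policy: either the global default or a group policy."""
    name: str
    blocked_categories: frozenset = frozenset()
    blocked_patterns: tuple = ()
    allowed_patterns: tuple = ()


# Constructed stand-in for the appliance's URL categorization service (assumption).
CATEGORY_DB = {
    "facebook.com": "social_media",
    "amazon.com": "shopping",
    "vendor.example": "shopping",
    "download.example": "freeware",
    "malware.example": "threat",
}


def categorize(host: str) -> str:
    """Map a hostname to a category by exact or parent-domain match."""
    host = host.lower()
    for domain, category in CATEGORY_DB.items():
        if host == domain or host.endswith("." + domain):
            return category
    return "uncategorized"


def _matches(host: str, patterns) -> bool:
    return any(fnmatchcase(host.lower(), pattern) for pattern in patterns)


def decide(host: str, global_policy: FilterPolicy,
           group_policy: Optional[FilterPolicy] = None) -> Tuple[str, str]:
    """Return (verdict, reason) following the thread's priority order."""
    # Priority 2 over 3: a group policy assigned to the client replaces the global rules.
    policy = group_policy or global_policy
    # Priority 1: explicit URL patterns. Assumption: allow-list is checked before block-list.
    if _matches(host, policy.allowed_patterns):
        return "allow", f"{policy.name}: allow-listed pattern"
    if _matches(host, policy.blocked_patterns):
        return "block", f"{policy.name}: blocked pattern"
    # Lowest priority: category rules of whichever policy applies.
    category = categorize(host)
    if category in policy.blocked_categories:
        return "block", f"{policy.name}: category {category}"
    return "allow", f"{policy.name}: category {category} not blocked"


# Locked-down default for any client that reaches the network without a group policy.
GLOBAL_LOCKDOWN = FilterPolicy(
    name="global-lockdown",
    blocked_categories=frozenset(
        {"threat", "social_media", "shopping", "freeware", "uncategorized"}),
)

# Less restrictive policy delivered to domain users via a constructed AD group "Staff".
AD_STAFF = FilterPolicy(
    name="ad-staff",
    blocked_categories=frozenset({"threat", "freeware", "shopping"}),
    allowed_patterns=("*.vendor.example",),        # exempt one business host from 'shopping'
    blocked_patterns=("games.intranet.example",),  # block one host the categories would allow
)


def resolve(host: str, ad_groups) -> Tuple[str, str]:
    """Pick the policy for a client from its AD group membership and decide the host."""
    group_policy = AD_STAFF if "Staff" in ad_groups else None
    return decide(host, GLOBAL_LOCKDOWN, group_policy)


if __name__ == "__main__":
    for host, groups in [("facebook.com", []), ("facebook.com", ["Staff"]),
                         ("shop.vendor.example", []), ("shop.vendor.example", ["Staff"]),
                         ("games.intranet.example", ["Staff"]), ("malware.example", ["Staff"])]:
        print(host, groups, "->", resolve(host, groups))
```

The point of the exercise is the asymmetry in the locked-down design: a device with no group policy is held to the global list (including anything uncategorized), while a domain user inherits only the group policy's rules, so every category you want blocked for everyone has to be present in each group policy as well as in the global default.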
So, with your recommendation, do those users not tend to move around, and do they utilize one specific PC all the time? How do you compensate for a user moving around with Group Policies that have to be applied at a VLAN or client level and are not able to restrict specifically by user?
I agree with @PhilipDAth on his method. My thoughts are that if you block everything, all you are doing is creating a lot of work for yourself in the future, having to unblock legitimate sites as they are needed. The internet is a constantly moving beast.
We block anything illegal, adult content and anything that is a threat.
We log all traffic, so if someone is spending more time online shopping than working then it will get noticed over time.