Content Filtering Preferred Setup

Here to help

Content Filtering Preferred Setup

Use the standard global configuration locked down on all categories and very few sites with AD Groups providing less restrictive access? Or use the global/default network filtering for all Company/site wide URL access and categories with additional groups via AD for less or stronger restrictive access?

My thoughts was to use the initial setup of the global being most restrict to add another level of restrictions on anything that may try to get on the network that are not domain, then if you are domain you would filter into one of the other less restrictive policies.

I have inquired with Meraki support on this and informed me that both methods work, but I was still curious to see from other technicians that setup content filtering in their organization with method did they go with.?

Kind of a big deal
Kind of a big deal

There is no right or wrong but rather it depends on the customer's need. Many prefer to block everything globally and release what is more specific via Group Policy.
But it depends on what you need and what you like.
Kind of a big deal
Kind of a big deal

I tend to globally block all threat categories, as well as all categories that no one should be using.  I tend to base this list on things that could cause harm to the company, or could result in the company being prosecuted for facilitating a criminal act.



Then you could layer in additional restrictions using AD groups.  Note that using the AD approach sometimes the other restrictions take a little while to kick (say 10 minutes).  You should not expect someone will log in and immediately the additional list will be blocked.

Thats how I initially started out but then had concerns about unattended no domain users maybe getting connected somehow (ie say open wall ethernet jack) so if they are restricted with a lot of access then that "could" reduce potential threats. 

So you have social media, shopping, Freeware, Adult stuff etc blocked on the individual group policies?

Take a look at some considerations.



Content Filtering Rule Priority

There are a number of different ways on the MX to use content filtering to block or allow access to websites. In circumstances where different filtering options contradict one another, the following priority applies (from highest to lowest priority):

  1. Blocked and allow listed URL patterns.

  2. Content filtering rules applied via Group Policy (using Active Directory or otherwise).

  3. Global content filtering rules.


Practically speaking, with these rules in mind, consider the following best practices for content filtering design:

  • Global content filtering rules should be designed as the "default" network experience.
  • Group Policies should be used to create a "custom" network experience for users, which can be made either more or less restrictive than the default.
  • URL patterns should be used to append or allow list a specific URL from the configured blocked categories.
Kind of a big deal
Kind of a big deal

>So you have social media, shopping, Freeware, Adult stuff etc blocked on the individual group policies?


No.  We don't have any staff that we can't trust to use their own judgement as to what is appropriate for those categories.

100% with @PhilipDAth, unless this is a hospitality install block those, there is no reason to be on those sites on a corp network

So, with your recommendation do those users not tend to move around utilize one specific PC all the time? How do you compensate a user moving around with Group Policies that have to be applied at a VLAN or Client level and not able to restrict specifically by the user?

Kind of a big deal
Kind of a big deal

I agree with @PhilipDAth on his method. My thoughts are if you block everything all you are doing is creating a lot of work for yourself in the future having to unblock legitimate sites as they are needed. The internet is a constantly moving beast. 


We block anything illegal, adult content and anything that is a threat. 


We log all traffic so if someone is spending more time online shopping than working then it will get noticed overtime. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.