Content Filtering Preferred Setup

Daniel24
Here to help

Content Filtering Preferred Setup

Use the standard global configuration locked down on all categories and very few sites with AD Groups providing less restrictive access? Or use the global/default network filtering for all Company/site wide URL access and categories with additional groups via AD for less or stronger restrictive access?

My thoughts was to use the initial setup of the global being most restrict to add another level of restrictions on anything that may try to get on the network that are not domain, then if you are domain you would filter into one of the other less restrictive policies.

I have inquired with Meraki support on this and informed me that both methods work, but I was still curious to see from other technicians that setup content filtering in their organization with method did they go with.?

8 Replies 8
alemabrahao
Kind of a big deal
Kind of a big deal

There is no right or wrong but rather it depends on the customer's need. Many prefer to block everything globally and release what is more specific via Group Policy.
 
But it depends on what you need and what you like.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

I tend to globally block all threat categories, as well as all categories that no one should be using.  I tend to base this list on things that could cause harm to the company, or could result in the company being prosecuted for facilitating a criminal act.

PhilipDAth_0-1687382972511.png

 

Then you could layer in additional restrictions using AD groups.  Note that using the AD approach sometimes the other restrictions take a little while to kick (say 10 minutes).  You should not expect someone will log in and immediately the additional list will be blocked.

Daniel24
Here to help

Thats how I initially started out but then had concerns about unattended no domain users maybe getting connected somehow (ie say open wall ethernet jack) so if they are restricted with a lot of access then that "could" reduce potential threats. 

So you have social media, shopping, Freeware, Adult stuff etc blocked on the individual group policies?

alemabrahao
Kind of a big deal
Kind of a big deal

Take a look at some considerations.

 

 

Content Filtering Rule Priority

There are a number of different ways on the MX to use content filtering to block or allow access to websites. In circumstances where different filtering options contradict one another, the following priority applies (from highest to lowest priority):

  1. Blocked and allow listed URL patterns.

  2. Content filtering rules applied via Group Policy (using Active Directory or otherwise).

  3. Global content filtering rules.

 

Practically speaking, with these rules in mind, consider the following best practices for content filtering design:

  • Global content filtering rules should be designed as the "default" network experience.
  • Group Policies should be used to create a "custom" network experience for users, which can be made either more or less restrictive than the default.
  • URL patterns should be used to append or allow list a specific URL from the configured blocked categories.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

>So you have social media, shopping, Freeware, Adult stuff etc blocked on the individual group policies?

 

No.  We don't have any staff that we can't trust to use their own judgement as to what is appropriate for those categories.

van604
Building a reputation

100% with @PhilipDAth, unless this is a hospitality install block those, there is no reason to be on those sites on a corp network

Daniel24
Here to help

So, with your recommendation do those users not tend to move around utilize one specific PC all the time? How do you compensate a user moving around with Group Policies that have to be applied at a VLAN or Client level and not able to restrict specifically by the user?

BlakeRichardson
Kind of a big deal
Kind of a big deal

I agree with @PhilipDAth on his method. My thoughts are if you block everything all you are doing is creating a lot of work for yourself in the future having to unblock legitimate sites as they are needed. The internet is a constantly moving beast. 

 

We block anything illegal, adult content and anything that is a threat. 

 

We log all traffic so if someone is spending more time online shopping than working then it will get noticed overtime. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels