Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Content Filtering and Threat Protection

TEAM-ind
Getting noticed
‎Oct 26 2018 9:04 AM
‎Oct 26 2018 9:04 AM

Content Filtering and Threat Protection

I have nine locations each with a Meraki MX security appliance.  All of the locations use content filtering and group policies to restrict access to certain websites.

 

I am having an issue with internal intranet sites being blocked on a shopfloor policy that blocks all url patterns (*) and only allows patterns on the matching whitelist.  I am having to white list are internal URL patterns.

 

Further, AMP is causing issues with our internal sharepoint site at one of our locations, and in AMPs case, the whitelists are not at all reliable (many issues where whitelisting has no affect, and disabling AMP does).

 

Is there a way to tell the MX to not apply content filtering and threat protection to Site-to-Site VPN traffic?

 

0 Kudos
Subscribe
10 Replies 10
MacuserJim
A model citizen
‎Oct 26 2018 9:18 AM
‎Oct 26 2018 9:18 AM

I don't think there is away to disable content filtering for Site-to-site VPN traffic, you would need to make content filtering tweaks for all traffic.

 

For the shop floor instead of using content filtering to block all URL patterns I would recommend using the Layer 3 firewall settings to deny any traffic, and then have L3 firewall rules to allow traffic to either internal subnets, or specific IPs/FQDNs. I do something similar on a bunch of networks I manage and it works quite well.

 

As for your AMP issues, Meraki has mad a lot of improvements in the more recent firmware releases. What firmware version are you running on your MX appliances?

0 Kudos
Subscribe
In response to MacuserJim
TEAM-ind
Getting noticed
‎Oct 26 2018 9:29 AM
‎Oct 26 2018 9:29 AM

Thanks for the suggestions, MacuserJim.  I am at 13.33 on all of the appliances.  Still seeing frequent AMP issues related to whitelisting not having any affect.  Both on MX100 and MX84.

 
0 Kudos
Subscribe
In response to TEAM-ind
MacuserJim
A model citizen
‎Oct 26 2018 9:36 AM
‎Oct 26 2018 9:36 AM

It may be worth trying the MX 14.34 beta firmware on one of your sites and see if that helps with the AMP issues. I know a lot has been done to address AMP in the 14.x firmware revisions, specifically around the whitelisting issues for AMP.

Subscribe
In response to MacuserJim
TEAM-ind
Getting noticed
‎Oct 26 2018 11:21 AM
‎Oct 26 2018 11:21 AM

Thanks, again MacUserJim for the suggestion.  I have stayed away from beta versions as that has always implied "not ready for prime time" to me. But I may have to put that bias away, as it pertains to MX software.   

0 Kudos
Subscribe
In response to TEAM-ind
MacuserJim
A model citizen
‎Oct 26 2018 11:24 AM
‎Oct 26 2018 11:24 AM

I feel ya. Past experience with Meraki's beta firmware has been pretty good so hopefully you don't have any issues with testing out this beta.

0 Kudos
Subscribe
In response to MacuserJim
TEAM-ind
Getting noticed
‎Nov 9 2018 2:37 PM
‎Nov 9 2018 2:37 PM

Update on this  -- Meraki support says I should "try" 15.10.  Anyone tried a version of firmware that requires Meraki Support to push? 

0 Kudos
Subscribe
In response to TEAM-ind
MacuserJim
A model citizen
‎Nov 9 2018 2:39 PM
‎Nov 9 2018 2:39 PM

I have previously and have never had major issues with them. I actually can't really think of any specific bugs running a firmware like that either.

0 Kudos
Subscribe
In response to MacuserJim
TEAM-ind
Getting noticed
‎Dec 11 2018 6:30 AM
‎Dec 11 2018 6:30 AM

Upgraded to 15.10, today.  After the upgrade, I have no WAN2 connection.  Support has verified this happened as a result of the upgrade and is advising to either reset the appliance or roll back the firmware.  Just wanted to share are bad experience with beta.

0 Kudos
Subscribe
In response to TEAM-ind
TEAM-ind
Getting noticed
‎Dec 11 2018 6:31 AM
‎Dec 11 2018 6:31 AM

Our bad experience.  I apologize for the poor grammar.

0 Kudos
Subscribe
In response to TEAM-ind
TEAM-ind
Getting noticed
‎Dec 11 2018 11:50 AM
‎Dec 11 2018 11:50 AM

Another update.  15.10 did not fix the AMP issue that I am seeing, and broke port 2 on an MX100 that was configured to use that port as internet 2.  Rolled back to firmware 13.33 and port 2 works, again...AMP still has many issues, even with the latest beta, and the latest beta is not a good idea in a production environment.  All done now.  Thanks.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.