Content Filtering and Threat Protection

Here to help

Content Filtering and Threat Protection

I have nine locations each with a Meraki MX security appliance.  All of the locations use content filtering and group policies to restrict access to certain websites.

 

I am having an issue with internal intranet sites being blocked on a shopfloor policy that blocks all URL patterns (*) and only allows patterns on the matching whitelist.  I am having to whitelist our internal URL patterns.

Further, AMP is causing issues with our internal SharePoint site at one of our locations, and in AMP's case, the whitelists are not at all reliable (many issues where whitelisting has no effect, and disabling AMP does).


Is there a way to tell the MX to not apply content filtering and threat protection to Site-to-Site VPN traffic?

 

10 REPLIES 10
A model citizen

Re: Content Filtering and Threat Protection

I don't think there is a way to disable content filtering for Site-to-site VPN traffic; you would need to make content filtering tweaks for all traffic.

For the shop floor, instead of using content filtering to block all URL patterns, I would recommend using the Layer 3 firewall settings to deny any traffic, and then have L3 firewall rules to allow traffic to either internal subnets, or specific IPs/FQDNs. I do something similar on a bunch of networks I manage and it works quite well.

As for your AMP issues, Meraki has made a lot of improvements in the more recent firmware releases. What firmware version are you running on your MX appliances?
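
The allow-internal-then-deny-any layout suggested in the reply above, as an added example that is not part of the original thread: it builds the rule list and checks first-match ordering offline before anything is entered in the dashboard. The subnets are constructed placeholders, the field names are assumed to follow the Meraki Dashboard API L3 firewall rule format, and only CIDR destinations (not FQDNs) are evaluated.

```python
import ipaddress
import json

# Constructed values (assumption): internal ranges the shop floor must reach.
INTERNAL_CIDRS = ["10.10.0.0/16", "192.168.50.0/24"]


def build_rules(internal_cidrs):
    """Allow rules for each internal subnet first, explicit deny-any last."""
    rules = [
        {"comment": f"Shop floor to internal {cidr}", "policy": "allow",
         "protocol": "any", "srcCidr": "Any", "srcPort": "Any",
         "destCidr": cidr, "destPort": "Any"}
        for cidr in internal_cidrs
    ]
    rules.append({"comment": "Shop floor default deny", "policy": "deny",
                  "protocol": "any", "srcCidr": "Any", "srcPort": "Any",
                  "destCidr": "Any", "destPort": "Any"})
    return rules


def evaluate(rules, dest_ip):
    """First-match evaluation on destination address only."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in rules:
        dest = rule["destCidr"]
        if dest == "Any" or ip in ipaddress.ip_network(dest):
            return rule["policy"]
    return "allow"  # assumption: nothing matched, appliance default rule allows


def check_order(rules):
    """Return indexes of allow rules shadowed by an earlier deny-any."""
    shadowed, seen_deny_any = [], False
    for index, rule in enumerate(rules):
        if seen_deny_any and rule["policy"] == "allow":
            shadowed.append(index)
        if rule["policy"] == "deny" and rule["destCidr"] == "Any":
            seen_deny_any = True
    return shadowed


if __name__ == "__main__":
    rules = build_rules(INTERNAL_CIDRS)
    print(json.dumps({"rules": rules}, indent=2))
    for dest in ("10.10.4.20", "93.184.216.34"):  # constructed test addresses
        print(dest, "->", evaluate(rules, dest))
    print("shadowed allow rules:", check_order(rules))
```
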

Here to help

Re: Content Filtering and Threat Protection

Thanks for the suggestions, MacuserJim.  I am at 13.33 on all of the appliances.  Still seeing frequent AMP issues related to whitelisting not having any effect.  Both on MX100 and MX84.

 
A model citizen

Re: Content Filtering and Threat Protection

It may be worth trying the MX 14.34 beta firmware on one of your sites and see if that helps with the AMP issues. I know a lot has been done to address AMP in the 14.x firmware revisions, specifically around the whitelisting issues for AMP.

Here to help

Re: Content Filtering and Threat Protection

Thanks again, MacUserJim, for the suggestion.  I have stayed away from beta versions as that has always implied "not ready for prime time" to me. But I may have to put that bias away, as it pertains to MX software.

A model citizen

Re: Content Filtering and Threat Protection

I feel ya. Past experience with Meraki's beta firmware has been pretty good so hopefully you don't have any issues with testing out this beta.

Here to help

Re: Content Filtering and Threat Protection

Update on this  -- Meraki support says I should "try" 15.10.  Anyone tried a version of firmware that requires Meraki Support to push? 

A model citizen

Re: Content Filtering and Threat Protection

I have previously and have never had major issues with them. I actually can't really think of any specific bugs running a firmware like that either.

Here to help

Re: Content Filtering and Threat Protection

Upgraded to 15.10, today.  After the upgrade, I have no WAN2 connection.  Support has verified this happened as a result of the upgrade and is advising to either reset the appliance or roll back the firmware.  Just wanted to share are bad experience with beta.

Here to help

Re: Content Filtering and Threat Protection

Our bad experience.  I apologize for the poor grammar.

Here to help

Re: Content Filtering and Threat Protection

Another update.  15.10 did not fix the AMP issue that I am seeing, and broke port 2 on an MX100 that was configured to use that port as internet 2.  Rolled back to firmware 13.33 and port 2 works, again...AMP still has many issues, even with the latest beta, and the latest beta is not a good idea in a production environment.  All done now.  Thanks.
