Content Filtering not blocking social sites

Solved
FSaucedo
Here to help

Using an MX105. So everything was working fine yesterday. This morning I am receiving reports that our Chromebooks (we're K-12) are able to access Instagram and Facebook. The filter correctly identifies the two as Social Networking. Our default filter settings block Social Networking categories. The device tells me that they are being blocked

[screenshot: FSaucedo_0-1761844026452.png]

but our Chromebook devices are still able to access them. Is this just us?

I tried to use Access Control settings to apply a group policy by Device Type

[screenshot: FSaucedo_1-1761844063797.png]

but the devices are still showing the Normal and do not show the Student Policy under client details.

[screenshot: FSaucedo_2-1761844228602.png]

This seems to be affecting our Chromebooks. Our wired computer labs are properly blocking the sites.

Would anyone be able to suggest some options?

1 Accepted Solution
deredu
Conversationalist

You may want to see if traffic is bypassing it via the QUIC protocol. This was happening to us in the Chrome browser on Mac devices. We ended up blocking QUIC via Google Workspace Chrome Management profile and creating a QUIC blocking Firewall rule on the MX. You may also want to add things like the DNS over HTTPS/TLS category to your Firewall blocks.

6 Replies
alemabrahao
Kind of a big deal

These per-device policies are not reliable; I suggest you apply the policy directly to the MX VLAN interface.

When a group policy is applied to a VLAN, that policy becomes the new "network default" for any other group policies applied to clients in that VLAN. Since this policy is the new "network default," the client devices will still show a "normal" policy applied under Network-wide > Monitor > Clients.

For example, a group policy named "Guest Network" with more restrictive layer 3 firewall rules than the network-wide configuration is applied to the guest VLAN, and a second group policy "Low Bandwidth" has a custom bandwidth limit, but is set to Use network firewall & shaping rules. If the Low Bandwidth group policy is applied to a client on the guest VLAN, the client will use the layer 3 firewall rules configured on the Guest Network group policy, not the network-wide layer 3 firewall rules configured on the Security & SD-WAN > Configure > Firewall page.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
FSaucedo
Here to help

This did the trick. We use Chromebooks in our org so this was very helpful. I went ahead and created a firewall rule as well for our student devices. Thank you!!

mlefebvre1
Here to help

The way that Meraki tries to identify what type of device it is for Group Policy is very finicky these days, but what I would test first here is blocking outbound ports 80 and 443 for UDP to see if it is QUIC that is allowing them through.

AlexP
Meraki Employee

Device type by policy only applies at the access point level, so any features on the MX you're trying to set, like content filtering policies, would not apply. It's always behaved this way because there's no way for one device to communicate its policy mappings to another.

If the policy had been set by the AP, you'd see it showing up with "Different policies by connection and SSID".

If all of your clients are using an SSID bridged to the same VLAN(s), I agree with the other feedback in this thread.

PhilipDAth
Kind of a big deal

Make sure you also block:

DoH and DoT (this bypasses content filtering)

Filter Avoidance (programs that try to bypass content filtering)

It is also possible they are simply using a privacy VPN.
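Added example (editor's code, not from any poster in this thread and not Cisco Meraki's): it puts the advice from the accepted answer, mlefebvre1's UDP 80/443 test and PhilipDAth's DoT item into one place. It classifies a handful of constructed flow records from a student VLAN by the bypass path they represent (QUIC on UDP/443 and UDP/80, DNS over TLS on TCP/853), builds the matching deny rules, and simulates Meraki-style first-match L3 evaluation with an implicit default allow so you can see which flows a rule set actually catches. Assumptions: the rule dictionary field names (comment, policy, protocol, srcCidr, srcPort, destCidr, destPort, syslogEnabled) follow the Dashboard API L3 firewall rule object as I recall it and should be checked against the current docs before pushing; the student CIDR, the addresses (RFC 5737 documentation ranges) and the flows are made up. DNS over HTTPS rides TCP/443 and is not separable by port, which is why the thread points at the content-filtering category for that one.

```python
"""Flow classifier and L3 deny-rule builder for the QUIC / DoT bypass paths
discussed in the thread. Constructed data throughout; nothing here talks
to a real MX."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Constructed sample flows from a hypothetical student VLAN (10.20.0.0/16).
# External addresses are RFC 5737 documentation ranges, not real services.
SAMPLE_FLOWS = [
    Flow("10.20.4.17", "203.0.113.35", "udp", 443),   # QUIC (HTTP/3) to a web site
    Flow("10.20.4.17", "203.0.113.35", "tcp", 443),   # ordinary TLS over TCP
    Flow("10.20.4.18", "198.51.100.1", "tcp", 853),   # DNS over TLS to an outside resolver
    Flow("10.20.4.18", "10.20.0.1", "udp", 53),       # plain DNS to the MX
    Flow("10.20.4.19", "198.51.100.8", "udp", 80),    # QUIC on port 80
]

# (protocol, destination port) -> why it slips past HTTP/DNS-based content filtering.
BYPASS_SIGNATURES = {
    ("udp", 443): "QUIC (HTTP/3): not inspected by the URL content filter",
    ("udp", 80): "QUIC on port 80: same bypass, unusual port",
    ("tcp", 853): "DNS over TLS: bypasses DNS-based category lookups",
}


def classify_bypass(flow):
    """Return the bypass reason for a flow, or None if it is a normal flow."""
    return BYPASS_SIGNATURES.get((flow.proto, flow.dport))


def find_bypass_flows(flows):
    """List (flow, reason) pairs for every flow matching a bypass signature."""
    hits = []
    for flow in flows:
        reason = classify_bypass(flow)
        if reason:
            hits.append((flow, reason))
    return hits


def build_l3_deny_rules(student_cidr):
    """Build one deny rule per bypass signature, scoped to the student subnet.
    Field names are assumed to match the Meraki Dashboard API L3 rule object;
    verify against the current API documentation before use."""
    rules = []
    for (proto, port), reason in BYPASS_SIGNATURES.items():
        rules.append({
            "comment": f"Block {reason.split(':')[0]} from student VLAN",
            "policy": "deny",
            "protocol": proto,
            "srcCidr": student_cidr,
            "srcPort": "Any",
            "destCidr": "Any",
            "destPort": str(port),
            "syslogEnabled": True,   # log hits so the bypass attempts show up in syslog
        })
    return rules


def _cidr_match(ip, cidr):
    if cidr == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(flow, rules):
    """First-match evaluation with an implicit trailing 'allow', the way
    MX L3 outbound rules behave. Returns "deny" or "allow"."""
    for rule in rules:
        if rule["protocol"] not in ("any", flow.proto):
            continue
        if rule["destPort"] not in ("Any", str(flow.dport)):
            continue
        if not _cidr_match(flow.src, rule["srcCidr"]):
            continue
        if not _cidr_match(flow.dst, rule["destCidr"]):
            continue
        return rule["policy"]
    return "allow"


if __name__ == "__main__":
    rules = build_l3_deny_rules("10.20.0.0/16")
    for flow, reason in find_bypass_flows(SAMPLE_FLOWS):
        print(f"{flow.proto}/{flow.dport} {flow.src} -> {flow.dst}: {reason}")
    for flow in SAMPLE_FLOWS:
        print(f"{flow.proto}/{flow.dport} -> {evaluate(flow, rules)}")
```

Running it shows the two QUIC flows and the DoT flow as deny and the TCP/443 and UDP/53 flows as allow; a flow from a subnet outside the student CIDR is untouched, which is the point of scoping the deny to that VLAN rather than the whole network. The same evaluation order is why the deny rules must sit above any broad allow you already have in the list.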