Content Filtering on Z3 with full tunnel

SOLVED
Grumples
Here to help

Content Filtering on Z3 with full tunnel

We have an HQ site with an MX100.  We are using a number of Content Filtering blocked website categories.  Today, one of our users at the HQ site complained about a website that was blocked by Meraki.  He sent a screenshot that proves Meraki blocked it.

 

Another of our workers, at home using a Z3 gateway, was able to bring up that very same website.  The Z3 gateway doesn't have built-in Content Filtering, but we do have the Z3 on full-tunnel.  What I mean is, on the Site-to-Site VPN settings, the HQ MX100 is the default route.  I had assumed that putting the Z3 in full tunnel mode would mean that the Content Filtering and Threat Protection capabilities of the MX100 at our HQ site would be leveraged to protect the remote worker on the Z3 gateway.  Did I make a faulty assumption?

 

Thanks for anyone that can help me understand how both Content Filtering and Threat Protection apply in this case.

1 ACCEPTED SOLUTION
Grumples
Here to help

I think I have the answer to my own question now that I read this:

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering_and_Th...

 

This bolded sentence says it all:

Since the Z1 and Z3 do not support content filtering, traffic from both the Z1 or Z3 local subnet will not be filtered.

View solution in original post

4 REPLIES 4
Grumples
Here to help

I think I have the answer to my own question now that I read this:

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering_and_Th...

 

This bolded sentence says it all:

Since the Z1 and Z3 do not support content filtering, traffic from both the Z1 or Z3 local subnet will not be filtered.

KarstenI
Kind of a big deal
Kind of a big deal

Yes, that was a faulty assumption. Content-filtering is not done when the traffic reaches the MX over the VPN-Tunnel.

Best solution (IMO): Deploy Cisco Umbrella to the branches and configure Content-filtering there.

cmr
Kind of a big deal
Kind of a big deal

Wow, that is a rather good reason to have the MX concentrator as a single arm one without advanced licensing and to use a different vendor's equipment on the Enterprise edge then apply the advanced filtering there, thus protecting both.  Either that or terminate the VPN as above and use MXs at the edge, but pay for Advanced licensing on both!!!

 

I am astonished that Meraki think it is acceptable for home-working users to be exposed in this way and glad that by chance we are set up like the first option...

Makes sense that adding an appliance upstream from the MX would solve my content filtering problem.  I dislike adding equipment and putting yet another device inbetween us an our ISP.  But it might be the only way.  Thanks.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels