Content Filtering over Site-to-Site VPN

jthunderbird
Conversationalist

Hello everyone,

I did search this forum and all of Google and YouTube and still cannot get content filtering working.

I have a pretty basic site-to-site VPN between two Meraki MX64s, one hub and one spoke. All web traffic is going through the VPN at site 1.

However, when I enable content filtering, I choose the gambling category and the full list. At site 1, powerball.com is blocked but not at site 2 which is in fact using site 1's web access (verified by whatismyip). If I block it at both sites on the content filtering page, then it gets blocked.

Can I really not centrally manage the sites I want blocked at my hub firewall? We are planning to add many more sites and this is our proof-of-concept effort... really hope I am missing something stupid and obvious.

Thanks for the help fellas.

Nash
Kind of a big deal

If you're planning to add many sites, have you looked at using templates for centralized management of a variety of settings?

PhilipDAth
Kind of a big deal

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings 

"Security features over full-tunnel VPN

In a full tunnel topology, all security and content filtering must be performed on the full tunnel client. The Exit hub will not apply Content Filtering, IPS blocking, or Malware Scanning to traffic coming in over the VPN. However, IDS scanning will be performed for this traffic."

As suggested, look at using templates to get a consistent policy.

 https://documentation.meraki.com/zGeneral_Administration/Templates_and_Config_Sync/Managing_Multiple... 
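An added check that follows from the documentation quoted above (it is not code from the thread or from Meraki): because the exit hub does not filter traffic arriving over the VPN, any category or URL blocked only on the hub is an unfiltered gap at every full-tunnel spoke. The script pulls each network's content-filtering settings via the Dashboard API (endpoint path and API-key header are assumed) and reports what a spoke is missing relative to the hub; the sample configs are constructed to mirror the thread.

```python
"""Drift check: the exit hub's content-filtering policy vs. each full-tunnel spoke."""
import json
import urllib.request

# Meraki Dashboard API v1 base URL (assumed; the thread does not show the API).
API_BASE = "https://api.meraki.com/api/v1"


def fetch_content_filtering(api_key, network_id, opener=urllib.request.urlopen):
    """GET /networks/{id}/appliance/contentFiltering for one network (assumed endpoint)."""
    req = urllib.request.Request(
        f"{API_BASE}/networks/{network_id}/appliance/contentFiltering",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"},
    )
    with opener(req) as resp:
        return json.load(resp)


def filtering_drift(hub_cfg, spoke_cfgs):
    """For each spoke, list the categories and URL patterns the hub blocks but the spoke does not.

    Anything reported here is reachable from that spoke's users: the hub will
    not apply content filtering to traffic that comes in over the VPN.
    """
    hub_cats = {c["name"] for c in hub_cfg.get("blockedUrlCategories", [])}
    hub_urls = set(hub_cfg.get("blockedUrlPatterns", []))
    drift = {}
    for name, cfg in spoke_cfgs.items():
        cats = {c["name"] for c in cfg.get("blockedUrlCategories", [])}
        urls = set(cfg.get("blockedUrlPatterns", []))
        missing = {"categories": sorted(hub_cats - cats), "urlPatterns": sorted(hub_urls - urls)}
        if missing["categories"] or missing["urlPatterns"]:
            drift[name] = missing
    return drift


# Constructed sample configs: site 1 (hub) blocks Gambling plus an explicit URL,
# site 2 (spoke) has nothing configured, site 3 matches the hub. Category ids are placeholders.
GAMBLING = {"id": "meraki:contentFiltering/category/PLACEHOLDER", "name": "Gambling"}
HUB = {"blockedUrlCategories": [GAMBLING], "blockedUrlPatterns": ["powerball.com"], "allowedUrlPatterns": []}
SPOKES = {
    "site 2": {"blockedUrlCategories": [], "blockedUrlPatterns": [], "allowedUrlPatterns": []},
    "site 3": {"blockedUrlCategories": [GAMBLING], "blockedUrlPatterns": ["powerball.com"], "allowedUrlPatterns": []},
}

if __name__ == "__main__":
    # Live use: replace the constructed dicts with fetch_content_filtering(key, network_id) results.
    for spoke, missing in filtering_drift(HUB, SPOKES).items():
        print(f"{spoke}: not blocking {missing}")
```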

Wow, so you cannot set up content filtering at a central location even with the advanced security license? I have to build a template to apply to all spoke nodes... This seems silly and counter to a server/client relationship.


@jthunderbird wrote:

Wow, so you cannot set up content filtering at a central location even with the advanced security license? I have to build a template to apply to all spoke nodes... This seems silly and counter to a server/client relationship.


Frustration understood.

I'm assuming there are two good reasons for this though:

  1. Processing overhead can be distributed vs condensed on a single appliance
  2. It's best practice (in general terms) to stop any unwanted traffic as close to the source as possible, at least from a security perspective (think ACLs etc.).

Nolan Herring | nolanwifi.com
ChristophW
Here to help

I have a specific question regarding this setup but with a split tunnel. So local breakout but content filtering (URL block and allow list) on the remote site. Does this content filtering apply only to traffic to the WAN interface or also on the VPN to the central site? Do I need to allow specific internal URLs which are reachable through the AutoVPN to the central site also?

Only on the WAN interface.
