Hello everyone,
I did search this forum and all of Google and YouTube and still cannot get content filtering working.
I have a pretty basic site-to-site VPN between two Meraki MX64s, one hub and one spoke. All web traffic is going through the VPN at site 1.
However, when I enable content filtering, I choose the gambling category and the full list. At site 1, powerball.com is blocked, but not at site 2, which is in fact using site 1's web access (verified by whatismyip). If I block it at both sites on the content filtering page, then it gets blocked.
Can I really not centrally manage the sites I want blocked at my hub firewall? We are planning to add many more sites and this is our proof-of-concept effort... really hope I am missing something stupid and obvious.
Thanks for the help fellas.
If you're planning to add many sites, have you looked at using templates for centralized management of a variety of settings?
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings
"Security features over full-tunnel VPN
In a full tunnel topology, all security and content filtering must be performed on the full tunnel client. The Exit hub will not apply Content Filtering, IPS blocking, or Malware Scanning to traffic coming in over the VPN. However, IDS scanning will be performed for this traffic."
As suggested, look at using templates to get a consistent policy.
Wow, so you cannot set up content filtering at a central location even with the advanced security license? I have to build a template to apply to all spoke nodes... This seems silly and counter to a server/client relationship.
@jthunderbird wrote: Wow, so you cannot set up content filtering at a central location even with the advanced security license? I have to build a template to apply to all spoke nodes... This seems silly and counter to a server/client relationship.
I have a specific question regarding this setup but with a split tunnel. So local breakout but content filtering (URL block and allow list) on the remote site. Does this content filtering apply only to traffic to the WAN interface or also on the VPN to the central site? Do I need to allow specific internal URLs which are reachable through the Auto VPN to the central site also?
Only on the WAN interface.