Content Filtering over Site-to-Site VPN

Conversationalist

Hello everyone,


I did search this forum and all of Google and YouTube and still cannot get content filtering working.


I have a pretty basic site-to-site VPN between two Meraki MX64s, one hub and one spoke. All web traffic is going through the VPN at site 1.


However, when I enable content filtering, I choose the gambling category and the full list. At site 1, powerball.com is blocked but not at site 2 which is in fact using site 1's web access (verified by whatismyip). If I block it at both sites on the content filtering page, then it gets blocked.


Can I really not centrally manage the sites I want blocked at my hub firewall? We are planning to add many more sites and this is our proof-of-concept effort... really hope I am missing something stupid and obvious.


Thanks for the help fellas.

Kind of a big deal

Re: Content Filtering over Site-to-Site VPN

If you're planning to add many sites, have you looked at using templates for centralized management of a variety of settings?

Kind of a big deal

Re: Content Filtering over Site-to-Site VPN

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings 

"Security features over full-tunnel VPN

In a full tunnel topology, all security and content filtering must be performed on the full tunnel client. The Exit hub will not apply Content Filtering, IPS blocking, or Malware Scanning to traffic coming in over the VPN. However, IDS scanning will be performed for this traffic."

 

As suggested, look at using templates to get a consistent policy.

 https://documentation.meraki.com/zGeneral_Administration/Templates_and_Config_Sync/Managing_Multiple... 
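An added example, not code from this thread, from Meraki, or from either poster: given the documented behaviour quoted above, the practical control is to make sure every spoke carries the same content-filtering policy as the hub, whether you get there with templates or by script. The Python below uses the Meraki Dashboard API to compare each spoke's content filtering settings against the hub's and, on request, push the hub's policy to any spoke that has drifted. The endpoint paths and field names are my recollection of Dashboard API v1 and are assumptions to check against the current reference; the network ids and the gambling category id in FakeTransport are constructed placeholders so the script runs offline.

```python
"""Find and fix content-filtering drift between a Meraki MX hub and its spokes.
Assumed Dashboard API v1 endpoints (check the current reference): GET /organizations/{org}/networks,
GET /networks/{id}/appliance/vpn/siteToSiteVpn ({"mode": "hub"|"spoke"|"none"}),
GET and PUT /networks/{id}/appliance/contentFiltering (GET lists categories as {"id","name"}
objects, PUT takes bare ids)."""
import json
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"
POLICY_FIELDS = ("blockedUrlCategories", "blockedUrlPatterns", "allowedUrlPatterns", "urlCategoryListSize")


class HttpTransport:
    """Real API client; anything with the same request(method, path, body) signature can replace it."""
    def __init__(self, api_key):
        self.api_key = api_key

    def request(self, method, path, body=None):
        req = urllib.request.Request(API_BASE + path, method=method,
                                     data=None if body is None else json.dumps(body).encode(),
                                     headers={"X-Cisco-Meraki-API-Key": self.api_key,
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)


class FakeTransport:
    """Offline stand-in with constructed data reproducing the thread's symptom: the hub blocks the
    gambling category against the full list, the spoke blocks nothing. Category id is a placeholder."""
    GAMBLING = "meraki:contentFiltering/category/gambling"

    def __init__(self):
        self.networks = [{"id": "N_site1", "productTypes": ["appliance"]},
                         {"id": "N_site2", "productTypes": ["appliance"]},
                         {"id": "N_wifi", "productTypes": ["wireless"]}]  # no MX here: skipped
        self.vpn = {"N_site1": {"mode": "hub"}, "N_site2": {"mode": "spoke"}}
        self.filtering = {
            "N_site1": {"blockedUrlCategories": [{"id": self.GAMBLING, "name": "Gambling"}],
                        "blockedUrlPatterns": [], "allowedUrlPatterns": [], "urlCategoryListSize": "fullList"},
            "N_site2": {"blockedUrlCategories": [], "blockedUrlPatterns": [],
                        "allowedUrlPatterns": [], "urlCategoryListSize": "topSites"}}
        self.puts = []  # every PUT as (network id, payload), so a dry run is verifiable

    def request(self, method, path, body=None):
        parts = path.strip("/").split("/")
        if parts[0] == "organizations":
            return self.networks
        net = parts[1]
        if parts[-1] == "siteToSiteVpn":
            return self.vpn.get(net, {"mode": "none"})
        if method == "PUT":
            self.puts.append((net, body))
            self.filtering[net] = dict(body)
        return self.filtering[net]


def normalize(cfg):
    """Reduce a content-filtering object to sorted bare ids/patterns so two networks compare field by field."""
    cats = sorted(c["id"] if isinstance(c, dict) else c for c in cfg.get("blockedUrlCategories", []))
    return {"blockedUrlCategories": cats,
            "blockedUrlPatterns": sorted(cfg.get("blockedUrlPatterns", [])),
            "allowedUrlPatterns": sorted(cfg.get("allowedUrlPatterns", [])),
            "urlCategoryListSize": cfg.get("urlCategoryListSize", "topSites")}


def hub_and_spokes(t, org_id):
    """Classify the org's MX networks by VPN role (single-hub design assumed)."""
    hub, spokes = None, []
    for net in t.request("GET", f"/organizations/{org_id}/networks"):
        if "appliance" not in net.get("productTypes", []):
            continue
        mode = t.request("GET", f"/networks/{net['id']}/appliance/vpn/siteToSiteVpn").get("mode")
        if mode == "hub":
            hub = net["id"]
        elif mode == "spoke":
            spokes.append(net["id"])
    if hub is None:
        raise RuntimeError(f"no hub network in organization {org_id}")
    return hub, spokes


def find_drift(t, org_id):
    """{spoke: {field: (hub_value, spoke_value)}} for every spoke whose policy differs from the hub's.
    The hub is the reference because that is where the block was configured, but the exit hub does
    not apply content filtering to VPN traffic, so each spoke has to carry the same policy itself."""
    hub, spokes = hub_and_spokes(t, org_id)
    want = normalize(t.request("GET", f"/networks/{hub}/appliance/contentFiltering"))
    drift = {}
    for spoke in spokes:
        have = normalize(t.request("GET", f"/networks/{spoke}/appliance/contentFiltering"))
        diff = {k: (want[k], have[k]) for k in POLICY_FIELDS if want[k] != have[k]}
        if diff:
            drift[spoke] = diff
    return drift


def sync_spokes(t, org_id, apply=False):
    """Push the hub's normalized policy to every drifted spoke. Dry run unless apply=True."""
    hub, _ = hub_and_spokes(t, org_id)
    want = normalize(t.request("GET", f"/networks/{hub}/appliance/contentFiltering"))
    touched = sorted(find_drift(t, org_id))
    for spoke in touched:
        if apply:
            t.request("PUT", f"/networks/{spoke}/appliance/contentFiltering", want)
    return touched
```

Run it offline with `find_drift(FakeTransport(), "org_demo")`, which reports Site 2 missing the gambling category and still on the top-sites list; against a real organization, construct `HttpTransport` with your Dashboard API key and your organization id, review the dry-run output of `sync_spokes`, then call it with `apply=True`. The comparison normalizes the GET shape (category objects) and the PUT shape (bare ids) to the same form, because a naive equality check between a freshly read policy and a freshly pushed one would otherwise report drift forever.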

Conversationalist

Re: Content Filtering over Site-to-Site VPN

Wow, so you cannot set up content filtering at a central location even with the advanced security license? I have to build a template to apply to all spoke nodes... This seems silly and counter to a server/client relationship.

Kind of a big deal

Re: Content Filtering over Site-to-Site VPN


@jthunderbird wrote:

Wow, so you cannot set up content filtering at a central location even with the advanced security license? I have to build a template to apply to all spoke nodes... This seems silly and counter to a server/client relationship.


Frustration understood.
 
I'm assuming there are two good reasons for this though:
 
  1. Processing overhead can be distributed vs. condensed on a single appliance
  2. It's best practice (in general terms) to stop any unwanted traffic as close to the source as possible, at least from a security perspective (think ACLs etc.).
Nolan Herring | nolanwifi.com