Content filtering not working at 2 schools
We have 2 schools with MX devices and content filtering. This has been working fine for years and suddenly started having intermittent issues.
SSID is tagged to VLAN for students with Group policy setup with content filtering.
Meraki support and engineers recommended blocking UDP 443 and 80 with a layer 3 outbound rule for the QUIC protocol.
This has not yielded any resolution, and we are still seeing intermittent connectivity to multiple blocked websites.
Has anyone else experienced this and or have a potential solution?
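The layer 3 outbound rule that support recommended, as an added example that is not from the original post or from Meraki: it fetches the network's current L3 outbound rules over the Dashboard API, puts a "deny UDP 443/80" rule at the top (rules are evaluated top-down, first match wins), and writes the list back. It assumes the v1 endpoint `/networks/{networkId}/appliance/firewall/l3FirewallRules` and its rule fields, and that the trailing "Default rule" returned by GET must be omitted on PUT; `MERAKI_API_KEY` and `MERAKI_NETWORK_ID` are placeholder environment variables.

```python
"""Push a top-of-list 'deny UDP 443/80 outbound' rule to an MX network's L3
outbound firewall (the QUIC mitigation suggested in the thread).
Added example, not Meraki's code. Assumes the Dashboard API v1 endpoint
GET/PUT /networks/{networkId}/appliance/firewall/l3FirewallRules and its rule
fields; MERAKI_API_KEY and MERAKI_NETWORK_ID are placeholders."""
import json
import os
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"

QUIC_DENY_RULE = {
    "comment": "Block QUIC so HTTPS falls back to TCP and is content-filtered",
    "policy": "deny",
    "protocol": "udp",
    "srcCidr": "Any",
    "srcPort": "Any",
    "destCidr": "Any",
    "destPort": "443,80",
    "syslogEnabled": True,  # log hits so you can see whether clients still try QUIC
}


def _match_key(rule):
    """Fields that define what a rule matches; comment and syslog flag are ignored."""
    return (
        str(rule.get("policy", "")).lower(),
        str(rule.get("protocol", "Any")).lower(),
        rule.get("srcCidr", "Any"),
        str(rule.get("srcPort", "Any")),
        rule.get("destCidr", "Any"),
        str(rule.get("destPort", "Any")),
    )


def merge_quic_rule(existing_rules, quic_rule=QUIC_DENY_RULE):
    """Return the rule list to PUT back: the QUIC deny first (so it precedes any
    broad allow), any earlier copy of it removed, and the trailing 'Default rule'
    dropped because the API appends that itself (assumption based on the API
    docs). Calling this on its own output returns the same list."""
    kept = [
        r for r in existing_rules
        if r.get("comment") != "Default rule" and _match_key(r) != _match_key(quic_rule)
    ]
    return [dict(quic_rule)] + kept


def _request(method, path, api_key, body=None):
    req = urllib.request.Request(
        BASE_URL + path,
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def apply_quic_block(network_id, api_key, dry_run=True):
    """Fetch current rules, merge the deny rule in, and PUT them back
    (or only print the resulting list when dry_run is True)."""
    path = f"/networks/{network_id}/appliance/firewall/l3FirewallRules"
    current = _request("GET", path, api_key)["rules"]
    new_rules = merge_quic_rule(current)
    if dry_run:
        print(json.dumps(new_rules, indent=2))
        return new_rules
    return _request("PUT", path, api_key, {"rules": new_rules})["rules"]


if __name__ == "__main__":
    apply_quic_block(os.environ["MERAKI_NETWORK_ID"], os.environ["MERAKI_API_KEY"], dry_run=True)
```

Run it with `dry_run=True` first and confirm the deny rule lands above every allow. One check worth making for the setup in this post: if the student group policy carries its own layer 3 firewall rules, verify whether those are what the student clients actually evaluate rather than the network-wide list, and add the same deny there if so.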
Regarding content filtering, if QUIC is in use, it may not be possible to block the traffic because of the nature of the protocol.
This is described in the Meraki documentation. It is therefore possible to block such communication by blocking UDP 443 with an L3 firewall rule, but in that case, if a client device uses QUIC for web communication, it may affect that communication.
It may therefore be possible to avoid this by disabling QUIC on the client device, but I thought that would be hard to do easily at a large scale.
Also, this may not work in the case of an Umbrella web policy, where the workaround was to disable QUIC.
No device is using QUIC, and with the layer 3 UDP rule to block ports 443 and 80 in place, content is still getting through. Meraki engineers think there is a bigger issue; however, this is affecting multiple locations. So I believe it is a bug in recent firmware that just has not surfaced.
Unfortunately, this is why I've struggled with MXs in the edu space: filtering and real-time reporting.
The majority of my edu customers are using Securly, and it comes highly rated.
https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Are you using the latest firmware? I have seen a bug about TLS fragmentation causing issues.
I bet it is DNS over HTTPS.
Try blocking the category "DoH and DoT".
Are these machines managed? If so, you can create a group policy to disable this.
You can do this on individual machines by following these instructions:
If they are Apple devices it could also be iCloud Private Relay. You could try turning that off.
https://support.apple.com/en-nz/102602
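A way to tell which of the bypass paths mentioned in the replies above (QUIC on UDP 443/80, DNS over HTTPS, DNS over TLS) a student VLAN is actually using, as an added example that is not from the thread or from Meraki. It classifies flow records by protocol, destination port and, for DoH, a short starter list of public resolver IPs; the flow lines are constructed sample data in a simple key=value format, not real MX syslog output, so `parse_flow()` is the part to adapt to whatever export is available.

```python
"""Classify per-flow records from a student VLAN to find filter-bypass traffic:
QUIC (UDP 443/80), DoH to a well-known public resolver, DoT (TCP 853) or
DoQ (UDP 853). Added example, not from the thread or Meraki. SAMPLE_FLOWS is
constructed data in an invented key=value format."""
from collections import Counter, defaultdict

# Starter list of public resolvers that serve DoH on their anycast addresses.
# An IP match is a strong hint, not proof: DoH to a resolver behind a generic
# CDN address looks like ordinary HTTPS and is classified as "https" here.
KNOWN_DOH_RESOLVERS = {
    "1.1.1.1", "1.0.0.1",            # Cloudflare
    "8.8.8.8", "8.8.4.4",            # Google
    "9.9.9.9", "149.112.112.112",    # Quad9
}

# Constructed sample flows (not captured from a real network).
SAMPLE_FLOWS = """\
src=10.20.5.14 dst=142.250.72.68 proto=udp dport=443 bytes=91234
src=10.20.5.14 dst=142.250.72.68 proto=tcp dport=443 bytes=50012
src=10.20.5.21 dst=1.1.1.1 proto=tcp dport=443 bytes=2300
src=10.20.5.21 dst=104.16.132.229 proto=tcp dport=443 bytes=88000
src=10.20.5.33 dst=9.9.9.9 proto=tcp dport=853 bytes=1900
src=10.20.5.33 dst=10.20.5.1 proto=udp dport=53 bytes=120
src=10.20.5.40 dst=10.20.5.1 proto=udp dport=53 bytes=110
src=10.20.5.40 dst=151.101.1.69 proto=tcp dport=443 bytes=40000
"""


def parse_flow(line):
    """Parse one 'key=value key=value' flow line into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "src": fields["src"],
        "dst": fields["dst"],
        "proto": fields["proto"].lower(),
        "dport": int(fields["dport"]),
    }


def classify(flow):
    """Name the path a flow takes; order matters (QUIC check precedes the DoH check)."""
    proto, dport = flow["proto"], flow["dport"]
    if proto == "udp" and dport in (443, 80):
        return "quic"   # should be absent once the UDP 443/80 deny rule matches this VLAN
    if proto == "tcp" and dport == 853:
        return "dot"
    if proto == "udp" and dport == 853:
        return "doq"
    if dport == 443 and flow["dst"] in KNOWN_DOH_RESOLVERS:
        return "doh"
    if dport == 53:
        return "dns"
    if proto == "tcp" and dport == 443:
        return "https"
    return "other"


def summarize(text):
    """Per-source-host counts of each traffic class."""
    per_host = defaultdict(Counter)
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        per_host[flow["src"]][classify(flow)] += 1
    return {host: dict(counts) for host, counts in per_host.items()}


def bypass_hosts(summary):
    """Hosts with at least one flow on a path that sidesteps content filtering."""
    return sorted(
        host for host, counts in summary.items()
        if any(k in counts for k in ("quic", "doh", "dot", "doq"))
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_FLOWS)
    for host, counts in sorted(summary.items()):
        print(host, counts)
    print("hosts to look at:", bypass_hosts(summary))
```

A host that still shows "quic" after the deny rule is in place points at the rule not applying to that client's traffic; "doh" or "dot" hits point at the browser or OS resolver settings the reply above suggests managing. Apple's iCloud Private Relay is not picked out by this script: on the wire it is QUIC or TCP 443 to Apple relay hosts, so it lands in "quic" or "https" and needs a hostname or a destination list to separate it out.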
Facing the same problem in a school.
