Firewall group ... except...

Quimax
Getting noticed

Firewall group ... except...

Due to severe bandwidth limitations we use a lot of blocking and content filtering. As such, we block video & music as a Layer 7 firewall rule.

 

However...we're configuring an Apple Caching server. Idea is that the caching server has more bandwidth allocated to it, the clients sign-in with Apple on a throttled connection then are redirected to the caching server for the payload. However, we have to unblock iTunes everywhere for it to work. (Ug)

 

I'd like to block this category, but allow only iTunes. The only way I've seen so far is to add the individual items in the group separately. However, this also defeats the purpose of the Meraki magic of dynamically updated lists. I don't suppose anyone has other ideas.

 

2019-10-21 08_54_53-Firewall Configuration - Meraki Dashboard.png

6 REPLIES 6
Aaron_Wilson
A model citizen

Simple fix would be if the deny box was a drop-down so you could add "allow" rules, like the later 3 firewall. Another head scratcher from Meraki.

@Aaron_Wilson  - I'm so glad I'm not the only one thinking it's strange that you can't set an "Allow" in the layer 3.

Priesty
Building a reputation

Add a firewall exception for the local server in the device - white-list?

PhilipDAth
Kind of a big deal
Kind of a big deal

As @Priesty says, you can assign the whitelist group policy to the caching server.

 

Another option is to create a group policy for the caching server on a schedule.  So leave it limited during the day, and take away the restrictions at night time.

Quimax
Getting noticed

The caching server is on a whitelist already. The challenge is every client also has to get to iTunes to authenticate with Apple servers before pulling down payload. Since these systems constitute a dynamic list, assigning a special policy just to them isn't really feasible. So it's an all or nothing thing.

Priesty
Building a reputation

What about the switch level, add a group policy?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels