Firewall group ... except...

Here to help

Due to severe bandwidth limitations we use a lot of blocking and content filtering. As such, we block video & music as a Layer 7 firewall rule.

However... we're configuring an Apple Caching server. Idea is that the caching server has more bandwidth allocated to it, the clients sign in with Apple on a throttled connection then are redirected to the caching server for the payload. However, we have to unblock iTunes everywhere for it to work. (Ug)

I'd like to block this category, but allow only iTunes. The only way I've seen so far is to add the individual items in the group separately. However, this also defeats the purpose of the Meraki magic of dynamically updated lists. I don't suppose anyone has other ideas.

[Screenshot: Firewall Configuration - Meraki Dashboard]

Building a reputation

Re: Firewall group ... except...

Simple fix would be if the deny box was a drop-down so you could add "allow" rules, like the Layer 3 firewall. Another head scratcher from Meraki.

Here to help

Re: Firewall group ... except...

@Aaron_Wilson - I'm so glad I'm not the only one thinking it's strange that you can't set an "Allow" in the Layer 3.

Building a reputation

Re: Firewall group ... except...

Add a firewall exception for the local server in the device - white-list?

Kind of a big deal

Re: Firewall group ... except...

As @Priesty says, you can assign the whitelist group policy to the caching server.

Another option is to create a group policy for the caching server on a schedule. So leave it limited during the day, and take away the restrictions at night time.

Here to help

Re: Firewall group ... except...

The caching server is on a whitelist already. The challenge is every client also has to get to iTunes to authenticate with Apple servers before pulling down payload. Since these systems constitute a dynamic list, assigning a special policy just to them isn't really feasible. So it's an all or nothing thing.

Building a reputation

Re: Firewall group ... except...

What about the switch level, add a group policy?
