Meraki

Community

Group Policies and Whitelistings

Solved
MichaelR
New here
‎Mar 20 2018 8:54 AM
‎Mar 20 2018 8:54 AM

Group Policies and Whitelistings

I am trying to create a security environment for a device to block all internet traffic except for the X amount of websites I have specified.  I created a group policy for this device and I have tried varying configuration settings. 

 

I have denied all HTTP/S traffic in the firewall rules, but listed all the whitelisted websites and it doesn't work nor was I expecting this to work. 

 

I have allowed all HTTP/S traffic outbound in the firewall rules, used an * in the Blocked URL Patterns, and added all the whitelist sites and I can't get anywhere.  I get a denied message at all HTTP sites and HTTPS websites won't even load.   

 

Lastly, I have allowed all HTTP/S traffic in the firewall rules, put nothing in the Blocked URL Patterns, all the same whitelisted pages, and I can go anywhere on the internet, which I expected.

 

I want to say that my second configuration is how it's supposed to work, but I'm rather new using this device.  Any and all help is appreciated. 

0 Kudos
1 Accepted Solution
In response to MichaelR
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 20 2018 2:20 PM
‎Mar 20 2018 2:20 PM

The whitelist is not correct.  For example, Adobe should just be:

adobe.com

No *, no /, no nothing else.

View solution in original post

9 Replies 9
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 20 2018 1:49 PM
‎Mar 20 2018 1:49 PM

It is best to use content filtering.

 

Block everything with a * and then add in what is allowed.  Here is a screenshot only allowing access to *.google.com domains.

 

Note after making a change allow a good 5 minutes for it to take effect.

 

Screenshot from 2018-03-21 09-48-16.png

0 Kudos
In response to PhilipDAth
MichaelR
New here
‎Mar 20 2018 1:55 PM
‎Mar 20 2018 1:55 PM

That is exactly what I have set up, but it blocks everything, including what's in the whitelist. 

0 Kudos
In response to MichaelR
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 20 2018 2:01 PM
‎Mar 20 2018 2:01 PM

What firmware version are you using?

0 Kudos
In response to PhilipDAth
MichaelR
New here
‎Mar 20 2018 2:04 PM
‎Mar 20 2018 2:04 PM

14.24

0 Kudos
In response to MichaelR
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 20 2018 2:06 PM
‎Mar 20 2018 2:06 PM

If you go Network-Wide/Clients and click on the client, and under Policy in the bottom left you click "Show Details" - is it showing the group policy to be applied as expected?

 

Failing that; make sure you have quit the web browser and restarted.

Failing that; reboot the MX.  Note the content filtering wont kick in straight away.

0 Kudos
In response to PhilipDAth
MichaelR
New here
‎Mar 20 2018 2:14 PM
‎Mar 20 2018 2:14 PM

I have checked the clients and it does appear the policy is applied to the client.

 

I have rebooted the firewall and restarted the browser, as well.  Below is a picture of what I have in the Group Policies window.  For every *.url.com/* there is a url.com/*.  Am I using the wildcards incorrectly?  I manage another different kind of firewall that uses this type of URL whitelisting.   

 

HTTP Traffic.JPG

0 Kudos
In response to MichaelR
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 20 2018 2:20 PM
‎Mar 20 2018 2:20 PM

The whitelist is not correct.  For example, Adobe should just be:

adobe.com

No *, no /, no nothing else.

In response to PhilipDAth
MichaelR
New here
‎Mar 20 2018 2:21 PM
‎Mar 20 2018 2:21 PM

Is that going to catch something like, www.adobe.com/login/user/kjkcj?  

0 Kudos
In response to MichaelR
MichaelR
New here
‎Mar 20 2018 2:36 PM
‎Mar 20 2018 2:36 PM

Ok live tested and it's working.  Thank you all for the assistance.  I guess I misunderstood how this device uses the wildcard.  

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.