Group Policies and Whitelistings

SOLVED
MichaelR
New here

I am trying to create a security environment for a device to block all internet traffic except for the X amount of websites I have specified. I created a group policy for this device and I have tried varying configuration settings.

I have denied all HTTP/S traffic in the firewall rules, but listed all the whitelisted websites, and it doesn't work, nor was I expecting this to work.

I have allowed all HTTP/S traffic outbound in the firewall rules, used an * in the Blocked URL Patterns, and added all the whitelist sites, and I can't get anywhere. I get a denied message at all HTTP sites, and HTTPS websites won't even load.

Lastly, I have allowed all HTTP/S traffic in the firewall rules, put nothing in the Blocked URL Patterns, all the same whitelisted pages, and I can go anywhere on the internet, which I expected.

I want to say that my second configuration is how it's supposed to work, but I'm rather new to using this device. Any and all help is appreciated.


9 REPLIES
PhilipDAth
Kind of a big deal

It is best to use content filtering.

Block everything with a * and then add in what is allowed. Here is a screenshot only allowing access to *.google.com domains.

Note: after making a change, allow a good 5 minutes for it to take effect.

[Screenshot attachment: Screenshot from 2018-03-21 09-48-16.png]

That is exactly what I have set up, but it blocks everything, including what's in the whitelist. 

PhilipDAth
Kind of a big deal

What firmware version are you using?

14.24

PhilipDAth
Kind of a big deal

If you go to Network-Wide/Clients, click on the client, and under Policy in the bottom left click "Show Details", is it showing the group policy to be applied as expected?

Failing that, make sure you have quit the web browser and restarted it.

Failing that, reboot the MX. Note the content filtering won't kick in straight away.

I have checked the clients and it does appear the policy is applied to the client.

I have rebooted the firewall and restarted the browser, as well. Below is a picture of what I have in the Group Policies window. For every *.url.com/* there is a url.com/*. Am I using the wildcards incorrectly? I manage another, different kind of firewall that uses this type of URL whitelisting.

[Screenshot attachment: HTTP Traffic.JPG]

PhilipDAth
Kind of a big deal

The whitelist is not correct. For example, Adobe should just be:

adobe.com

No *, no /, no nothing else.

Is that going to catch something like www.adobe.com/login/user/kjkcj?

Ok, live tested and it's working. Thank you all for the assistance. I guess I misunderstood how this device uses the wildcard.
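A small model of the allow/block evaluation the thread arrives at (block everything with `*`, whitelist bare domains such as `adobe.com`), plus a lint check for the entry formats the accepted answer says to avoid. This is an added example, not Meraki's matching code or anything a poster wrote; it assumes the allow list takes precedence over the blocked `*` and that a bare domain entry covers its subdomains and any path, as the live test above suggests.

```python
from urllib.parse import urlsplit

# Constructed policy mirroring the thread: block everything with "*", then
# allow a few bare domains. (Not Meraki's own matching code.)
BLOCKED_URL_PATTERNS = ["*"]
WHITELISTED_URL_PATTERNS = ["adobe.com", "google.com"]


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL; the scheme is optional."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def domain_matches(host: str, entry: str) -> bool:
    """A bare domain entry covers that domain and every subdomain of it.
    The suffix test is anchored on a dot so 'notadobe.com' never matches
    an 'adobe.com' entry."""
    entry = entry.strip().lower()
    return host == entry or host.endswith("." + entry)


def lint_whitelist_entry(entry: str) -> list:
    """Flag the entry formats the accepted answer says to avoid: anything
    other than a bare domain (assumption: wildcard and '/' are the mistakes)."""
    problems = []
    if "*" in entry:
        problems.append("contains a wildcard")
    if "/" in entry:
        problems.append("contains a '/' (path or scheme)")
    return problems


def is_allowed(url: str, blocked=BLOCKED_URL_PATTERNS,
               allowed=WHITELISTED_URL_PATTERNS) -> bool:
    """Assumed precedence: an allow-list match wins; otherwise a lone '*' or a
    matching domain in the block list denies; otherwise the URL passes."""
    host = host_of(url)
    if any(domain_matches(host, e) for e in allowed):
        return True
    if any(p.strip() == "*" or domain_matches(host, p) for p in blocked):
        return False
    return True


if __name__ == "__main__":
    for u in ("https://www.adobe.com/login/user/kjkcj", "https://example.org/"):
        print(u, "->", "allowed" if is_allowed(u) else "blocked")
    print(lint_whitelist_entry("*.adobe.com/*"))
```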
