cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Group Policies and Whitelistings

SOLVED
Highlighted
New here

Group Policies and Whitelistings

I am trying to create a security environment for a device to block all internet traffic except for the X amount of websites I have specified.  I created a group policy for this device and I have tried varying configuration settings. 

 

I have denied all HTTP/S traffic in the firewall rules, but listed all the whitelisted websites and it doesn't work nor was I expecting this to work. 

 

I have allowed all HTTP/S traffic outbound in the firewall rules, used an * in the Blocked URL Patterns, and added all the whitelist sites and I can't get anywhere.  I get a denied message at all HTTP sites and HTTPS websites won't even load.   

 

Lastly, I have allowed all HTTP/S traffic in the firewall rules, put nothing in the Blocked URL Patterns, all the same whitelisted pages, and I can go anywhere on the internet, which I expected.

 

I want to say that my second configuration is how it's supposed to work, but I'm rather new using this device.  Any and all help is appreciated. 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Kind of a big deal

Re: Group Policies and Whitelistings

The whitelist is not correct.  For example, Adobe should just be:

adobe.com

No *, no /, no nothing else.

View solution in original post

9 REPLIES 9
Highlighted
Kind of a big deal

Re: Group Policies and Whitelistings

It is best to use content filtering.

 

Block everything with a * and then add in what is allowed.  Here is a screenshot only allowing access to *.google.com domains.

 

Note after making a change allow a good 5 minutes for it to take effect.

 

Screenshot from 2018-03-21 09-48-16.png

Highlighted
New here

Re: Group Policies and Whitelistings

That is exactly what I have set up, but it blocks everything, including what's in the whitelist. 

Highlighted
Kind of a big deal

Re: Group Policies and Whitelistings

What firmware version are you using?

Highlighted
New here

Re: Group Policies and Whitelistings

14.24

Highlighted
Kind of a big deal

Re: Group Policies and Whitelistings

If you go Network-Wide/Clients and click on the client, and under Policy in the bottom left you click "Show Details" - is it showing the group policy to be applied as expected?

 

Failing that; make sure you have quit the web browser and restarted.

Failing that; reboot the MX.  Note the content filtering wont kick in straight away.

Highlighted
New here

Re: Group Policies and Whitelistings

I have checked the clients and it does appear the policy is applied to the client.

 

I have rebooted the firewall and restarted the browser, as well.  Below is a picture of what I have in the Group Policies window.  For every *.url.com/* there is a url.com/*.  Am I using the wildcards incorrectly?  I manage another different kind of firewall that uses this type of URL whitelisting.   

 

HTTP Traffic.JPG

Highlighted
Kind of a big deal

Re: Group Policies and Whitelistings

The whitelist is not correct.  For example, Adobe should just be:

adobe.com

No *, no /, no nothing else.

View solution in original post

Highlighted
New here

Re: Group Policies and Whitelistings

Is that going to catch something like, www.adobe.com/login/user/kjkcj?  

New here

Re: Group Policies and Whitelistings

Ok live tested and it's working.  Thank you all for the assistance.  I guess I misunderstood how this device uses the wildcard.  

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.