Group Policy Blocked URL pattern with Whitelisted IP Addresses

SOLVED
PaulHenry
Here to help

Group Policy Blocked URL pattern with Whitelisted IP Addresses

We use the Zscaler app on our desktops and we want to fall back to "block all" if Zscaler fails or is disabled.  We tried to set up a group policy that limits outbound access to the Zscaler IP addresses.

 

We want to block all URL patterns and allow a list of IP addresses in the Whitelist.  Is there a way to use CIDR IP addresses instead of URL patterns in the Whitelist.zscaler group policy.jpg

 

 

1 ACCEPTED SOLUTION

I've never looked into the Zscaler app before, but am i correct when I say that basically all your outgoing traffic gets tunneled to Zscaler via the app?

 

If only access to the IPs you listed is needed for that, why don't you use the L3 firewall to block all outgoing access except to those IPs? Seems to me that using the URL blocking feature is not meant for that?

 

Probably stating the obvious here but test on non-production first 🤣

View solution in original post

4 REPLIES 4
PhilipDAth
Kind of a big deal
Kind of a big deal

It looks like their are DNS names you can use instead of IP addresses.

https://ips.zscaler.net/zscaler_app

Thanks for the suggestion. 

 

I will add zscaler.net to the whitelist and see if that works.

I've never looked into the Zscaler app before, but am i correct when I say that basically all your outgoing traffic gets tunneled to Zscaler via the app?

 

If only access to the IPs you listed is needed for that, why don't you use the L3 firewall to block all outgoing access except to those IPs? Seems to me that using the URL blocking feature is not meant for that?

 

Probably stating the obvious here but test on non-production first 🤣

My original assumption was faulty.  I assumed that I would be able to block everything except for Zscaler traffic.  This did not work.  Even though the traffic is bound for Zscaler, it still gets blocked by the MX.

The Meraki firewall must still see the url and blocks it.

 

I think that BrechtSchamp is right.  I would have to block traffic at the L3 firewall for this to work.

 

Thanks for the help.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels