Meraki

Community

Group Policy Blocked URL pattern with Whitelisted IP Addresses

Solved
PaulHenry
Here to help
‎Jan 16 2019 11:15 AM
‎Jan 16 2019 11:15 AM

Group Policy Blocked URL pattern with Whitelisted IP Addresses

We use the Zscaler app on our desktops and we want to fall back to "block all" if Zscaler fails or is disabled.  We tried to set up a group policy that limits outbound access to the Zscaler IP addresses.

 

We want to block all URL patterns and allow a list of IP addresses in the Whitelist.  Is there a way to use CIDR IP addresses instead of URL patterns in the Whitelist.zscaler group policy.jpg

 

 

0 Kudos
1 Accepted Solution
In response to PaulHenry
BrechtSchamp
Kind of a big deal
‎Jan 16 2019 1:30 PM
‎Jan 16 2019 1:30 PM

I've never looked into the Zscaler app before, but am i correct when I say that basically all your outgoing traffic gets tunneled to Zscaler via the app?

 

If only access to the IPs you listed is needed for that, why don't you use the L3 firewall to block all outgoing access except to those IPs? Seems to me that using the URL blocking feature is not meant for that?

 

Probably stating the obvious here but test on non-production first 🤣

View solution in original post

4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 16 2019 11:37 AM
‎Jan 16 2019 11:37 AM

It looks like their are DNS names you can use instead of IP addresses.

https://ips.zscaler.net/zscaler_app

0 Kudos
In response to PhilipDAth
PaulHenry
Here to help
‎Jan 16 2019 12:57 PM
‎Jan 16 2019 12:57 PM

Thanks for the suggestion. 

 

I will add zscaler.net to the whitelist and see if that works.

0 Kudos
In response to PaulHenry
BrechtSchamp
Kind of a big deal
‎Jan 16 2019 1:30 PM
‎Jan 16 2019 1:30 PM

I've never looked into the Zscaler app before, but am i correct when I say that basically all your outgoing traffic gets tunneled to Zscaler via the app?

 

If only access to the IPs you listed is needed for that, why don't you use the L3 firewall to block all outgoing access except to those IPs? Seems to me that using the URL blocking feature is not meant for that?

 

Probably stating the obvious here but test on non-production first 🤣

In response to BrechtSchamp
PaulHenry
Here to help
‎Jan 16 2019 1:57 PM
‎Jan 16 2019 1:57 PM

My original assumption was faulty.  I assumed that I would be able to block everything except for Zscaler traffic.  This did not work.  Even though the traffic is bound for Zscaler, it still gets blocked by the MX.

The Meraki firewall must still see the url and blocks it.

 

I think that BrechtSchamp is right.  I would have to block traffic at the L3 firewall for this to work.

 

Thanks for the help.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.