Group Policy Blocked URL pattern with Whitelisted IP Addresses

SOLVED
Here to help

Group Policy Blocked URL pattern with Whitelisted IP Addresses

We use the Zscaler app on our desktops and we want to fall back to "block all" if Zscaler fails or is disabled.  We tried to set up a group policy that limits outbound access to the Zscaler IP addresses.

We want to block all URL patterns and allow a list of IP addresses in the Whitelist.  Is there a way to use CIDR IP addresses instead of URL patterns in the Whitelist? (attached screenshot: zscaler group policy.jpg)

1 ACCEPTED SOLUTION

Accepted Solutions
Kind of a big deal

Re: Group Policy Blocked URL pattern with Whitelisted IP Addresses

I've never looked into the Zscaler app before, but am I correct when I say that basically all your outgoing traffic gets tunneled to Zscaler via the app?

If only access to the IPs you listed is needed for that, why don't you use the L3 firewall to block all outgoing access except to those IPs? Seems to me that using the URL blocking feature is not meant for that?

Probably stating the obvious here but test on non-production first 🤣
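As an added illustration of the L3-firewall approach suggested above (this is not code from the thread or from Meraki), the script below expresses "block all outbound except the Zscaler ranges" as an ordered rule list, then evaluates it offline with the MX's top-down, first-match semantics so the ordering can be checked before anything is pushed to a production network. The CIDRs are constructed placeholders rather than Zscaler's real ranges, and the dictionary keys follow the shape I assume the Meraki Dashboard API v1 uses for `l3FirewallRules`; verify both against the Zscaler IP list and the API reference before use.

```python
"""Build and sanity-check an MX L3 outbound rule set: allow Zscaler, deny the rest.

Added example, not part of the original thread. The CIDRs are constructed
placeholders (documentation ranges), NOT Zscaler's published addresses.
"""
import ipaddress

# Constructed placeholder ranges standing in for the Zscaler app IP list.
ZSCALER_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]


def _rule(comment, policy, dest_cidr, syslog=False):
    # Key names assumed to match Meraki Dashboard API v1 l3FirewallRules.
    return {
        "comment": comment,
        "policy": policy,
        "protocol": "any",
        "srcCidr": "Any",
        "srcPort": "Any",
        "destCidr": dest_cidr,
        "destPort": "Any",
        "syslogEnabled": syslog,
    }


def build_l3_rules(allowed_cidrs):
    """Return the ordered rule list: one allow per CIDR, then a final deny-any.

    A malformed CIDR raises ValueError instead of being silently skipped,
    because a dropped allow rule would turn into an unintended block.
    """
    rules = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        rules.append(_rule(f"Allow Zscaler app tunnel to {net}", "allow", str(net)))
    # The catch-all deny must be last: MX stops at the first matching rule,
    # and logging it makes a failed Zscaler fallback visible in syslog.
    rules.append(_rule("Fallback: block all other outbound traffic", "deny", "Any", True))
    return rules


def evaluate(rules, dest_ip):
    """Simulate top-down, first-match evaluation for one destination address."""
    addr = ipaddress.ip_address(dest_ip)
    for rule in rules:
        if rule["destCidr"] == "Any" or addr in ipaddress.ip_network(rule["destCidr"]):
            return rule["policy"]
    return "allow"  # MX default when no explicit rule matches


def shadowed_rules(rules):
    """Return comments of rules that can never match because a catch-all
    (destCidr "Any") precedes them. Useful when reviewing rule order."""
    seen_catch_all = False
    shadowed = []
    for rule in rules:
        if seen_catch_all:
            shadowed.append(rule["comment"])
        if rule["destCidr"] == "Any":
            seen_catch_all = True
    return shadowed


if __name__ == "__main__":
    rules = build_l3_rules(ZSCALER_CIDRS)
    for r in rules:
        print(f'{r["policy"]:5} -> {r["destCidr"]:18} {r["comment"]}')
    print("shadowed:", shadowed_rules(rules))
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(ip, "=>", evaluate(rules, ip))
```

Run `evaluate` against a few addresses from the real Zscaler list plus a handful of ordinary internet destinations; only the former should return `allow`. If you later edit the rule order in the Dashboard, `shadowed_rules` catches the classic mistake of a deny-any slipping above the allow rules.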

4 REPLIES 4
Kind of a big deal

Re: Group Policy Blocked URL pattern with Whitelisted IP Addresses

It looks like there are DNS names you can use instead of IP addresses.

https://ips.zscaler.net/zscaler_app

Here to help

Re: Group Policy Blocked URL pattern with Whitelisted IP Addresses

Thanks for the suggestion. 

I will add zscaler.net to the whitelist and see if that works.

Here to help

Re: Group Policy Blocked URL pattern with Whitelisted IP Addresses

My original assumption was faulty.  I assumed that I would be able to block everything except for Zscaler traffic.  This did not work.  Even though the traffic is bound for Zscaler, it still gets blocked by the MX.

The Meraki firewall must still see the URL and blocks it.

I think that BrechtSchamp is right.  I would have to block traffic at the L3 firewall for this to work.

Thanks for the help.
