Group Policy firewall not working

Solved

Messy
Getting noticed

Hello,


I am trying to block open internet access from our domain controllers. I have created a group policy that allows private IP address ranges but has a DENY to "Any" destination rule at the bottom.


I applied the rule to the server client but it still has internet access 😞


I tried changing the destination to 0.0.0.0/0 but it didn't like it and told me to use "Any".

I have the same problem on multiple sites/clients. As I understand it, group policy rules are applied first, right? It's not a main MX firewall overriding it or something?

13 Replies
alemabrahao
Kind of a big deal

Try something like this.


[screenshot attached: alemabrahao_0-1749041457805.png]


I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Messy
Getting noticed

This is what I have atm:

[screenshot attached: Messy_0-1749041561716.png]

Not sure what the block list override would do. If anything, surely that increases its access?


alemabrahao
Kind of a big deal

The blocklist will override what you have configured by default on the network and block anything (URLs) when you set the asterisk.
PhilipDAth
Kind of a big deal

That should work. Note that it often takes 10 minutes to kick in after applying it (you need to wait for existing flows to time out).

Messy
Getting noticed

That works, thanks!

But I don't understand why lol. How is a URL block stopping it from pinging IP addresses?

Also, is there a problem with the layer 3 firewall then? Does it not work at all?

alemabrahao
Kind of a big deal

Other MX filtering features, like Content Filtering, operate independently of Layer 3 and Layer 7 firewall rules. If traffic is allowed through one feature but denied on another, the traffic will still be denied.

Messy
Getting noticed

I meant I don't understand why the URL-based content filter is able to block pings to IP addresses etc.

Also, I really want to know what's going on with the layer 3 firewall. Am I using it wrong, or does it not work?

alemabrahao
Kind of a big deal

Everything you did is correct, as I mentioned. Other MX filtering features, such as Content Filtering, operate independently of Layer 3 and Layer 7 firewall rules. If traffic is allowed by one feature but denied by another, the traffic will still be denied.

Messy
Getting noticed

Hi, sorry for being ignorant, but I still don't get it. If what I did on the layer 3 was correct, and it works, why didn't it block internet access?

Deny any protocol to any destination: surely that should kill everything?

Our clients get directed to on-prem DNS servers (the domain controllers), so the names will resolve to an IP which should then be blocked.

We don't have any proxies or anything like that.

alemabrahao
Kind of a big deal

I agree with you, maybe it's better to open a support case.

ww
Kind of a big deal

Sometimes it takes some time. https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Troubleshooting_Gr...

Why isn't my Group Policy applying?

It may appear that a client is not being affected by parts of a group policy, or the group policy is not being assigned to the client at all. To perform some preliminary troubleshooting, please follow these steps, checking whether or not the policy works after each step:

Make sure the client disconnects and reconnects to the network. A policy will not be applied until the device connects to the network.

alemabrahao
Kind of a big deal

One more thing. Some system services (like DNS, NTP) may bypass group policy rules depending on how they're configured.

Messy
Getting noticed

Just as a follow-up in case anyone's reading: support confirmed that the content filter supports IP addresses as well, so * does indeed block everything (URL and IP).

Still working on why the layer 3 doesn't work.
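Added example in Python (written for this page; it is not code from the thread, from Meraki's documentation or from any Meraki product): a small simulator of the two evaluations the replies describe. The group policy's Layer 3 rules are checked top-down, first match wins, with an implicit allow if nothing matches; the content-filter blocklist is checked independently, and a deny from either feature denies the flow, with `*` blocking every destination, URL or IP, as support confirmed. The rule fields loosely mirror the dashboard's L3 rule columns (policy, protocol, destination CIDR, destination port), but the matching logic, the rule set `OP_RULES` that reconstructs the original post's policy, and every helper name are this example's own assumptions. It also flags rules placed below a catch-all rule, which can never match.

```python
"""Simulate first-match L3 firewall rules plus an independent content-filter
blocklist. Example code only: the matching rules here are assumptions,
not the MX's actual implementation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class L3Rule:
    policy: str                # "allow" or "deny"
    protocol: str = "any"      # "any", "tcp", "udp" or "icmp"
    dest_cidr: str = "Any"     # "Any", or one or more CIDRs separated by commas
    dest_port: str = "Any"     # "Any", a port, a list "80,443" or a range "1024-65535"
    comment: str = ""

    def is_catch_all(self) -> bool:
        """A rule that matches every packet; anything below it is dead."""
        return (self.protocol == "any"
                and self.dest_cidr.strip().lower() == "any"
                and self.dest_port.strip().lower() == "any")


def _cidr_matches(dest_cidr: str, ip: str) -> bool:
    if dest_cidr.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in dest_cidr.split(","))


def _port_matches(dest_port: str, port: int) -> bool:
    if dest_port.strip().lower() == "any":
        return True
    for part in dest_port.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def evaluate_l3(rules: List[L3Rule], dst_ip: str, protocol: str = "tcp",
                dst_port: int = 443) -> Tuple[str, Optional[int]]:
    """First matching rule decides. If nothing matches, the implicit default
    allow applies: a missing or unapplied deny-any leaves the internet open."""
    for index, rule in enumerate(rules):
        if rule.protocol != "any" and rule.protocol != protocol:
            continue
        if not _cidr_matches(rule.dest_cidr, dst_ip):
            continue
        # Ports only exist for TCP/UDP; ICMP is matched on address alone.
        if protocol in ("tcp", "udp") and not _port_matches(rule.dest_port, dst_port):
            continue
        return rule.policy, index
    return "allow", None


def content_filter_blocks(blocklist: List[str], destination: str) -> bool:
    """'*' blocks every destination, URL or IP (the thread's finding). Other
    entries are treated as exact-host or suffix matches (assumption)."""
    dest = destination.lower()
    for pattern in blocklist:
        pat = pattern.strip().lower()
        if pat == "*" or dest == pat or dest.endswith("." + pat):
            return True
    return False


def evaluate(rules: List[L3Rule], blocklist: List[str], dst_ip: str,
             protocol: str = "tcp", dst_port: int = 443,
             hostname: Optional[str] = None) -> str:
    """Features are independent: a deny from either one denies the flow."""
    l3_decision, _ = evaluate_l3(rules, dst_ip, protocol, dst_port)
    cf_blocked = content_filter_blocks(blocklist, hostname or dst_ip)
    return "deny" if (l3_decision == "deny" or cf_blocked) else "allow"


def unreachable_rules(rules: List[L3Rule]) -> List[int]:
    """Indexes of rules that sit below a catch-all rule and can never match."""
    for index, rule in enumerate(rules):
        if rule.is_catch_all():
            return list(range(index + 1, len(rules)))
    return []


# Constructed reconstruction of the original post's policy: allow the
# RFC 1918 ranges, then deny everything else.
OP_RULES = [
    L3Rule("allow", "any", "10.0.0.0/8", comment="private"),
    L3Rule("allow", "any", "172.16.0.0/12", comment="private"),
    L3Rule("allow", "any", "192.168.0.0/16", comment="private"),
    L3Rule("deny", "any", "Any", comment="block open internet"),
]

if __name__ == "__main__":
    print("L3 only, DC -> 192.168.10.5:", evaluate_l3(OP_RULES, "192.168.10.5"))
    print("L3 only, DC -> 8.8.8.8 (icmp):", evaluate_l3(OP_RULES, "8.8.8.8", "icmp", 0))
    print("No rules, blocklist '*', 8.8.8.8:", evaluate([], ["*"], "8.8.8.8"))
    print("Dead rules below the deny-any:",
          unreachable_rules(OP_RULES + [L3Rule("allow", "tcp", "Any", "443")]))
```

Against the reconstructed policy, a ping to a public address reaches the final deny, while an empty rule list falls through to the implicit allow and only the `*` blocklist entry stops it; that is the distinction to keep in mind when working out which feature actually produced an observed block. The simulator models only the rule logic, not whether the policy is being applied to the client at all, which is what the troubleshooting steps in the Meraki article cover.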
