Meraki

Community

Help WEB Filter Firewall Meraki Block URL ALLOWED LIST GROUP POLICY

vagner_lima
Comes here often
‎Mar 5 2025 6:02 AM
‎Mar 5 2025 6:02 AM

Help WEB Filter Firewall Meraki Block URL ALLOWED LIST GROUP POLICY

I am encountering an issue while configuring content filtering on our Meraki. We have a Group Policy named "expedicao_internet", which applies category-based blocking.
Currently, we are blocking the "Education" category within this policy, but we need to allow specific URLs within that category without disabling the category-wide block.
The problem is as follows: when I add the site cieers.org.br to the Allow List within the Group Policy, it does not get unblocked. Even after adding various domain variations like:
 

vagner_lima_1-1741183216195.png

 

 

vagner_lima_2-1741183235398.png

 

The site continues to be blocked. However, if I remove the "Education" category from the policy, access to the site is correctly allowed.
after remove category education.
 
vagner_lima_3-1741183278123.png

 

 

Our goal is to keep the "Education" category blocked while still allowing access to cieers.org.br and other specific URLs that may be needed.
We would like to know if there are any additional settings or adjustments we can make to allow specific URLs within the blocked category without having to remove the category block altogether.

 

 

Labels:
0 Kudos
10 Replies 10
Mloraditch
Kind of a big deal
‎Mar 5 2025 6:12 AM
‎Mar 5 2025 6:12 AM

Based on the documentation (https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering) and my experience, you appear to have things setup correctly to do as you want. Allows are supposed to take precedence over blocks and the allow/block list are supposed to be processed before the category rules.

I would make sure you are on the latest firmware for your MX and contact support.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Mloraditch
vagner_lima
Comes here often
‎Mar 5 2025 6:55 AM
‎Mar 5 2025 6:55 AM

I opened a ticket with support and am waiting for a response. However, the situation is quite strange. The configuration appears to be correct, and the block is coming from the category itself because if I remove it, the site becomes accessible. But when I add the category back and put the site on the allowed list, it remains blocked. 😞

0 Kudos
RWelch
Kind of a big deal
Kind of a big deal
‎Mar 5 2025 6:16 AM
‎Mar 5 2025 6:16 AM

Content filtering allows you to block certain categories of websites based on your organizational policies. You can also block or allow list individual websites for additional customization. For example, if you block the "Internet Communications" category this also blocks gmail.com and facebook.com because both websites are communication platforms. You can allow list gmail.com and facebook.com to make sure that both websites are fully operational while all other websites providing chat functionality are blocked.

 

Content Filtering 

URL Block List and Allow List Patterns 

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to RWelch
vagner_lima
Comes here often
‎Mar 5 2025 6:57 AM
‎Mar 5 2025 6:57 AM

Yes, I understand that, and I've already read all the documentation, but it's not working as expected because the site is correctly listed. 😞

0 Kudos
In response to vagner_lima
RWelch
Kind of a big deal
Kind of a big deal
‎Mar 5 2025 7:06 AM
‎Mar 5 2025 7:06 AM

I had a similar issue in the past and putting all of the URLs in the allow list alphabetically helped resolve my issue.  Not sure if that is the case with your scenario.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to RWelch
vagner_lima
Comes here often
‎Mar 5 2025 12:14 PM
‎Mar 5 2025 12:14 PM

I will try.

0 Kudos
In response to RWelch
vagner_lima
Comes here often
‎Mar 5 2025 6:03 PM
‎Mar 5 2025 6:03 PM

Do you add URLs like this:

facebook.com

*.facebook.com

? Is there any trick to this? In other firewalls, I have always used the asterisk, but in Meraki, this also seems to have some particularity.

0 Kudos
In response to vagner_lima
michalc
Meraki Employee
Meraki Employee
‎Mar 6 2025 5:51 AM
‎Mar 6 2025 5:51 AM

The asterisk symbol has two primary uses in URLs for content filtering.

  • Standalone Catch-All Wildcard
    • The " * " (asterisk) symbol when used on its own line is an all-inclusive wildcard which represents all possible entries
    • When used on its own line in allow listed URL patterns, ALL URL patterns are allow listed
    • When used on its own line in blocked URL patterns, ALL URL patterns are blocked, except those that are explicitly allow listed
  • In-URL Asterisk Character
    • The " * " (asterisk) symbol when used as part of a URL or in line with a URL is simply a regular asterisk symbol and is interpreted as part of the URL, NOT as a wildcard
    • Note that this is very rarely useful, except in URLs that actually require asterisk symbols, such as https://web.archive.org/web/*/meraki.com
If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 5 2025 11:40 AM
‎Mar 5 2025 11:40 AM

When you make changes like this, they only apply to NEW TCP flows being made by the client.  Existing flows keep the existing settings.  As a result, it can take 10 minutes for you to see the change if you use the same test machine.

0 Kudos
In response to PhilipDAth
vagner_lima
Comes here often
‎Mar 5 2025 12:16 PM
‎Mar 5 2025 12:16 PM

I understand, in this case, I have already waited but I continue trying new tests.

0 Kudos
li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.