Layer 7 blocking issue

SOLVED
Troyee
Getting noticed

Hi Team,

I have a problem with allowing Workplace Facebook while the Facebook application itself must be blocked. I have put certain domains in the whitelist section on the Web Blocking. These were the domains that I have put in the whitelist section:

*.facebook.com
*.akamaihd.net
*.fbcdn.net
*.fb.me
*.fbsbx.com

As I troubleshot and checked the logs, the traffic was coming from the Layer 7 filter. It was the Facebook signature that caused the blocking. Is it possible to separate the Facebook signature and Workplace Facebook?

Thank you.

PhilipDAth
Kind of a big deal

I don't know the answer, but I would guess no because they use the same domain names.

Perhaps time for something more sophisticated?

https://www.webex.com/team-collaboration.html

Ben
A model citizen

It's quite hard to separate the Facebook and Facebook Workplace applications.
As mentioned above, perhaps it's time to look at more enterprise-grade software for collaboration.

Cheers,
Ben
Aaron_Wilson
A model citizen

I'm guessing FB doesn't host work and personal on different domains, do they?

The two options I see are:

1) Block FB and use a real collab tool

2) Realize blocking FB does nothing for productivity (people have phones) and allow it.

The real win is to get people to stop using FB, period.

Troyee
Getting noticed

Hi Everyone,

Upon troubleshooting, the best way we came up with for this issue was to turn off the Layer 7 blocking on the Firewall tab and just block the Facebook application in the content filtering while whitelisting the specific domains that Workplace Facebook was using.

I thank you all who replied and assisted me on this issue. Appreciate it.

Thank you.

Output: the Facebook application was blocked and Workplace Facebook is working.

Coen
Conversationalist

Hello Troyee,

Thanks for raising this issue. I've tried to apply the steps you describe, but it doesn't work. Could you please specify the URL patterns that you are using to block Facebook?

Do you block these on the group policy level or the content filter level? So far I found that the Facebook URL patterns are the same as Workplace, so I'm not sure how it will work.

Thank you for your help with this.

Best, Coen

 

Troyee
Getting noticed

Hi Coen,

These were the things to check:

1. Do you have a Layer 7 policy on the firewall rule which contains DENY Social Web & Photo Sharing? If none, proceed to number 3.

2. If yes, erase that firewall rule or allow the Layer 7 traffic. We'll be blocking the traffic by using the content filtering.

3. On the Content Filtering, the blocked website categories should include Social Networking.

4. On the Whitelisted URL section, I have attached a screenshot of the domains I whitelisted to allow Workplace Facebook but block Facebook itself.

Then it's done.

Please do note that I didn't use wildcards to whitelist the URLs. For the scontent domain, it is always changing. Please check your event logs for this one.

I hope this guide helps.

Workplace Facebook Whitelisting.JPG

Coen
Conversationalist

Thank you for your quick response. It worked almost 90% with your solution. However, it was not showing all elements (status indicator/image of contact person/etc.). I've resolved some of them by adding a couple of lines to the whitelist:

workplace.com
pixel.facebook.com
fbsbx.com
fna.fbcdn.net
akamaihd.net
work.facebook.com
workplace.facebook.com
static.xx.fbcdn.net
fbsbx.com
fb.com
scontent.fcrk1-1.fna.fbcdn.net
scontent.xx.fbcdn.net
*chat.facebook.com
*mqtt.facebook.com
edge-mqtt.facebook.com
graph.facebook.com

This is the complete list I'm using now. Some may be redundant, but I'm still testing. The one problem is that when you use fb.com in your browser, it redirects you to facebook.com showing the page. I didn't test to log in as I don't have a Facebook account. The URL facebook.com works after. When you remove the cache and try facebook.com it will be blocked again.

Do you know if login is possible or will it be blocked when a user tries to log in?

Coen

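An added example, not code from the thread or from Meraki: it replays a few constructed content-filter block events against the allow list posted above and reports which logged hosts the list already covers and which would still be blocked, mirroring the advice to read the event logs before whitelisting the ever-changing scontent hosts. The matching rule (a plain entry covers the host and its subdomains, a leading `*` covers any host ending in the remainder) and the event line format are assumptions for illustration, not the appliance's documented behaviour.

```python
import re
from urllib.parse import urlsplit

# Allow list as posted above in this thread (plain host names plus two leading-wildcard entries).
ALLOWED_URL_PATTERNS = [
    "workplace.com", "pixel.facebook.com", "fbsbx.com", "fna.fbcdn.net",
    "akamaihd.net", "work.facebook.com", "workplace.facebook.com",
    "static.xx.fbcdn.net", "fb.com", "scontent.fcrk1-1.fna.fbcdn.net",
    "scontent.xx.fbcdn.net", "*chat.facebook.com", "*mqtt.facebook.com",
    "edge-mqtt.facebook.com", "graph.facebook.com",
]

# Constructed sample of block events in a syslog-like shape (illustrative, not the appliance's exact format).
SAMPLE_EVENTS = """\
content_filtering_block url='https://scontent.fmnl4-2.fna.fbcdn.net/v/t1.0-9/photo.jpg' category0='Social Networking'
content_filtering_block url='https://edge-chat.facebook.com/chat' category0='Social Networking'
content_filtering_block url='https://www.facebook.com/' category0='Social Networking'
content_filtering_block url='https://star.c10r.facebook.com/' category0='Social Networking'
content_filtering_block url='https://fb.com/' category0='Social Networking'
"""

def host_matches(host: str, pattern: str) -> bool:
    """Assumed matching semantics: a plain pattern covers that host and all of its subdomains;
    a pattern starting with '*' covers any host whose name ends with the remainder."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern or host.endswith("." + pattern)

def is_allowed(host: str, allow_patterns=ALLOWED_URL_PATTERNS) -> bool:
    return any(host_matches(host, p) for p in allow_patterns)

def hosts_from_events(events: str) -> list:
    """Pull the host name out of every block event that carries a url='...' field."""
    hosts = []
    for line in events.splitlines():
        m = re.search(r"url='([^']+)'", line)
        host = urlsplit(m.group(1)).hostname if m else None
        if host:
            hosts.append(host)
    return hosts

def review_allow_list(events: str, allow_patterns=ALLOWED_URL_PATTERNS) -> dict:
    """Split logged hosts into those the allow list already covers and those still blocked,
    so the admin can decide which belong to Workplace and which to consumer Facebook."""
    covered, still_blocked = [], []
    for host in hosts_from_events(events):
        (covered if is_allowed(host, allow_patterns) else still_blocked).append(host)
    return {"covered": covered, "still_blocked": still_blocked}
```

Note that fb.com is covered by the list while www.facebook.com is not, which matches the redirect behaviour described above: the allow entry does not carry over to the host the redirect lands on.
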
Troyee
Getting noticed

Hi Coen,

I'm deeply sorry for the late response. I have been away for a couple of days. To answer your question, what I've done was I checked the event logs for what must be whitelisted to allow what was needed on Workplace. Regarding the fb.com issue, mine was blocked. From my point of view, maybe it's just the browser cache after you applied your newly configured policy.

I hope this helps.

KMNEP
Getting noticed

Hi @Coen

Appreciate your hard work.

But this method is only applicable for browsing. It doesn't block the Facebook and Messenger apps on mobile phones.

Troyee
Getting noticed

Hi KMNEP,

You're right. I think there is no other workaround to block the signature using Layer 7 and allow Workplace Facebook.

Coen
Conversationalist

@KMNEP thanks!

I did not test that. However, in our network configuration, mobile phones connect to a different VLAN with a different rule set. I've asked the Meraki team to create a clear split on Layer 7 for the two different services (Facebook, Workplace). The problem is that most addresses are the same/similar, but the IP ranges are different. I'm not sure how soon and if they pick this up.
