Layer3 Outbound Rules

glydeen


Someone please clarify.


Using Layer3 outbound rules, I'm blocking all outbound traffic with a catch-all rule as my last rule.

I'll then be allowing access to certain sites by using allow rules with the site(s) FQDN.


Do I use an "*" asterisk as a wildcard, such as *.google.com, or do I drop the asterisk when defining an FQDN?

I've seen conflicting information.


Another question:


In the list of required Google URLs is *.clients[N].google.com, where "[N]" is a number, in this case 1-6.

i.e. *.clients1.google.com, *.clients6.google.com, etc. Is there a way to easily catch this with a wildcard?

In testing, *.google.com didn't seem to catch this and allow traffic to these URLs to pass.


Any advice would help.


Thanks

3 Replies

Bruce

If you haven't looked at using firewall policy objects I would probably look at taking this path, it's likely to make things easier in the long run given your description. Look through these documents:
https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Network_Objects_Highlights
https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Network_Objects_Configuration_Guide

A policy object can contain a FQDN or a wildcard FQDN, so *.google.com could be used to block all Google sites, whereas www.google.com would only block that site.


I could imagine that your confusion is with the Content Filtering engine, where you don't specify the "*.". The engine for Content Filtering progressively removes the sub-domains for testing against the block or allow lists. The firewall rules operate differently.
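To make the distinction Bruce draws concrete, here is a small Python model of the two behaviours. It is an added illustration, not code from this thread and not Meraki's implementation: it does not show how the MX evaluates FQDN rules internally, only the string-matching semantics that decide whether a pattern such as *.google.com covers a host like ssl.clients1.google.com. The any_depth flag exists to show both possible readings of a leading wildcard rather than to assert which one the MX uses, and the ordering rules inside content_filter_decision (allow checked before block at each step, the bare TLD never tested, a bare "*" in the block list acting as the catch-all PhilipDAth mentions below) are assumptions of the model. Confirm the real behaviour against the vendor documentation or by testing.

```python
"""
Model of two FQDN-matching behaviours: firewall-style wildcard patterns
and content-filter-style progressive sub-domain stripping.

Added illustration only; not Meraki code. Semantics flagged as
assumptions below must be confirmed against the real product.
"""
from __future__ import annotations

from typing import Iterable


def labels(host: str) -> list[str]:
    """Split a hostname into lower-cased DNS labels (trailing dot ignored)."""
    return host.lower().rstrip(".").split(".")


def wildcard_match(pattern: str, host: str, any_depth: bool) -> bool:
    """Firewall-style FQDN match.

    pattern    an exact name ('www.google.com') or a leading wildcard
               ('*.google.com'); other wildcard positions are not modelled
    any_depth  True  -> '*.google.com' covers a.google.com AND a.b.google.com
               False -> '*.google.com' covers exactly one extra label
    Matching is label-wise, so '*.google.com' never matches 'evilgoogle.com'.
    """
    p, h = labels(pattern), labels(host)
    if p[0] != "*":
        return p == h
    suffix = p[1:]
    if len(h) <= len(suffix) or h[-len(suffix):] != suffix:
        return False
    extra = len(h) - len(suffix)
    return extra >= 1 if any_depth else extra == 1


def uncovered(hosts: Iterable[str], patterns: Iterable[str], any_depth: bool) -> list[str]:
    """Hosts that no pattern covers under the given wildcard semantics."""
    patterns = list(patterns)
    return sorted(h for h in hosts
                  if not any(wildcard_match(p, h, any_depth) for p in patterns))


def content_filter_decision(host: str, allow: Iterable[str], block: Iterable[str]) -> str:
    """Model of progressive sub-domain stripping: test 'a.b.example.com',
    then 'b.example.com', then 'example.com' against the lists, which hold
    plain names without a '*.' prefix.

    Assumptions of this model (not confirmed product behaviour): first hit
    wins, allow is checked before block at each step, the bare TLD is never
    tested, and a bare '*' in the block list is a catch-all.
    """
    allow = {a.lower() for a in allow}
    block = {b.lower() for b in block}
    parts = labels(host)
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in allow:
            return "allow"
        if candidate in block:
            return "block"
    return "block" if "*" in block else "default"


if __name__ == "__main__":
    # Constructed sample hosts in the shape of the question above.
    required = ["www.google.com", "ssl.clients1.google.com", "x.clients6.google.com"]
    print("single-label '*.google.com' misses:",
          uncovered(required, ["*.google.com"], any_depth=False))
    print("any-depth    '*.google.com' misses:",
          uncovered(required, ["*.google.com"], any_depth=True))
    per_n = ["*.google.com"] + [f"*.clients{n}.google.com" for n in range(1, 7)]
    print("explicit per-N patterns miss:", uncovered(required, per_n, any_depth=False))
    print("content filter, block '*' allow google.com:",
          content_filter_decision("ssl.clients1.google.com", ["google.com"], ["*"]))
```

Running uncovered() against the list of required hosts with each semantics shows immediately which reading of the wildcard the observed behaviour matches: if *.google.com leaves the clients[N] hosts unmatched, the product is treating a leading wildcard as a single label and one *.clients[N].google.com entry per N is needed. The content filter model shows why Bruce's point matters: there google.com in the allow list is reached by stripping labels, so no wildcard is written at all.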


PhilipDAth

For layer 3 rules, your deny rule should look like this:

[screenshot attached: PhilipDAth_0-1631419095336.png]


PhilipDAth

Reflecting on @Bruce's comment, you might be better off using content rules rather than L3 rules. You block "*" and then just allow added sites.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Blocking_Websites_with_Content_Filt... 


But it can be painful. When you create rules this way they don't kick in immediately. This is because of caching. So you can make a change, and really need to reboot to make sure.


Also note that a simple web site can load components from lots of web sites, and you have to allow all of those as well for it to work. If you are in Chrome, press CTRL-SHIFT-I to enable developer mode, click on the Sources tab, load your web site, and then look at all of the sources referenced. You need to allow all of them.


For example, to allow access to meraki.com, you need to allow about 30 (guesstimate) additional URLs. There are so many they don't even fit on one page in the developer tools.


[screenshot attached: PhilipDAth_0-1631419388094.png]
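Reading those dependencies off the DevTools screen by hand is exactly the painful part. An alternative, added here as an example rather than taken from the thread, is to export the page load as a HAR file from the Chrome DevTools Network panel (the export/download button) and let a script enumerate every hostname the browser contacted. The script below does that and then collapses the hostnames into candidate allow-list entries. SAMPLE_HAR is constructed sample data standing in for a real export; the example-cdn.net and example-tracker.com names are placeholders; the "last two labels" grouping is a deliberate simplification that mis-groups names under suffixes such as co.uk; and the wildcard entries it suggests assume a leading wildcard does not cover the bare parent name.

```python
"""
Enumerate every hostname a page loaded from, using a HAR file exported
from the browser's DevTools Network panel, and turn the result into
candidate allow-list entries.

Added example, not code from the thread or from Meraki.
SAMPLE_HAR is constructed sample data, not a real capture.
"""
from __future__ import annotations

import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for a DevTools HAR export (only the fields used here).
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "entries": [
            {"request": {"url": "https://meraki.com/"}},
            {"request": {"url": "https://www.meraki.com/assets/app.js"}},
            {"request": {"url": "https://www.meraki.com/assets/app.css"}},
            {"request": {"url": "https://static.meraki.com/img/logo.png"}},
            {"request": {"url": "https://fonts.example-cdn.net/font.woff2"}},
            {"request": {"url": "https://analytics.example-tracker.com/collect?x=1"}},
            {"request": {"url": "data:image/png;base64,iVBORw0KGgo="}},
        ],
    }
})


def har_hostnames(har_text: str) -> Counter:
    """Return {hostname: request count} for every http(s) request in a HAR."""
    har = json.loads(har_text)
    counts: Counter = Counter()
    for entry in har["log"]["entries"]:
        parts = urlsplit(entry["request"]["url"])
        # data:, blob: and about: URLs never leave the browser; skip them.
        if parts.scheme in ("http", "https") and parts.hostname:
            counts[parts.hostname.lower()] += 1
    return counts


def suggest_allow_entries(counts: Counter) -> list[str]:
    """Collapse hostnames into allow-rule entries.

    Hosts are grouped by their last two labels (simplification: this
    mis-groups names under suffixes like co.uk). Two or more subdomains
    under one parent become a single '*.parent' wildcard, a lone subdomain
    stays exact, and the bare parent is listed separately because a leading
    wildcard is assumed not to cover it.
    """
    by_parent: dict[str, set[str]] = {}
    for host in counts:
        parent = ".".join(host.split(".")[-2:])
        by_parent.setdefault(parent, set()).add(host)
    entries: list[str] = []
    for parent, hosts in sorted(by_parent.items()):
        subs = sorted(h for h in hosts if h != parent)
        if parent in hosts:
            entries.append(parent)
        if len(subs) > 1:
            entries.append(f"*.{parent}")
        else:
            entries.extend(subs)
    return entries


if __name__ == "__main__":
    hosts = har_hostnames(SAMPLE_HAR)
    for host, n in hosts.most_common():
        print(f"{n:4d}  {host}")
    print("suggested allow entries:", suggest_allow_entries(hosts))
```

Run it against a real export by replacing SAMPLE_HAR with the file contents. Treat the suggested wildcards as a starting point to review, not a list to paste in: each *.parent entry widens the allow list to every present and future subdomain of that parent, which is often more than the page actually needs.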
