MX100 Strange issues regarding URL Filtering (Windows Updates)

Maikel
Comes here often

Hi Fellow Meraki friends,

We are experiencing an issue that we cannot explain. We block all outgoing access unless specified. To allow Windows updates we created an L3 rule to allow traffic from any source, on any source or destination port, to the following three destinations: microsoft.com, windowsupdate.com and windows.com (based on this article).

We also notice that the hit count does not show any traffic. We use an MX100 (current version: MX 14.40). If we whitelist a machine everything is working as expected, so this gives us the impression that URL filtering in L3 rules is failing. We have the content filtering URL category list size setting set to "Top sites only (Higher performance)"; could that have anything to do with this?

Support is not really helpful at this state, so I am hoping you guys have experienced this issue or a similar one and can help us with a possible solution.

PhilipDAth
Kind of a big deal

My guess is you are not allowing enough URLs.  Whitelist the host.  Start a packet capture going on port 53, and then reboot it.  Then start a manual windows update.

Take note of all the DNS queries it makes.  You'll probably find it trying to access a lot of additional sites.
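One way to sift the port-53 capture that advice produces, as an added example that is not from this thread or from Meraki: it takes the queried names (here a constructed sample in a hypothetical one-query-per-line summary format, not real capture output) and checks each against the three domains in the original rule using label-boundary suffix matching, so a name that merely contains "windowsupdate.com" somewhere in the middle is not mistaken for a covered one.

```python
import re

# Destinations from the L3 rule described in the thread.
ALLOWED_DOMAINS = ["microsoft.com", "windowsupdate.com", "windows.com"]

# Constructed sample (hypothetical "<time> <client> <qname>" summary, not real capture output).
SAMPLE_DNS_LOG = """\
10:01:02 10.0.0.21 fe2.update.microsoft.com.
10:01:03 10.0.0.21 download.windowsupdate.com.
10:01:03 10.0.0.21 settings-win.data.microsoft.com.
10:01:05 10.0.0.21 au.download.windowsupdate.com.nsatc.net.
10:01:06 10.0.0.21 edge.phicdn.net.
10:01:07 10.0.0.21 WINDOWS.COM
10:01:08 10.0.0.21 notwindows.com.
"""
LINE_RE = re.compile(r"^\S+\s+(?P<client>\S+)\s+(?P<qname>\S+)$")

def normalize(name: str) -> str:
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return name.lower().rstrip(".")

def is_covered(qname: str, allowed: list[str]) -> bool:
    """True if qname equals an allowed domain or is a subdomain of it.
    The match is anchored on a label boundary: plain substring matching
    would wrongly accept notwindows.com or x.windowsupdate.com.nsatc.net."""
    q = normalize(qname)
    return any(q == normalize(d) or q.endswith("." + normalize(d)) for d in allowed)

def audit_dns_log(log: str, allowed: list[str]) -> dict[str, set[str]]:
    """Split queried names into those the rule covers and those it does not."""
    result: dict[str, set[str]] = {"covered": set(), "uncovered": set()}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the summary format
        q = normalize(m.group("qname"))
        result["covered" if is_covered(q, allowed) else "uncovered"].add(q)
    return result

def missing_domains(uncovered: set[str]) -> set[str]:
    """Last two labels of each uncovered name: candidate domains to add.
    (Approximation: fine for .com/.net, too short for suffixes like .co.uk.)"""
    return {".".join(n.split(".")[-2:]) for n in uncovered}

if __name__ == "__main__":
    r = audit_dns_log(SAMPLE_DNS_LOG, ALLOWED_DOMAINS)
    print("Covered by the rule:", sorted(r["covered"]))
    print("Not covered:       ", sorted(r["uncovered"]))
    print("Candidate domains: ", sorted(missing_domains(r["uncovered"])))
```

The "not covered" set is what still needs a rule; whether the MX actually sees those names resolve (the point raised later in the thread) is a separate check.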

Maikel
Comes here often

Did what you suggested, and while I found many URLs, they all belong to the three top-level domains that are set in the rule above. According to the article I can allow top-level domains in the Layer 3 policy, right?

I did some more research, and based on DNS filtering on Windows 7, Windows 8.1 and Windows 10 machines I came to the following URLs:

microsoft.com
windowsupdate.com
nsatc.net
phicdn.net
windows.com

PhilipDAth
Kind of a big deal

For FQDN rules to work the DNS queries have to flow through the MX for it to intercept them.  Is this the case?

Also check out this article on the order that rules are processed in.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Layer_3_and_7_Firewa...

Maikel
Comes here often

Yes, all traffic is routed towards the firewall. Or do you mean that the Meraki itself needs to be the primary DNS server?

We are making some changes to the rules today because of the new insights and the URLs we found; will keep this topic updated.

Thanks for all the help so far, much appreciated!

Maikel
Comes here often

So we are a little closer to a solution; we have it working now, but it's not reliable. One moment everything works as expected and ten minutes later connections are blocked by Meraki. Does anyone have similar experience?

Ashish312
Just browsing

I had a similar issue and resolved it by the steps below:

Threat protection > Advanced Malware Protection (AMP) > 

whitelist the site below:

windowsupdate.com/*
