MX64 Content Filtering SERIOUSLY Lacking...

DunJer622
Building a reputation

MX64 Content Filtering SERIOUSLY Lacking...

I realize that I'm pretty new to Meraki, but is Meraki Content Filtering really poor, or am I just getting really lucky at finding issues?  Intentionally, I enable the blocking of a lot of categories, as I wanted to see what it classified correctly and how it handled it.  First problem identified was that playboy.com was NOT blocked as pornography.  At first, I thought that the filtering may have been really good, as playboy.com no longer has nudity (at least that is my understanding), but pornhub.com was blocked immediately.  Again, all seems good.  Then, a week later, playboy.com is blocked.  Not sure why the delay, but I'd like to know (as I don't need any of my employees going to porn).  Continuing on with testing, I find that www.powerball.com is block as 'gambling'.  OK, I get that.  However, as I'm testing at home, I want to open it up.  So, within 'Whitelisted URL patterns', I enter powerball.com and save.  Nope.  www.powerball.com.  Nope.  *.powerball.com.  Nope.  Http://www.powerball.com.  Nope.  Sometimes, it isn't even telling me the reason for the site to be block (no category listed).  I have more examples, but you get the idea.  This is not good.  For my users' own good (and for our company), I block a lot of categories with my SonicWALL firewall.  Should a site get block, it is crystal clear why a site is blocked and I was able to script (within SonicWALL) the ability for users to send us a snapshot of the blocked attempt.  With Meraki, the user is going to have to manually copy and paste (not the end of the world), but if I can't readily make exceptions for the user, that is going to be a major problem.  Is this a known issue, or am I overlooking something?  I'm seeing some other forums tearing Meraki content filtering apart, but I'm hoping they are wrong.

 

Thanks,

 

Jeremy

11 Replies 11
PhilipDAth
Kind of a big deal
Kind of a big deal

Upgrade to 13.28.

DunJer622
Building a reputation

 

FIRMWARE
Up to date
Current version: MX 13.28

 

MilesMeraki
Head in the Cloud

Firstly, I assume you've read over this article regarding content-filtering which may assist with some of your questions around URL string Whitelisting/Blacklisting. - https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/Content_Filtering.

 

If you're blocking all categories to try and find out what a particular blocked site is apart of, Meraki have already publically stated that they use "Brightcloud" for URL categorization, you can find a category for a particular site by using this lookup tool- https://www.brightcloud.com/tools/url-ip-lookup.php

 

Are you running the MX will full list or top sites only? 

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
DunJer622
Building a reputation

Greetings, WANKiller.

 

I'm running the MX with the full list.

 

Yes, I have read all documentation associated with content filtering, and it states exactly how it should work (and how I would expect it to work).  However, my testing is showing otherwise.  I'm trying to determine if that is common or not.  I realize that this is a Meraki community, but I'm hoping that it is an honest community regarding Meraki products.  I'm not here to bash anything.  I just want to make sure that I set realistic expectations for management.  We are moving away from SonicWALL because their support generally sucks.  Overall, I think I've answered more questions for them then they have for me.  My understanding is that Meraki has very good support.  That is awesome, but I do need to have the products work as advertised.  If there are quirks, they are not necessarily showstoppers.  I just don't want to chase answers that aren't there. 

 

This particular issue should be pretty easy.  If I whitelist powerball.com, I expect to get to www.powerball.com and whatever.powerball.com.  I expect that to happen as soon as I save the config.  If that is an unrealistic expectation, I need to understand why.  I had to remove the 'gambling' category to be able to consistently access the site.  The only time I had any issues like this with SonicWALL, it was because of a redirect or HTTPS.  That is not the case here.

 

There are parts of Meraki that I greatly appreciate.  I just need to better understand the other parts.

 

Thanks,

 

Jeremy

MerakiDave
Meraki Employee
Meraki Employee

Good discussion so far on this thread and one item I haven't seen referenced yet is the time factor.  Meraki MX leverages BrightCloud website URL/IP categorization to determine if a web site should be blocked or not.  So especially if you're using "full list" instead of top sites only, it may take some time for the MX to download and process the full list into a set of MD5 digests for URLs/IPs that match given categories.  So initially trying to block Adult & Porn and then right away navigating to Playboy, it's likely going to let that traffic through for a little while until the full list is processed.  Once everything is status quo, I believe on subsequent lookups, it will also query BrightCloud directly if you have full list enabled and something is not present in the digest locally on the MX.  

 

I'd suggest checking with Meraki Support on the latest values for the timing of full list downloads.  They'll also be able to work with you in real time and see some of the content filtering operations on the Meraki back-end for troubleshooting and examine any false positives, true negatives, etc.  Also check with them on your specific config, make sure something isn't breaking down if you have almost every possible category blocked, along with lots of whitelist/blacklist entries, that can translate into tens of thousands of digests, and they can advise on an optimal configuration based on your requirements and if it can lead to performance limitations on the MX64 hardware.  For example I'm wondering if the MX84 could be a better choice depending on your configuration, as it may not only have more horsepower, but also has an internal hard drive which could perhaps scale better, perhaps store more digests that the MX64 could handle in memory.  But I'd suggest discussing that with Meraki Support also, they can also see CPU/memory utilization for example. 

Adam
Kind of a big deal

Agreed full list is key, and I hope eventually they use their OpenDNS product instead of BrightCloud. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
MerakiDave
Meraki Employee
Meraki Employee

@DunJer622 one other quick thought, there is a back-end feature that Meraki Support should be able to enable for you on your Dashboard to enable you to display custom block pages, for example with help desk information.  You'd have the ability to host your own local web server with your own block page you could customize however you wish.  The block URL that gets returned would have all of the info in it you would need to impart meaningful into into your custom block page like URL, IP, category, etc.  You could potentially customize block pages based on category, so based on which type of content gets blocked you could have different custom block pages to handle specific situations differently.  

RodrigoC
Meraki Employee
Meraki Employee

To Expand a bit on @MerakiDave's previous post, you can use THIS page to directly look up a URLs against Brightcloud's servers. If you see a site that is categorized there but is not getting picked up on your MX, call our support line and we'll take a look!

 

That being said, you should keep the following things in mind:

  1. Content filtering will only apply to new flows. This means that most changes will not take effect immediately. (KB suggests ~10 minutes)
  2. If the site you are trying to block is HTTPS, the MX will only be able to block that flow after the existing HTTPS session expires and the client attempts to renegotiate. 
  3. Make sure any clients you are testing with are not whitelisted or part of a separate group policy.

For more common issues with content filtering, feel free to check out the Content Filtering Troubleshooting KB

Maicon_Vieira
Here to help

We're having the oposite problem, we're having a bunch of cases where we Whitelist some urls and it is blocked by some categories, specially if it fits more than one category.


@RodrigoCwrote:

To Expand a bit on @MerakiDave's previous post, you can use THIS page to directly look up a URLs against Brightcloud's servers. If you see a site that is categorized there but is not getting picked up on your MX, call our support line and we'll take a look!

 

That being said, you should keep the following things in mind:

  1. Content filtering will only apply to new flows. This means that most changes will not take effect immediately. (KB suggests ~10 minutes)
  2. If the site you are trying to block is HTTPS, the MX will only be able to block that flow after the existing HTTPS session expires and the client attempts to renegotiate. 
  3. Make sure any clients you are testing with are not whitelisted or part of a separate group policy.

For more common issues with content filtering, feel free to check out the Content Filtering Troubleshooting KB


 We are having lots of problems like @DunJer622  we have quite big whitelists indeed, but the problems occours with new devices, that are suposed to have downloaded Full configs, but still some of the whitelisted patterns doesn't work. We use full list for sizing

It is being a headache, we are thinkink about removing the rules based on categories and useing just Black/whitelisting.

BlakeRichardson
Kind of a big deal
Kind of a big deal

As a SonicWall user myself Meraki is a wee way behind when it comes to content filtering and features. The main reason for this that I can think of is time, SonicWall have been around for a lot longer than Meraki and their ONLY product line is security appliances...

 

I wouldn't say its comparing Apples with Apples. I'm not being nasty to Meraki I'm simply saying give it time, building a single product line from scratch is a real feat let alone a whole range of products!

 

To Meraki's credit they do offer free trials of all their products which gives the user a chance to use the product before they purchase.

 

 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Uberseehandel
Kind of a big deal


@DunJer622 wrote:

I realize that I'm pretty new to Meraki, but is Meraki Content Filtering really poor, or . . .


Some years ago I was working on fixing a large, complex and eye-wateringly expensive project, that the original management and development thought it would be a great idea to BOB everything; and then left before the near impossibility of a credible launch became general knowledge.

 

Amongst the seriously FUBAR curiosities, I do recall what happened when a semi-demented firewall specialist decided to "look after" the corporation, and the internal network users. Amongst a plethora of inanities I particularly recall that my surname got banned (apparently it is popular with professional dominatrices) and that anything with sex in the name was similarly treated; fair enough you might think. As it happens, one of the major partners in the project was running its involvement from a site close to London, adjacent to which are, amongst others, the counties of Essex, Sussex and Middlesex, so it became impossible to mention exactly where the office was located.

 

Whilst AI might be up to autonomously controlling automobiles, we are a few years away from deciding what is deviant, damaging or inappropriate. And then it is only one person's opinion. Should we ban women in hijabs, women not in hijabs, wrinkly old men in dressing gowns? This all gets complicated, not just technically and logically complicated, but morally and culturally complicated.

 

In the mean time, we can concentrate on discouraging such nuisances as peer-to-peer sharing and stopping users from mounting attacks on other network users. And curating mobile devices . . .

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels