MX67 and MX84 content filtering

jwinters99
Comes here often


I am a bit confused about how to set up content filtering correctly. If I set up a blocked website list it doesn't work. I do not have AD integration or group policies set. Do these need to be used and set up for content filtering to work, or can it work without them? Below is how it's set up and nothing beyond this has been done. What am I missing?

 

jwinters99_0-1583337138475.png

 

ww
Kind of a big deal

The firewall config status is up to date?

Try reconnecting the client to the network.

Check the URL in the lookup tool under the categories.

 

jwinters99
Comes here often

That really didn't answer my question. Beyond what is in the picture provided, is there anything else that has to be set up? Do I need some sort of AD or Group Policies set in order for Content Filtering to work?

ww
Kind of a big deal

This should work fine.

Richard_W
A model citizen

When you say "If I set up a blocked website list it doesn't work." can you clarify what you did and what you hope to achieve, with say, an example or two.

Sorry, I thought the picture was self-explanatory. I added the categories that I want to block to the blocked website list, and then looked up a site using the category lookup tool and it fell into the category that is supposed to be blocked. When I'm connected to the network and go to the same website it is allowed instead of being blocked. What is missing? What other config is needed to properly enable it?

It should be enough. The advice @ww gave you is good advice. You need to wait a bit until the cloud pushes the config change to the MX, and then it can still take reconnecting the client to the network to apply the new filtering rules due to cached data.

 

I suppose you've already gone through these steps:

Why is a site NOT being blocked when it should be?

There are several factors that can contribute to a website not being blocked when it should be. Consider the following factors:

  • When Content Filtering rules are configured/changed, it can take a while for them to fully take effect. This goes for both blocking and unblocking content. This process can sometimes take up to 10 minutes.
  • Make sure that the client you are configuring is not whitelisted. Try finding the client you are testing with by navigating to Network-wide > Monitor > Clients, opening their client page, and making sure their 'Policy' is not set to 'Whitelisted.'
  • Additionally, clients can also be unintentionally whitelisted by having Group Policies applied to them. ALL Group Policy rules take priority over default network rules unless set to 'Use network default' settings.
  • Check to make sure that the URL is not in the URL whitelist on the Content Filtering page.
  • It is possible that the site does not actually have a good reputation, or may be in a different category than it should be. Be sure to check the IP/URL reputation on BrightCloud.
  • In the latest stable firmware version, URL reputation is prioritized over IP reputation, as opposed to IP reputation being the deciding factor on previous firmware versions. If for some reason the IP has a different categorization than the URL, the client could be allowed through. Firmware can be upgraded by navigating to Organization > Monitor > Firmware upgrades.

Source: https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering/Conten...
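
The checklist quoted above, written as a triage function over a constructed settings snapshot. This is an added example, not code from the thread or from Meraki; the dictionary keys, the sample values and the subdomain matching rule are assumptions, not the Dashboard schema.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

PROPAGATION_WINDOW = timedelta(minutes=10)  # "up to 10 minutes" per the checklist

def host_matches(host, pattern):
    """Assumed rule: a pattern matches its own host and any subdomain of it."""
    pattern = pattern.lower().lstrip("*.")
    return host == pattern or host.endswith("." + pattern)

def why_not_blocked(network, client, url, lookup, now):
    """Return the checklist items that would explain `url` not being blocked."""
    if "//" not in url:
        url = "//" + url  # let urlsplit parse bare hostnames
    host = (urlsplit(url).hostname or "").lower()
    findings = []
    if now - network["filter_changed_at"] < PROPAGATION_WINDOW:
        findings.append("rule change may not have propagated yet")
    if client["policy"] == "Whitelisted":
        findings.append("client is whitelisted")
    gp = client.get("group_policy")
    if gp and gp["content_filtering"] != "Use network default":
        findings.append("group policy overrides network default")
    if any(host_matches(host, p) for p in network["url_whitelist"]):
        findings.append("URL is on the whitelist")
    blocked = set(network["blocked_categories"])
    if not blocked & set(lookup["url_categories"]):
        findings.append("URL category is not in the blocked list")
    elif not blocked & set(lookup["ip_categories"]):
        findings.append("IP categorised differently from URL; check firmware")
    return findings

# Constructed sample data (hypothetical field names and values).
NOW = datetime(2020, 3, 9, 12, 0, tzinfo=timezone.utc)
NETWORK = {"filter_changed_at": NOW - timedelta(days=21),
           "blocked_categories": ["Auctions", "Adult and Pornography"],
           "url_whitelist": []}
LOOKUP = {"url_categories": ["Auctions"], "ip_categories": ["Auctions"]}
CLIENT_DEFAULT = {"policy": "Normal", "group_policy": None}
CLIENT_EXEMPT = {"policy": "Whitelisted",
                 "group_policy": {"content_filtering": "Custom"}}

if __name__ == "__main__":
    for c in (CLIENT_DEFAULT, CLIENT_EXEMPT):
        print(c["policy"], why_not_blocked(NETWORK, c, "ebay.com", LOOKUP, NOW))
```

An empty result means none of the checklist items applies, which leaves the event log and the traffic path through the MX as the next things to inspect.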

This has been set up for weeks and it still doesn't work. And it appears that no one is reading the original post. If it's not in that picture provided it hasn't been set up. There are no policies set up. There is no AD set up. There are no URLs added to the whitelist. Using the tool, the website shows up in the correct category and it should be blocked. Firmware is 14.4

 

Again.  Beyond what is in the pic provided, what if anything needs to be configured?  Do group policies have to be used?  Does AD have to be used?  

Well the fact that you initially talked about Content Filtering (a feature) and then mentioned Blocked Websites (which I took to mean URL Blocking (also a feature)), your picture only really addresses the former, not the latter.

So my supposition was that you had attempted URL Blocking and that had not worked so you were now looking at Content Filtering.

 

Hence my question, which still remains somewhat valid, i.e. what websites are you trying to block? Maybe an example will elicit a meaningful response from the community and help reduce your concerns of an apparent lack of understanding of your problem.

I sense a bit of frustration in your tone. I understand that. However, both @ww  ("It should work") and I ("It should be enough") already confirmed that nothing else needs to be configured.

 

I'm with @Richard_W here. If you share the example you're testing we can try and reproduce it and help debug.

I've now tried this on 9 different sites and I get the same result on all 9. Pick a pornography site, any one, and it doesn't stop/block it. Pornhub.com or Youporn.com. I even tried Ebay.com as an auction site and Meraki doesn't stop any of it. "It should work" doesn't work......

Every site I have tried to block shows up in the tool under the category that I have blocked but it doesn't seem to care. Meraki just lets it right on past.

What is missing?

ww
Kind of a big deal

You are running fw 14.40 and not 14.4?

Is your MX WAN port the route to the internet for LAN clients?

How is traffic analysis configured on your network?

 

As a thought what do you see in the Event log as per:

 

Screen Shot 2020-03-09 at 11.25.03 AM.png

I just tried this myself with the auction category and got the correct result on eBay.com and auction.com "This site can not be reached." I was just using the quicker "Top sites only" option. From setting the filter to observing the response was pretty quick (under 5 minutes.)

 

And below here are the Event log results:

 

Screen Shot 2020-03-09 at 11.41.25 AM.png

 

So are your clients whitelisted?
