Techniques for Restricting Outbound Traffic

jbparrish17
Conversationalist

Techniques for Restricting Outbound Traffic

Hello all,

 

I am interested in finding the best method to restrict outbound traffic for clients. I would like to prevent one of my network from reaching any internet destination, with a single exception for Microsoft Update. Microsoft gives the following URLs to which to allow HTTP or HTTPS traffic:

 

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
https://*.ws.microsoft.com
http://*.ws.microsoft.com

 

Layer 3 firewall rules won't work since Microsoft gives the * wildcard character in the URLs. Layer 7 firewall rules only allow denial, not permit. I suppose I could look into pairing a Layer 3 firewall rule allowing only TCP 80/443, then use content filtering perhaps? With what methods could this be achieved?

3 REPLIES 3
BlakeRichardson
Kind of a big deal
Kind of a big deal

Hmmm I've looked at the options and to be honest I am not sure you can do this.  If you could schedule access rules which you can't you could schedule HTTP and HTTPS traffic at out of office hours to allow windows update to work but right now I don't see any solution other than Windows server update services.

 

One of the others guys/girls might have a solution. 

PhilipDAth
Kind of a big deal
Kind of a big deal

Layer 3 firewall do support wildcards.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support 

 

So just allow what you want, and then deny everything else.

Hey that's awesome! That's just what I need. I appreciate your feedback!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels