Umbrella Application Control - Allow vs Uncheck category item

Solved
from_afar

In the DNS Policies for Application Controls, in the list of applications you can check or uncheck categories and/or specific items. By default they are all set to "block" but you can click the gear icon for applications and change it to "Allow". What is the difference between unchecking an application vs checking it and changing it to "Allow"?

1 Accepted Solution
Brash

Out of the box, I believe there's essentially no difference. That's because unless you deny a destination somewhere, it is allowed through.

My understanding of when you might want to specifically set applications to allow is when you enable "Allow-Only Mode" on your DNS policy. This changes the policy to require explicit allowed destinations. 
If using that feature, you'd want to check specific applications in your Application Control policy and configure them for "Allow". Everything you leave unchecked would then be blocked by default.

2 Replies
PhilipDAth

I don't know the answer for sure.

When it is unchecked, it is not processed any further.

When checked, it enters the rule processing engine. If your only rule is "Allow" then I guess there is no difference.

On the Umbrella side (I am not sure if this is exposed via this mechanism), some types of traffic allow more fine-grained control. For example, you can say allow access to Office 365 - but only "this" specific tenant and no other.
