Umbrella Application Control - Allow vs Uncheck category item

Solved
from_afar
Building a reputation

Umbrella Application Control - Allow vs Uncheck category item

In the DNS Policies for Application Controls, in the list of applications you can check or uncheck categories and/or specific items. By default they are all set to "block" but you can click the gear icon for applications and change it to "Allow". What is the difference between unchecking an application vs checking it and changing it to "Allow"?

1 Accepted Solution
Brash
Kind of a big deal
Kind of a big deal

Out of the box, I believe there's essentially no difference. That's because unless you deny a destination somewhere, it is allowed through.

My understanding of when you might want to specifically set applications to allow is when you enable "Allow-Only Mode" on your DNS policy. This changes the policy to require explicit allowed destinations. 
If using that feature, you'd want to check specific applications in your Application Control policy and configure them for "Allow". Everything you leave unchecked would then be blocked by default.

View solution in original post

2 Replies 2
PhilipDAth
Kind of a big deal
Kind of a big deal

I don't know the answer for sure.

 

When it is unchecked, it is not processed any further.

When checked, it enters the rule processing engine.  If your only rule is "Allow" then I guess their is no difference.

 

On the Umbrella side (I am not sure if this is exposed via this mechanism), some types of traffic allow more finegrained control.  For example, you can say allow access to Office 365 - but only "this" specific tennant and no other.

Brash
Kind of a big deal
Kind of a big deal

Out of the box, I believe there's essentially no difference. That's because unless you deny a destination somewhere, it is allowed through.

My understanding of when you might want to specifically set applications to allow is when you enable "Allow-Only Mode" on your DNS policy. This changes the policy to require explicit allowed destinations. 
If using that feature, you'd want to check specific applications in your Application Control policy and configure them for "Allow". Everything you leave unchecked would then be blocked by default.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels