Umbrella blocking employer.carefirst.com?

Solved
from_afar
Building a reputation


Anyone else seeing employer.carefirst.com being blocked? Strange because member.carefirst.com works OK, but employer just sits there until it times out. I don't see anything being blocked in the Reports, but I don't have anything else that could be blocking it.

I tried adding it to the "allow list" destination list as well as the allow list in URL blocking in the Meraki interface.

I'm just wondering if they are blocking the proxy addresses or something because I don't see what else is blocking it (I can get to the site fine on WiFi which is on a different network that doesn't run on Meraki or have Umbrella). 

1 Accepted Solution
from_afar
Building a reputation

Adding the URL to the Bypass Umbrella, Domain Allow lists, URL filtering allow list and AMP bypass did not work. However, adding it to Domain Management > External Domains & IP's in Umbrella finally allowed it to load. I don't understand why it didn't show in any of the reporting as being blocked nor proxied, passed all Policy Testing tests and especially why the Bypass Umbrella "Specify one or more domain names below (one per row) to be excluded from being routed to Cisco Umbrella." entry did not work. 

RWelch
Head in the Cloud

Reputation Lookup || Cisco Talos Intelligence doesn't show it's a threat. I would look to see if you happen to have certain countries allowed/prohibited (maybe)?

from_afar
Building a reputation

Thanks. No countries being blocked. Finally got it working via Umbrella External Domain and IP list. 😤


Brash
Kind of a big deal

Adding the domain to "External Domains & IP's" essentially completely bypasses Umbrella for requests to this domain. Given adding it to the whitelist didn't resolve it, it's most likely it was being impacted by:
 - Intelligent Proxy
 - SSL decryption (if you're using SWG)
 - File Analysis

from_afar
Building a reputation

Possibly. I added it to every bypass/whitelist I could find and only the final step actually worked. Maybe I missed one? I have Health and Fitness (it is an insurance website so should fall in there) selected as Exempt in Intelligent Proxy/SSL selective decryption exemptions. File analysis is not enabled.

I also thought that adding the domain to Meraki UI > Security & SD-Wan > Threat protection > Umbrella protection > "Specify one or more domain names below (one per row) to be excluded from being routed to Cisco Umbrella." would completely bypass Umbrella but that didn't seem to work...

Brash
Kind of a big deal

It appears to fall under the Health and Medicine category


Adding the domain on the MX Threat Protection Umbrella routing bypass should work for DNS - it should resolve by whatever resolver is set on the MX rather than proxying to Umbrella.

However if you use SWG, those policies will still apply to the web traffic.

from_afar
Building a reputation

Thanks. I have and had that exempted as well (I haven't made any changes there in weeks) but something was still blocking it. I searched for the domain in the Reporting > Core reports > Activity Search and it always showed as "allowed" not blocked nor selectively proxied. This is what confuses me the most; it seems to consistently not report in Activity Search what is actually happening to the clients. Not sure why, but that has been the case multiple times.
