Since we replaced our ASA on Saturday with an MX100, we've had a lot of issues and complaints about internet connectivity being slow and unreliable. As an example, someone would click a link to an article in the Guardian newspaper, it would spend 5-10 seconds thinking about it, flash up with an error saying the page cannot be loaded, and then the page would immediately pop up.
We can't see anything in the event logs that might be causing it, but we do get a lot of URLs blocked regarding Spotify and something called offers-api-ghostery.net. The event log also doesn't allow us to pinpoint exactly which machine tried to access the blocked content.
AMX is enabled, content filtering is turned on and the IDP is enabled as well with the ruleset set to Security.
Could you tell us what content filtering categories you are using? Thank you.
Abortion, Abused Drugs, Adult and Pornography, Alcohol and Tobacco, Bot Nets, Cheating (Academic), Confirmed SPAM sources, Cult and Occult, Dating, Games, Hacking, Hate and Racism, Illegal, Keyloggers and monitoring, Malware Sites, Marijuana, Nudity, Online Greeting Cards, Open HTTP Proxies, Pay to Surf, Peer to Peer, Phishing and Other Frauds, SPAM Urls, Shareware and Freeware, Spyware and Adware, Streaming Media, Swimsuits and Intimate Apparel, Unconfirmed SPAM Sources, Violence and Weapons.
Okay, quite a few then. That may be the cause of the problem, depending on where people are going.
Ghostery is a browser add-on. Your end user computing staff may want to inspect the extensions people are using. I'd disable THAT first before doing anything else, then have a test user try browsing.
If you still have problems... You listed the Guardian as an example, right? Here's what I would do:
Thank you, we've removed some of the tamer categories. We also use Kaspersky Endpoint, which does web filtering as well, so we will see how it goes. It does seem to be that the first time someone goes to a certain website it causes the delay, but any further visits to the site are fine.
Also, is there a way to trace the 'Content Filtering Blocked URL' back to a particular user or machine rather than just the MAC address of a Meraki device?
@SimonOpenfield Yes, but it depends on how your network is set up. I'd read the client tracking options document. It goes into detail on how the tracking is done. Are you running a combined network right now? What device types do you have in it?
If you've got L3 going on (multiple subnets for your devices) but only L2 Meraki switches, then you're going to see those clients kludged together under the L2 Meraki switch's MAC address.
Also, I can tell you that my company prefers to have a single source of content filtering applied in any given environment. It simplifies troubleshooting. So I might create a group policy that overrides your MX content filter with no/minimal categories, and apply that to your devices that have Kaspersky on them. It's possible to integrate this with Active Directory and do it on a per-user basis.
What we've essentially done last night and this morning is change the Meraki filtering to the big things. We've got Kaspersky to restrict stuff like Facebook access, so we're now only blocking Adult & Pornography, Bot Nets, Confirmed SPAM sources, Hacking, Illegal, Keyloggers and Monitoring, Malware Sites, Open HTTP Proxies, Pay to Surf, Peer to Peer, Phishing and Other Frauds, SPAM Urls, Spyware and Adware, and Unconfirmed SPAM sources.
Our network is an MX100 > a stack of 2x MS250s (this has all the layer 3 and OSPF stuff on it) > a stack of 4x MS210s, which is where the clients are plugged in.
Edit: I've had a quick read through the Client Tracking Options document. The only options I have for Client Tracking under 'Security and SDWAN' > Configure > Addressing & VLANs are MAC Address (what it's set to now) and IP address, which is greyed out.
If track by IP is greyed out, that sounds like your MX is in a combined network, but just to verify...
In terms of Meraki dashboard setup, is that all one network within one organization?
I've got an org with two networks, Alpha and Bravo. Traffic to the internet flows clients -> Switch Alpha -> MPLS connection -> Switch Bravo -> Firewall Bravo.
When I look at the event log for it, devices that are directly on network Bravo show up as specific clients. Devices coming from network Alpha show up as Switch Bravo, since that's the first place Network Bravo sees them. The transition between networks 'breaks' the Meraki's ability to sense them as clients, as far as I can tell.
It's a dashboard that's configured with 2 networks: one has already been set up and is fully operational, and the other is yet to be upgraded to Meraki and is at another site.
The 2 sites are currently connected together through MPLS, but both sites use their own internet connection. I've spoken to Meraki support, who have enabled the Meraki Identifier, which they've told me will help as I've got an MX that connects to layer 3 Meraki switches, and then users connect to the MS210 stack, which plugs into the layer 3 MS250 switches.
Oh good! Trying the identifier was my next thought. Thanks for the reminder.
I've got a couple of clients I need to try it on.