Website blocking

Solved
Gordon
Getting noticed

Website blocking

I have been playing in the devnet sandbox in anticipation of getting our new firewalls next week.  One of the things I would like to do is block access to a website using the following pattern  www.website.com/login   so that only certain users can access that particular page.   When I try entering this in any of the different types of rules I get an invalid destination address.  Does anyone know if I can do this? 

 

Thanks

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

You can only block DNS entries.  So you can block www.website.com but not www.website.com/login.

View solution in original post

6 Replies 6
WadeAlsup
A model citizen

Hi @Gordon

 

Where have you been entering in the address to put the block in place? 

 

You should be able to use blacklists and whitelists on the Security Appliance > Content Filtering page. 

You can also override or append these using group policies assigned to individual clients. See Network-wide > Group policies.

 

Whenever a client fetches a web page on the network, the requested URL is checked against the lists configured to determine if the request will be allowed or blocked.

Pattern matching follows these steps: 

  1. Check if the full requested URL is on either list. e.g., http://www.foo.bar.com/qux/baz/lol?abc=123&true=false
  2. Cut off the protocol and leading "www" from the URL, and check if that is on either list: foo.bar.com/qux/baz/lol?abc=123&true=false
  3. Cut off any "GET parameters" (everything following a question mark) and check that: foo.bar.com/qux/baz/lol
  4. Cut off paths one by one, and check each: foo.bar.com/qux/baz, then foo.bar.com/qux, then foo.bar.com
  5. Cut off subdomains one by one and check those: bar.com, and then com
  6. Finally, check for the special catch-all wildcard, *, in either list.

If any of the above produces a match, then the request will be allowed through if it is in the whitelist and blocked otherwise. (That is, the whitelist takes precedence over the blacklist.)

If there is no match, the request is allowed, subject to the category filtering settings above.

HTTPS requests can also be blocked. Because the URL in an HTTPS request is encrypted, only the domain checks will be performed (www.foo.bar.comfoo.bar.combar.comcom, and the special catch-all *).


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
Gordon
Getting noticed

Thanks but not what I am looking for.  I want to be able to only allow certain people to access www.website.com/login   A blacklist blocks everyone.

PhilipDAth
Kind of a big deal
Kind of a big deal

You can only block DNS entries.  So you can block www.website.com but not www.website.com/login.

BlakeRichardson
Kind of a big deal
Kind of a big deal

@PhilipDAth Really there is no way is adding in a prefix or suffix wildcard?? I only ask because I haven't played around with our MX units much because our SonicWall takes care of most things. 

PhilipDAth
Kind of a big deal
Kind of a big deal

No. Consider https. That information is encrypted and can't be seen.
jbhehoman
Here to help

One option that may work is would be to use a Group Policy (network wide > configure > group policies) for the special users that should be able to access the site. Put website.com/login in the whitelisted URL section for that group policy, but also include website.com/login in the blocked URLs under the regular content filtering page. The whitelisted pattern in their group policy should take precedence over the blocked pattern.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels