iPad jumps blocked category

Solved
EnriquePeSa
Here to help

iPad jumps blocked category

Hello, today I discovered that the iPad devices on my Meraki wlan network skip the blocked category (adult content) configured globally on my MX250, however, for the rest of the devices the MX is capable of blocking traffic of interest

It is important to mention that iPad devices are not on a white list or any group policy that allows them access.

1 Accepted Solution
EnriquePeSa
Here to help

We have managed to solve it! We identified that the IOS versions were different (15.x, 16.x).

 

We found that version 16 uses the quic protocol to encrypt the traffic, so the MX is not capable of identifying traffic with adult content, for this reason we did not obtain the desired result.

 

We managed to block the traffic of version 16 by adding 2 layer 3 rules in the MX to block UDP traffic through port 80 and 443 through which quic travels.

View solution in original post

4 Replies 4
cmr
Kind of a big deal
Kind of a big deal

Are you allowing DNS or DNS over HTTPS out of the network?  They might be using that to get there.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
EnriquePeSa
Here to help

Hello cmr, the dns are assigned through dhcp, which are used in devices that do block traffic of interest
CptnCrnch
Kind of a big deal
Kind of a big deal

Could you provide us with a screenshot of one of the affected clients?

EnriquePeSa
Here to help

We have managed to solve it! We identified that the IOS versions were different (15.x, 16.x).

 

We found that version 16 uses the quic protocol to encrypt the traffic, so the MX is not capable of identifying traffic with adult content, for this reason we did not obtain the desired result.

 

We managed to block the traffic of version 16 by adding 2 layer 3 rules in the MX to block UDP traffic through port 80 and 443 through which quic travels.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels