Block privacy VPNs using Meraki Layer 7 rules?

Brons2
Building a reputation


Which Layer 7 category would block privacy VPNs?  I need this for my public wireless network SSID.  The privacy VPNs circumvent policy that I have in place for blocking certain sites/services.  Is it the "Security" category that I see in the list?

 

I could do this elsewhere in my network for example in my NGFW platform, but it would be a quick easy win if I could just do it in the Meraki interface.  Doing it elsewhere would require more work on my part.

BrechtSchamp
Kind of a big deal

I'm not sure if it's in that category. Give it a try. You could also try blocking some specific ports.

 

I know there is a content filtering category for it too: "Proxy avoidance and Anonymizers". Try that as well.

Nash
Kind of a big deal

I'd definitely try the Proxy Avoidance and Anonymizers category in content filtering. Umbrella's got a category of the same name that is fairly effective at even blocking the websites for these services.

 

If you're not sure what category something falls into and you have a specific URL, there's a URL category lookup tool on the Content Filtering page:

[Screenshot: contentfilter.png]

PhilipDAth
Kind of a big deal

I'm with @Nash.  I'd go with "Proxy Avoidance and Anonymizers".

Brons2
Building a reputation

I don't have the content filtering feature shown in your screenshot and in fact looking at this documentation:

https://n38.meraki.com/THECB-Meraki-Net/n/ezZOJcM/manage/support?kb_article=4170

an "Advanced Security Edition" license is required to use it.  I assume this might require the MX platform as well, which we do not have.  We have the MS and MR platforms, but not the MX.

 

Maybe I wasn't clear enough in my post.  I am looking to block this traffic with the Layer 3/Layer 7 functionality built into the "Firewall and Traffic Shaping" part of the Wireless management category in the portal.  These are the categories that I have available:

 

[Screenshot of the category list; not shown: 1 more category, "advertising"]

 

PhilipDAth
Kind of a big deal

I don't think you'll be able to block this using a simple layer 7 firewall rule.  Those rules generally block static, well-defined endpoints.

 

Content filtering allows the blocking of dynamic categories.

 

 

You could subscribe to Umbrella and use this with your MRs to get greater control.

Brons2
Building a reputation

That's OK, I'll just replumb it behind the non-Cisco NGFW.  I just thought maybe I could get a quick win in the interface, but it's probably just as well; I can put a lot more controls on the traffic if I put it through the NGFW. It's just going to be a larger investment of time to create new network and security zones, policy and so forth.  But thinking about it more, it's the better way to do it anyway.
