I'm curious about how the firewall rules are implemented. If I have APs distributed over several locations (basically: AP --> WAN/Router --> Internet; they don't come to a central location or a corporate firewall).
So, based on that, how will Meraki manage: content filtering (it sends a DNS request to a central location and it decides, or how? How much bandwidth does it consume? Any other advantages/disadvantages?).
Also, regarding security, how does it manage it if it's only the AP?
Adult Content Filtering on APs relies on just a pre-populated list of sites that are loaded into the APs when that config is selected - there are no active lookups performed or anything like that: https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Adult_Content_Filtering_Overview
Not sure what other security features you might be referring to, unfortunately.
Hello Alex, thanks for your reply. I'm reading about FortiAPs and they claim to say that their devices do content filtering/firewall locally; and that differentiates them from other "cloud based solutions".
Thanks for your question. Please note that most vendors offer content filtering on the Access Points; they would require patch updates frequently to get a new list of websites, plus most of them don't share the list with their customers. Best practice is to have the gateway perform the content filtering, as that will offer you protection across the whole network for wired and wireless users. You can consider our MXs to perform content filtering at the edge of your network. At the end of the day, Access Points are not firewalls, so it is better to consider a proper firewall to protect your network.
Agree with using filtering and security on your network gateway, not on the APs. What you could do is use the firewall to open ports as needed, say a guest network with just 80 and 443. But more makes it harder to troubleshoot.
On the AP, content filtering is enabled only with NAT mode, so it works on the edge of the network only if the AP manages the traffic and NATs, not as pass-through. An MX with deeper control over this kind of inspection, also with VPN to the corporate, is a good solution, but I think the use of a solution like Cisco Umbrella is the best protection not only for content but also for malware, botnet and so on... with no small regular update but with live data from cloud at DNS/IP layer in real time.
Thanks all. We want to have several open hotspots, distributed over non-related locations that don't have to go to a central location. In that sense, we were looking at the competition's AP because it has some security functionalities that in a way, and for most cases, were enough to avoid having a dedicated firewall. Opinions?
The Meraki content filtering on the access points is pretty rudimentary and relies on a list of sites maintained by Meraki to prevent access to adult content. However, they do also offer the option to use 'Custom DNS', which would allow you the capability to use a much more full-featured solution such as Cisco Umbrella (previously OpenDNS) to achieve more dynamic control. It's also worth noting that beyond the content filtering, the access points also offer capability around firewalling, application-based traffic shaping, and user-based traffic shaping.