Which Layer 7 category would block privacy VPNs? I need this for my public wireless network SSID. The privacy VPNs circumvent policy that I have in place for blocking certain sites/services. Is it the "Security" category that I see in the list?
I could do this elsewhere in my network, for example in my NGFW platform, but it would be a quick, easy win if I could just do it in the Meraki interface. Doing it elsewhere would require more work on my part.
I'm not sure if it's in that category. Give it a try. You could also try blocking some specific ports.
I know there is a content filtering category for it too: "Proxy avoidance and Anonymizers". Try that as well.
I'd definitely try the Proxy Avoidance and Anonymizers category in content filtering. Umbrella's got a category of the same name that is fairly effective at even blocking the websites for these services.
If you're not sure what category something falls into and you have a specific URL, there's a URL category lookup tool on the Content Filtering page:
I don't have the content filtering feature shown in your screenshot and in fact looking at this documentation:
https://n38.meraki.com/THECB-Meraki-Net/n/ezZOJcM/manage/support?kb_article=4170
an "Advanced Security Edition" license is required to use it. I assume this might require the MX platform as well, which we do not have. We have the MS and MR platforms, but not the MX.
Maybe I wasn't clear enough in my post. I am looking to block this traffic with the Layer 3/Layer 7 functionality built into the "Firewall and Traffic Shaping" part of the Wireless management category in the portal. These are the categories that I have available:
I don't think you'll be able to block this using a simple layer 7 firewall rule. Those rules generally block static, well-defined endpoints.
Content filtering allows the blocking of dynamic categories.
You could subscribe to Umbrella and use this with your MRs to get greater control.
That's OK, I'll just replumb it behind the non-Cisco NGFW. I just thought maybe I could get a quick win in the interface, but it's probably just as well; I can put a lot more controls on the traffic if I put it through the NGFW. It's just going to be a larger investment of time to create new network and security zones, policy and so forth. But thinking about it more, it's the better way to do it anyway.