Meraki content filtering missing reddit I feel like it's just a check mark I'm missing or something. 9, acting as our firewall and content filter. At first I had some growing pains trying to learn what was blocking what, but after a few months it all runs rather smoothly. ) We enabled content filtering on our MX250s and it slowed some things down to a crawl and had to disable it. When I test the SSID against the RADIUS server. In particular our project management tool will load the header image then just hang while it tries for a full 5-10 seconds to load the ga. TL;DR: Computer is trying to reach a website, only text loads no images, Meraki is filtering the two URLs it’s reaching out to grab the images, but it abbreviates them so I can’t see it fully to unblock it. Usually, if I have problems with content filtering, I just disable and enable the service and it "fixes" things. An IDS/IPS without SSL decryption is borderline worthless. We were blocking all kinds of Apple CDNs and proxies with some of the content filtering and Meraki security in addition to the problem created by the two privacy settings. There is no allow in L7, only block, so there is no way to add an exception to the rule. I don't have any crazy rules set up besides standard geo-filtering for Russia, China, etc. I'm just hopeful that for management I won't need public IPs for each AP, or a VPN to the network, or something else. 56, with a 'spoke' site-to-site VPN back to the main office. Dec 12, 2024 · Hello all I have 2 questions. The Meraki dashboard doesn't give you options for this specific type of alerting outside of the scheduled email reports (which don't give exact 'this IP tried to browse this site' events) Nov 16, 2021 · While updating some content filtering I noticed that the MX breaks it down now between content and threat categories. Any domain/URL added either on the Block or Allow URL options not working as it should be. 
Meraki takes an 'allow all' approach, where everything is permitted by default. Global content filtering rules. I try to make all of their policies line up as much as possible. Meraki uses BrightCloud. SDWAN config may need to be brought manually. They have a fix but it's beta firmware so I will stay away for now. I just upgraded to 14. , but they are not the same thing. Seriously overkill but whatever. However, we do this via group policy content filtering override instead of at the base MX level (e. Edit: figured out the sledgehammer approach to fix this. If you see Ran into this same problem but didn't know when it began; I was unable to view SCCM reports in a browser from my machine and a test VM. Some 80%+ of all internet traffic is TLS encrypted; that means the viruses are encrypted just as much as your Reddit posts and your Office 365 content. Turned out to be blocked by MX. I published a Python script to update Content Filtering URL blocking patterns on Meraki dashboard via API. com to catch URLs like spam. I was going to sites like espn. I am trying to get a Z3C to block all access of social media sites, namely Facebook, Instagram, Twitter and trying to use the Layer 7 Firewall rules to deny applications and hostnames. Layer 7 applications are not just websites - they are all types of traffic. all 'gambling' sites are allocated to the one category). When I go under our Wireless network > wireless > Firewall & traffic shaping > Block applications and content categories (making sure I'm under the correct VLAN up top) We never had content filtering until now, since it's been a few days we now have some good data. Our new 450 out of the box we have it load balancing two connections. 
For example, we would like to apply a pornography filter to all devices connected to our network at all 67 locations where we have MX65 Our CSR department wants to allow access to YouTube for training videos. Meraki is happily doing its thing now. If you have a syslog server, get that set up to capture the logs, it gives you way more info than the event viewer in the Meraki portal. com and… Right now I have a static route that connects my Meraki networks to another one, but the content filtering is blocking some of those resources. I had my interfaces there to help with just dedicating the MX to Firewall duties only. Practically speaking, with these rules in mind, consider the following best practices for content filtering design: Global content filtering rules should be designed as the "default" network experience. I'm talking multiple devices and do not want to go org by org to find them. However, I think I found the answer com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering/Content_Filtering_Troubleshooting. This is different to a fixed IP address for a phone but rather a similar feature or setup seen on Windows Server, Would this be possible? Cheers Curious, I'm trying to do same as OP. non personal phones) yet I can apply whitelisting or group policies on various clients which can easily bypass the content filter. Hey all, I have recently integrated an MX into our network replacing a series of seriously aging routing, firewall, and content filtering equipment. It says policy should usually handle this as an uncategorized site but I am unable to find any documentation that states how it handles uncategorized by default. A big gotcha I got caught out with recently, group policy content filtering override will NOT replace anything that's set at the MX level. 
The only two things hanging up is that the host name and the user email are passing in my values literally and not passing in the host name or email associated to the device in Meraki. But I'm having trouble allowing specific YouTube videos through the filter, while continuing to block the rest of YouTube. Some firewalls take a 'block everything' approach, where you need to explicitly start permitting traffic. Dec 4, 2024 · To determine which possibility is occurring, I would first recommend checking whether the traffic is in fact being blocked by content filtering, which can be done by navigating to Network-wide > Event log and filtering for the affected client, setting the appropriate time, and including the Event type Content filtering blocked URL. Content filtering, block list and white list you can manage per site or synch those settings. Now if you want to restrict/filter traffic between the networks, you need to add access-list/firewall rules to the MX. Made a DHCP reservation for the Meraki, and an outbound NAT rule set to DO NOT NAT for this host and set to any/any for the ports. Nov 9, 2017 · Unfortunately the content filter is always applied. The content filter is used on the LAN and other SSIDs with L3 roaming to restrict approved devices (i. I use Meraki's content filtering, and Sophos Central AV web filtering as well. You'd need to be exporting your Meraki logs to syslog server and set up your alerting/query from there. Aug 2, 2023 · Sooo after working with Meraki be aware if you are working on implementing Content filtering you really need your VLAN Interfaces on the MX and not the Layer 3 Core switches. Edit: From your image, it looks like you do not have anything set up for content filtering anyway. 
We only have one two networks that an MX is present and couldn’t find the xxx blocked URL event 🤦 It looks like the Content Filtering functions could do this (blacklist everything, and then whitelist the needed domains) - but it appears to be applied globally to the entire network. We are filtering Staff Devices, BYOD (Windows, Mac) and Managed Chromebooks. The event log is good but there aren't many options so that I can dig down into see the specific content that has been blocked. MX content filtering - what does it mean when it doesn't state what category it is being blocked under? I had tremendous problems as of Mar 2 afternoon. I called Meraki Support and they said that the values in the web content filter don’t appear to be able to pass variables. You can create a group policy in Meraki and only have it apply to either your AD user object or an AD group and set the group policy to exclude content filtering for your user/group. However, when I change to my guest SSID that is on NAT mode, the group policy content filters don't work, i. This is used to shape the bandwidth used by an application. js, and eventually gives up and keeps going. OpenDNS has its own database. The remote site has a Z1 running MX 14. Meraki MR and MS work fine as an access layer solution. One of my bigger frustrations with Meraki content filtering is that I cannot nip VPNs and DoH/DoT in the bud at the firewall with the Proxy and Avoiders Category - I would have to use the "Computer and Internet Security" category which blocks a boat load of legitimate academic sites (I also teach the tech classes). Security Appliance -> Content Filtering). Meraki states that they design the MX filtering for K-12. g. Has anyone experienced that as well? I’ve tried to resolve it, with obvious troubleshooting tips as seen here to no result. Thanks. Am I able to apply web content filtering per SSID? For example, I want to block web-based email for our main wifi but allow it for our guest wifi. 
We have an MX100 at the main office running MX 16. I will warn you though that both application recognition and web filtering across the board is worse with IPv6 than IPv4 with most of the vendors I’ve tried. Jan 17, 2024 · We've confirmed most reports of this bug are purely that the URL Checker doesn't work and there's no impact. There's literally just a simple MAC Filtering option where I can toss in my known list and ensure that even if someone in the office gives out the key, unknown devices can't connect. Specifically they state CIPA compliance based on safe search. Other than that though, I love my MX600! Hi guys, quick one on Content Filtering, can you use expressions like *dodgy-url. Don't know which one is faster, but content filter allows you to add allowed URLs if you need to override a single site. Jan 8, 2025 · Content filtering rules applied via Group Policy (using Active Directory or otherwise). I’m running out of ideas why is that. js script. Also, am I able to check traffic logs to see application usage by devices including time and date? If so, can you tell So long as I can do category based content filtering in the Meraki environment, I won't need to place a security device between the APs and the router. https://documentation. meraki. Hope that helps! - Caroline Oct 7, 2021 · Unfortunately the content filter is always applied. I'm setting up RADIUS to play with Meraki. Does Meraki filter enough for a K-12 We do both. Mar 14, 2023 · On the content filtering page, there is a link to look up the category of a URL. On Meraki out of the 3 options, this method works best when we want to block a type of traffic/application. We have no problems with bandwidth and use all security services and content filtering. I know traffic shaping and SDWAN are under the same tab, but I don't know if config sync only brings over the actual traffic shaping rules. 
Content Keeper can do many things but we also purchased the application filtering package which allows us to isolate users from accessing websites for X amount of minutes if they try to run an application such as a VPN, proxy, Cryptomining, Instant Messaging, RDP, etc. Should be, there are 3 options under there - Traffic shaping, Security filtering, and Content filtering. You didn't specify your considered use case(s), but I'll specifically call out client VPN, which often breaks with Windows updates. Posted by u/JuanDanger - 1 vote and 2 comments In theory, Meraki content filtering is doing the same thing. Hey guys looking into potentially changing content filtering from Cisco Umbrella to either Meraki Content filtering or Barracuda Web Filter. (there are limitations with them) configuration sync Got a response from Meraki: Essentially the URL is fine, but the IP address associated with it is on the block list. They said to use managed app config. Opened a ticket with Meraki Support and still couldn't figure it out. However, when I check the networks that have an MX84, it's not broken down like this. Jan 8, 2025 · Content filtering settings can be found in the dashboard by navigating to Security & SD-WAN > Configure > Content filtering. When I'm at the office I can access Reddit (I work for the IT Dept and we need it for "research") but when I work at our remote office, Reddit is blocked. , the client can access sites that are supposed to be blocked. This is suitable f Meraki Content Filtering - Dead Sites I am trying to find out how Meraki handles the category "Dead Sites". This allows the MX’s Content Filtering feature to classify URLs based on web content and threat categories curated by Cisco Talos. dodgy-url. All of a sudden a number of sites weren't working. 8. Our default content filter policy blocks the category "Streaming Media", and I have youtube. 
Auto VPN is nice and easy for backhauling anything they need network access to internally then break out internet locally for stuff not internal. AMP is usually found under "Security Appliance" --> "Configure" / "Threat Protection". Apple really should have a different set of policies for corporate and enterprise used devices. Posted by u/Mvalpreda - 4 votes and 4 comments I was running into a similar issue where sites would hang for multiple seconds when trying to load the Google Analytics ga. com and they would just spin and sometimes start to load content. I think the only difference in your use case would be that things like content filtering rules will need to be maintained on all networks, instead of just the head office. What kind of traffic do you see in the Meraki event log for a typical iPad. May 22, 2018 · Unfortunately the content filter is always applied. Does anyone know a way to sync content filtering across the entire organization? I want to be able to make a change at one location and it sync to all my different locations. The clients started complaining about the firewall blocking some sites they need access to, double checked and Meraki wasn't configured to block those sites. com or cnn. it fails. It turned out they had recently renewed their Comcast internet contract, and SecurityEdge was added to the contract. We have an MX84, MX64, and an MX67W connecting along with 17 Non-Meraki peers soon to be 34 - these are all Cradlepoint devices in fleet trucks and a handful of client VPN users. Content filtering is "Security Appliance" --> "Configure" / "Content Filtering". I have a Meraki MX deployment and the top application category used is "Other", I want to find out what type of traffic is inside that category. It does well. We can see one of the cases that's come from that thread. Documentation shows me that MR and MS Meraki devices have that and similar options. 
If I disable the RADIUS server domain firewall, it works. EDIT: To clarify, I mean one specific computer on a network. So if you wanted an executive segment with unlimited bandwidth and no content filtering, you can accomplish that this way. I tried to do what you said, under the VLAN section, I assigned a VLAN a "Filtered Web" Group Policy (blocking out the usual stuff you don't want kids at a school looking at). If you wanted to shape/slow/restrict Windows updates to 2/2 Mbps or change QoS settings to prefer VoIP traffic. Refer to the article on content filtering for setup instructions, including details about what each section of the page does and how to block all web traffic other than allow listed pages. I've been testing some NTLM hardening policies on my machine and mention of NTLM here clued me into the solution for my case. I just know how to do it easily on the UniFi AP. Easy to deploy and manage. If you see You can also override other options as well. Anything else, and Meraki should be off the table. Is there any way to apply different Content Filtering policies only for a specific VLAN? Thanks! Meraki has been pretty slow at IPv6 — their APs do okay with it now but the MX progress is nowhere to be seen. We have this setup at a few customers who want total lockdown. In that case you can create a group policy to allow those staff or devices access while blocking from everyone else. All are on the latest firmware. 
If Meraki event logs are "incredibly difficult to read" then I think you haven't seen many network device logs ;) You can filter the logs to show only content filtering blocked URLs for example and that should help. I want to enable DHCP on the MX and use MAC Filtering for my VOIP phones. I’d definitely recommend a service like Umbrella to offload that processing elsewhere. I have a group policy that filters out certain content categories. We need content filtering enabled but as soon as I enable it and just put the adult category on the pages start to load very slowly and just spin and never seem to finish. Way too many to whitelist. Is this a capability of only the MX100? They're all on an advanced security license. Try using that to verify which category the system thinks it is in. Apr 8, 2019 · I could have sworn that when I enabled Content Filtering on my MX84, blocking adult sites for example, that when you tried to go to them, it would give you a message about 'this has been blocked for XYZ reasons' or something. I had to use BrightCloud's reclassification request tool to change some of their categories. Nov 7, 2017 · We have a strict network policy with quite a bit of filtering enabled, no personal devices within the building except the lunch room and outside on breaks Firewall - both Layer 7 rules and content filtering for social network, any file transfer, external storage systems email etc. You cannot block smtp, telnet, snmp, smb, ftp etc with content filtering rules. No need for VPN, content filtering, traffic shaping or QoS, or custom firewall configuration beyond "don't allow inbound UDP or unsolicited inbound TCP traffic. There are cases where certain staff may need to access those sites as part of their job function, but the majority of other staff do not. I want Meraki to only provide addressing to phones based on MAC Filtering so a specified set of phones. 
If you want a fleet of Meraki teleworker devices that phone home and use AutoVPN, fine. New to Meraki here but have my CMNO, I am looking to apply content filters to all of our 67 locations (LAN & Wireless) without having to go to each security appliance (MX65). Just looking for peoples thoughts on each solution. Fixed by removing Malicious Sites category from block list. I have about 800 small locations that I use a Meraki product in. Code is open-source and available on GitHub, feel free to use it and report any issue or improvement. I do have a whitelist in effect, having the Blocked URL Patterns filled with '*' and all the websites the clients use added to the Whitelisted URL patterns. I can access the sites that should be filtered out, as well as those that I manually add to the blacklist. If you’re looking for the Cadillac of services, I’d recommend you take a look at Palo Alto’s cloud solutions. But overall, content filtering refers to a collection of websites with similar themes (e. On your AD server, set up a filtered Event viewer capture the logon/off events that Meraki will be looking for. Also, is there a way that I can build in an override to the content filter if I need it? Example I get a block screen for something that I want to further investigate but instead of creating a whitelist rule, I can just enter a password or something and get a one time access. 39 and testing is showing it basically just not lo I'm trying to apply content filtering by VLAN and I know this needs to be done via group policy, then applied to the specific VLAN in the MX, but need some guidance with the scheduling. With that, we are all stuck with a non deterministic situation where a request to an allowed URL can be blocked because the specific IP address you were steered to at the CDN has a bad reputation. 
(Now that everything is owned by Cisco, don't be surprised if there is some cross-pollination in the future. Only thing I can point my finger at is my client load, so maybe it works great for smaller networks. . 8:443, categories" as the event type and details respectively. However that blocks them across all VLANs. e. If you use the categories of Malware Sites, Bot Nets, Phishing and Other Fraud Site and Spyware and Adware (and perhaps Confirmed Spam Sources and Spam URLs) then you should be blocking off a bulk of the bad sites before they even try to get traffic into the network. I am successful when I block the sites under Our firewall device > Security & SD-WAN > Configure > Content filtering. To reduce maintenance of the content filtering rules you have two options Use network templates. What's the best solution for analysing that traffic and stopping it accessing illegal content (torrents, adult content etc). I don't see SDWAN in the API docs either Meraki doesn't do SSL decryption. I checked the website at Talos and it's not blocked or otherwise tagged as unsafe, and the "Reference" category is not blocked in any way. Nov 1, 2024 · In firmware MX17 and newer, the MX introduced Content Filtering powered by Cisco Talos Intelligence. The content filtering on SSIDs is assuming you have an MX, if you have the advanced security license, you should have an option under Security appliance > Content filtering to do exactly what you described. Meraki is currently blaming it on Apple and calling it an Apple problem and not bothering to document that Meraki MDM content filter is non-functional in their documentation TL;DR: If you are reading this post and have a similar issue, submit a bug report to Meraki so they can go and fix it. 
" It's the sort of setup where I could probably get away with using a $90 or less consumer-grade router, but I like nice things. What am I missing? Oct 31, 2024 · Found out that content filtering on organization MX appliance not working after switching to Talos. I will use content filtering as much as possible before firewall rules. However - filtering goes beyond search. It shouldn't be getting in your way. But is it possible to do this for one specific client? I feel like I have to get a little creative to do so. These capabilities include application-based firewalling, content filtering, web search filtering, SNORT®-based intrusion detection and prevention, Cisco Advanced Malware Protection (AMP), site-to-site Auto VPN, client VPN, WAN and cellular failover, dynamic path selection, web application health, VoIP health, and more. But. Right, you can apply content filtering only via group policy. The root cause of this is that Meraki decided to add IP reputation into their Content Filter algorithm to supplement traditional URL categorization. Dec 6, 2024 · To determine which possibility is occurring, I would first recommend checking whether the traffic is in fact being blocked by content filtering, which can be done by navigating to Network-wide > Event log and filtering for the affected client, setting the appropriate time, and including the Event type Content filtering blocked URL. So far it's great. Is there a way to pull a report on what MX devices in an enterprise do not have Threat Protection and Content Filtering enabled. I'm pretty sure it's VPN traffic that's hiding it's contents. For testing, created group policy with wildcard * entry (to block all websites) on the Block URL option but still any website accessible on user PC. If your traffic is getting blocked by Content Filtering then you can check event logs and there you can see the reason. google/, server 8. 
I know that it's possible to block all traffic through content filtering and Layer 3 rules for an entire Meraki network. Due to this issue becoming more and more common, we currently have a beta firmware that changes the way content filtering is done. com in the blacklist. I would suggest if any customers are having issues with content filtering actively blocking things incorrectly to open a case. And from my understanding, this wouldn't be a firmware issue as much as a false positive from the content filtering that Meraki uses, which can obviously change regularly ? (I don't recall the name of the service they use atm, someone else on here can provide fill in my brain fart) The logs aren't much help, as they only show "Content filtering blocked URL" and "url https://dns. The MX84 has a 500Mb link and the MX67s are on 100Mb links. Nov 7, 2017 · Unfortunately the content filter is always applied. There are things that one catches but not the other. It works fine on our main SSID that is on bridge mode and puts clients on the LAN. SecurityEdge includes a bunch of content filtering. The problem is when you are trying to I tried to go on each individual network to search the event logs but I’m just finding out that there is no filter for ‘content filtering blocked URL’ under the networks that no MX is present. Help with Content filtering I have about 7,000 clients behind an MX600, and every time I set the filter to "Full List" it would kill all internet traffic. What has everyone seen in the real world? Our Chromebooks are filtered via Securly, however for our non-Chrome devices, I'm considering some options.