Home > Security Appliances > Content Filtering and Threat Protection > Content Filtering

Content Filtering

Content filtering allows you to block certain categories of websites based on your organizational policies. You can also block or whitelist (allow) individual websites for additional customization. For example, if you block the "Internet Communications" category this also blocks gmail.com and facebook.com because both websites are communication platforms. You can whitelist gmail.com and facebook.com to make sure that both websites are fully operational while all other websites providing chat functionality are blocked. You have several options related to Content Filtering:

  • Blocked website categories: Select the categories you wish to block.
  • URL category list size: Select "Top sites only" for higher performance or "Full list" for better coverage. When "Top sites only" is selected, the list of top sites in each of the blocked categories will be cached locally on the appliance. In this mode, client requests for URLs that are not in the top sites list will always be permitted (as long as they are not in the blocklist). If "Full list" is selected, a request for a URL that is not in the list of top sites will cause the appliance to look the URL up in a cloud-hosted database. This may have a noticeable impact on browsing speed when visiting a site for the first time. But the result will be cached locally. Over time, the "Full list" performance should approach the speed of "Top sites" option.
  • Web search filtering: Enable this setting to enforce Safesearch for Google, Yahoo!, and Bing for all users in your network. This will not affect SSL/HTTPS searches.
  • Block encrypted search: Because Web search filtering cannot block encrypted searches, when it is enabled this option will appear. Enabling Block encrypted search creates a Layer 7 firewall rule that prevents users from accessing encrypted Google sites (with the exception of Gmail). Because Yahoo! and Bing do not use encrypted search. This will prevent users from circumventing Web search filtering by using encrypted Google searches.
  • Youtube for Schools: Enables Youtube's 'Youtube for Schools' functionality. This also requires you to enter a Youtube EDU ID. Details on Youtube for Schools can be found at http://support.google.com/youtube/bin/answer.py?hl=en&answer=2592715.
  • Blocked URI patterns: Enter specific URI patterns you wish to block, one per line. See below for details on pattern matching.
  • Whitelisted URI patterns: Enter specific URI patterns you wish to explicitly allow, one per line. See below for details on pattern matching.


The content filtering feature is available only in the Advanced Security Edition.

Patterns for blocking or whitelisting specific URLs

Whenever a device on the network accesses a web page, the requested URL is checked against the configured lists to determine if the request will be allowed or blocked.

Pattern matching follows these steps in order:

  1. Try to match the full URL against either list (blocked vs whitelisted patterns list)
  2. Remove the protocol and leading "www" from the URL, and check again:
    • e.g., foo.bar.com/qux/baz/lol?abc=123&true=false
  3. Remove any "parameters" (everything following a question mark) and check again:
    • e,g., foo.bar.com/qux/baz/lol
  4. Remove paths one by one, and check each:
    • e,g., foo.bar.com/qux/baz, then foo.bar.com/qux, then foo.bar.com
  5. Cut off subdomains one by one and check again:
    • e.g., bar.com, and then .com
  6. Finally, check for the special catch-all wildcard, *, in either list.

If any of the above steps produces a match, then the request will be blocked or whitelisted as appropriate. The whitelist always takes precedence over the blocklist, so a request that matches both lists will be allowed. If there is no match, the request is subject to the category filtering settings above.


In the example above, the specific (longer) URL is allowed because it is the longest match, whereas any other access to foo.bar.com domain will be blocked.

HTTPS filtering

HTTPS requests can also be blocked, but because the URL in an HTTPS request is encrypted, only the domain URL checks will be performed in the following order:

  1. www.foo.bar.com
  2. foo.bar.com
  3. bar.com
  4. .com
  5. * (the special character for catch-all URL)


In the example below all web pages are blocked except for http://meraki.com and https://meraki.com.

Group Policies

Once your Active Directory server settings are entered into Dashboard, you can click Refresh LDAP Groups to populate a list of user groups in your domain. You can then select individual groups and apply configured Group policies to them. For information about configuring Group policies, see the Group policies page.


You must to post a comment.
Last modified
08:13, 23 Sep 2016


This page has no custom tags.


This page has no classifications.

Article ID

ID: 4170

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case