Content Filtering
Overview
The MX’s Content Filtering feature works by classifying URLs based on web content and threat categories curated by Cisco Talos, one of the largest commercial threat intelligence teams in the world, composed of world-class researchers, analysts and engineers. Talos teams provide threat intelligence for Cisco customers, products and services to defend against known and emerging threats. To learn more, see the Cisco Talos Intelligence site.
Prerequisite
- Firmware: version MX17 and newer
- Mode: Routed
NOTE: Content filtering is not recommended for an MX configured in Passthrough/Concentrator mode.
The feature is still visible on the Meraki Dashboard for devices running earlier firmware versions, but on those versions it relies on an older, third-party classification system that no longer functions, so it will not block anything.
MX security appliances query the Cisco Talos domain and IP addresses listed below for Content Filtering categorization.
Ensure that any firewall upstream of the MX allows outbound TCP port 443 to the following destinations:
Domain:
- *.talos.cisco.com
IPv4 Addresses:
- 146.112.62.0/24
- 146.112.63.0/24
- 146.112.255.0/24
- 146.112.59.0/24
IPv6 Addresses:
- 2a04:e4c7:ffff::/48
- 2a04:e4c7:fffe::/48
Feature behavior
When Content Filtering is enabled, the MX inspects either the URL in a clear-text HTTP request or the Server Name Indication (SNI) field of an outbound TLS ClientHello, and uses the name found there to query Cisco Talos Intelligence for matching categories. Results are kept in a local cache on the MX (up to 100,000 records, each for up to 20 minutes) to reduce lookup latency.
Because TLS encrypts the HTTP request, including the path and query string, Content Filtering can only classify and block on the domain name, NOT the full URL, when TLS/HTTPS is in use. A block-list or allow-list pattern that relies on a path will therefore only take effect for clear-text HTTP.
Reference this article for more information on how domains are matched.
Block Pages
When HTTP traffic is blocked, the MX will perform an HTTP redirect on client traffic, sending it to a block page.
Since this is not possible for HTTPS requests, the MX will instead spoof a TCP Reset to both the client and the website it was attempting to reach to abort the connection.
Configuration
Network Configuration
To begin configuration, navigate to Security & SD-WAN > Content filtering.
Configure Category Blocking
In MX 17 and newer, the Cisco Talos categories are split into two groups, website content categories and threat categories, as shown below. Click into a field for a dropdown selection of categories.
Group Policy Configuration
Group Policies can be configured under Network-wide > Group Policy. Group Policies provide custom configuration options which allow you to append, override or use the default network configuration.
- Append: allows you to add categories in addition to the default network configuration
- Override: replaces the default network configuration
- Use Network Default: This is the default policy configured on the Content Filtering page (Security & SD-WAN > Content Filtering)
For more information on configuring Group policies, see the Group policies page.
Check Content and Threat Categories
If you are unsure which category a URL belongs to, enter it in the Type in the URL field under the Check content and threat categories section. This queries Cisco Talos Intelligence for the corresponding content and/or threat category, and the result is shown to the right. As an example, the screenshot below shows the query and result for www.meraki.com.
If the resulting category is not currently blocked, simply click on the "+" sign next to the category to add it to your configuration in the Category blocking section. If the resulting category is already blocked, Dashboard will provide the option to remove the category from being blocked by simply clicking "x".
Warning: Blocking the "Computers and Internet" or "Computer Security" categories may impact Cisco services, e.g. device connectivity to the Meraki cloud or other services such as Cisco Umbrella.
Allow/Block Specific URLs
If a URL needs to be explicitly blocked, you can enter the URL pattern in the Block list URL patterns field under the URL blocking section shown below.
If a configured blocked category is blocking access to a URL that is not intended, you can enter the URL pattern in the Allow list URL patterns under the URL blocking section shown below to allow this URL.
Event Log
Blocked Content Filtering Events will display in Event Log (Network-wide > Event Log) as shown below.
Content Category Dispute
If a URL is categorized in an unexpected category, category disputes can be submitted directly through Talos’ Reputation Support page. From this page, you will be able to submit up to 100 URL entries at a time. A CCO ID is required. If you do not have a CCO ID, you can create a free guest account through the support page for the purpose of submitting category disputes.
For content category disputes, click on “Submit a Content Categorization Ticket” under the Content Categorization Requests section.
To continue, please click on Cisco Login. If you do not have a CCO ID, you can create one at this step.
Once logged in, you can enter the URL for dispute submission. The submission widget should automatically populate the current content category; if it does not, click “Get Category Data”.
- Enter the URL. This example uses www.example.com.
- Select a suggested content category for the URL.
- Select Meraki MX as the platform.
- Enter any additional comments/details for the dispute.
- Once complete, click Submit.
After submission, you can view your open tickets via Talos’ My Tickets page.
Threat Category Dispute
For threat category disputes, please contact Meraki Support to file a submission on your behalf.