
Content Filtering

Overview

Content filtering allows you to block certain categories of websites based on your organizational policies. You can also block or whitelist (allow) individual websites for additional customization. For example, if you block the "Internet Communications" category this also blocks gmail.com and facebook.com because both websites are communication platforms. You can whitelist gmail.com and facebook.com to make sure that both websites are fully operational while all other websites providing chat functionality are blocked.

 

There are several options for Content Filtering:

  • Blocked website categories: Select the categories you wish to block.
  • URL category list size: Select "Top sites only" for higher performance or "Full list" for better coverage. When "Top sites only" is selected, the list of top sites in each of the blocked categories is cached locally on the appliance. In this mode, client requests for URLs that are not in the top sites list are always permitted (as long as they are not in the blocklist). If "Full list" is selected, a request for a URL that is not in the list of top sites causes the appliance to look the URL up in a cloud-hosted database. This may have a noticeable impact on browsing speed when visiting a site for the first time, but the result is then cached locally. Over time, "Full list" performance should approach the speed of the "Top sites only" option.
  • Web search filtering: Enable this setting to enforce Safesearch for Google, Yahoo!, and Bing for all users in your network. This will not affect SSL/HTTPS searches.
  • Restricted YouTube content: Enables restricted YouTube content functionality which leverages DNS-based enforcement. Once enabled, the YouTube restriction level option appears which provides a drop-down where either Moderate or Strict can be chosen. More details about restriction levels can be found here.
  • Blocked URL patterns: Enter specific URL patterns you wish to block, one per line. See below for details on pattern matching.
  • Whitelisted URL patterns: Enter specific URL patterns you wish to explicitly allow, one per line. See below for details on pattern matching.

 

IP addresses are supported in the Blocked/Whitelisted URL pattern fields. An IP address entered in one of these fields is interpreted as a URL, because http://192.168.1.1 is a perfectly valid URL even though it is also an IP address. Note that this is not the same as an IP block: it only blocks/whitelists requests from someone who types 192.168.1.1 into their web browser. It also means that if abc.com resolves to 192.168.1.1, content filtering will not block/whitelist abc.com. You will need to enter abc.com as a URL in Blocked/Whitelisted URL patterns as well.

The content filtering feature is available only with Advanced Security Edition licensing.

Using the Catch-All Wildcard (*) in URLs

The asterisk symbol has two primary uses in URLs for content filtering.

  • Standalone Catch-All Wildcard
    • The " * " (asterisk) symbol when used on its own line is an all-inclusive wildcard which represents all possible entries
    • When used on its own line in whitelisted URL patterns, ALL URL patterns are whitelisted
    • When used on its own line in blocked URL patterns, ALL URL patterns are blocked, except those that are explicitly whitelisted
  • In-URL Asterisk Character
    • The " * " (asterisk) symbol when used as part of a URL or in line with a URL is simply a regular asterisk symbol and is interpreted as part of the URL, NOT as a wildcard
    • Note that this is very rarely useful, except in URLs that actually require asterisk symbols, such as https://web.archive.org/web/*/meraki.com

Patterns for Blocking or Whitelisting Specific URLs

Whenever a device on the network accesses a web page, the requested URL is checked against the configured lists to determine if the request will be allowed or blocked.

Pattern matching follows these steps in order:

  1. Try to match the full URL against either list (blocked vs whitelisted patterns list)
  2. Remove the protocol and leading "www" from the URL, and check again:
    • e.g., foo.bar.com/qux/baz/lol?abc=123&true=false
  3. Remove any "parameters" (everything following a question mark) and check again:
    • e.g., foo.bar.com/qux/baz/lol
  4. Remove paths one by one, and check each:
    • e.g., foo.bar.com/qux/baz, then foo.bar.com/qux, then foo.bar.com
  5. Cut off subdomains one by one and check again:
    • e.g., bar.com, and then .com
  6. Finally, check for the special catch-all wildcard, *, in either list.

If any of the above steps produces a match, then the request will be blocked or whitelisted as appropriate. The whitelist always takes precedence over the blocklist, so a request that matches both lists will be allowed. If there is no match, the request is subject to the category filtering settings above.

 

Example

In the example above, the specific (longer) URL is allowed because it is the longest match, whereas any other access to foo.bar.com domain will be blocked.

Blocking all Websites Using Content Filtering

An MX Security Appliance can be used to block all web content and then be configured to allow specific websites only. This can be especially important in a very controlled environment such as a school.

1. Navigate to Security & SD-WAN > Configure > Content filtering

2. Place an asterisk (*) in the Blocked URL patterns section


HTTPS filtering

HTTPS requests can also be blocked, but because the URL in an HTTPS request is encrypted, only the domain URL checks will be performed in the following order:

  1. www.foo.bar.com
  2. foo.bar.com
  3. bar.com
  4. .com
  5. * (the special character for catch-all URL)
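
The six-step matching order for HTTP and the hostname-only order for HTTPS, modelled in Python as an added example (not Meraki's code). The function names `candidates` and `decide`, exact string comparison of patterns, ignoring the port, and the sample lists are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def candidates(url):
    """Lookup keys for one request, in the documented order (most specific first)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    bare = host[4:] if host.startswith("www.") else host
    if parts.scheme == "https":
        # HTTPS: path and query are encrypted, so only hostname forms exist.
        keys = [host, bare]
    else:
        keys = [url]                                  # step 1: full URL
        query = "?" + parts.query if parts.query else ""
        keys.append(bare + parts.path + query)        # step 2: no protocol / www
        keys.append(bare + parts.path)                # step 3: no parameters
        segments = parts.path.split("/")
        while len(segments) > 1:                      # step 4: drop path segments
            segments.pop()
            keys.append(bare + "/".join(segments))
    labels = bare.split(".")
    for i in range(1, len(labels)):                   # step 5: drop subdomains
        suffix = ".".join(labels[i:])
        keys.append(suffix if i < len(labels) - 1 else "." + suffix)
    keys.append("*")                                  # step 6: catch-all
    return list(dict.fromkeys(keys))                  # de-duplicate, keep order

def decide(url, blocked, whitelisted):
    """Return (verdict, matched_pattern); the whitelist is consulted first."""
    keys = candidates(url)
    for verdict, patterns in (("allow", whitelisted), ("block", blocked)):
        wanted = {p.strip() for p in patterns}
        # Exact comparison: an asterisk inside a pattern is a literal character.
        hit = next((k for k in keys if k in wanted), None)
        if hit is not None:
            return verdict, hit
    return "category", None   # no match: category filtering decides

if __name__ == "__main__":
    # Constructed sample lists and requests.
    blocked, whitelisted = ["foo.bar.com"], ["foo.bar.com/qux/baz"]
    for url in ("http://www.foo.bar.com/qux/baz/lol?abc=123&true=false",
                "http://foo.bar.com/other",
                "https://foo.bar.com/qux/baz"):
        print(url, "->", decide(url, blocked, whitelisted))
```

The third request shows the practical consequence of HTTPS filtering: a whitelisted path pattern cannot match an HTTPS request, so the hostname-level block applies.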

 

Example

In the example below all web pages are blocked except for http://meraki.com and https://meraki.com.

Group Policies

Once your Active Directory server settings are entered into Dashboard, you can click Refresh LDAP Groups to populate a list of user groups in your domain. You can then select individual groups and apply configured Group policies to them. For information about configuring Group policies, see the Group policies page.


Article ID

ID: 4170
