Skip to main content
Cisco Meraki

Content Filtering Powered By Cisco Talos

Overview 

In firmware MX17 and up, the MX introduced Content Filtering powered by Cisco Talos Intelligence. This allows the MX’s Content Filtering feature to classify URLs based on web content and threat categories curated by Cisco Talos. 

Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. Talos teams provide threat intelligence for Cisco customers, products and services to defend against known and emerging threats. To learn more about Cisco Talos Intelligence, please visit here.

For information regarding pre MX17 Content Filtering with Bright Cloud, please see here.

Prerequisite

MX Security Appliances must be operating on firmware MX17 or up.

MX Security Appliances query the below Cisco Talos domain and IP Addresses for Content Filtering categorization. Please ensure the below are allowed on firewalls upstream of the MX.

Domain:

  • *.talos.cisco.com

IPv4 Addresses:

  • 146.112.62.0/24
  • 146.112.63.0/24
  • 146.112.255.0/24
  • 146.112.59.0/24

IPv6 Addresses:

  • 2a04:e4c7:ffff::/48

  • 2a04:e4c7:fffe::/48

Migration

Prior to MX 17, Bright Cloud was leveraged as our category intelligence source. With the introduction of Cisco Talos intelligence, previously supported Bright Cloud categories may or may not have a direct mapping to Cisco Talos categories. Dashboard has made this migration as simple as possible by suggesting closely matched categories. 

After upgrading the MX to firmware MX 17 and up, Dashboard will automatically migrate the old categories to the newly suggested Cisco Talos categories. As part of this process, users can confirm the migration and optionally accept, remove, or enter new categories in replacement of the old.

To confirm the migration process, navigate to Security & SD-WAN > Content filtering.

Feature

Prior to firmware MX 17, MX’s Content Filtering preloaded category lists and provided the user an option to choose between Top Sites or Full Lists. With Cisco Talos Intelligence, MX’s Content Filtering no longer preloads category lists. Instead, the MX queries for the categories of URLs directly from Cisco Talos’ intelligence service. These queried URLs with their respective categories are locally cached on the MX. 

Aside from Top Sites and Full Lists, MX’s Content Filtering inspection and block pages will continue to function similar to pre MX 17.

Inspection

  • MX will inspect both HTTP and HTTPS.

  • MX will use the same URL pattern logic to match URLs.

Block Pages

  • For HTTP requests matching a blocked category, MX will redirect the client to a block page as shown here.

  • For HTTPS requests matching a blocked category, MX will reset the TCP connection as shown here.

To begin configuration, navigate to Security & SD-WAN > Content filtering.

Configure Category Blocking

Prior to firmware MX 17, Content Filtering categories had only one blocked website categories field. This field contained both website content and threat categories.

In firmware MX 17 and up with Cisco Talos categories, website content and threat categories are split into two as shown below. Click into a field for a dropdown selection of categories.

Screen Shot 2021-10-20 at 6.27.23 PM.png

Check Content and Threat Categories

If unsure which URLs belong to which categories, simply type in the URL in the Type in the URL field under the Check content and threat categories section. This will query Cisco Talos Intelligence for the correlating content and/or threat category. The queried results will show to the right. As an example, the below screenshot details the query and result for www.meraki.com.

Screen Shot 2021-10-20 at 6.34.00 PM.png

If the resulting category is not currently blocked, simply click on the "+" sign next to the category to add it to your configuration in the Category blocking section. If the resulting category is already blocked, Dashboard will provide the option to remove the category from being blocked by simply clicking "x".

Allow/Block Specific URLs

If a URL needs to be explicitly blocked, you can enter the URL pattern in the Block list URL patterns field under the URL blocking section shown below.

If a configured blocked category is blocking access to a URL that is not intended, you can enter the URL pattern in the Allow list URL patterns under the URL blocking section shown below to whitelist this URL.

Screen Shot 2021-10-20 at 6.32.30 PM.png

Event Log

Blocked Content Filtering Events will display in Event Log (Network-wide > Event Log) as shown below.

Website Content Category Dispute

If a URL is categorized in an unexpected category, category disputes can be submitted directly through Talos’ Reputation Support page. From this page, you will be able to submit up to 100 URL entries at a time. A CCO ID is required. If you do not have a CCO ID, you can create a free guest account through the support page for the purpose of submitting category disputes.

For website content category disputes, click on “Submit a Web Categorization Ticket” under the Web Categorization Requests section.

To continue, please click on Cisco Login. If you do not have a CCO ID, you can create one at this step.

Once logged in, you can enter the URL for dispute submission. The submission widget should automatically populate the current content category, If not, please click “Get Category Data”.

  1. Enter URL. This example uses www.example.com.

  2. Select a suggested web content category for the URL.

  3. Select Meraki as the platform.

  4. Enter any additional comments/details for the dispute.

  5. Click Submit when previous steps are completed.

After submission, you can view your open tickets via Talos’ My Tickets page.

Threat Category Dispute

For threat category disputes, please contact Meraki Support to file a submission on your behalf.

Cisco Talos Categories List

For the entire Cisco Talos Categories List, please see here.

 

  • Was this article helpful?