Skip to main content
Cisco Meraki Documentation

Content Filtering Powered By Cisco Talos

Click 日本語 for Japanese

Overview 

In firmware MX17 and newer, the MX introduced Content Filtering powered by Cisco Talos Intelligence. This allows the MX’s Content Filtering feature to classify URLs based on web content and threat categories curated by Cisco Talos. 

Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. Talos teams provide threat intelligence for Cisco customers, products and services to defend against known and emerging threats. To learn more about Cisco Talos Intelligence, please visit here.

For information regarding pre MX17 Content Filtering with Bright Cloud, please see here.

Learn more with these free online training courses on the Meraki Learning Hub:

Sign in with your Cisco SSO or create a free account to start training.

Learn more with these free online training courses on the Meraki Learning Hub:

Sign in with your Cisco SSO or create a free account to start training.

Prerequisite

MX Security Appliances must be operating on firmware MX17 or up.

MX Security Appliances query the below Cisco Talos domain and IP Addresses for Content Filtering categorization.

Please ensure the below are allowed on firewalls upstream of the MX along with TCP port 443: 

Domain:

  • *.talos.cisco.com

IPv4 Addresses:

  • 146.112.62.0/24
  • 146.112.63.0/24
  • 146.112.255.0/24
  • 146.112.59.0/24

IPv6 Addresses:

  • 2a04:e4c7:ffff::/48
  • 2a04:e4c7:fffe::/48

Migration

Prior to MX 17, Bright Cloud was leveraged as our category intelligence source. With the introduction of Cisco Talos intelligence, previously supported Bright Cloud categories may or may not have a direct mapping to Cisco Talos categories. Dashboard has made this migration as simple as possible by suggesting closely matched categories. 

After upgrading the MX to firmware MX 17 and up, Dashboard will automatically migrate the old categories to the newly suggested Cisco Talos categories. As part of this process users will see an informational, one-time popup modal. In this modal, it is possible to confirm the migration and optionally accept, remove, or enter new categories in replacement of the old. Accepting the modal is not required for the new mapping to take effect.

To confirm the migration process, navigate to Security & SD-WAN > Content filtering.

ContentFiltering

Feature

Prior to firmware MX 17, MX’s Content Filtering preloaded category lists and provided the user an option to choose between Top Sites or Full Lists. With Cisco Talos Intelligence, MX’s Content Filtering no longer preloads category lists. Instead, the MX queries for the categories of URLs directly from Cisco Talos’ intelligence service. These queried URLs with their respective categories are locally cached on the MX. 

Aside from Top Sites and Full Lists, MX’s Content Filtering inspection and block pages will continue to function similar to pre MX 17.

Inspection

  • MX will inspect both HTTP and HTTPS.

  • MX will use the same URL pattern logic to match URLs.

Block Pages

  • For HTTP requests matching a blocked category, MX will redirect the client to a block page as shown here.

  • For HTTPS requests matching a blocked category, MX will reset the TCP connection as shown here.

Network Configuration

To begin configuration, navigate to Security & SD-WAN > Content filtering.

Configure Category Blocking

In MX 17 and newer with Cisco Talos categories, website content, and threat categories are split into two as shown below. Click into a field for a dropdown selection of categories.

ContentFiltering_CategoryBlock.png

Group Policy Configuration

Group Policies can be configured under Network-wide > Group Policy. Group Policies provide custom configuration options which allow you to append, override or use the default network configuration. 

  • Append: allows you to add categories in addition to the default network configuration 
  • Override: replaces the default network configuration 
  • Use Network Default: This is the default policy configured on the Content Filtering page (Security & SD-WAN > Content Filtering)

For more information on configuring Group policies, see the Group policies page.

GroupPolicy_ContentFilter.png

Check Content and Threat Categories

If unsure which URLs belong to which categories, simply type in the URL in the Type in the URL field under the Check content and threat categories section. This will query Cisco Talos Intelligence for the correlating content and/or threat category. The queried results will show to the right. As an example, the below screenshot details the query and result for www.meraki.com.

ContentFiltering_CheckContent.png

If the resulting category is not currently blocked, simply click on the "+" sign next to the category to add it to your configuration in the Category blocking section. If the resulting category is already blocked, Dashboard will provide the option to remove the category from being blocked by simply clicking "x".

Warning: Blocking the "Computers and Internet" or the "Computer Security" categories may impact Cisco services e.g., Device connectivity to the Meraki cloud or other services such as Cisco Umbrella

Allow/Block Specific URLs

If a URL needs to be explicitly blocked, you can enter the URL pattern in the Block list URL patterns field under the URL blocking section shown below.

If a configured blocked category is blocking access to a URL that is not intended, you can enter the URL pattern in the Allow list URL patterns under the URL blocking section shown below to allow this URL.

URLFiltering.png

Event Log

Blocked Content Filtering Events will display in Event Log (Network-wide > Event Log) as shown below.

ContentFilter_EventLog.png

Content Category Dispute

If a URL is categorized in an unexpected category, category disputes can be submitted directly through Talos’ Reputation Support page. From this page, you will be able to submit up to 100 URL entries at a time. A CCO ID is required. If you do not have a CCO ID, you can create a free guest account through the support page for the purpose of submitting category disputes.

For content category disputes, click on “Submit a Content Categorization Ticket” under the Content Categorization Requests section.

CategoryDispute.png

To continue, please click on Cisco Login. If you do not have a CCO ID, you can create one at this step.

Once logged in, you can enter the URL for dispute submission. The submission widget should automatically populate the current content category, If not, please click “Get Category Data”.

ContentCategorySuppTicket.png

  1. Enter URL. This example uses www.example.com.

  2. Select a suggested content category for the URL.

  3. Select Meraki MX as the platform.

  4. Enter any additional comments/details for the dispute.

  5. Once complete, click Submit.

After submission, you can view your open tickets via Talos’ My Tickets page.

Threat Category Dispute

For threat category disputes, please contact Meraki Support to file a submission on your behalf.

Cisco Talos Categories List

For the entire Cisco Talos Categories List, please see here.