Cisco Meraki MX content filtering versus Barracuda Webfilter 310

Similar Messages

• Cisco Content Engine for Content Filtering

  Hi All,
  I am looking for a low end solution for Content Filtering and would like to use Cisco Content Engine.
  1. The documentation said that Websense, Secure Computing SmartFilter (does not require separate SmartFilter) & N2H2 support is there on the CE. I used configurator on CE 510, but it did not give me option for any of those. I would appreciate any input in this regard.
  2. Also, I assume that once I get a Content Engine, I don't need to use Microsoft Proxy any more, please confirm.
  regards,
  Ahmer Ghazi

  You would have to Install the Smartfilter software on the Content engine that would work with the ACNS software running on the CE. SmartFilter software operates inside your network to control user access to external Internet resources and allows you to restrict access to World Wide Web pages, newsgroups, and FTP sites.
  For more details refer:
  http://www.cisco.com/univercd/cc/td/doc/product/webscale/uce/acns41/smrtfltr/sf_chap1.htm
  The Content Engine does the job of storing content locally and serving it to the users, so you would not need to use the Microsoft Proxy.

• How can I achieve IOS content filtering using a Cisco router

  Good day Everybody.
  I would like to set up content filtering using IOS on my Cisco router. I already know how to do URL filtering but I want to restrict access to sites based on categories.
  Is this possible without having to introduce an external device?

  Natively in IOS this is not possible. However you can configure CWS (Cisco Web Security). The router will forward web requests to a cloud based web security service.
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps11720/data_sheet_c78-729637.html

• Content Filtering for new tablets

  We did this last year with our tablets. We went with iboss filtering which I highly recommend but it looks like you have web filtering in place so you would need to proxy the internet traffic. Contact the tech support of your web filtering and explain them what you need to do and they will tell you what needs to be done on your end. Then you would have to create configuration profile and push (you need MDM here) the proxy configurations to your tablets. 

  Hello all,
  I work for a local high school and they just bought tablets for all of the kids to use during the school year. They are wanting content filtering while they are at school, which we have, but they are also wanting "off site" filtering as well. What/How is the easiest way to set that up? We currently have a Cisco Meraki firewall setup for the high school.
  This topic first appeared in the Spiceworks Community

• HP Wireless Printers cannot connect to WPA2-secured WiFi networks with Cisco/Meraki WAPs

  In the last two months, I've had the displeasure of working with two very different HP printers and attempting to make them work on a WPA2-secured wireless network.  All attempts to authenticate fail with "invalid phassphrase". 
  I'm not the first person to encounter this, it's a problem with many different HP wireless printers (I just happen to have physical access to the OfficeJet Pro 8610 & Deskjet 3511). 
  My equipment is a Cisco ASA 5505 Firewall running ASA 9.1x & Cisco Aironet 1142 running IOS 15.3.x. 
  What does work on the WPA2/AES SSID:  Apple MacBook Air running OSX 10.10.2, Three Windows-Based laptops running Windows 8.1 Update 1, an iPhone 5s, Three Windows Phone 8.1 devices, Roku 2, PlayStation 4, PlayStation 3, Sharp Aquos TV, Amazon Streaming Stick, and an Android Tablet (Jellybean).  Basically, everything. 
  What does not work on the WPA2 network:  OfficeJet Pro 8610 & Deskjet 3511.
  To test the theory there is a problem with HP's implementation of WPA2 with regard to Cisco Aironet IOS, I built out a second SSID that only works in WPA/TKIP mode.  This solution works.  Both HP printers will join the WPA/TKIP network.
  So, I'm able to demonstrate there is a certain connectivity issue.  When i look at AAA Debug on the WAP's console, I can observe the HPs attempt to authenticate "Bind I/F" on the WPA2 SSID, however they do not achieve authentication and do not pass the AAA phase.  However, on the WPA SSID, they bind and authenticate successfully. 
  To help illustrate this, here is my WAP running config.  It's about as simple as it can get.  There is no relevant MAC filtering or ACLs bound to any interface.  Noting that I have an ACL on remote access to the WAP (i.e. Locked down to SSH, disabling telnet).  The main point being that the ASA firewall is not a factor in this problem as the issue is at the WAP before WPA2 authentication can complete, therefore the printers never reach the network / when the printers connect to the WPA network, the operate fully & correctly. 
  If anyone at HP can indicate why this particular config is somehow improper or broken, that would be fantastic.  There should be no reason why Cisco / Meraki WAP owners have to lower wireless encryption standards just for a printer, be forced into wired, create separate SSIDs with lower encryption specifically for a device. 
  Building configuration...
  Current configuration : 6064 bytes
  ! Last configuration change at 12:46:47 UTC Fri Aug 20 1993 by admin
  version 15.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname 10-10-50-1
  logging buffered 1024768
  logging rate-limit console 9
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa session-id common
  no ip source-route
  no ip cef
  ip domain name freedom.local
  dot11 syslog
  dot11 vlan-name inside vlan 50
  dot11 vlan-name inside-wpa-only vlan 70
  dot11 ssid inside
     vlan 50
     band-select
     authentication open
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 xxxxxx
     information-element ssidl
  dot11 ssid inside-wpa-only
     vlan 70
     band-select
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 xxxxxx
     information-element ssidl
  dot11 band-select parameters
     cycle-count 3
     cycle-threshold 200
     expire-supression 20
     expire-dual-band 60
     client-rssi 75
  dot11 wpa handshake timeout 500
  dot11 network-map
  username ADMIN privilege 15 secret 5 xxxxxx
  ip ssh version 2
  bridge irb
  interface Dot11Radio0
   no ip address
   no ip route-cache
   encryption vlan 50 mode ciphers aes-ccm
   encryption vlan 70 mode ciphers aes-ccm tkip
   ssid inside
   ssid inside-wpa-only
   antenna gain 0
   mbssid
   speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
   channel 2412
   station-role root
   l2-filter bridge-group-acl
  interface Dot11Radio0.50
   encapsulation dot1Q 50 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio0.70
   encapsulation dot1Q 70
   no ip route-cache
   bridge-group 70
   bridge-group 70 subscriber-loop-control
   bridge-group 70 input-address-list 700
   bridge-group 70 output-address-list 700
   bridge-group 70 spanning-disabled
   bridge-group 70 block-unknown-source
   no bridge-group 70 source-learning
   no bridge-group 70 unicast-flooding
  interface GigabitEthernet0
   no ip address
   no ip route-cache
   duplex auto
   speed auto
  interface GigabitEthernet0.50
   encapsulation dot1Q 50 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface GigabitEthernet0.70
   encapsulation dot1Q 70
   no ip route-cache
   bridge-group 70
   bridge-group 70 spanning-disabled
   no bridge-group 70 source-learning
  interface BVI1
   mac-address xxxx.xxxx.xxxx
   ip address 10.10.50.1 255.255.255.0
   no ip route-cache
  ip forward-protocol nd
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip route 0.0.0.0 0.0.0.0 10.10.50.2
  logging history size 100
  access-list 111 permit tcp any any neq telnet
  bridge 1 route ip
  line con 0
   access-class 111 in
  line vty 0 4
   access-class 111 in
   length 0
   transport input ssh
  line vty 5 15
   access-class 111 in
   transport input ssh
  end

  I get the same behavior with a laserjet m451nw. I need to enable tkip to get the printer working, it doesn't support pure aes-ccm (every other device here supports pure aes-ccm, even cheap ones), although it's advertised as working.
  The following snippet of config works, but I still think it should work without the tkip "hack".
  dot11 ssid whatever
  vlan 1
  band-select
  authentication open
  authentication key-management wpa version 2
  interface Dot11Radio0
  encryption vlan 1 mode ciphers aes-ccm tkip

• RV220W - Content filtering not working (?)

  Hello, I bought a router model RV200W fw 1.0.1.0... nice toy.
  It all works very well with the exception of content filtering. The rule only works if connections are made with the HTTP protocol, but if the user connects with HTTPS, then the rule is not considered... (???)
  f.e.:
  http://facebook.com (content filtered)
  https://facebook.com (content NOT filtered)...
  What the hell ! where I'm wrong ?
  Does anyone is experiencing the same ?

  Yes, the correct title was "URL FILTERING NOT WORKING"...thanks abudef000
  I do not want be polemical, but I do not understand where I went wrong.
  Before I buy I looked @
  http://www.cisco.com/en/US/prod/collateral/routers/ps9923/ps11025/data_sheet_c78-630461.html
  Check it out.
  Could you assume that HTTPS URLs are not in the sentence "Static URL blocking, keyword blocking, approved URL" as stated in the product sheet ?

• Cisco ASA 5510 Content Security bundle

  Hello,
  please help me  to understand if i buy  the    Cisco ASA 5510 Content Security bundle  for  my  network   found  there is   1 yr subscription for the content
  security features.  what are  services included in it.  Does   URL blocking and filtering  includ  in this subscription  or  its a seperate features.
  Thanks,
  Saroj Pradhan

  Here is the license for CSC module and it lists what is included in Basic and Plus CSC license:
  http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html#wp1045405
  One year subscription is providing you the ability to upgrade the virus scan engine, spyware pattern file, anti spam, etc

• Does the ASA5525-K9 support Content filtering?

  Hi,
  I know the 5510 & 5520s support the CSC-SSM module for Content Filtering (Anti-Phishing, Anti Spam, URL filtering,
  Anti-Spyware & Antivirus), but what about content filtering for the ASA5525-K9.
  The problem that I have is that I need a firewall that supports up to 1 Gbps Maximum Firewall Throughput and to support 250 users with Content Filtering described above.
  I'm using the following doc for sizing and came across the ASA5525-K9 for 1 Gbps, but not sure about the Content filtering:
  http://www.cisco.com/en/US/partner/products/ps6120/prod_models_comparison.html#~tab-b
  Thanks,
  CR

  No, the new X series ASA does not support Content Filtering CSC module.
  Here is what is supported on the new ASA5525-X for your reference:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701808.html

• Web Content Filtering / Virus Scanning appliance

  Hello all,
  I'm in the market for a content / url / virus scanning device for our network. We are currently using MXLogic's Web Defense service and while it's very cheap it is not suiting our needs. What I'm looking for is an appliance that will do content filtering but also virus / malware / spyware scanning on web traffic. I'd also need to be able to setup policies / groups for different set's of users. For instance the folks who purchase the products we sell need to be able to see our vendors media (streaming video) content while our sales folks don't. I can't currently do this with MXLogic, it's all or nothing.
  Our firewall is an ASA5510 and I've looked at the Content Security SSM-10 module with the plus license and while the pricing is definitely attractive I have a few questions about it. Does it integrate with MS Active Directory? In other words and it filter based on groups and policies or is it more IP / ACL based? Also does it perform well?
  I've also looked at the IronPort product cisco sell's and have similar questions regarding that mainly what are folks experience with it, is it something you would recommend?

  Hi Allen,
  To answer your questions related to the CSC module:
  1. No, the CSC module does not integrate with Active Directory. This is something that Trend Micro has in the works, but as of now there is no ETA for this functionality.
  2. The CSC module will perform fairly well if used in the environment it was designed for. I would recommend taking a look at the CSC sizing guide to see if the CSC-SSM-10 would be something that is scalable enough for your network:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd805c3cd6.html
  I cannot speak to the performance/functionality of IronPort as I have not used it personally, but I have heard good things. Also, external appliances from Websense seem to be a popular choice when you need a product that is a bit more scalable or granular than what the CSC module can provide.
  Hope that helps.
  -Mike

• IOS Content Filtering - Is No More ?

  Cisco very quickly End of Lifed the IOS Content Filtering offering last year
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/eol_c51-698205.html
  For something with a minimum of a yearly lic involved, the EOL timing is shocking - you could have ordered product with a 1 year lic and come back now to find the offering is now dead (as in our case) so much for ROI !
  Cisco are pushing Scansafe as their current offering, which has probably led toa  falling out with Trend who provided the underlying service for
  IOS Content Filtering. Scansafe does not economically cover the low end application, for which IOS Content Filtering was ideal i.e SMB space with 8xx or low end ISR routers. The Cisco answer is basically "perhaps you want to go and investigate solutions form other suppliers"
  So we are left with a router platform which is fine and  content filtering which was fine but are now unable to re-licence the URL filtering service and will stop working in about 30 days and there is apparently nothing we can do about it
  Does anyone know if Trend still operate the URL filtering subscription service and whether theire is a way of geting a subscription renewal direct ?
  (i'm not holding my breath on that - I am guessing the IOS content filtering hooks for the service being certificate based + Cisco license process will make that hard for anyone but Cisco)
  Or of any alternative simple and cost effective solution we can configure the router to use
  (please tell me we're not back to SurfControl/Websense solutions again..)
  thanks
  Sez

  Approached the Cisco AM - frankly there was little or no interest in fixing such a low value problem. The spin was the Trend relationship ending was beyond Cisco control and Cisco hands tied - i.e. its not our fault (but strangely the problem is the customers)
  Yes we could get some TMP discount - against the original hardware purchase but the hardware for lowend installs is negligible, it is the services time/cost in getting solution (and any replacement) into deployment which is the costly part and TMP makes no allowance for that.
  Also scansafe solution is much more expensive, compared to IOS URL Filtering, so even taking off the minor TMP discount the answer form Cisco is basically - yep spend more money with us and we'll fix the problem we created for you. And why is there so little normal info on Cisoc.com for scansafe - i.e. covering SKU/ordering models etc... It always just ays 'ask your Cisco AM for details' - that may have worked when Scansafe was a separate company but a Cisco AM is unlikely to even answer the phone to talk about a $3K order
  If Cisco really wanted to protect customer investment, why couldn't it provide through Scansafe a replacement service for IOS URL Filtering service, at similar cost and pricing model to that provided by the Trend integration? i.e. same kit, same config but pointed at scansafe cloud rather than Trend cloud. Then there would be no issue and a clean migration path provided for Ciscos valued customers
  Probably answering my own question but scansafe appears to return to a cost related to the user count, whereas IOS URL Filtering service was a simple one off cost per router. This was ideal for low end application (the ISR800 series size of deployment) and comparable scansafe is way more expensive.
  I have found we are not alone in this, most customers are only finding out about this mess when existing IOS URL Filtering licence's expire and go for renewal only to find the 3 month EOL process has stealthily boatanchored their implementation.
  Sez

• How to asign some content filtering policies to a wan port ISA550

  Hi, I have a Cisco ISA550, and we are trying to make some url's rules for the network. I have established a policie, with some content and url's, but now I need to asign them to a configurable wan port. What I have do is:
  1. Go to firewall and open content filtering policies
  2. Generate a new filtering policie. (named: diarios)
  3. Load the policie with some URL (all are enabled with the tickets)
  4. go to Policy to Zone Mapping and change the LAN zone. Now using "diarios"
  5. Content filtering turned ON
  6. Go to Advance settings and configure it.
  everything saved and it works. But now I need to asign this rule only to wan port #3.
  Can someone help me please?
  Thanks a lot.

  Open the Trace Log panel in Scout - it shows you all the trace messages for the selected frames (in a console-like view). If you select all frames, you can see all trace messages for the entire session.
  See Figure 27, here:
  http://www.adobe.com/devnet/scout/articles/adobe-scout-getting-started.html

• Does "first match" win on Content Filters?

  If I define multiple content filters for a given outbound mail policy, would system stop looking at filters once a match is found on one of the content filters or should I force that by using a "final" action in my content filters?
  I know "first match wins" apply to some other scenarios, but couldn't see a clear explanation to above question in section 6 of Config guide where content filters are defined (and testing with system did not clear that for me either).
  Thanks.
  Sent from Cisco Technical Support iPhone App

  Hello John,
  An emaill being processed by the content filters or messages filters will continue down the list of  content/message filters until it hits the last filter or a 'final' action filter command.   If the email being processed needs to exit (by administrative choice), the filter it hits, should have a final action.  This only applies to certain conditions, where the administrator does not want the filter's last action to be overwritten by another filter down the pipeline.
  cheers,
  -Alvaro

• RV220W - Content Filtering and Tivo

  After using an RV220W in the Office fdr some time I decided to upgrade my old WRVS4400N V1 with one - in line with Cisco recommendations. I am using the latest firmware 1.0.4.17.
  One problem I have is that a Tivo device will not connect to its contect servers in the outside world when any Content Filtering is active. I have tried setting up a firewall rule to give complete outbound access for the device for all services but that did not help. The only thing that allows the Tivo to connect properly is to either turn off Content filtering completely  - in which case some of the router protection is lost, or to select some other port in the HTTP port selection box (I tried port 79) - in which case content protection functionality on port 80 is also lost. I have also tried turning off (deselecting) all the other content filtering options but the device can still cannot connect if Content Filtering is enabled.
  It seems to me that setting a firewall rule to allow ALL outbound from the device should be enough to allow connection. What is Content Filtering doing that prevents this device from connecting? And why can't I override it with the firewall rules? This seems to be the same as an old thread many releases of firmware ago:   RV220W - Connecting to TiVo mothership w/ ProtectLink
  Why is this the only router that seems to have this problem? Will it cause other issues?
  If this is because of some internal behaviour of the ruleset then Content Filtering needs to be able to be excluded for a "trusted" internal IP address.
  thanks,
  David Wyatt

  Hello,
  I've opened case # 621056469. The support engineer told me that he'll try to reproduce the problem on his side, and contact me back for remote testing on my own router. If the issue is already known, does it have some kind of ref number so that I can inform him ? Is a fix already planned for  a future firmware release ?
  Thanks for your help.

• IOS Content Filtering

  Hello, I have just purchased content filtering for an SR520 and an 881.
  I find guides on Cisco.com relating to confiuration of filtering, but nothing with regards to reporting. I'm looking to log every time a page is denied, and what user (or IP) requested the blocked page.

  Yes there is acache you can configure under the parameter-map.
  You can also view it using command shown below
  IOSrouter# sh
  policy-map type inspect zone-pair urlfilter cache detail
  policy exists on zp zp
  Zone-pair: zp
  Service-policy inspect : trend-global-policy
  Class-map: www (match-all)
  Match: protocol http
  Inspect
  Maximum number of bytes in cache: 262144
  Time to live for each cache entry (in hrs): 24
  Total number of bytes used by cache: 453
  Number of bytes used by domain type cache: 353
  Number of bytes used by directory type cache: 100
          URL                                       Age         Idle time/        Cat::Rep
          (Directory cache
  end with /)  (day:h:m:s)
  access #
          yahoo.com                             0:16:47:30           2           56::1                                                                               
  ad.doubleclick.net                
  0:00:00:10           1           72::1                                                                                                                       
  static.eharmony.com/static../
  0:00:00:06  0:00:00:04     12::1
  Unfortunately you can't see who accessed them.
  I hope it helps.
  PK

• 3900 Content Filtering

  I have been looking everywhere for a configuration guide for the subscription based trend micro content filtering available on the routers, can someone point me in the right direction please, thanks.

  Never mind, if anyone else needs to know this is what I found:
  https://supportforums.cisco.com/docs/DOC-8028
  http://www.cisco.am/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c11_519293.html
  Really wish Cisco would do away with this, even the CSC on the ASA is better and I really hate it.