MX L3 firewall rule hits

sungod
Head in the Cloud

I want to report on which clients are hitting firewall layer 3 deny rules.

Any idea if layer 3 firewall deny rule hits are accessible via API? I've had a look around but don't see anything.

It looks like they aren't in Dashboard itself other than the basic live rule hit counts on the firewall config page, but that doesn't identify the client(s).

Seems the only way might be activating logging on L3 deny rules to get them via syslog (or maybe netflow) but that means setting up extra services just for this info.

The available event types on an MX network that are blocking-related cover NBAR L7, content filtering and AMP, but don't include L3, same as the network event log categories...

    {
        "category": "Network-Based Application Recognition",
        "type": "nbar_block",
        "description": "Layer 7 firewall rule"
    },
    {
        "category": "Filtering",
        "type": "cf_block",
        "description": "Content filtering blocked URL"
    },
    {
        "category": "Filtering",
        "type": "sf_url_block",
        "description": "Security blocked URL"
    },
    {
        "category": "Filtering",
        "type": "sf_binary_block",
        "description": "Security blocked file"
    },
    {
        "category": "Intrusion Detection",
        "type": "ids_start",
        "description": "Intrusion detection started"
    },
    {
        "category": "Intrusion Detection",
        "type": "ids_error",
        "description": "Intrusion detection error"
    },
    {
        "category": "Intrusion Detection",
        "type": "ids_update",
        "description": "Intrusion detection rules update"
    }

I guess instead I could configure L7 rules on IP and/or port instead of L3 rules, in cases where it is a blanket rule rather than one on a subset of internal IP(s)/port(s).

Based on the diagram from documents, the L7 processing happens anyway, so presumably there's not a performance hit on traffic.

[Image: MXL3L7.png (MX L3/L7 processing diagram from the documentation)]

Any other ideas?

RaphaelL
Kind of a big deal

I really think that syslog is the only realistic way to go 😞 

You are right... I talked to a Meraki rep a while ago, and using a Syslog setup is the only way to see hits on a deny rule.

sungod
Head in the Cloud

Thanks guys.

I think I'll make a wish in Dashboard for L3 hits to be in the summary data like L7, if it happens I assume it'd also appear via API one day.
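Since the thread concludes that syslog is the only way to see which clients hit an L3 deny rule, here is an added example (not from the thread or from Meraki) of the reporting side: a small parser that takes MX "flows" syslog lines, keeps only denied flows, and aggregates them per client. The sample lines are constructed, and the key=value field names (src, dst, mac, protocol, sport, dport, pattern) are an assumption about the log format; adjust the regex to match what your MX actually sends.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not real traffic). Field names are assumed.
SAMPLE_SYSLOG = """\
1374543213.342810000 MX84 flows src=192.168.10.3 dst=8.8.8.8 mac=58:B0:35:F5:8B:C8 protocol=udp sport=50025 dport=53 pattern: allow all
1374543214.102400000 MX84 flows src=192.168.10.7 dst=203.0.113.9 mac=00:11:22:33:44:55 protocol=tcp sport=51000 dport=445 pattern: deny all
1374543215.500000000 MX84 flows src=192.168.10.7 dst=203.0.113.10 mac=00:11:22:33:44:55 protocol=tcp sport=51001 dport=445 pattern: deny all
1374543216.700000000 MX84 flows src=192.168.10.12 dst=198.51.100.4 mac=AA:BB:CC:DD:EE:FF protocol=udp sport=40000 dport=161 pattern: deny all
1374543217.900000000 MX84 urls src=192.168.10.3:51234 dst=93.184.216.34:80 mac=58:B0:35:F5:8B:C8 request: GET http://example.com/
"""

# Matches "<ts> <device> flows k=v k=v ... pattern: <action> <rule text>".
# Non-"flows" lines (urls, events, ...) do not match and are skipped.
FLOW_RE = re.compile(
    r"^\S+\s+(?P<device>\S+)\s+flows\s+(?P<fields>(?:\w+=\S+\s*)+)"
    r"pattern:\s*(?P<action>\w+)\s*(?P<rule>.*)$"
)


def parse_flow(line):
    """Return a dict of the flow's fields, or None if the line is not a flows record."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    fields["device"] = m.group("device")
    fields["action"] = m.group("action")
    fields["rule"] = m.group("rule").strip()
    return fields


def deny_hits_by_client(text):
    """Map (src_ip, mac) -> Counter of (dst, protocol, dport) for denied flows only."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        f = parse_flow(line)
        if f and f["action"] == "deny":
            client = (f["src"], f.get("mac", "?"))
            hits[client][(f["dst"], f["protocol"], f["dport"])] += 1
    return hits


def top_deny_clients(text, n=10):
    """Clients ordered by total denied flows, most first: [((src, mac), count), ...]."""
    totals = {c: sum(ctr.values()) for c, ctr in deny_hits_by_client(text).items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for (src, mac), count in top_deny_clients(SAMPLE_SYSLOG):
        print(f"{src:<16} {mac:<18} denied flows: {count}")
```

Feed it the syslog file your collector writes (or tail it) to get the per-client deny report the Dashboard rule hit counters do not provide.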
