ECMS Practice Question - April 2nd

DavidLowe
Meraki Employee

Hello again! Another simple-'ish' question for you all.

As always, comment below with what you think is the correct answer and remember: if you like the question or the ECMS questions initiative, leave us some kudos.

See you in a week with the correct answer!

ECMS practice question

Select the correct firewall rule processing order for the MX security appliance:

A.) L3 allow/deny > L3 implicit deny > L7 deny

B.) L3 allow/deny > L3 implicit allow > L7 deny

C.) L3 allow/deny > L7 deny > L3 default deny

D.) L7 deny > L3 allow/deny > L3 implicit allow

P.S. We will be sharing new practice questions weekly! If you'd like to receive updates when we do, click the "ECMS Practice" label below and then "Subscribe".

Here you can find previous questions

Accepted Solutions
DavidLowe
Meraki Employee

Re: ECMS Practice Question - April 2nd

Another week, another answer.

First up, apologies if the wording of the question wasn't quite clear - although it looks like most of you managed anyway!!

This time we were looking for...

B. L3 allow/deny > L3 implicit allow > L7 deny

The MX begins by checking if there is a matching Layer 3 (L3) rule - if so, it will make the appropriate decision based on the allow/deny parameters, else the MX will fall back on its L3 implicit allow rule. After this, the MX will check for any Layer 7 (L7) rule matches. If there is one, the MX will discard the traffic/packet.

The wording of 'Layer 7 Deny' might have caught a few off guard - it was included because on the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule. The same cannot be said for our MR access points, which will bypass the L7 firewall altogether if traffic matches an allow rule on the L3 firewall.

As before, more info here:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...

KarstenI
Head in the Cloud

Re: ECMS Practice Question - April 2nd

I really had to scratch my head to understand what the provided answers mean, but:

- We can rule out A.) and C.) as there is no implicit or default deny.
- It cannot be D.) as the L3 rules are processed first.

The answer has to be B.)

But I still have no idea how to consistently map this answer to the documented processing flow:
https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...
UCcert
Kind of a big deal

Re: ECMS Practice Question - April 2nd

B

I don't like that implicit Allow that the MXs ship with. I understand it helps with getting these devices up and running quickly, but people should be removing it and setting it to an implicit Deny All.

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Inderdeep
A model citizen

Re: ECMS Practice Question - April 2nd

I am confused between options A and B, but as the experts @UCcert and @KarstenI say B, it should be B of course 🙂

Regards
Inderdeep Singh
www.thenetworkdna.com
KarstenI
Head in the Cloud

Re: ECMS Practice Question - April 2nd

@Inderdeep wrote:

I am confused between options A and B, but as the experts @UCcert and @KarstenI say B, it should be B of course 🙂

This approach will not help you in the real exam ... 😉

AB_LaDigue67
Here to help

Re: ECMS Practice Question - April 2nd

To

Spoiler
B

or not to

Spoiler
B

that answers the question.

Inderdeep
A model citizen

Re: ECMS Practice Question - April 2nd

@KarstenI Yeah I knew and will prepare myself before the exam ☺️

Regards
Inderdeep Singh
www.thenetworkdna.com
briangallagher
Conversationalist

Re: ECMS Practice Question - April 2nd

I'll go with B

Looking at the firewall rules, Layer 3 processing comes first and the MX ships with a default L3 Implicit Allow. When a rule is added, it is added as either an L3 Allow or Deny, depending on the policy, and is inserted above the default. So L3 Allow/Deny is processed first, then L3 implicit allow. L7 firewall rules are only created with Deny as the policy option.


Inderdeep
A model citizen

Re: ECMS Practice Question - April 2nd

@DavidLowe Thanks for the explanation !

Regards
Inderdeep Singh
www.thenetworkdna.com
GreenMan
Meraki Employee

Re: ECMS Practice Question - April 2nd

Just one thing to add to this: there's only an implicit allow if the packet is received on a LAN interface. If it's on a WAN / Internet port (with no matching outbound session), it hits an implicit deny - of course!
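To make the order in the accepted answer concrete (explicit L3 allow/deny rules, then the L3 implicit rule, then L7 deny rules), together with the caveat in the reply above that the implicit L3 verdict depends on whether the packet arrived on a LAN or WAN interface, here is a small Python model of that decision flow. This is an added illustration, not Meraki code and not the documented implementation: the Packet, L3Rule and L7Rule classes, the process() function, the sample rules and the sample packets are all constructed for this example, and treating WAN return traffic with an existing outbound session like LAN-originated traffic at the implicit step is an assumption of the model.

```python
"""Toy model of the MX firewall processing order discussed in this thread.

Added illustration, not Meraki code. Order modelled:
  1. explicit L3 allow/deny rules, top to bottom, first match wins
  2. implicit L3 rule: allow for LAN-side traffic (or WAN return traffic
     with a matching outbound session), deny for unsolicited WAN traffic
  3. L7 deny rules, which can still block traffic an L3 rule allowed
Class names, fields and sample data are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    ingress: str = "lan"          # "lan" or "wan" (constructed field)
    app: Optional[str] = None     # application class an L7 engine would assign
    has_session: bool = False     # WAN packet that is a reply to an outbound flow


@dataclass
class L3Rule:
    policy: str                   # "allow" or "deny"
    proto: str = "any"
    src: str = "any"              # CIDR or "any"
    dst: str = "any"
    dport: str = "any"            # "any", "443" or "1024-65535"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return _port_in(self.dport, pkt.dport)


@dataclass
class L7Rule:
    app: str                      # L7 rules only ever deny, as noted in the thread


def _port_in(spec: str, port: int) -> bool:
    """Match a port against "any", a single port, or an inclusive "lo-hi" range."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def process(pkt, l3_rules, l7_rules):
    """Return (verdict, reason) following L3 rules -> implicit L3 -> L7 deny."""
    reason = None
    # Step 1: explicit L3 rules, top to bottom; the first match decides.
    for i, rule in enumerate(l3_rules):
        if rule.matches(pkt):
            if rule.policy == "deny":
                return "deny", f"L3 rule {i} (deny)"
            reason = f"L3 rule {i} (allow)"
            break
    # Step 2: no explicit match, so the implicit rule applies; it depends on ingress.
    if reason is None:
        if pkt.ingress == "lan" or pkt.has_session:
            reason = "L3 implicit allow"
        else:
            return "deny", "L3 implicit deny (unsolicited inbound on WAN)"
    # Step 3: L7 deny rules are checked even after an L3 allow.
    for j, rule in enumerate(l7_rules):
        if pkt.app is not None and pkt.app == rule.app:
            return "deny", f"L7 rule {j} ({rule.app}) overriding {reason}"
    return "allow", reason


# Constructed sample policy: one host may not reach the guest subnet (L3),
# and peer-to-peer traffic is blocked at L7 whatever L3 decided.
L3_RULES = [L3Rule("deny", src="10.0.1.50/32", dst="10.0.99.0/24")]
L7_RULES = [L7Rule("peer-to-peer")]

# Constructed sample packets covering each branch of the flow.
SAMPLE_PACKETS = {
    "lan_web":    Packet("10.0.1.10", "203.0.113.5", 443, app="web"),
    "lan_p2p":    Packet("10.0.1.10", "203.0.113.5", 6881, app="peer-to-peer"),
    "lan_denied": Packet("10.0.1.50", "10.0.99.7", 22),
    "wan_unsol":  Packet("198.51.100.9", "10.0.1.10", 3389, ingress="wan"),
    "wan_reply":  Packet("203.0.113.5", "10.0.1.10", 51000, ingress="wan",
                         has_session=True, app="web"),
}


def evaluate_samples():
    """Run every sample packet through the model and return name -> (verdict, reason)."""
    return {name: process(p, L3_RULES, L7_RULES) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (verdict, why) in evaluate_samples().items():
        print(f"{name:12} {verdict:5} {why}")
```

Running it shows the point of the question in one table: the LAN web flow is allowed only by the implicit rule, the LAN peer-to-peer flow passes L3 the same way and is then dropped by L7, the explicit L3 deny fires before any implicit rule is consulted, and the unsolicited WAN packet never reaches L7 because the implicit step already denied it.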
