1:1 NAT and Geo blocking

joebrug
Here to help


Since switching to Meraki MX firewall from our Fortigate, our RDS gateway is getting hammered. Presumably because all countries are allowed to attempt logins. Is there really no way to use geo blocking with a 1:1 NAT? I would've expected this ability from any firewall nowadays 😕 Hopefully I'm missing it.

Brash
Kind of a big deal

That's correct, Layer 7 Geo blocking rules do not apply to inbound sourced traffic flows.
There is no way to achieve this.

Re: MX67W - does 1:1 NAT forwarding superceed layer 7 country blocking? - The Meraki Community

joebrug
Here to help

Thanks Brash... but... why?!?! 🙂 It seems silly to allow our firewalls to be hammered by countries that have no legit reason to access. I realize there are VPNs, etc., but this took care of a lot of low-hanging fruit.

Brash
Kind of a big deal

Assumedly it's related to the processing engine of the device.
MXs are great for SMB and do a very good job at being simple to set up and run.

 

When you get into use-cases that are more typical of a medium to large enterprise, you may find that the simplicity can sometimes be a hindrance.

TyShawn
Head in the Cloud

This was the reason we had to come off the MX platform and move to the FTD platform for our firewalls. The processing, if I recall correctly, was L7 then L3, unless there is a 1:1 NAT, then it's just the NAT rules for inbound traffic.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.